This chapter focusses on the concepts involved in establishing system parameters affecting the following areas of a NetScreen security appliance:
NetScreen firewalls secure a network by inspecting, and then allowing or denying, all connection attempts that require crossing the Untrusted, Trusted, and DMZ (NetScreen-10 and -100) interfaces.
By default, a NetScreen firewall denies all traffic in all directions.
Through the creation of Access Policies, you can then control the traffic flow across an interface by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, you can allow all kinds of traffic from any Trusted source to any Untrusted destination without any scheduling restrictions. At the narrowest level, you can create an Access Policy that allows only one kind of traffic between a specified server on the Trusted side and a specified client on the Untrusted side during a scheduled period of time. In the first case, the firewall keeps all Internet traffic out of the protected network while providing all Trusted hosts access to the Internet. In the second case, you completely separate the two sides of the firewall except for a single hole connecting a point on the Trusted side to another point on the Untrusted side.
To secure all connection attempts originating from Trusted hosts, NetScreen devices use a dynamic packet filtering method known as stateful inspection. Using this method, the NetScreen device notes various components in an outgoing TCP packet header (source and destination IP addresses, source and destination port numbers, and packet sequence numbers) and maintains the state of each TCP session traversing the firewall. (The NetScreen device also modifies session states based on changing elements such as dynamic port changes or session termination.) When a responding TCP packet arrives, the NetScreen device compares the information reported in its header with the state of its associated session stored in the inspection table. If they match, the incoming packet is allowed to pass the firewall. If the two do not match, the packet is dropped.
To protect against attacks from the Untrusted interface, you can enable defense mechanisms that can detect and deflect over a dozen common network attacks:
· SYN Flood: A SYN flood attack occurs when a network becomes so overwhelmed by SYN packets initiating uncompletable connection requests that it can no longer process legitimate connection requests, resulting in a denial of service (DoS).
· ICMP Flood: An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. After enabling the ICMP flood protection feature, you can set a threshold that once exceeded invokes the ICMP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the NetScreen device ignores further ICMP echo requests for the remainder of that second.
· UDP Flood: Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer handle valid connections. After enabling the UDP flood protection feature, you can set a threshold that once exceeded invokes the UDP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the NetScreen device ignores further UDP packets for the remainder of that second.
· Ping of Death: The TCP/IP specification requires a specific packet size for datagram transmission. Many ping implementations allow the user to specify a larger packet size if desired. A grossly oversized ICMP packet can trigger a range of adverse system reactions such as denial of service (DoS), crashing, freezing, and rebooting. If you enable the NetScreen device to do so, it can detect and reject such oversized and irregular packet sizes.
· IP Spoofing: Spoofing attacks occur when an attacker attempts to bypass the firewall security by imitating a valid client IP address. When IP Spoofing defense is enabled, the NetScreen device guards against this attack by analyzing the IP addresses with its own route table. If the IP address is not in the route table, traffic from that source is not allowed to communicate through the NetScreen device and any packets from that source are dropped.
· Port Scan Attack: Port scan attacks occur when packets are sent with different port numbers with the purpose of scanning the available services in hopes that one port will respond. The NetScreen device internally logs the number of different ports scanned from one remote source. If a remote host scans 10 ports in 0.3 seconds, NetScreen flags this as a port scan attack, and drops the connection.
· Land Attack: Combining a SYN attack with IP spoofing, a Land attack occurs when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. The receiving system responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, causing a DoS. By combining elements of the SYN flood defense and IP Spoofing protection, the NetScreen device blocks any attempts of this nature.
· Tear Drop Attack: Tear Drop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the options is offset. When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash. If the NetScreen sees this discrepancy in a fragmented packet, it drops it.
· Filter IP Source Route Option: IP header information has an option to contain routing information that may specify a different source than the header source. Enable this option to block all IP traffic that employs the Source Route Option. Source Route Option can allow an attacker to enter a network with a false IP address and have data sent back to his real address.
· Address Sweep Attack: Similar to a port scan attack, an address sweep attack occurs when an attacker sends ICMP echo requests (or pings) to different destination addresses hoping that one will reply, thus uncovering an address to target. The NetScreen device internally logs the number of different addresses being pinged from one remote source. If a remote host pings 10 addresses in 0.3 seconds, NetScreen flags this as an address sweep attack, and drops the connection.
· Block Java/ActiveX/ZIP/EXE Component: Malicious Java or ActiveX components can be hidden in Web pages. When downloaded, these applets install a Trojan horse on your computer. Similarly, Trojan horses can be hidden in compressed files such as .zip, .gzip, and .tar, and executable (.exe) files. Enabling this feature blocks all embedded Java and ActiveX applets from Web pages and strips attached .zip, .gzip, .tar and .exe files from e-mail.
· Winnuke Attack: WinNuke is a pervasive application, whose sole intent is to cause any computer on the Internet running Windows to crash. WinNuke sends out-of-band (OOB) data, usually to NetBIOS port 139, to a host with an established connection, and introduces a NetBIOS fragment overlap, which causes many machines to crash. After rebooting, the following message appears, indicating that an attack has occurred:
An exception OE has occurred at 0028:[address] in VxD MSTCP(01) +
000041AE. This was called from 0028:[address] in VxD NDIS(01) +
00008660. It may be possible to continue normally.
- Press any key to attempt to continue.
- Press CTRL+ALT+DEL to restart your computer. You will lose any unsaved information in all applications.
- Press any key to continue.
If you enable the WinNuke attack defense mechanism on a NetScreen device, it scans any incoming Microsoft NetBIOS Session Service (port 139) packets. If the NetScreen device observes that the TCP URG code bit is set on one of those packets, it inspects the offset, removes the fragmented overlap, and corrects the offset as necessary to prevent an OOB error. The modified packet is then passed, and a WinNuke attack log entry is created in the Alarm Event log.
To enable the firewall features designed to counter the network attacks listed above, do either of the following:
Configure >> General: Select the features you want enabled (and set threshold values for SYN Attack, ICMP Flood, and UDP Flood), and then click Apply:
Detect SYN Attack (and threshold value)
Detect ICMP Flood (and threshold value)
Detect UDP Flood (and threshold value)
Detect Ping of Death Attack
Detect IP Spoofing Attack
Filter IP Source Route Option
Detect Address Sweep Attack
Block Java/ActiveX/ZIP/EXE Component
set firewall {applet | bypass-others-ipsec | default-deny | icmp-flood [threshold <number>] | ip-spoofing | ip-sweep [threshold <microseconds>] | land | log-self | ping-of-death | port-scan [threshold <number>] | src-route | syn-flood [alarm-threshold <number> | queue-size <number> | timeout <number>] | tear-drop | udp-flood [threshold <number>] | winnuke}
Note: See the NetScreen CLI Reference Guide for an explanation of the set firewall arguments, plus examples and related commands.
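The port scan and address sweep rules above (10 distinct ports, or 10 distinct pinged addresses, from one source within 0.3 seconds) can be checked with a small sliding-window detector. This is an added illustration written for this page, not NetScreen code; the window, the limit and the packet records are taken from the page's figures or constructed here.

```python
# Added illustration of the page's port-scan and address-sweep rules; not NetScreen code.
# The packet records below are constructed for the demonstration.
from collections import defaultdict, deque

WINDOW_SECONDS = 0.3   # from the page: 10 ports / 10 addresses within 0.3 seconds
DISTINCT_LIMIT = 10


class ScanDetector:
    """Flags a remote source that touches DISTINCT_LIMIT distinct TCP destination ports
    (port scan) or sends echo requests to DISTINCT_LIMIT distinct addresses (address
    sweep) inside a sliding window of WINDOW_SECONDS."""

    def __init__(self, window=WINDOW_SECONDS, limit=DISTINCT_LIMIT):
        self.window = window
        self.limit = limit
        self.port_hist = defaultdict(deque)   # src -> deque of (ts, dport)
        self.addr_hist = defaultdict(deque)   # src -> deque of (ts, dst)
        self.alerts = []                      # (kind, src, ts)

    def _observe(self, hist, src, ts, key, kind):
        q = hist[src]
        q.append((ts, key))
        while q and ts - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        if len({k for _, k in q}) >= self.limit:
            self.alerts.append((kind, src, ts))
            q.clear()   # the page says the connection is dropped; start a fresh window
            return True
        return False

    def packet(self, pkt):
        if pkt["proto"] == "tcp":
            return self._observe(self.port_hist, pkt["src"], pkt["ts"], pkt["dport"], "port-scan")
        if pkt["proto"] == "icmp" and pkt.get("type") == 8:   # ICMP echo request
            return self._observe(self.addr_hist, pkt["src"], pkt["ts"], pkt["dst"], "address-sweep")
        return False


def run(packets):
    """Feed packets in time order; return the list of alerts raised."""
    det = ScanDetector()
    for p in sorted(packets, key=lambda p: p["ts"]):
        det.packet(p)
    return det.alerts


def sample_packets():
    """Constructed traffic mix (not captured data)."""
    pk = []
    for i in range(10):    # fast scan: 10 ports in 0.18 s -> should alert
        pk.append({"ts": 1.0 + 0.02 * i, "proto": "tcp", "src": "5.6.7.8",
                   "dst": "2.2.2.1", "dport": 21 + i})
    for i in range(10):    # slow scan: 10 ports over 0.9 s -> below the page's rate
        pk.append({"ts": 5.0 + 0.1 * i, "proto": "tcp", "src": "9.9.9.9",
                   "dst": "2.2.2.1", "dport": 1000 + i})
    for i in range(40):    # busy but legitimate client: only two distinct ports
        pk.append({"ts": 8.0 + 0.005 * i, "proto": "tcp", "src": "10.1.1.50",
                   "dst": "2.2.2.1", "dport": 80 if i % 2 else 443})
    for i in range(10):    # sweep: echo requests to 10 DMZ hosts in 0.09 s -> should alert
        pk.append({"ts": 12.0 + 0.01 * i, "proto": "icmp", "type": 8, "src": "5.6.7.8",
                   "dst": f"2.2.10.{10 + i}"})
    return pk


if __name__ == "__main__":
    for kind, src, ts in run(sample_packets()):
        print(f"{ts:8.3f}  {kind:14s}  source {src}")
```

The slow scan never has ten distinct ports inside one 0.3-second window, which is why a rate-based rule like this one is blind to patient scanning.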
Example: SYN Flood Attack
A TCP connection is established with a triple exchange of packets known as a three-way handshake: A sends a SYN packet to B; B responds with a SYN/ACK packet; and A responds with an ACK packet. A SYN Flood attack inundates a site with SYN packets containing forged ("spoofed") IP source addresses with nonexistent or unreachable addresses. The firewall responds with SYN/ACK packets to these addresses and then waits for responding ACK packets. Because the SYN/ACK packets are sent to nonexistent or unreachable IP addresses, they never elicit responses and eventually time out.
By flooding a server or host with uncompletable connections, the attacker eventually fills the host's memory buffer. Once this buffer is full, no further connections can be made and the host's operating system might be damaged. Either way, the attack disables the host and its normal operations. A SYN Flood attack is classified as a denial-of-service (DoS) attack.
SYN Flood Attack Protection
NetScreen devices can impose a limit on the number of SYN packets per second permitted to pass through the firewall. When that threshold is reached, the NetScreen device starts proxying incoming SYN packets, sending out SYN/ACK responses for the host and storing the incomplete connections in a connection queue. The incomplete connections remain in the queue until the connection is completed or the request times out.
In the following illustration, the SYN threshold has been passed and the NetScreen device has begun proxying SYN packets.
In the next illustration, the proxied connection queue has completely filled up, and new incoming SYN packets are being rejected.
This action attempts to shield hosts on the protected network from the bombardment of incomplete three-way handshakes.
Note: The procedure of proxying incomplete SYN connections above a set threshold pertains only to traffic permitted by existing Access Policies. Any traffic for which an Access Policy does not exist is automatically dropped.
WebUI: Enabling SYN Flood Attack Protection
1. Configure >> General: Enter the following settings, and then click Apply:
Detect SYN Attack check box: Select
SYN Attack Threshold (NetScreen-5/10/100): 20,000/Sec.
Note: The NetScreen-1000 proxies all sessions; therefore, there is no threshold to set. On the NetScreen-5/10/100, proxying is enabled when SYN Attack detection is enabled.
Through the WebUI, you can set the threshold at which the NetScreen-5, -10, and -100 begin proxying sessions. Through the CLI, you can also set the queue length, timeout value, and alarm threshold.
CLI: Enabling SYN Flood Attack Protection and Defining Parameters
1. Enable SYN Flood attack protection.
You can set the following four parameters for proxying uncompleted SYN connections:
2. Threshold: The number of SYN packets per second required to activate the SYN proxying mechanism. Although you can set the threshold at any number, you need to know the normal traffic patterns at your site to set an appropriate threshold for it. For example, if it is an e-business site that normally gets 20,000 SYN packets per second, you might want to set the threshold at 30,000/second. If a smaller site normally gets 20 SYN packets/second, you might consider setting the threshold at 40.
set syn-threshold <number>
3. Queue size: The number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests. The longer the queue size, the longer the NetScreen device needs to scan the queue to match a valid ACK response to a proxied connection request. This can slightly slow the initial connection establishment; however, because the time to begin data transfer is normally far greater than any minor delays in initial connection setup, users would not see a noticeable difference. The queue size can be from 0-2000 for the NetScreen-10, and 0-20,000 for both the NetScreen-100 and -100p.
4. Timeout: The maximum length of time before a half-completed connection is dropped from the queue.
The default is 20 seconds, and you can set the timeout from 0-50 seconds on the NetScreen-10, -100, and -100p. You might try decreasing the timeout value to a shorter length until you begin to see any dropped connections during normal traffic conditions. 20 seconds is a very conservative timeout for a three-way-handshake ACK response.
5. Alarm: The number of proxied, half-complete connections per second at which an alarm is entered in the Event Alarm log.
The value you set for an alarm threshold triggers an alarm when the number of proxied, half-completed connections per second exceeds that value. For example, if the SYN threshold is set at 2000 SYN packets per second and the alarm at 1000, then a total of 3001 SYN packets per second are required to trigger an alarm entry in the log. More precisely:
1. The firewall passes the first 2000 SYN packets per second that meet Access Policy requirements.
2. The firewall proxies the next 1000 SYN packets in the same second.
3. The 1001st proxied connection (or 3001st connection request in that second) triggers the alarm.
If an attack persists, the Event Alarm log enters an alarm for each second of the attack until the attack stops and the queue empties.
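The interplay of the four parameters (threshold, queue size, timeout, alarm) is easy to get wrong when tuning, so here is an added model of the behaviour the page describes, reproducing its 2000/1000 arithmetic. It is an illustration written for this page, not NetScreen code, and simplifies the real device; the traffic it processes is constructed.

```python
# Added model of the SYN-flood proxying behaviour described on this page; not NetScreen
# code, and a simplification of the real device. The traffic below is constructed.
from collections import OrderedDict


class SynProxy:
    """Per-second SYN threshold, proxied half-open queue with size limit and timeout,
    and an alarm threshold on proxied connections per second."""

    def __init__(self, threshold=2000, queue_size=2000, timeout=20, alarm=1000):
        self.threshold = threshold      # SYNs per second passed through unproxied
        self.queue_size = queue_size    # max half-open proxied connections held
        self.timeout = timeout          # seconds before a half-open entry is dropped
        self.alarm = alarm              # proxied connections per second that trigger an alarm
        self.queue = OrderedDict()      # (src, sport) -> time the proxied SYN arrived
        self.second = None
        self.syn_count = 0              # SYNs seen in the current second
        self.proxied_count = 0          # SYNs proxied in the current second
        self.alarms = []                # seconds in which an alarm was logged
        self.stats = {"passed": 0, "proxied": 0, "rejected": 0, "completed": 0, "expired": 0}

    def _tick(self, now):
        sec = int(now)
        if sec != self.second:          # new second: reset the per-second counters
            self.second, self.syn_count, self.proxied_count = sec, 0, 0
        for key, t0 in list(self.queue.items()):   # age out half-open entries
            if now - t0 > self.timeout:
                del self.queue[key]
                self.stats["expired"] += 1

    def syn(self, now, src, sport):
        """Handle an incoming SYN; returns 'pass', 'proxy' or 'reject'."""
        self._tick(now)
        self.syn_count += 1
        if self.syn_count <= self.threshold:
            self.stats["passed"] += 1
            return "pass"
        if len(self.queue) >= self.queue_size:      # queue full: reject new requests
            self.stats["rejected"] += 1
            return "reject"
        self.queue[(src, sport)] = now              # device answers SYN/ACK on the host's behalf
        self.proxied_count += 1
        self.stats["proxied"] += 1
        if self.proxied_count > self.alarm and self.second not in self.alarms:
            self.alarms.append(self.second)         # one alarm entry per second of attack
        return "proxy"

    def ack(self, now, src, sport):
        """Handle the client's ACK; True if it completed a proxied handshake."""
        self._tick(now)
        if self.queue.pop((src, sport), None) is None:
            return False
        self.stats["completed"] += 1
        return True


def page_arithmetic(syns_in_one_second):
    """The page's worked case: threshold 2000, alarm 1000. Returns (passed, proxied, alarmed)."""
    p = SynProxy(threshold=2000, queue_size=20000, timeout=20, alarm=1000)
    # spoofed sources never ACK, so every proxied entry stays half-open within the second
    results = [p.syn(100.0 + i / 10000, "spoofed", i) for i in range(syns_in_one_second)]
    return results.count("pass"), results.count("proxy"), bool(p.alarms)


if __name__ == "__main__":
    print("3000 SYN/s:", page_arithmetic(3000))   # (2000, 1000, False)
    print("3001 SYN/s:", page_arithmetic(3001))   # (2000, 1001, True)
```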
Route Table Configuration
The route table provides information that helps the NetScreen device direct traffic to different interfaces and subnets. You need to define static routes for conditions such as the following:
· If the Trusted interface is on a subnet with more than one router leading to other subnets, you must define static routes that specify which router to use when forwarding traffic destined for those subnets.
· If the Untrusted interface is on a subnet with more than one router leading to multiple Internet connections, you must define static routes that specify which router to use for forwarding traffic to specific ISPs.
· You must define static routes that direct management traffic originating from the device itself (as opposed to user traffic traversing the firewall). For example, you need to define static routes directing syslog, SNMP, OneSecure, and WebTrends messages to the administrator's address, authentication requests to the RADIUS, SecurID, and LDAP servers, and URL checks to the Websense server.
Note: When the NetScreen device is in Transparent mode, you must define a static route for management traffic from the device even if the destination is on the same subnet as the device. This route is necessary to define the interface through which to send traffic.
In the following example, a NetScreen-100 operating in NAT mode protects a multilevel network. There is both local and remote management (via NetScreen-Global Manager and Global Pro). SNMP traps and syslog reports are sent to the local administrator, located on the Trusted network, while NetScreen-Global PRO reports are sent to the remote administrator, located on the Untrusted network. A SecurID server on the DMZ is used to authenticate users, and a Websense server on the Trusted side performs URL blocking.
There must be statements in the NetScreen-100 route table specifying the destination network address and subnet mask, and the gateway IP address and interface through which the NetScreen-100 directs traffic to the following destinations:
1. Default gateway to the Internet
2. Remote administrator in the 3.3.3.0/24 subnet
3. The Trusted 10.10.0.0/16 subnet
4. The Trusted 10.20.0.0/16 subnet
5. The Trusted 10.30.1.0/24 subnet
6. The DMZ 2.2.40.0/24 subnet
7. The DMZ 2.20.0.0/16 subnet
Note: The following example assumes that you have already configured the Untrusted, DMZ, and Trusted interfaces as 2.2.2.1/24, 2.2.10.1/24, and 10.1.1.1/24 respectively.
1. Interface >> Untrusted >> Edit: Enter the following to create the Untrusted default gateway, and then click Save and Reset:
2. Configure >> Route Table >> New Entry: Enter the following to direct system reports generated by the NetScreen-100 to remote management, and then click Apply:
Gateway IP Address: 2.2.2.3
3. Configure >> Route Table >> New Entry: Enter the following, and then click Apply:
Network Address: 10.10.0.0
Gateway IP Address: 10.1.1.2
4. Configure >> Route Table >> New Entry: Enter the following, and then click Apply:
Network Address: 10.20.0.0
Gateway IP Address: 10.1.1.3
5. Configure >> Route Table >> New Entry: Enter the following, and then click Apply:
Network Address: 10.30.1.0
Gateway IP Address: 10.1.1.4
6. Configure >> Route Table >> New Entry: Enter the following, and then click Apply:
Network Address: 2.2.40.0
Gateway IP Address: 2.2.10.2
7. Configure >> Route Table >> New Entry: Enter the following, and then click Apply:
Network Address: 2.20.0.0
Gateway IP Address: 2.2.10.3
Note: To modify a route table entry, click Edit under the Configure section for the entry you want to modify. The Route Table Configuration dialog box for that entry opens. Make your changes and click Apply. To remove an entry, click Remove. A System Message appears prompting you to confirm the removal. Click Yes to proceed, or No to cancel the action.
1. set interface untrust gateway 2.2.2.2
2. set route 3.3.3.0 255.255.255.0 interface untrust gateway 2.2.2.3
3. set route 10.10.0.0 255.255.0.0 interface trust gateway 10.1.1.2
4. set route 10.20.0.0 255.255.0.0 interface trust gateway 10.1.1.3
5. set route 10.30.1.0 255.255.255.0 interface trust gateway 10.1.1.4
6. set route 2.2.40.0 255.255.255.0 interface dmz gateway 2.2.10.2
7. set route 2.20.0.0 255.255.0.0 interface dmz gateway 2.2.10.3
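To check which interface and gateway the table above selects for a given destination, here is an added longest-prefix-match lookup that parses the seven CLI lines and the interface addresses from the note. It is an illustration written for this page, not NetScreen code; the reverse-path source check at the end is an assumption that reads the IP Spoofing defence described earlier more strictly than the page's wording.

```python
# Added illustration: longest-prefix-match lookup over the route table built in this
# example, parsed from the page's own CLI lines. Not NetScreen code; the reverse-path
# source check at the end is an assumption, stricter than the page's wording.
import ipaddress

# The page's CLI commands for the NetScreen-100 example.
PAGE_CLI = """
set interface untrust gateway 2.2.2.2
set route 3.3.3.0 255.255.255.0 interface untrust gateway 2.2.2.3
set route 10.10.0.0 255.255.0.0 interface trust gateway 10.1.1.2
set route 10.20.0.0 255.255.0.0 interface trust gateway 10.1.1.3
set route 10.30.1.0 255.255.255.0 interface trust gateway 10.1.1.4
set route 2.2.40.0 255.255.255.0 interface dmz gateway 2.2.10.2
set route 2.20.0.0 255.255.0.0 interface dmz gateway 2.2.10.3
"""

# Interface addresses from the page's note (directly connected networks, no gateway).
INTERFACES = {"untrust": "2.2.2.1/24", "dmz": "2.2.10.1/24", "trust": "10.1.1.1/24"}


def build_table(cli_text=PAGE_CLI, interfaces=INTERFACES):
    """Return a list of (network, interface, gateway); gateway is None for connected routes."""
    table = [(ipaddress.ip_interface(addr).network, name, None)
             for name, addr in interfaces.items()]
    for line in cli_text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["set", "route"]:
            # 'set route <net> <mask> interface <if> gateway <gw>'
            table.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[5], tok[7]))
        elif tok[:4] == ["set", "interface", "untrust", "gateway"]:
            table.append((ipaddress.ip_network("0.0.0.0/0"), "untrust", tok[4]))  # default
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching network wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def source_allowed(table, src, ingress):
    """Assumed reverse-path check for the IP Spoofing defence: a packet is accepted only
    if its source address routes back out through the interface it arrived on."""
    route = lookup(table, src)
    return route is not None and route[0] == ingress


if __name__ == "__main__":
    t = build_table()
    for dst in ("10.20.5.5", "2.2.40.9", "3.3.3.7", "198.51.100.1", "10.1.1.77"):
        print(f"{dst:14s} -> {lookup(t, dst)}")
    print("10.10.1.5 arriving on untrust:", source_allowed(t, "10.10.1.5", "untrust"))
```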
Domain Name System Support
The NetScreen device incorporates Domain Name System (DNS) support allowing you to use domain names as well as IP addresses for identifying locations. A DNS server keeps a table of the IP addresses associated with domain names. Using DNS makes it possible to reference locations by domain name (such as www.netscreen.com) in addition to using the routable IP address, which for www.netscreen.com is 209.125.148.135. DNS translation is supported in all the following programs:
· NetScreen Global-Manager
Before you can use DNS for domain name/address resolution, you must enter the addresses for DNS servers (the primary and secondary DNS servers) in the NetScreen device.
Note: When enabling the NetScreen-5 or -10 as a Dynamic Host Control Protocol server (see "DHCP" on page 8107), you must also enter the IP addresses for DNS servers in the DHCP page on the WebUI or through the set dhcp command in the CLI.
When the NetScreen device connects to the DNS server to resolve a domain name/IP address mapping, it stores that entry in its DNS status table. Some details involved in a DNS lookup follow:
· In the WebUI, the DNS lookup is performed as soon as you press Apply or OK on a page that supports DNS. In the CLI, the DNS lookup occurs when you enter a command that supports DNS.
· When a DNS lookup returns multiple entries, the address book accepts all entries. The other programs listed above accept only the first one.
· The NetScreen device reinstalls all Access Policies if it finds that anything in the domain name table has changed when you refresh a lookup using the Refresh Now button in the WebUI or enter the exec dns refresh CLI command.
· If a DNS server fails, the NetScreen device looks up everything again.
· If a lookup fails, the NetScreen device removes it from the cache table.
· If the domain name lookup fails when adding addresses to the address book, the NetScreen device displays an error message and prompts you to choose to continue adding the entry to the address book or not.
The NetScreen device must do a new lookup once a day, which you can schedule the NetScreen device to do at a specified time:
Configure >> DNS: Enter the following, and then click Apply:
Lookup DNS every day at: Select check box and enter time <hh:mm>
1. set dns host schedule <hh:mm>
The DNS status table reports all the domain names looked up, their corresponding IP addresses, whether the lookup was successful, and when the domain name/IP address was last resolved. The report format looks like the example below:
Domain Name      IP Addresses                                                  Last Resolved
www.yahoo.com    204.71.200.74, 204.71.200.75, 204.71.200.67, 204.71.200.68    8/13/2000 16:45:33
www.hotbot.com   209.185.151.28, 209.185.151.210, 216.32.228.18                8/13/2000 16:45:38
Example: Defining DNS Server Addresses and Scheduling Lookups
To implement DNS functionality, the IP addresses for the DNS servers at 24.0.0.3 and 24.1.64.38 are entered in the NetScreen-5, protecting a single host in a home office. The NetScreen-5 is scheduled to refresh the DNS settings stored in its DNS status table every day at 11:00 P.M.
Configure >> DNS: Enter the following, and then click Apply:
Primary DNS Server: 24.0.0.3
Secondary DNS Server: 24.1.64.38
Lookup DNS every day at: 23:00
1. set dns host dns1 24.0.0.3
2. set dns host dns2 24.1.64.38
3. set dns host schedule 23:00
Dynamic Host Control Protocol (DHCP) was designed to reduce the demands on network administrators by automatically assigning the TCP/IP settings for the hosts on a network. Instead of requiring administrators to assign, configure, track, and change (when necessary) all the TCP/IP settings for every machine on a network, DHCP does it all automatically. Furthermore, DHCP ensures that duplicate addresses are not used, reassigns unused addresses, and automatically assigns IP addresses appropriate for the subnet on which a host is connected.
Both the NetScreen-5 and -10 can act as a DHCP client, receiving a dynamically assigned IP address for the Untrusted interface from an ISP. The NetScreen-5 and -10 can also act as a DHCP server, allocating dynamic IP addresses to hosts, acting as DHCP clients, on the Trusted network.
Note: While using DHCP to assign addresses to hosts on the Trusted network such as workstations and printers, you can still use fixed IP addresses for other machines such as mail servers and WINS servers.
DHCP consists of two components: a protocol for delivering host-specific TCP/IP configuration settings and a mechanism for allocating IP addresses. The NetScreen device provides the following TCP/IP settings to each host when that host boots up:
· Default gateway IP address of the router (if there is one) that connects to the Trusted interface.
· The IP addresses of the following servers:
- WINS servers (2): A Windows Internet Naming Service (WINS) server maps a NetBIOS name used in a Windows NT network environment to an IP address used on an IP-based network.
- DNS servers (3): A Domain Name System (DNS) server maps a uniform resource locator (URL) to an IP address.
- SMTP server (1): A Simple Mail Transfer Protocol (SMTP) server delivers SMTP messages to a mail server, such as a POP3 server, which stores the incoming mail.
- POP3 server (1): A Post Office Protocol version 3 (POP3) server stores incoming mail. A POP3 server must work conjointly with an SMTP server.
- News server (1): A news server receives and stores postings for news groups.
Note: If a DHCP client to which the NetScreen device is passing the above parameters has a specified IP address, that address overrides all the dynamic information received from the DHCP server.
When using DHCP, a NetScreen device allocates IP addresses and subnet masks in two modes:
· In Dynamic mode, the NetScreen device, acting as a DHCP server, assigns (or "leases") an IP address from an address pool to a host, acting as a DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address. (To define an unlimited lease period, enter 0.)
· In Reserved mode, the NetScreen device assigns a designated IP address from an address pool exclusively to a specific client every time that client goes online.
Note: The NetScreen device saves every IP address assigned through DHCP in flash memory. Consequently, rebooting the NetScreen device does not affect address assignments.
Example: NetScreen-10 as DHCP Server
Using DHCP, the Trusted network behind a NetScreen-10 is sectioned into three IP address pools. All IP addresses are assigned dynamically, except for two workstations that have reserved IP addresses, and four servers that have static IP addresses. The NetScreen-10 is operating in NAT mode. The domain name is dynamic.com.
1. Address >> Trust >> New Address: Enter the following, and then click OK:
IP Address/Domain Name: 172.16.10.240
Comment: Primary DNS Server
2. Address >> Trust >> New Address: Enter the following, and then click OK:
IP Address/Domain Name: 172.16.10.241
Comment: Secondary DNS Server
3. Address >> Trust >> New Address: Enter the following, and then click OK:
IP Address/Domain Name: 172.16.10.25
4. Address >> Trust >> New Address: Enter the following, and then click OK:
IP Address/Domain Name: 172.16.10.110
5. Admin >> DHCP: Enter the following information, and then click Apply:
Enable DHCP Server: (select)
Lease: Unlimited (select)
6. Admin >> DHCP >> New Address: Enter the following, and then click OK:
IP Address Start: 172.16.10.10
IP Address End: 172.16.10.19
7. Admin >> DHCP >> New Address: Enter the following, and then click OK:
IP Address Start: 172.16.10.120
IP Address End: 172.16.10.129
8. Admin >> DHCP >> New Address: Enter the following, and then click OK:
IP Address Start: 172.16.10.210
IP Address End: 172.16.10.219
9. Admin >> DHCP >> New Address: Enter the following, and then click OK:
Ethernet Address: 1234 abcd 5678
10. Admin >> DHCP >> New Address: Enter the following, and then click OK:
IP Address: 172.16.10.112
Ethernet Address: abcd 1234 efgh
1. set address trust dns#1 172.16.10.240 255.255.255.255 "primary dns server"
2. set address trust dns#2 172.16.10.241 255.255.255.255 "secondary dns server"
3. set address trust snmp 172.16.10.25 255.255.255.255 "snmp server"
4. set address trust pop3 172.16.10.110 255.255.255.255 "pop3 server"
5. set dhcp server service
6. set dhcp server option domainname dynamic.com
7. set dhcp server option lease 0
8. set dhcp server option netmask 255.255.255.0
9. set dhcp server option dns1 172.16.10.240
10. set dhcp server option dns2 172.16.10.241
11. set dhcp server option smtp 172.16.10.25
12. set dhcp server option pop3 172.16.10.110
13. set dhcp server ip 172.16.10.10 to 172.16.10.19
14. set dhcp server ip 172.16.10.120 to 172.16.10.129
15. set dhcp server ip 172.16.10.210 to 172.16.10.219
16. set dhcp server ip 172.16.10.11 mac 1234abcd5678
17. set dhcp server ip 172.16.10.112 mac abcd1234efgh
Example: NetScreen-5 as DHCP Client
The Untrusted interface of the NetScreen-5 has a dynamically assigned IP address. When the NetScreen-5 requests its IP address from its ISP, it receives its IP address, subnet mask, gateway IP address, and the length of its lease on the address. The IP address of the DHCP server is 222.33.44.55.
Note: Before setting up a site for DHCP service, you must have the following:
· Digital subscriber line (DSL) modem and line
Interface >> Untrust >> Edit: Select Obtain IP using DHCP, and then click Save and Reset.
1. set interface untrust dhcp
2. set dhcp client server 222.33.44.55
Point-to-Point Protocol over Ethernet (PPPoE) is a protocol that allows the members of an Ethernet LAN to make individual PPP connections with their ISP by encapsulating the IP packet within the PPP payload, which is encapsulated inside the PPPoE payload.
The NetScreen-5 supports PPPoE, allowing it to operate compatibly on DSL, Ethernet Direct, and cable networks run by ISPs using PPPoE for their clients' Internet access.
Example: Setting Up PPPoE
The following example illustrates how to define the Untrusted interface of the NetScreen-5 for PPPoE connections, and how to initiate PPPoE service.
In this example, the NetScreen-5 receives a dynamically assigned IP address for its Untrusted interface from the ISP, and the NetScreen-5 also dynamically assigns IP addresses for the three hosts on its Trusted side. In this case, the NetScreen-5 acts both as a PPPoE client and DHCP server. The NetScreen-5 must be in either NAT mode or Route mode.
Before setting up the site in this example for PPPoE service, you must have the following:
· Digital subscriber line (DSL) modem and line
· User name and password (obtained from the ISP)
1. Interface >> Trusted >> Edit: Enter the following, and then click Save:
Subnet Mask: 255.255.255.0
2. Interface >> Untrusted >> Edit: Enter the following:
Obtain IP using PPPoE (select)
3. Interface >> Untrusted >> Edit: To test your PPPoE connection, click Connect.
Note: When you initiate a PPPoE connection, your ISP automatically provides the IP addresses for the Untrusted interface and the IP addresses for the Domain Name Service (DNS) servers. If you use a static IP address for the Untrusted interface, you must obtain the DNS servers' IP addresses and then manually enter them on the NetScreen-5 and on the Trusted hosts.
4. Admin >> DHCP: Enter the following, and then click Apply:
Enable DHCP Server (select)
Domain Name: (leave blank)
5. Admin >> DHCP >> New Address: Enter the following, and then click OK:
IP Address Start: 172.16.30.2
IP Address End: 172.16.30.5
6. Turn off the power to the DSL modem, the NetScreen-5, and the three workstations.
7. Turn on the DSL modem.
8. Turn on the NetScreen-5.
The NetScreen-5 makes a PPPoE connection to the ISP and, through the ISP, gets the IP addresses for the DNS servers.
9. Turn on the workstations.
The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection.
Note: When you use DHCP to assign IP addresses to hosts on the Trusted side, the NetScreen-5 automatically forwards the IP addresses of the DNS servers that it receives from the ISP to the Trusted hosts.
If the IP addresses for the hosts are not dynamically assigned through DHCP, you must manually enter the IP addresses for the DNS servers on each host.
Every TCP/IP connection that a Trusted host makes to the Untrusted side automatically goes through the PPPoE encapsulation process.
1. set interface trust ip 172.16.30.10 255.255.255.0
2. set pppoe interface untrust
3. set pppoe username <name> password <password>
4. To test your PPPoE connection:
5. set dhcp server service
6. set dhcp server ip 172.16.30.2 to 172.16.30.5
7. set dhcp server option lease 60
9. Turn off the power to the DSL modem, the NetScreen-5, and the three workstations.
10. Turn on the DSL modem.
11. Turn on the NetScreen-5.
12. Turn on the workstations.
The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection.
Every TCP/IP connection that a Trusted host makes to the Untrusted side automatically goes through the PPPoE encapsulation process.
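As an added example (not from the NetScreen manual), the following Python script assembles the CLI commands of the PPPoE and DHCP procedure above and checks the DHCP pool against the Trusted interface subnet before emitting anything: the pool must lie inside that subnet, must not hand out the interface, network or broadcast address, and must stay within the 255-address limit that applies to an address pool. The parameter values mirror the example; the ISP username and password are placeholders, and `validate_dhcp_pool` and `pppoe_dhcp_commands` are names chosen here.

```python
import ipaddress

# Constructed parameters mirroring the manual's example; the username and
# password used later are placeholders, not real credentials.
TRUST_IP = "172.16.30.10"
TRUST_MASK = "255.255.255.0"
POOL_START = "172.16.30.2"
POOL_END = "172.16.30.5"
LEASE_MINUTES = 60
MAX_POOL_SIZE = 255  # an address pool holds at most 255 addresses


def validate_dhcp_pool(iface_ip, mask, start, end, max_size=MAX_POOL_SIZE):
    """Return a list of problems with a DHCP address pool (empty means usable).

    The pool must lie inside the Trusted interface's subnet, must not hand out
    the interface, network or broadcast address, and must not exceed max_size.
    """
    problems = []
    net = ipaddress.ip_network(f"{iface_ip}/{mask}", strict=False)
    iface = ipaddress.ip_address(iface_ip)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        problems.append("pool end precedes pool start")
    for label, addr in (("start", first), ("end", last)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"pool {label} {addr} is the network or broadcast address")
    if first <= iface <= last:
        problems.append(f"interface address {iface} lies inside the pool")
    size = int(last) - int(first) + 1
    if size > max_size:
        problems.append(f"pool holds {size} addresses, limit is {max_size}")
    return problems


def pppoe_dhcp_commands(iface_ip, mask, username, password, start, end, lease):
    """Emit the CLI steps of the procedure, refusing to emit a broken pool."""
    problems = validate_dhcp_pool(iface_ip, mask, start, end)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"set interface trust ip {iface_ip} {mask}",
        "set pppoe interface untrust",
        # the generated script carries the ISP password: keep it out of shared storage
        f"set pppoe username {username} password {password}",
        "set dhcp server service",
        f"set dhcp server ip {start} to {end}",
        f"set dhcp server option lease {lease}",
    ]


if __name__ == "__main__":
    for line in pppoe_dhcp_commands(TRUST_IP, TRUST_MASK, "ISP-USER", "ISP-PASS",
                                    POOL_START, POOL_END, LEASE_MINUTES):
        print(line)
```

The validator is deliberately separate from the command builder so it can also be run against a pool typed into the WebUI dialog; a pool that overlaps the interface address or spills outside the subnet produces hosts that cannot reach the firewall at all.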
URL Filtering Configuration
NetScreen URL filtering features the Websense Enterprise Engine, which enables you to block or permit access to different sites based on their URLs, domain names, and IP addresses. With the Websense API built directly into the NetScreen firewall, the NetScreen device creates a direct link to a Websense URL-blocking server, running on either Microsoft Windows NT 4.0 or Solaris 2.5 or 2.6.
Using Websense Manager, the NetScreen administrator can do the following:
· Alter the URL-blocking database to block or allow access to any sites they choose
· Schedule different URL filtering profiles for different times of the day
· Download Websense Reporter logs of blocked or viewed URLs
Note: For additional information about Websense, visit www.websense.com.
To specify URL filtering options:
Configure >> URL Filtering: Enter the following information, and then click Apply:
Enable URL Filtering via Websense Server: (select)
Websense Server Name: The IP address of the computer running the Websense server.
Websense Server Port: The default port for Websense is 15868. If you have changed the default port on the Websense server, you must also change it on the NetScreen device. Please see your Websense documentation for full details.
Communication Timeout: The time interval, in seconds, that the NetScreen device waits for a response from the Websense filter. If Websense does not respond within the time interval, the NetScreen device will ultimately block the request.
Current Server Status: The NetScreen device reports the status of the Websense server.
URL Block Return Message: This is the message the NetScreen device returns to the user after blocking the site. You can use the message sent from the Websense server, or create a message (up to 220 characters) to be sent from the NetScreen device.
set url config {enable | disable}
set url server {<domain_name> | <a.b.c.d>} <port_number> <timeout_value>
Note: See the NetScreen CLI Reference Guide for an explanation of the set url arguments, plus examples and related commands.
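The timeout behaviour described above is the security-relevant detail of this feature: when the filter server does not answer within the interval, the device blocks the request, so it fails closed rather than open. The Python below is an added example, not NetScreen or Websense code. It uses a constructed line-oriented stand-in protocol with a local stub server (the real Websense protocol is not described on this page) to show a client that treats a timeout, a refused connection and a malformed answer all as BLOCK, together with a helper that checks the arguments of the `set url` commands shown above (default port 15868, block message of at most 220 characters); `start_stub_filter`, `filter_decision` and `url_filter_commands` are names chosen here.

```python
import socket
import threading
import time

WEBSENSE_DEFAULT_PORT = 15868   # default port given in the manual
MAX_BLOCK_MESSAGE = 220         # longest block message the device sends


def url_filter_commands(server, port=WEBSENSE_DEFAULT_PORT, timeout=10, block_message=None):
    """Check the arguments of the CLI commands shown above and return them."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    if timeout <= 0:
        raise ValueError("timeout must be positive")
    if block_message is not None and len(block_message) > MAX_BLOCK_MESSAGE:
        raise ValueError(f"block message longer than {MAX_BLOCK_MESSAGE} characters")
    return ["set url config enable", f"set url server {server} {port} {timeout}"]


def start_stub_filter(blocked_prefixes, hang=False):
    """Constructed stand-in for a URL-blocking server: reads one URL per
    connection and answers ALLOW or BLOCK; with hang=True it never answers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if hang:
                    time.sleep(2)   # simulate an unresponsive filter server
                    continue
                url = conn.makefile("rb").readline().strip().decode(errors="replace")
                verdict = "BLOCK" if url.startswith(tuple(blocked_prefixes)) else "ALLOW"
                conn.sendall(verdict.encode() + b"\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def filter_decision(server_addr, url, timeout):
    """Ask the filter about url and return (verdict, reason). Anything other
    than a clean ALLOW/BLOCK answer within timeout seconds is treated as BLOCK."""
    try:
        with socket.create_connection(server_addr, timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(url.encode() + b"\n")
            reply = b""
            while not reply.endswith(b"\n"):
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError as exc:            # socket.timeout is a subclass of OSError
        return "BLOCK", f"fail closed: {type(exc).__name__}"
    verdict = reply.strip().decode(errors="replace")
    if verdict not in ("ALLOW", "BLOCK"):
        return "BLOCK", "fail closed: malformed reply"
    return verdict, "server verdict"


if __name__ == "__main__":
    addr = start_stub_filter(["http://bad.example/"])
    print(filter_decision(addr, "http://www.example.com/", 1.0))
    print(filter_decision(addr, "http://bad.example/page", 1.0))
    print(filter_decision(start_stub_filter([], hang=True), "http://www.example.com/", 0.3))
```

The reason string is returned alongside the verdict because, operationally, a burst of "fail closed" decisions is what tells you the filter server is down (or the Communication Timeout is set too low), whereas a BLOCK with "server verdict" is policy working as intended.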
Downloading/Uploading Settings and Software
You can upload and download configuration settings and software to and from a NetScreen device. The kinds of locations that you upload from and download to depend on whether you use the WebUI or the CLI to perform the operation. Using the WebUI and Web browser support, you can upload and download configuration settings and upload ScreenOS software from any local directory. Through the CLI, you can upload and download settings and software from and to a TFTP server or PCMCIA card.
Saving and Importing Settings
It is good practice to back up your settings after every significant change you make. Through the WebUI, you can download the configuration to any local directory as a backup precaution. Through the CLI, you can download the configuration to a TFTP server or PCMCIA card (NetScreen-10, -100, and -1000). Should you need the saved backup configuration, you can then simply upload it to the NetScreen device.
The ability to download and upload a configuration also provides the means for mass distribution of configuration templates.
To download a configuration:
1. Admin >> Settings: Click Download Configuration.
2. Browse to the location where you want to keep the configuration file, and then click Save.
save config to {tftp <a.b.c.d>| slot} <filename>
Note: On the NetScreen-1000, you must specify slot 1 or slot 2.
To upload a configuration:
Admin >> Settings: Specify the file name and location, and then click Apply:
Configure Script Upload: Type the configuration file location. Click Browse and navigate to the file location, select the file, and then click Open.
save config from {tftp <a.b.c.d>| slot} <filename>
Note: On the NetScreen-1000, you must specify slot 1 or slot 2.
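A backup taken after every change is only useful if you can tell what differs between the saved file and what the device runs now, and if the copy you keep does not leak the secrets in it. The Python below is an added example, not a NetScreen tool: it compares two saved configurations made up of `set ...` lines (the sample text is constructed from commands on this page, with placeholder credentials and key), reports the lines added and removed, flags changes to lines that carry a password or software key, and redacts those values before a backup is stored somewhere shared. `parse_config`, `diff_configs`, `sensitive_changes` and `redact` are names chosen here.

```python
import re

# Constructed sample: a backup taken earlier and the configuration saved today.
BACKUP = """\
set interface trust ip 172.16.30.10 255.255.255.0
set pppoe interface untrust
set pppoe username ISP-USER password OLD-PASS
set dhcp server service
set dhcp server ip 172.16.30.2 to 172.16.30.5
set dhcp server option lease 60
set url config enable
set url server 10.1.1.5 15868 10
"""

CURRENT = """\
set interface trust ip 172.16.30.10 255.255.255.0
set pppoe interface untrust
set pppoe username ISP-USER password NEW-PASS
set dhcp server service
set dhcp server ip 172.16.30.2 to 172.16.30.5
set dhcp server option lease 120
set url config disable
set software-key capacity PLACEHOLDER-KEY
"""

# Lines whose change deserves a second look: credentials and licence keys.
SENSITIVE = re.compile(r"\b(password|software-key)\b")


def parse_config(text):
    """Return the set of normalised 'set ...' lines; blank and '#' lines are skipped.
    A set loses ordering, which is fine for drift detection but not for policy order."""
    lines = set()
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if line and not line.startswith("#"):
            lines.add(line)
    return lines


def diff_configs(backup_text, current_text):
    """Lines present only in the current configuration, and only in the backup."""
    old, new = parse_config(backup_text), parse_config(current_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def sensitive_changes(diff):
    """Changed lines that carry a password or software key."""
    return [line for line in diff["added"] + diff["removed"] if SENSITIVE.search(line)]


def redact(text):
    """Mask the secret that follows 'password' or 'software-key <type>'."""
    return re.sub(r"(password|software-key \S+) \S+", r"\1 <redacted>", text)


if __name__ == "__main__":
    d = diff_configs(BACKUP, CURRENT)
    for kind in ("added", "removed"):
        for line in d[kind]:
            print(f"{kind:>7}: {redact(line)}")
    print("review:", [redact(line) for line in sensitive_changes(d)])
```

Run it against the file you downloaded before a change and the one you download after it; an unexpected entry in the output (a password line you did not change, a new software key) is the signal that someone else has been on the device.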
Uploading and Downloading Software
When the NetScreen ScreenOS operating system is updated, a customer can purchase and upload it to their NetScreen device. Through the WebUI, you can upload software from a local directory. Through the CLI, you can upload the software from a TFTP server or PCMCIA card (NetScreen-10, -100, and -1000), and you can download software to a TFTP server.
Note: After the software is upgraded, the NetScreen device reboots. This process takes a few minutes.
Configure >> General: Specify the file name and location, and then click Apply:
Software Update: Type the software file location. Click Browse and navigate to the file location, select the file, and then click Open.
save software from {tftp <a.b.c.d>| slot} <filename>
Note: On the NetScreen-1000, you must specify slot 1 or slot 2.
Through the CLI, you can also download software to a TFTP server, using the save command:
save software from flash to tftp <a.b.c.d> <filename>
The software key feature allows you to expand the capabilities of your NetScreen device without having to upgrade to a different device or system image. You can purchase a key that unlocks specified features already loaded in the software, such as the following:
Each NetScreen device ships with a standard set of features enabled and might support the activation of optional features or the increased capacity of existing features. For information regarding which features are currently available for upgrading, refer to the latest marketing literature from NetScreen.
Example: Expanding User Capacity
A small company using a single NetScreen-5 with a license for 10 users has grown to the point where it now needs an unrestricted user license. The NetScreen administrator expands the capabilities of the NetScreen-5 by obtaining a software key for an unrestricted number of users.
1. Contact the value-added reseller (VAR) who sold you the NetScreen device or contact NetScreen Technologies directly.
2. Provide the serial number of your device and state the feature option you want (in this example, an unrestricted user license).
A combination of the serial number, the feature keyword (vpn, capacity, vsys), and the feature option keyword (<number> or "unlimited" tunnels, users, users) is used to generate the software key (for example, 7e58e876ca050192). The key is then sent to you via e-mail.
3. Enter the key through either the WebUI or CLI:
Admin >> Software Key: Specify the path and file name, and then click Apply and Reset (see footnote 9):
Software Update: Type the software key file location. Click Browse and navigate to the software key file location, select the file, and then click Open.
set software-key {vpn | capacity | vsys} <key_value>
1 The NetScreen-5 default Access Policy denies all inbound traffic but allows all outbound traffic.
2 A Trojan horse is a program that, when surreptitiously installed on a computer, provides direct control of the computer to an outside party.
3 Because the NetScreen-1000 proxies all incoming SYN packets, setting a threshold is unnecessary.
4 When you set the interface IP addresses for a NetScreen device in NAT mode, the route table automatically creates static routes for traffic traversing the interfaces.
5 For each route table entry, there is also a metric statement of either 0 or 1. This parameter specifies the priority of the route; that is, when there are multiple route entries for the same subnet in the route table, the NetScreen device uses the one with the lowest metric value. When using the WebUI, all route table entries that are automatically created when you define the Trusted, Untrusted, or DMZ interface have a metric value of 0, and any user-defined routes have a metric value of 1. Although you cannot redefine this value through the WebUI, the CLI does allow you to set it.
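To make the metric rule concrete, here is an added Python example (written for this page, not NetScreen code) that selects a route the way the footnote describes: among entries that match the destination, the longest prefix wins first, and among entries for the same subnet the lowest metric wins. The route table is constructed; as the footnote states, automatically created interface routes carry metric 0 and user-defined routes metric 1. It goes one step beyond the footnote by showing that a more specific user-defined route still beats a less specific metric-0 route, because prefix length is compared before the metric. `best_route` and `explain` are names chosen here.

```python
import ipaddress

# Constructed route table: (prefix, gateway, interface, metric).
# Interface routes created automatically get metric 0; user-defined ones get 1.
ROUTES = [
    ("0.0.0.0/0",       "203.0.113.1",   "untrust", 1),  # user-defined default route
    ("172.16.30.0/24",  "0.0.0.0",       "trust",   0),  # auto-created from the Trusted interface
    ("172.16.30.0/24",  "172.16.30.254", "trust",   1),  # user-defined, same subnet: loses on metric
    ("172.16.30.64/26", "172.16.30.65",  "trust",   1),  # user-defined, more specific: wins on prefix
    ("203.0.113.0/24",  "0.0.0.0",       "untrust", 0),  # auto-created from the Untrusted interface
]


def best_route(routes, destination):
    """Longest prefix match first; ties on the same prefix broken by lowest metric.
    Returns the winning route tuple, or None when no entry matches."""
    dst = ipaddress.ip_address(destination)
    matching = [(ipaddress.ip_network(r[0]), r) for r in routes]
    matching = [(net, r) for net, r in matching if dst in net]
    if not matching:
        return None
    # Sort key: more specific prefix first (negated length), then lower metric.
    _, route = min(matching, key=lambda item: (-item[0].prefixlen, item[1][3]))
    return route


def explain(routes, destination):
    """Human-readable form of the selection, for checking a table by hand."""
    r = best_route(routes, destination)
    if r is None:
        return f"{destination}: no route"
    return f"{destination}: {r[0]} via {r[1]} on {r[2]} (metric {r[3]})"


if __name__ == "__main__":
    for dst in ("172.16.30.7", "172.16.30.70", "198.51.100.9"):
        print(explain(ROUTES, dst))
```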
6 The number in parentheses indicates the number of servers supported.
7 An address pool is a defined range of IP addresses within the same subnet from which the NetScreen device can draw DHCP address assignments. You can group up to 255 IP addresses in up to 64 address pools.
8 You cannot specify the IP address of the DHCP server through the WebUI; however, you can do so through the CLI. Also, through the CLI, you can schedule the NetScreen-5, -10, and -100 to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.
9 Through the CLI, you can schedule the NetScreen-5, -10, and -100 to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.