SRX Services Gateway
Contributor
Rohit

How can I block HTTPS website on juniper srx 100

Does someone know how to block HTTPS websites on Juniper SRX 100, like Facebook or Gmail chat? I spoke to the JTAC support team and they are denying it. Has anyone done it on SRX 100?

Distinguished Expert
aarseniev

Re: How can I block HTTPS website on juniper srx 100

Hello there,

You can do it in several ways:

1/ DNS doctoring (make your SRX return 127.0.0.1 for *.facebook.com) - SRX must be inline for DNS requests-replies

This will block HTTP and HTTPS access to Facebook, but I guess you don't need HTTP access to Facebook either?

2/ write an IDP policy which matches on SSL Client Hello extension "server_name" and sends a TCP RST if this extension contains "*.facebook.com"

3/ most crude method - write a prefix-list which contains Facebook prefixes (below is from a whois query I executed a few minutes ago)

Facebook, Inc. TFBNET2 (NET-69-63-176-0-1) 69.63.176.0 - 69.63.191.255

-- and block TCP port 443 outbound towards these prefixes, using an output FW filter.

As for Gmail chat, I guess blocking Gmail access altogether (which is over HTTPS anyway) should do:

Name: gmail.com
IP: 74.125.230.119, 74.125.230.117, 74.125.230.118, 74.125.230.120
HTH

Rgds

Alex
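To show what method 2 above actually keys on, here is an added example (not from the thread or from Junos) that parses the server_name extension out of a TLS ClientHello and applies a block decision the way an IDP rule would. The ClientHello bytes are constructed inline for testing; the blocked domain list is a placeholder.

```python
import struct
from typing import Optional

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension.
    Constructed test input only, not a capture from a real client."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random
            + b"\x00"                       # empty session_id
            + b"\x00\x02\x00\x2f"           # one cipher suite
            + b"\x01\x00"                   # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:          # handshake record, client_hello
            return None
        pos = 9 + 2 + 32                                    # headers + version + random
        pos += 1 + record[pos]                              # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0] # cipher_suites
        pos += 1 + record[pos]                              # compression_methods
        if pos + 2 > len(record):
            return None                                     # no extensions block
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == 0 and elen >= 5 and record[pos + 2] == 0:  # server_name, host_name type
                nlen = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None
    return None

def should_reset(record: bytes, blocked_domains) -> bool:
    """Block decision: the named host is a blocked domain or one of its subdomains.
    Suffix matching avoids the '*.facebook.com' pattern missing the bare domain."""
    name = extract_sni(record)
    if name is None:
        return False                  # no SNI: the rule cannot match, traffic passes
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked_domains)
```

A ClientHello without SNI (or a client that sends it encrypted) is invisible to this check, which is why the prefix-list method is offered as a fallback.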
Contributor
AidanOS

Re: How can I block HTTPS website on juniper srx 100


aarseniev wrote:

1/ DNS doctoring (make your SRX return 127.0.0.1 for *.facebook.com) - SRX must be inline for DNS requests-replies

This will block HTTP and HTTPS access to Facebook, but I guess you don't need HTTP access to Facebook either?


Would you be able to provide a configuration example of DNS doctoring, aarseniev? Although the documentation alludes to such a feature, it doesn't give any instructions on configuring it.

Thanks.

Distinguished Expert
aarseniev

Re: How can I block HTTPS website on juniper srx 100

Sure

http://www.juniper.net/techpubs/en_US/junos10.1/information-products/topic-collections/release-notes...

DNS doctoring support—This feature is supported on all SRX Series and J Series devices.

Domain Name System (DNS) ALG functionality has been extended to support static NAT. You should configure static NAT for the DNS server first. Then if the DNS ALG is enabled, public-to-private and private-to-public static address translation can occur for A-records in DNS replies.

Basically, DNS doctoring is DNS ALG + static NAT for the DNS server IP and the IPs in A-record replies. DNS ALG is enabled by default; the only things to configure are the static NAT entries and the address-book entries.

Also, from 11.1 there are 2 additional knobs for DNS doctoring:

http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/release-notes...

The restoring/doctoring is performed in two parts:

    Packet sanity check
    NAT

The doctoring feature is disabled by using the two new CLI commands listed below:

    set security alg dns doctoring none – This command disables all the doctoring features.
    set security alg dns doctoring sanity-check – This command disables the NAT feature and retains the sanity-check feature.