SRX

  • 1.  SRX3400 Chassis Cluster Screen Option Configuration

    Posted 06-15-2013 03:57

    I have an SRX3400 chassis cluster with 2 zones, trust and untrust. I want to apply screen options, and as per Juniper documentation, screen options are deployed in vulnerable zones. Does anyone have some ideas or recommendations?

    If anyone has run across such a scenario and has some configuration, please share it.

    Thank you

    BR

    Haitham Jneid



  • 2.  RE: SRX3400 Chassis Cluster Screen Option Configuration

    Posted 06-15-2013 21:52

    You need to state exactly what you want to protect. There are many screen options. You indicated "want to apply screen option, and as per Juniper documentation"; what specifically are you concerned about?

    Here is a link with all the screens that can be applied, an explanation, and how to configure and apply the protection.

    https://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/id-68220.html#id-68220

    The configuration and application is like this:

    Define the screen:

    user@host# set security screen ids-option icmp-fragment icmp fragment

    Apply the screen to the zone where you expect the problems:

    user@host# set security zones security-zone zone screen icmp-fragment



  • 3.  RE: SRX3400 Chassis Cluster Screen Option Configuration

    Posted 06-16-2013 00:13

    Hi

    Thank you for your help.

    I know there are many screen options, but how do I decide which one to use and which one not to use?

    Let's say I want to protect the trust zone from the untrust zone (Internet).

    Should I enable all screens? Or some of them? How do I elaborate this?

    Thank you.

    Best Regards,

    Haitham Jneid



  • 4.  RE: SRX3400 Chassis Cluster Screen Option Configuration

    Posted 06-17-2013 06:44

    Jneid,

    You should not turn on all the screens blindly. First you need to assess which network threats are really critical, tune their screen-related parameters, and then finally enable them.

    If you are still interested in using all of them, use them with the alarm-without-drop parameter to ensure services are not affected. Then analyze the logs and decide which ones you want to keep. However, it is a hard way of doing it 🙂

    Moreover, the default screen pre-configured on every SRX box is a good starting point to achieve minimum security.

    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security zones security-zone untrust screen untrust-screen

    You can apply this screen (untrust-screen) on any zone.

    set security zones security-zone <zone-name> screen untrust-screen

    Regards

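    Following the workflow in the reply above (enable screens with alarm-without-drop, then analyze the logs before deciding which to keep), this added example, which is not from the thread and not Juniper code, aggregates screen syslog events by zone and attack type so the counts can drive that decision. The log lines are constructed in the style of Junos RT_SCREEN messages; the exact field layout is an assumption.

```python
import re

# Constructed sample lines modelled on Junos RT_SCREEN syslog messages (not captured from a real SRX).
SAMPLE_LOG = """\
Jun 20 10:15:02 srx3400 RT_IDS: RT_SCREEN_TCP: SYN flood! source: 203.0.113.5:41234, destination: 198.51.100.10:443, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
Jun 20 10:15:03 srx3400 RT_IDS: RT_SCREEN_TCP: SYN flood! source: 203.0.113.5:41235, destination: 198.51.100.10:443, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
Jun 20 10:16:11 srx3400 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 10.0.0.7:0, destination: 198.51.100.10:0, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
Jun 20 10:17:40 srx3400 RT_IDS: RT_SCREEN_ICMP: Ping of death! source: 203.0.113.9:0, destination: 198.51.100.10:0, zone name: untrust, interface name: reth0.0, action: drop
Jun 20 10:18:00 srx3400 RT_IDS: RT_SCREEN_TCP: SYN flood! source: 192.0.2.77:5555, destination: 198.51.100.10:443, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
"""

# Assumed message layout: "<family>: <attack>! source: a:p, destination: b:p, zone name: z, interface name: i, action: act"
SCREEN_RE = re.compile(
    r"(?P<family>RT_SCREEN_\w+): (?P<attack>[^!]+)! source: (?P<src>[^,]+), "
    r"destination: (?P<dst>[^,]+), zone name: (?P<zone>[^,]+), "
    r"interface name: (?P<ifname>[^,]+), action: (?P<action>[\w-]+)"
)

def parse_screen_events(text):
    """Return one dict per line that matches the screen message pattern; other syslog lines are ignored."""
    return [m.groupdict() for m in (SCREEN_RE.search(l) for l in text.splitlines()) if m]

def summarize(events):
    """Per (zone, attack): event count, distinct source addresses, and how many events actually dropped traffic."""
    summary = {}
    for e in events:
        s = summary.setdefault((e["zone"], e["attack"]), {"events": 0, "sources": set(), "dropped": 0})
        s["events"] += 1
        s["sources"].add(e["src"].rsplit(":", 1)[0])   # strip the port, keep the address
        if e["action"] == "drop":
            s["dropped"] += 1
    return summary

def alarm_only_screens(summary):
    """Screens that only alarmed (never dropped): these are the ones still in alarm-without-drop mode,
    i.e. the candidates to review, tune thresholds for, or switch to enforcing."""
    return sorted((zone, attack, s["events"], len(s["sources"]))
                  for (zone, attack), s in summary.items() if s["dropped"] == 0)

if __name__ == "__main__":
    summary = summarize(parse_screen_events(SAMPLE_LOG))
    for (zone, attack), s in sorted(summary.items()):
        print(f"{zone:8} {attack:16} events={s['events']:3} sources={len(s['sources']):3} dropped={s['dropped']}")
    print("alarm-only:", alarm_only_screens(summary))
```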


  • 5.  RE: SRX3400 Chassis Cluster Screen Option Configuration

    Posted 06-19-2013 03:58

    Hi Hafiz,

    Thank you for your help.

    The default screen option is already applied to the untrust zone as per Juniper documentation, right? Or should I apply it to the untrust zone once I create that zone?

    Analyzing the log will take so much time, and it's really very hard.

    I just want to focus on the types of attack that are most commonly used and protect against them.

    I am still confused about which screen to enable and which not. I don't want to do it blindly, because the more screens you enable, the more overhead you load on the SRX Series gateway. Moreover, some screens have default values that should sometimes be changed to a value that fits my network.

    Does anyone have an easy way of achieving this??? I want to protect the trust zone from the untrust zone (Internet), but in the meantime, there is no security policy that allows traffic from untrust to trust; only one security policy is there, which allows traffic from trust to untrust. Should I still use screen options???

    Thank you

    Best Regards,

    Haitham Jneid



  • 6.  RE: SRX3400 Chassis Cluster Screen Option Configuration
    Best Answer

    Posted 06-21-2013 04:23

    Hi Jneid,

    Sorry for the late reply.

    Yes, you are right, it is there by default; you can confirm it by checking the configuration. Read this KB:
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16618

    I personally use this screen (a modified version of the default screen):

    set security screen ids-option untrust-screen icmp ping-death

    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip bad-option
    set security screen ids-option untrust-screen ip block-frag
    set security screen ids-option untrust-screen ip spoofing
    set security screen ids-option untrust-screen ip tear-drop

    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20

    set security screen ids-option untrust-screen tcp syn-fin
    set security screen ids-option untrust-screen tcp fin-no-ack
    set security screen ids-option untrust-screen tcp tcp-no-flag
    set security screen ids-option untrust-screen tcp land
    set security screen ids-option untrust-screen tcp winnuke

    set security zones security-zone untrust screen untrust-screen

    However, keep an eye on the log as you apply it.

    Regards



  • 7.  RE: SRX3400 Chassis Cluster Screen Option Configuration

    Posted 06-21-2013 12:36

    Hi Hafiz,

    I really appreciate your support on this topic, but one more question if you please.

    What is the method you are using for logging? Could you please share the config?

    For sure, the recommended method is to log messages to a remote syslog server.

    Thank you,

    Best Regards,

    Haitham Jneid



  • 8.  RE: SRX3400 Chassis Cluster Screen Option Configuration

    Posted 06-17-2013 08:23

    Hello,

    If you would like to test the different protections that the ScreenOS-like features provide: as per my own testing, I can tell you that the features work really well. I tested them using different open-source tools; I can recommend BackTrack 5 since it has a lot of programs that you can use to test them. As they told you previously, you do not need to enable all of them blindly. Be sure of the amount of traffic that services or applications should be using; the amount of traffic expected for an LDAP server that 10 users access is not the same as for the call agent used by a company that has 12.000 users.

    Regards,

    Luis Sandi