Screen OS

  • 1.  Looking at the SSG5 and have some questions about VLANs, interoperability and IPS.

    Posted 09-27-2009 10:30

    Hello everyone,

     

    I'm looking into purchasing a new firewall for an SMB with some decent VLAN capabilities.  I know that some firewalls (like the Firebox Edge series) bridge the LAN ports together in hardware which limits the usefulness of the device.  Does the SSG5 do this?  If instead it only bridges via software, allowing me to treat each port individually, is the following VLAN configuration possible:

     

    Port 1 - WAN

    Port 2 - Switch (VLAN 100, 110)

    Port 3 - WAP (VLAN 100, 110, 120)

    Port 4 - WAP (VLAN 100, 110, 120)

     

    In this scenario VLAN 100 is our internal network and is bridged across all virtual interfaces.  VLAN 110 is our DMZ network and is bridged across all virtual interfaces.  VLAN 120 is our guest network and is not required to be bridged across all virtual interfaces.  All VLANs would only be able to access their own VLAN and the WAN.

     

    The WAPs would also be HP MSM access points.  I'm assuming that these will work together but unfortunately am not big enough to bring demo equipment in to test everything.  Furthermore, is there a restriction to how many VLANs can be transported across a trunk?

     

    The second question relates to the IPS service.  It seems like a little brother of the larger IDP boxes but I haven't been able to find any exact details on what it is capable of.  Is it able to apply simpler rule sets such as P2P to traffic filtering, for example? 

     

    Purchasing the extended license isn't an issue if that's what's necessary to make this work.  Thanks in advance for your feedback everyone!

     

    AidanOS

    Message Edited by AidanOS on 09-27-2009 11:33 AM


  • 2.  RE: Looking at the SSG5 and have some questions about VLANs, interoperability and IPS.
    Best Answer

    Posted 10-01-2009 03:20

    Hi,

     

    The default configuration is as follows:

    eth0/0 (port 1) configured as individual interface

    eth0/1 (port 2) configured as individual interface

    eth0/2 to eth0/6 (port 3 to 7) configured as bridge interface bgroup0

    But you can remove any physical port from the bridge group, and configure it as a standard network interface.

    The IDP capabilities on SSG are known as deep inspection.

    You can have more information about IDP/IPS capabilities in the "Concepts and Examples Guide - Attack Detection and Defense Mechanisms" available at the Juniper site: http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_AttackDetection.pdf



  • 3.  RE: Looking at the SSG5 and have some questions about VLANs, interoperability and IPS.

    Posted 10-03-2009 07:46

    Thanks for the information pkc.  I was reading through the documentation as well and it looks like VLANs within a zone (and as such I'm assuming across ports) can communicate with each other unless I enable intra-zone blocking.  Becoming increasingly impressed with this product so far.

     

    And thanks for providing the link to the DI documentation.  It gave me a much better overview than what I had been able to find so far.
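Added example (not posted by anyone in this thread): one way to express the asker's port 3 plan in ScreenOS CLI, building on the defaults described in post 2 (eth0/0 and eth0/1 individual, eth0/2 to eth0/6 in bgroup0) and the intra-zone blocking mentioned in post 3. The zone name "guest", the VLAN tags and all IP addresses are assumptions for illustration; the `#` lines are explanatory comments, not CLI input, and the same sub-interface pattern would be repeated for ports 2 and 4.

```screenos
# Take port 3 (ethernet0/2) out of the default bridge group so it can be
# configured as a standalone, VLAN-tagged interface (see post 2)
unset interface bgroup0 port ethernet0/2

# Port 1 is the untagged WAN uplink (assumed example address)
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.2/24

# One sub-interface per VLAN on the WAP port; each VLAN lands in its own zone,
# so VLAN 100 (internal), 110 (DMZ) and 120 (guest) are separated at layer 3
set interface ethernet0/2.1 tag 100 zone Trust
set interface ethernet0/2.1 ip 10.100.0.1/24
set interface ethernet0/2.2 tag 110 zone DMZ
set interface ethernet0/2.2 ip 10.110.0.1/24
set zone name guest
set interface ethernet0/2.3 tag 120 zone guest
set interface ethernet0/2.3 ip 10.120.0.1/24

# Intra-zone blocking (post 3): hosts in the same zone but on different
# interfaces need an explicit policy before they can reach each other
set zone Trust block
set zone DMZ block
set zone guest block

# Inter-zone traffic is denied unless a policy permits it, so these three
# policies give each VLAN access to the WAN and nothing else; tighten the
# "any any any" service/address match once the real hosts are known
set policy from Trust to Untrust any any any permit
set policy from DMZ to Untrust any any any permit
set policy from guest to Untrust any any any permit
```

Review the result with `get interface` and `get policy` to confirm that ethernet0/2 no longer appears under bgroup0 and that no policy permits traffic between the three VLAN zones.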