Juniper Security Associate (JNCIA-SEC) based on vSRX version 22.1R1.10


Juniper Security Associate (JNCIA-SEC) based on vSRX version 22.1R1.10 covers the concepts and configuration of the most important topics needed to deploy an SRX firewall in a network.


JNCIA-SEC Introduction
Juniper SRX series platforms and their security features are the topics discussed in this section.
Juniper SRX devices are classified by where they are deployed: LAN edge, data center, branch office and virtual environments (vSRX).
Juniper SRX is first of all a firewall, so it supports the features any vendor's firewall offers, such as traffic filtering, NAT and VPN, plus next-generation features such as user-based filtering, application firewall and UTM services like antivirus and antispam.
Understanding the SRX traffic flow is a prerequisite for troubleshooting connectivity through an SRX device.
The first packet of a new session is processed and forwarded differently from a packet that belongs to an existing session: the first packet goes through the full "first path" (screen checks, destination NAT, route lookup, zone and policy lookup, source NAT, session creation), while later packets only need a session-table match in the "fast path".
In this section we will discuss how a packet from a new session and a packet from an existing session are forwarded by a Juniper SRX device.
Junos Security Objects
Juniper SRX security zones let you assign networks with different security requirements to different zones, which is the prerequisite for controlling traffic between those networks.
It is also possible to control traffic from each zone to the SRX itself (host-inbound-traffic) and from the SRX to the zones, which is discussed further in this section.
The Juniper SRX address book holds the named address and address-set entries that policies reference for the different zones in the enterprise.
To configure a security policy on a Juniper SRX that controls traffic between zones, address book entries are used as the source and destination addresses.
Juniper SRX applications and application-set objects are the other object type required by security policies.
In other words, when you configure a security policy, the name of an application (Layer 4 protocol and ports) is required in addition to the source and destination addresses.
The source and destination addresses must already exist in the address book discussed in the previous section, and the application name must already exist in the list of predefined (junos-*) or custom applications.
Juniper SRX screen options detect and prevent attacks primarily at Layer 3 and Layer 4; among them the best-known are ICMP flood, UDP flood and TCP SYN flood.
A Juniper SRX screen is attached to a zone and is the first check applied to traffic arriving on that zone's interfaces, for both first packets of new sessions and packets belonging to existing sessions.
Security Policies
The Juniper SRX security policy is the main mechanism by which the SRX controls traffic between zones.
Unlike a firewall filter, a security policy is stateful: you only have to permit traffic from the initiating zone to the destination zone, and the return traffic is automatically allowed because it matches an entry in the session table.
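The objects described above (zones, address book, applications, screen) come together in a security policy. The following is an added configuration example, not taken from the course, that builds a trust-to-untrust policy set on vSRX in set-command form; every interface name, prefix and object name in it is assumed.

```junos
# Added example (not from the course). Assumed: ge-0/0/0 faces untrust,
# ge-0/0/1 faces trust, LAN 192.168.10.0/24, resolver 192.0.2.53 (documentation range).

# 1. Zones: interfaces join a zone; host-inbound-traffic controls what the
#    SRX itself accepts from that zone (management plane, not transit traffic).
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# 2. Global address book (zone-attached books are the older alternative;
#    the two styles cannot be mixed on one device).
set security address-book global address LAN-USERS 192.168.10.0/24
set security address-book global address DNS-RESOLVER 192.0.2.53/32
set security address-book global address-set LAN address LAN-USERS

# 3. Applications: a custom TCP/8443 application plus predefined junos-* ones.
set applications application TCP-8443 protocol tcp
set applications application TCP-8443 destination-port 8443
set applications application-set WEB-APPS application junos-http
set applications application-set WEB-APPS application junos-https
set applications application-set WEB-APPS application TCP-8443

# 4. Screen: L3/L4 flood checks applied at ingress of the untrust zone.
#    Thresholds are packets per second and must be tuned to real traffic.
set security screen ids-option UNTRUST-SCREEN icmp flood threshold 1000
set security screen ids-option UNTRUST-SCREEN udp flood threshold 1000
set security screen ids-option UNTRUST-SCREEN tcp syn-flood attack-threshold 200
set security screen ids-option UNTRUST-SCREEN tcp syn-flood alarm-threshold 100
set security screen ids-option UNTRUST-SCREEN tcp syn-flood timeout 20
set security zones security-zone untrust screen UNTRUST-SCREEN

# 5. Security policies: stateful, evaluated top-down, first match wins.
#    Only the initiating direction is permitted; replies follow the session.
set security policies from-zone trust to-zone untrust policy ALLOW-DNS match source-address LAN
set security policies from-zone trust to-zone untrust policy ALLOW-DNS match destination-address DNS-RESOLVER
set security policies from-zone trust to-zone untrust policy ALLOW-DNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy ALLOW-DNS then permit
set security policies from-zone trust to-zone untrust policy ALLOW-WEB match source-address LAN
set security policies from-zone trust to-zone untrust policy ALLOW-WEB match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOW-WEB match application WEB-APPS
set security policies from-zone trust to-zone untrust policy ALLOW-WEB then permit
set security policies from-zone trust to-zone untrust policy ALLOW-WEB then log session-close
# Explicit deny with logging so dropped traffic shows up in syslog instead of
# silently hitting the default deny.
set security policies from-zone trust to-zone untrust policy DENY-REST match source-address any
set security policies from-zone trust to-zone untrust policy DENY-REST match destination-address any
set security policies from-zone trust to-zone untrust policy DENY-REST match application any
set security policies from-zone trust to-zone untrust policy DENY-REST then deny
set security policies from-zone trust to-zone untrust policy DENY-REST then log session-init
```

Note that there is no untrust-to-trust policy here: return packets of the permitted sessions are matched in the session table, so nothing has to be opened in the reverse direction. Check the result with `show security policies from-zone trust to-zone untrust` and `show security flow session` after generating some traffic.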
In this section we will learn how to configure a security policy; security policy monitoring is covered in its own section because of its importance.
Monitoring and troubleshooting security policies on a Juniper SRX device is critical, especially when a connection through the SRX is failing.
In this section we will learn five practical commands specifically for security policy monitoring and troubleshooting.
Juniper SRX global security policies let you write policies that are independent of zone pairs; a global policy can also be scoped to several zone pairs at once instead of being repeated for each pair.
It is important to notice that global policies are evaluated after the zone-pair policies and before the default deny-all policy, so a permit in a zone-pair policy still wins over a deny in a global policy.
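As an added example (not from the course) of the ordering just described, the following global policies sit between the zone-pair policies and the default policy; the zone names and the address-book entry DNS-RESOLVER are assumed to exist.

```junos
# Added example (not from the course). Assumed zones: trust, dmz, untrust;
# assumed global address-book entry: DNS-RESOLVER.

# A global policy with no zone match applies to every zone pair, including
# pairs that have no zone-pair policies at all.
set security policies global policy BLOCK-TELNET match source-address any
set security policies global policy BLOCK-TELNET match destination-address any
set security policies global policy BLOCK-TELNET match application junos-telnet
set security policies global policy BLOCK-TELNET then deny
set security policies global policy BLOCK-TELNET then log session-init

# Optional zone scoping: one global policy covering several from-zones.
set security policies global policy ALLOW-DNS-ALL match from-zone [ trust dmz ]
set security policies global policy ALLOW-DNS-ALL match to-zone untrust
set security policies global policy ALLOW-DNS-ALL match source-address any
set security policies global policy ALLOW-DNS-ALL match destination-address DNS-RESOLVER
set security policies global policy ALLOW-DNS-ALL match application junos-dns-udp
set security policies global policy ALLOW-DNS-ALL then permit

# The default policy is deny-all unless changed; it is always evaluated last.
set security policies default-policy deny-all
```

The caveat to remember: because zone-pair policies are evaluated first, a `from-zone trust to-zone untrust` policy that permits junos-telnet would match before BLOCK-TELNET ever sees the session. `show security policies global` lists the global policies, and `show security match-policies from-zone trust to-zone untrust source-ip 192.168.10.5 destination-ip 198.51.100.9 source-port 40000 destination-port 23 protocol tcp` (addresses assumed) reports which policy the lookup would select for that 5-tuple.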
Juniper SRX application firewall provides the capability to control traffic at application layer.
In the traditional firewall that we have configured so far, we have had the ability to control traffic only at Layer 3 and Layer 4.
Application layer traffic control is possible using application signatures prepared by Juniper.
Juniper SRX IDP (Intrusion Detection and Prevention) inspects network traffic against attack signatures to make sure it does not carry intrusions or other malicious content.
In this section we will learn how to download and install the IDP signature package and how an IDP policy is referenced from security policies.
Juniper SRX Policy Rematch feature allows SRX device to re-evaluate active sessions whose associated policy has changed. Therefore, active sessions with changed policy will remain open if they are still allowed to be forwarded, otherwise they will be closed.
Juniper SRX Active Directory Integration is a prerequisite for implementing user-based access control.
In this section, you will learn how Juniper SRX retrieves users and groups information from Active Directory and how to determine each user’s current IP address.
Then we’re ready to implement a user-based firewall or access control in the next section.
The Juniper SRX identity-based firewall provides the capability to control traffic based on user name, in addition to the source IP address that we normally use.
As discussed in the previous section, user and group information is retrieved from Active Directory over LDAP, and the user-to-IP mapping is learned from the domain controllers' event logs.
Network Address Translation (NAT)
Juniper SRX source NAT allows users with private IP addresses inside the network to communicate over the Internet.
This works by translating the private source IP address to a public address when traffic is routed from the internal network to the Internet.
The private source address can be translated to the IP address of the outgoing interface, which is discussed in this section, or to an address from a pool of public addresses, which is discussed in the next section.
Juniper SRX pool-based source NAT and proxy ARP are the topics of this section.
With source NAT, all users with private IP addresses can access the Internet.
With a pool of public IP addresses configured, the private source address of outgoing traffic is translated to one of the addresses in the pool; because those addresses do not belong to the SRX interface, proxy ARP must be configured so the SRX answers ARP requests for them.
Juniper SRX destination NAT allows services with private IP addresses to be published on the Internet.
In other words, servers with private IP addresses become reachable from the Internet with the help of destination NAT.
It is also known as pre-routing NAT because destination NAT occurs before the route lookup; the security policy is therefore evaluated against the translated (real) destination address.
Juniper SRX "source NAT off" allows you to disable source NAT for specific traffic.
It is especially useful for site-to-site VPN traffic, which must keep its private source address so that the remote peer's routes and policies (and, for policy-based VPNs, the proxy IDs) still match it.
NAT can also be disabled for destination NAT in the same way, but this is mostly used for source NAT.
Juniper SRX static NAT is a one-to-one mapping between two IP addresses (or two equal-sized prefixes). It is evaluated before destination and source NAT, so it has the highest priority among the NAT types.
It is bidirectional, meaning the address is translated in both directions. In other words, it acts as both destination NAT and source NAT.
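The four NAT behaviours described in this part (interface source NAT, pool source NAT with proxy ARP, source NAT off for VPN traffic, destination NAT and static NAT) can be seen together in one configuration. The following is an added example, not taken from the course; all addresses (documentation ranges), interface names and object names are assumed.

```junos
# Added example (not from the course). Assumed: ge-0/0/0.0 is untrust with
# 203.0.113.10/24; LAN 192.168.10.0/24 (zone trust); DMZ 192.168.20.0/24
# (zone dmz); web server 192.168.20.80; remote VPN site LAN 10.20.0.0/16;
# public pool 203.0.113.20-22; published VIP 203.0.113.30; static 1:1
# mapping 203.0.113.40 <-> 192.168.20.40.

# --- Source NAT, interface based, with a "source-nat off" exemption first ---
# Rules inside a rule-set are evaluated in order; the VPN exemption must come
# before the catch-all or VPN traffic would be translated and fail to match
# the remote site's routes and policies.
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-VPN match source-address 192.168.10.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-VPN match destination-address 10.20.0.0/16
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-VPN then source-nat off
set security nat source rule-set TRUST-TO-UNTRUST rule LAN-INTERFACE match source-address 192.168.10.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule LAN-INTERFACE then source-nat interface

# --- Source NAT, pool based ---
# Pool addresses are not configured on any interface, so proxy ARP is required
# for the SRX to answer ARP for them on the untrust segment.
set security nat source pool PUBLIC-POOL address 203.0.113.20/32 to 203.0.113.22/32
set security nat source rule-set DMZ-TO-UNTRUST from zone dmz
set security nat source rule-set DMZ-TO-UNTRUST to zone untrust
set security nat source rule-set DMZ-TO-UNTRUST rule DMZ-POOL match source-address 192.168.20.0/24
set security nat source rule-set DMZ-TO-UNTRUST rule DMZ-POOL then source-nat pool PUBLIC-POOL
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.20/32 to 203.0.113.22/32

# --- Destination NAT (pre-routing): publish the web server on a VIP ---
set security nat destination pool WEB-SERVER address 192.168.20.80/32 port 443
set security nat destination rule-set FROM-INTERNET from zone untrust
set security nat destination rule-set FROM-INTERNET rule PUBLISH-WEB match destination-address 203.0.113.30/32
set security nat destination rule-set FROM-INTERNET rule PUBLISH-WEB match destination-port 443
set security nat destination rule-set FROM-INTERNET rule PUBLISH-WEB then destination-nat pool WEB-SERVER
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.30/32

# --- Static NAT: bidirectional 1:1, evaluated before destination/source NAT ---
set security nat static rule-set STATIC-DMZ from zone untrust
set security nat static rule-set STATIC-DMZ rule APP-40 match destination-address 203.0.113.40/32
set security nat static rule-set STATIC-DMZ rule APP-40 then static-nat prefix 192.168.20.40/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.40/32

# --- Policy is still required and matches the post-NAT (real) destination ---
set security address-book global address WEB-SERVER-REAL 192.168.20.80/32
set security policies from-zone untrust to-zone dmz policy INBOUND-WEB match source-address any
set security policies from-zone untrust to-zone dmz policy INBOUND-WEB match destination-address WEB-SERVER-REAL
set security policies from-zone untrust to-zone dmz policy INBOUND-WEB match application junos-https
set security policies from-zone untrust to-zone dmz policy INBOUND-WEB then permit
```

Two checks worth running after a commit: `show security nat source rule all` and `show security nat destination rule all` show hit counters per rule, so a VPN flow that increments LAN-INTERFACE instead of NO-NAT-VPN reveals a rule-ordering mistake immediately, and `show security flow session destination-prefix 192.168.20.80` shows the in and out wings of a translated session with both the original and the translated addresses.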
Juniper IPsec VPN
Understanding VPN cryptography is the prerequisite for the IPsec VPN concepts and configuration discussed in the next sections.
In this section we give an overview of basic cryptography concepts such as encryption, authentication and integrity.
Juniper SRX IPsec VPN is a security framework used to secure connections across untrusted networks.
It uses cryptographic algorithms to protect traffic so that it cannot be eavesdropped on or manipulated by unauthorized parties.
In this section we discuss the theory of IPsec VPN; configuration examples follow in the next sections.
Juniper SRX policy-based IPsec VPN is one of the two IPsec implementation methods and is configured in this section: a security policy with a tunnel action decides which traffic enters the VPN.
Route-based IPsec VPN is the other implementation method and is configured in the next section.
Juniper SRX route-based IPsec VPN is the other, and preferred, implementation method and is discussed in this section: the VPN is bound to a secure tunnel (st0) interface and routing decides which traffic enters the tunnel, while ordinary security policies between the LAN zone and the tunnel interface's zone decide whether that traffic is permitted.
Policy-based IPsec VPN is the method we implemented in the previous section.
Unified Threat Management (UTM)
Juniper SRX UTM (Unified Threat Management) is another security feature set that integrates antivirus, antispam, content filtering and web filtering into a single device.
This section only reviews these features; we show how to implement them in the next sections.
Juniper SRX UTM antivirus is the first of the four UTM services, and we discuss and configure it in this section.
The Juniper SRX antispam feature blocks or tags incoming and outgoing spam or otherwise unwanted email.
It detects spam based on the cloud-based Juniper spam block list (SBL) or on a locally configured blacklist and whitelist.
Juniper SRX content filtering is another UTM feature used to filter traffic based on file type (MIME type), file extension and protocol commands.
It is also possible to filter cookies, ActiveX controls, Java applets and some other content types.
In the previous sections we discussed and configured the UTM antivirus and antispam features; this section is dedicated to content filtering.
Juniper SRX web filtering is the last UTM feature; it allows you to filter based on URLs and URL categories.
We discuss local and Websense redirect web filtering in this section and enhanced web filtering in the next section.
Juniper SRX enhanced web filtering is the third web filtering method; it relies on the Websense cloud service for URL categorization and is discussed in this section.

