Chapter 1 - Intro

These are my notes for the JNCIS-SEC exam.

The only material available is two PDFs
JNCIS-SEC study guide part 1 and part 2.
This is a companion guide, read it as you go through the PDFs.


A router vs Firewall

A router makes a decision in a state less fashion.
The decision is basically a one liner.
Saying if something comes from here to there then allow it.




A Firewall is more intelligent
it allows you to run Stateful rules. They also call this Stateful packet processing.

In this example.
PC1 asked the Server(SRV007)   for a Web page  using port 80.
The Firewall therefore expects the web server to respond with the Web page.
So it leaves a reverse route open for the web server.

This route will remain open for the default session timers.
The default timers are 30 minutes for TCP.
The default timers are 1 minute for UDP.


Let's practice seeing this.

This is an example of what it will look like.
You cannot currently see this till you set up your own SRX.
This is the layout of this Lab.

The command is either
> show security flow session
or
If you are in Cofigure mode   # run show security flow session.


root@srx101# run show security flow session
Session ID: 7085, Policy name: ALLW-PING/4, Timeout: 2, Valid
  In: 192.168.0.2/84 --> 10.0.0.1/32;icmp, If: fe-0/0/6.0, Pkts: 1, Bytes: 100
  Out: 10.0.0.1/32 --> 10.0.0.50/25316;icmp, If: fe-0/0/7.0, Pkts: 1, Bytes: 100

This is important and on the tests.
The first thing you will see is WHICH policy is handling this flow.
In this case my policy is   ALLW-PING
The second thing to look at is who is sending it.
In this case the LAN IP of 192.168.0.2  will go out to   10.0.0.1 (Server)
When it comes back  there is already a reservation called OUT  which will send the
PING response back to the LAN PC.  {{In the above Example there is a SourceNAT }}




Juniper SRX information
High End Juniper

I made the above slide to try to explain them in one slide.
It won't be easy.
Now.
First and foremost. Juniper has.
RE  Routing Engine
Forwarding Engine.
This is the pride and joy of Juniper. The RE runs separately from the Forwarding.
So if you update the device. The Forwarding keeps running. If you update the RE the forwarding keeps running. etc.
So remember the Routing Plane   runs    separately from the Forwarding plane.

Second, Juniper has 3 device families in the high end SRX.
1400
3xxx
5xxx
the xxx marks the number of slots.

So - Routing engines.
In the SRX 1400 it will be in the front.
In the SRX 3xxx it will be in the back
on the SRX 5xxx  it will be mounted on the SCB Switch control board


I/O cards
Yes, very simple. Each I/O allows you to connect devices to the Firewall.



In the case of the SRX1400 you get a GigE or 10 GigE I/O card and you can add another.
In the case of the SRX 3xxx You can add  them
In the case of the SRX 5xxx you can add them as line cards



SPC - Service Processing Card.
A Service processing card handles the Services. It basically is a CPU and will run the Services
like IDP, IPS, VPN, NAT anything you want. The more SPCs in the device the faster the SERVICES
will run on it.

In the case of the SRX 1400 , the SPC is bolted on the same card as the NPC.
In the case of the SRX 3xxx , you need to add them to a slot. So they take room.
In the case of the SRX 5xxx, they take up a WHOLE line card slot.


NPC- Network Processing Card.
A Network Processing card handles the data from the I/O cards and distributes it to the right SPC or out the right I/O card.  It can be used for the DDoS and the QoS.
So

This is an example.
The PC talks to a switch that goes into the I/O module. Remember the I/o has ports.
The I/O module asks the NPC where to FLOW. Either to an existing flow or a new one.
The NPC, then tasks the SPC to do a SERVICE for example NAT.
The SPC will return a response .
The NPC now will send the FLOW to the Egress I/O and from there to the WEB.

Remember the Security flow sessions we talked about earlier.
So the Firewall will add a session for the return of the packet back.

So the NPC does networking, like forwarding for example.


On the SRX 1400   the NPC is bolted on with the SPC
On the SRX3xxx it takes a slot in the chassis.
On the SRX 5xxx the NPC are BUILT inside the I/O modules.

So to sum it up, the I/O modules on the SRX 5xxx are very smart as they have the NPC bolted on.


The above are the HIGH RANGE SRX. There are more options but they will confuse you.
For now.
RE routing engine,    SPC  does services,   NPC  runs the network  and   I/O are input output ports.




SRX Midrange or low End.

Ok, Low range.
Keys to remember.
The SRX100 do not have a Anti-Virus Express accelerator or a CSA. They also do not have PIM.
The SRX 200 only differ on the number of PIM slots.
The SRX 650 has a Routing Engine. SRE it is replaceable.
All of the above can run the UTM Unified threat management, like the AV,Anti-Spam,WebFiltering etc.

All of the above have ONE CPU with many cores.
Routing Engine will run on ONE core. The data plane will run on the rest of the cores.
Some have PoE and some have 3G slots but don't try memorizing.

This is the flow.
Port then switch then CPU. The goal here is to save the CPU from wasting cycles on easy switching.




Okay,
How does the Juniper Firewall work.
Let's have a look at the FLOW.
How things FLOW around the Firewall.

So a packet comes.
The first thing is on the INTERFACE. You can limit how many packets come in (Policing)
Then on the INTERFACE you can set up static firewall rules, like drop all port 23 (Per Packet Filter)
This is similar to how you run IOS rules on a router.

This is an example of a Filter on an interface.

ge-0/0/0 {                               # interface GigE 0/0/0
   unit 0 {                                  #Unit 0
      family inet {                       # family IPv4
         filter {                                 #  apply a Filter
            input icmp-filter;                  # input means incoming and the name of the filter icmp-filter.
         }
         address 1.1.1.1/30;                 #random IP address on the interface.

#show firewall family inet filter icmp-filter
icmp-filter {
   term 1 {                                  # Every part of a Filter is a TERM.
      from {                                           # from
         source-address any ;                     #any IP
         destination-address 1.1.1.1;            # to the IP of the interface
         protocol icmp;                                  #  protocol  ICMP(ping)
      }
      then {                                                  # then says take this action.  From -> Then
         count icmp-counter;                        # count , So this will count how many ICMP I am getting
         accept;                                             # after you finish counting, just accept it.


Ok, so packet made it across the interface.
Now if there was already a FLOW, the packet gets a shortcut  called Fast path.
IF there was no existing FLOW, then it has to go all the way again.
The way is.

Screen option - DDoS protection. So it will be dropped if it is DDoS.
Destination NAT -  The SRX will convert the IP to the proper destination .
Route-   the SRX will then ROUTE the packet   using the (forwarding table).
Zones-   based on the route, it can figure out which zones does it need to go throught.
Policy -  when traffic passes between zones a policy will be applied.
SourceNAT  -   If all goes well then if there is a source NAT it will change the IP before leaving.
Services ALG-   is the final step where the device will run the UTM features. Like AV/AS/Web flitering.
After the above are done a session is created
and a Flow is added in the session table for the return packets.
Then it simply leaves out the Egress interface.
Where it might get "shaped".


Run-Time Changes.
Yes, I think there is a question on this.
Routing run-time changes will change the session. ALWAYS.
Now if you change the Security Policy it will not affect the current sessions.
That is unless you run
#set security policies policy-rematch                  
this command causes the change in policy to drop current sessions

So to sum up run-time changes.
Routing Always - you want the packet to be able to reach the destination even if a line dropped.
Security policy - sometimes. If you want to force it, run the command policy-rematch.

Alright.
Last example of this chapter.
A Packet flow

Ok,
new packet.
10.1.20.5
Does it have a session   (let's say no)
Screen    (not a DDoS)
Destination NAT  (no)
Route -  (OK look at the routing table to see where it goes to)
Zone   - map out the relevant interfaces it will go to using the ZONES.

Policy -  once you know the zones it goes from . You look if the policy of the zone to zone allows it. (ok)
E Voila.
Add it to the sessions table with the   FLOW session ready to receive the returning packet.

Then simply send it to the WEB

Ok.
Some easy questions.
Routers use _____ processing
Firewalls use     ______ processing
What is the difference between Security platforms and routers
What is the shortcut route in Junos Flow called.


Answers are.
A. Per Packet
B. Per Flow
C. Security platforms start off with a DENY , routers start with allow everything.
D.  the Shortcut route is called    "fast path".