
Junos for Security Platforms

Chapter 6: SCREEN Options

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives

 After successfully completing this chapter, you will be able to:
•Explain the meaning of SCREEN options
•List various types of attacks that SCREEN options can detect and prevent
•Identify advantages of using Junos SCREEN options
•Configure zone-based SCREEN options to block attacks
•Apply and monitor SCREEN operations

Agenda: SCREEN Options

Multilayer Network Protection
 Stages and Types of Attacks
 Using Junos SCREEN Options
•Reconnaissance Attack Handling
•Denial of Service Attack Handling
•Suspicious Packets Attack Handling
 Applying and Monitoring SCREEN Options

Networks Are Under Attack

[Figure: network diagram showing the threats at each point of the network. Telecommuter: compromised PC, U-turn attack, hijacked remote session. Internet, business partner, regional office: worms, viruses, Trojan attacks. DMZ and wireless network: unauthorized WLAN user. Human resources and finance: internal attacks from roaming and malicious users.]

Points of Vulnerability = Points of Control

[Figure: the same network, with each point of vulnerability labelled as a point of control. Remote access: telecommuter. Site to site: business partner, regional office. Network perimeter: Internet. DMZ. Wireless network. LAN: human resources, finance. Data center or core.]

Attack Detection and Prevention

 The Junos OS provides an attack detection system, named SCREEN options:
•Offers protection against various attacks
•Where enabled, applies to traffic entering a Junos security device
•Checks traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing

Review: Packet Flow

[Figure: Junos packet flow. Ingress packet: packet-based processing (per-packet filters, per-packet policers and shapers). Flow module (with event scheduler): session match? No: first path, consisting of SCREEN options, D-NAT, route, zones, policy, S-NAT, services ALG and session creation. Yes: fast path, consisting of SCREEN options, TCP, NAT and services ALG. Egress packet: packet-based processing again. Session-based SCREEN options are the focus of this chapter.]

Agenda: SCREEN Options (Stages and Types of Attacks)
Stages of an Attack

 Three phases of an attack:
•Reconnaissance phase:
• Map the network
• Scan for devices and ports to exploit
• Determine the device OS
•Exploit phase:
• Launch the attack
• Conceal the origin of the attack
• Remove and hide the evidence of the attack
•Propagation phase:
• Use trust relationship with other back-end devices to take over the devices, then create a tunnel back to the attacker to control the target network
Types of Attack: Reconnaissance

 IP address sweep
 Port scanning
 IP options
 OS probes
 Evasion techniques

Phase of attack: Reconnaissance

Types of Attack: Denial of Service
 Forms of DoS:
•Router and firewall DoS
• Session table flood
• SYN-ACK-ACK proxy flood
•Network DoS
• SYN flood
• SYN cookie
• ICMP flood
• UDP flood
• LAND attack
•Device DoS
• Ping of Death
• Teardrop
• WinNuke

[Figure: attacker on the Internet targeting a web server.]

Phase of attack: Exploit

Types of Attacks: Suspicious Packets

 Suspicious packets:
•ICMP abnormalities
•Bad IP options
•Unknown protocols
•IP packet fragments
•SYN fragments

Phase of attack: All phases

Agenda: SCREEN Options (Using Junos SCREEN Options: Reconnaissance Attack Handling)
SCREEN Options—Best Practices
 Best practice suggestions:
•Prior to implementing SCREEN options, you should know:
• Legitimate applications and their behavior
• Legitimate traffic patterns
•Failure to understand legitimate traffic patterns can lead to malfunctioning networks and unhappy users
•Deploy SCREEN options only in vulnerable zones
•Use the alarm-without-drop statement to test the configured SCREEN values prior to full deployment, ensuring that legitimate traffic is handled properly:
[edit security screen]
user@host# show
ids-option ids-option-name {
    alarm-without-drop;
}

IP Address Sweep and Port Scan
 The attack:
•Send ICMP packets or SYN segments to various hosts within a predefined period of time, hoping that one replies
•Once a host or port replies, the target is uncovered
 The defense:
•Drop all ICMP traffic from a source after:
• >10 ICMP packets sent within configurable time threshold
•Drop all traffic from a source after:
• >10 ports scanned within configurable time threshold
•Both thresholds are configurable, ranging from 1000 to 1,000,000 microseconds (default is 5000)
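As an added illustration (not part of the Juniper course material), the following Python detector applies the sweep and scan thresholds described above to a constructed packet trace. It assumes a packet record of (timestamp in microseconds, source, destination, protocol, destination port), counts distinct destinations (ICMP) or distinct destination ports (TCP SYN) per source inside one threshold window, and blocks the source once the count exceeds 10; the class and function names are hypothetical.

```python
# Added example, not Junos code: sliding-window emulation of the ip-sweep and
# port-scan SCREEN thresholds. Assumption: a sweep is counted as distinct ICMP
# destinations and a scan as distinct (host, port) SYN targets from one source.
from collections import defaultdict, deque

DEFAULT_THRESHOLD_US = 5000      # slide default; configurable 1000..1,000,000 us
SWEEP_LIMIT = 10                 # more than 10 ICMP destinations -> ip-sweep
SCAN_LIMIT = 10                  # more than 10 ports scanned -> port-scan


class ScreenDetector:
    """Tracks per-source ICMP destinations and TCP SYN ports within a time window."""

    def __init__(self, threshold_us=DEFAULT_THRESHOLD_US):
        if not 1000 <= threshold_us <= 1_000_000:
            raise ValueError("threshold must be 1000..1000000 microseconds")
        self.threshold_us = threshold_us
        # source -> deque of (timestamp_us, key); key = dst for ICMP, (dst, port) for SYN
        self._icmp = defaultdict(deque)
        self._tcp = defaultdict(deque)
        self.blocked_icmp = set()    # sources whose ICMP is dropped (ip-sweep)
        self.blocked_all = set()     # sources whose whole traffic is dropped (port-scan)

    def _count_distinct(self, window, now_us, key):
        """Record key, expire entries older than the window, return distinct keys left."""
        window.append((now_us, key))
        while window and now_us - window[0][0] > self.threshold_us:
            window.popleft()
        return len({k for _, k in window})

    def observe(self, ts_us, src, dst, proto, dst_port=None):
        """Return the SCREEN verdict for one packet: 'pass', 'ip-sweep' or 'port-scan'."""
        if src in self.blocked_all:
            return "port-scan"
        if proto == "icmp":
            if src in self.blocked_icmp:
                return "ip-sweep"
            if self._count_distinct(self._icmp[src], ts_us, dst) > SWEEP_LIMIT:
                self.blocked_icmp.add(src)
                return "ip-sweep"
        elif proto == "tcp-syn":
            if self._count_distinct(self._tcp[src], ts_us, (dst, dst_port)) > SCAN_LIMIT:
                self.blocked_all.add(src)
                return "port-scan"
        return "pass"


def run_sample():
    """Constructed traffic: a fast ICMP sweep, a slow legitimate pinger and a SYN scan."""
    det = ScreenDetector(5000)
    verdicts = {}
    # 10.0.0.9 pings 12 hosts 100 us apart: the 11th distinct host trips the screen.
    for i in range(12):
        verdicts[("sweep", i)] = det.observe(100 * i, "10.0.0.9", f"192.0.2.{i + 1}", "icmp")
    # 10.0.0.5 pings 12 hosts one second apart: never more than one inside a 5 ms window.
    for i in range(12):
        verdicts[("slow", i)] = det.observe(1_000_000 * i, "10.0.0.5", f"192.0.2.{i + 1}", "icmp")
    # 10.0.0.7 sends SYNs to 12 ports on one host within 2 ms.
    for i in range(12):
        verdicts[("scan", i)] = det.observe(150 * i, "10.0.0.7", "192.0.2.1", "tcp-syn", 1000 + i)
    # Once flagged as a scanner, all of its traffic (even ICMP) is dropped.
    verdicts[("scan", "icmp")] = det.observe(5000, "10.0.0.7", "192.0.2.2", "icmp")
    return verdicts
```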

IP Address Sweep and Port Scan—SCREEN Options

[Figure: a host on the Internet sends ICMP packets or TCP SYN segments toward the finance server and data server behind the Junos security device.]

If security policy permits ICMP traffic, enable the IP address sweep SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    icmp {
        ip-sweep threshold microseconds;
    }
}

Enable the port scanning detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        port-scan threshold microseconds;
    }
}

IP Options

 The attack:
•Cause problems to network devices and networks by abusing the options field of an IP packet—the record route, timestamp, security, and stream ID fields
 The defense:
•Track packets that use any of these options
•Flag these packets as a network reconnaissance attack
•Record the events and the corresponding ingress interface

IP Options—SCREEN Options

[Figure: IPv4 header (version, header length, type of service, total packet length; identification, flags 0/D/M, fragment offset; time to live, protocol, header checksum; source address; destination address; options; payload) with the Options field highlighted.]

Enable the network reconnaissance SCREEN options:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        record-route-option;
        timestamp-option;
        security-option;
        stream-option;
    }
}

Operating System Probes

 The attack:
•Probe the targeted host, trying to learn its operating system
•Use OS information to exploit known vulnerabilities
 The defense:
•Detect SYN and FIN flags set in TCP segments
•Detect TCP segments with the FIN flag set without the ACK flag
•Detect a TCP segment without any flags set

Operating System Probes—SCREEN Options

[Figure: TCP header (16-bit source port number, 16-bit destination port number; 32-bit sequence number; 32-bit acknowledgement number; 4-bit header length, reserved, flags URG ACK PSH RST SYN FIN, 16-bit window size; 16-bit TCP checksum, 16-bit urgent pointer; options, if any; payload, if any) with the flag bits highlighted.]

Enable the operating system probes blocking SCREEN options:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        syn-fin;
        fin-no-ack;
        tcp-no-flag;
    }
}

IP Spoofing

 The attack:
•Invade networks by making the packets appear as if they come from a trusted source
 The defense:
•Compare the source IP address of an incoming packet with the closest prefix match found in the forwarding table
• If the prefix was not learned from the ingress interface of the incoming packet, consider the packet to be an IP spoof attack
• Deny those packets
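Added example, not Juniper code: the check just described, run against the forwarding table shown on the next slide (168.10.10/24 via ge-0/0/1, 168.10.10.224/27 via ge-0/0/0, 0.0.0.0 via ge-1/0/0). Assumptions: the slide's 0.0.0.0 entry is the default route 0.0.0.0/0, the prefixes are written out in full for Python's ipaddress module, and the function names are hypothetical.

```python
# Added example, not Junos code: longest-prefix match on the source address picks
# the interface that source should arrive on; a different ingress interface means
# the packet is treated as spoofed, as the 'ip { spoofing; }' SCREEN option does.
import ipaddress

# Forwarding table from the slide (network, interface, gateway); 0.0.0.0 is
# assumed to be the default route 0.0.0.0/0.
FORWARDING_TABLE = [
    ("168.10.10.0/24",   "ge-0/0/1", "direct"),
    ("168.10.10.224/27", "ge-0/0/0", "direct"),
    ("0.0.0.0/0",        "ge-1/0/0", "direct"),
]


def longest_prefix_match(addr, table=FORWARDING_TABLE):
    """Return the (network, interface, gateway) entry with the longest prefix covering addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface, gw in table:
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, gw)
    return best


def is_spoofed(src_addr, ingress_iface, table=FORWARDING_TABLE):
    """True if the closest prefix for src_addr was not learned via ingress_iface."""
    match = longest_prefix_match(src_addr, table)
    if match is None:
        return True   # no route back to the source at all; treat as spoofed
    return match[1] != ingress_iface


def screen_verdict(src_addr, ingress_iface, table=FORWARDING_TABLE):
    """Emulate the spoofing SCREEN option: drop spoofed packets, pass the rest."""
    if is_spoofed(src_addr, ingress_iface, table):
        return "drop (IP spoofing)"
    return "pass"


if __name__ == "__main__":
    # The slide's packet: SA=168.10.10.1 arriving from the Internet on ge-1/0/0.
    print(screen_verdict("168.10.10.1", "ge-1/0/0"))   # spoofed: prefix lives on ge-0/0/1
    print(screen_verdict("168.10.10.1", "ge-0/0/1"))   # legitimate private-zone source
```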

IP Spoofing—SCREEN Option

[Figure: a packet with SA=168.10.10.1 arrives from the Internet on ge-1/0/0, but that source address is part of the 168.10.10/24 range that belongs to the private zone (finance server, data server).]

Forwarding Table
Network            Interface   Gateway
168.10.10/24       ge-0/0/1    direct
168.10.10.224/27   ge-0/0/0    direct
0.0.0.0            ge-1/0/0    direct

Enable the IP spoofing detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        spoofing;
    }
}

IP Source Route Options

 The attack:
•Hide the true source address
•Access restricted areas of a network by specifying a different route
 The defense:
•Block any packets with loose or strict source route options settings
—OR—
•Detect those options as being set and record them

IP Source Route Options—SCREEN Options

[Figure: external zone reached through ge-1/0/0 (5.5.5/24), with an internal 3.3.3/24 network hosting the finance server and data server. Security policy permits traffic originating from source 5.5.5/24; a packet with SA=5.5.5.100 arrives with a source route option set. SCREEN option: deny IP traffic with the source route option set.]

Enable the IP source route option detection SCREEN option to block packets upon detection (blocks):
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        source-route-option;
    }
}

Enable the IP source route option detection SCREEN option to record packets upon detection (detects):
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        loose-source-route-option;
        strict-source-route-option;
    }
}

Agenda: SCREEN Options (Using Junos SCREEN Options: Denial of Service Attack Handling)
DoS Attacks—Goals and Categories

 Goal of DoS attacks:
•Immobilize the firewall or router device
•Immobilize the network behind the firewall
 Firewall and router DoS attacks:
•Session table flood
•SYN-ACK-ACK proxy flood
 Network DoS attacks:
•SYN flood, ICMP flood, UDP flood, and LAND attacks
 PC-based operating system DoS attacks:
• Ping of Death, Teardrop, WinNuke

Firewall and Router Device DoS—
Session Table Flood

 The attack:
•Session table floods can take many forms—SYN flood, ICMP flood, UDP flood, and so forth
 The defense:
•Limit source-based number of concurrent sessions
•Limit destination-based number of concurrent sessions

Session Table Flood—SCREEN Option
 Limit the number of concurrent sessions based on either the source IP address, the destination IP address, or both:
•Set source-based session limit to prevent a DoS attack
• Default is 128; range is dependent upon device
•Set destination-based session limit to prevent a DDoS attack
• Default is 128; range is dependent upon device
Enable the session table flood SCREEN option to prevent DoS attacks on firewall or router devices:
[edit security screen]
user@host# show
ids-option ids-option-name {
    limit-session {
        source-ip-based number-of-sessions;
        destination-ip-based number-of-sessions;
    }
}

Firewall and Router Device DoS—SYN-ACK-ACK Proxy Flood

 The attacker sends a SYN-ACK-ACK pattern within a seemingly normal TCP connection

[Figure: attacking host ("Attack! Let me initiate a Telnet session"), the Junos security device with its session table, and the finance server.]
1 SYN (host to device): session lookup: no session match; create session table entry; proxy SYN/ACK back to source
2 SYN/ACK (device to host)
3 ACK (host to device): session lookup: no session match; process first packet; send SYN to server; the initial 3-way handshake is complete
4 SYN (device to server)
5 SYN/ACK (server to device)
6 ACK (device to server)
7 Send login prompt (server to host)
8 SYN, 9 SYN/ACK, 10 ACK, ... (the host repeats the same pattern)
SYN-ACK-ACK Proxy Flood—SCREEN Option

 The defense:
•Be a proxy for TCP connections, thereby detecting SYN-ACK-ACK sessions
•Set SYN-ACK-ACK proxy threshold from an address
• Default is 512 connections; range is between 1 and 250,000
•Limit the number of concurrent TCP sessions from a single source
Enable the SYN-ACK-ACK proxy flood SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        syn-ack-ack-proxy threshold number-of-connections;
    }
}

Network DoS—SYN Flood

 The attack:
•SYN flood attack inundates a target network resource with SYN segments containing forged or spoofed IP source addresses with nonexistent or unreachable addresses
• Forces targets to respond with SYN/ACK and wait for responses
•Because destinations do not exist, sessions consume memory resources until timing out
•When memory exhausts, no legitimate session can establish
 The defense:
•Limit the number of SYN segments per second using threshold-based SYN proxying

SYN Flood—SCREEN Options

[Figure: SYN segments arrive from the Internet; the Junos security device answers each with a proxied SYN/ACK and holds the half-open request in its proxying connection queue (the "?" marks the final ACK that never arrives), shielding the finance server and data server behind it.]

Enable the SYN flood SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        syn-flood {
            alarm-threshold number-of-TCP-connection-requests-per-second;
            attack-threshold number-of-SYN-segments-per-second-to-dest-ip-and-port;
            source-threshold number-of-SYN-segments-per-second-from-source-ip;
            destination-threshold number-of-SYN-segments-per-second-to-dest-ip;
            timeout maximum-seconds-hold-time-in-queue;
        }
    }
}

Network DoS Attack Mitigation with the
Help of the SYN Cookie
 SYN cookie advantages:
•Protects targeted hosts and Junos security device from spoofed SYN flood attacks
•Ensures a valid SYN cookie response receipt prior to allowing processing of a new TCP connection
•A SYN cookie is stateless; therefore, it does not require a session, a policy, or a route lookup
 SYN cookie details:
•Uses a cryptographic hash to generate a unique TCP ISN
•Generates a cookie from a local address, a foreign address, and ports
•Sends one SYN-ACK back with the cookie as ISN
•Cryptographically verifies the received ACK based on the cookie
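Added example, not the Junos implementation: a minimal stateless SYN cookie of the kind described above. It uses HMAC-SHA256 (our choice of keyed hash) over the local and foreign address and ports plus a coarse timestamp to produce the ISN, and validates the returning ACK by recomputing the cookie; the 8-bit period / 24-bit hash layout and all names are assumptions.

```python
# Added example, not Junos code: stateless SYN cookie generation and validation.
# Nothing is stored between the SYN and the ACK; the ISN itself carries the proof.
import hashlib
import hmac
import os

SECRET = os.urandom(32)       # per-device secret (assumption; rotate in practice)
COUNTER_PERIOD_S = 64         # timestamp granularity folded into the cookie
MAX_AGE_PERIODS = 1           # accept cookies from the current or previous period


def _hash(local_addr, local_port, foreign_addr, foreign_port, period, secret=SECRET):
    """24-bit keyed hash over the 4-tuple and the period byte."""
    msg = f"{local_addr}:{local_port}|{foreign_addr}:{foreign_port}|{period}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(local_addr, local_port, foreign_addr, foreign_port, now_s, secret=SECRET):
    """Build the 32-bit ISN for the SYN/ACK: top 8 bits = period, low 24 bits = hash."""
    period = (int(now_s) // COUNTER_PERIOD_S) & 0xFF
    h = _hash(local_addr, local_port, foreign_addr, foreign_port, period, secret)
    return (period << 24) | h


def validate_ack(local_addr, local_port, foreign_addr, foreign_port, ack_number, now_s,
                 secret=SECRET):
    """True if ack_number - 1 is a cookie we would recently have issued for this 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    period = cookie >> 24
    current = (int(now_s) // COUNTER_PERIOD_S) & 0xFF
    if ((current - period) & 0xFF) > MAX_AGE_PERIODS:
        return False              # stale cookie, or a forged period byte
    expected = _hash(local_addr, local_port, foreign_addr, foreign_port, period, secret)
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big"))


def handshake_demo():
    """Constructed exchange: a real client completes; flood and replay attempts fail."""
    srv, cli = ("192.0.2.10", 23), ("198.51.100.5", 40000)
    # 1 SYN arrives; 2 device answers SYN/ACK with ISN = cookie and keeps no state.
    isn = make_cookie(srv[0], srv[1], cli[0], cli[1], now_s=1000)
    # 3 a reachable client acknowledges ISN+1: cookie validates, a session is created.
    ok = validate_ack(srv[0], srv[1], cli[0], cli[1], isn + 1, now_s=1005)
    # A spoofed source never saw the SYN/ACK and can only guess the ACK number.
    guess = validate_ack(srv[0], srv[1], "203.0.113.9", 5555, 0x12345678, now_s=1005)
    # The same cookie replayed from a different port does not validate.
    wrong_port = validate_ack(srv[0], srv[1], cli[0], 40001, isn + 1, now_s=1005)
    # A cookie older than the accepted window is rejected.
    stale = validate_ack(srv[0], srv[1], cli[0], cli[1], isn + 1, now_s=1000 + 64 * 3)
    return {"ok": ok, "guess": guess, "wrong_port": wrong_port, "stale": stale}
```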
SYN Cookie Handling

[Figure: host, the Junos security device with its session table, finance server and data server.]
1 SYN (host to device): session lookup: no session match; SYN cookie triggered; calculate ISN; send SYN/ACK back to source
2 SYN/ACK (device to host)
3 ACK (host to device): session lookup: no session match; SYN cookie validated; process first packet; create a session; send SYN to server
4 SYN (device to server)
5 SYN/ACK (server to device): server accepts the connection and sends SYN/ACK
6 ACK (device to server) and 7 ACK (device to host): send ACK to both ends; connected
8 Data/ACK
9 ACK

Enable the following option to add a SYN cookie:
[edit security]
user@host# show
flow {
    syn-flood-protection-mode syn-cookie;
}


Network DoS—ICMP and UDP Floods
 The attack—ICMP flood:
•ICMP echo requests overload the target, causing it to stop responding to valid traffic
 The defense:
•Limit the number of ICMP echo requests
•Drop ICMP echo requests once they reach the limit

 The attack—UDP flood:
•UDP traffic purposely slows down the target, causing it to stop accepting any valid connections
 The defense:
•Limit the number of UDP packets to a single destination address
•Drop UDP packets to that destination once they reach the limit
ICMP and UDP Floods—SCREEN Options

[Figure: ICMP floods and UDP floods from the Internet directed at the finance server and data server.]

Enable the ICMP SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    icmp {
        flood threshold value-packetsPerSec;
    }
}

Enable the UDP SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    udp {
        flood threshold value-packetsPerSec;
    }
}

Network DoS—LAND Attack

 The attack:
•The attacker sends a combined attack—a SYN attack with IP spoofing
• This attack sends spoofed SYN packets containing the IP address of the target as both the source and destination IP address
 The defense:
•Combine elements of the SYN flood defense and IP spoofing protection
• Results in the detection and blocking of malicious traffic

LAND Attack—SCREEN Option

[Figure: three TCP SYN packets, each with source IP 20.5.1.1 and destination IP 20.5.1.1, directed at the protected resources (finance server, data server).]

Enable the LAND attack SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        land;
    }
}

PC-Based Operating System DoS Attacks

 The attack:
•Ping of Death
•Teardrop
•WinNuke
 The defense:
•Detect oversized and irregular ICMP packets
•Detect discrepancy in a fragmented packet and drop it
•Detect URG flag setting within a packet and unset it

PC-Based OS DoS—SCREEN Options
 Mitigation of attacks:
•Ping of Death mitigation:
Enable the Ping of Death SCREEN option:
[edit security screen]
lab@host# show
ids-option ids-option-name {
    icmp {
        ping-death;
    }
}

•WinNuke mitigation:
Enable the WinNuke SCREEN option:
[edit security screen]
lab@host# show
ids-option ids-option-name {
    tcp {
        winnuke;
    }
}

•Teardrop mitigation:
Enable the Teardrop SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        tear-drop;
    }
}

Agenda: SCREEN Options (Using Junos SCREEN Options: Suspicious Packets Attack Handling)
ICMP Abnormalities

 The attack:
•Use ICMP packets to attack hosts, networks, or both
•Once targets are defined, launch attacks
 The defense:
•Detect fragmentation of an ICMP packet
•Block any fragmented ICMP packets
•Drop ICMP packets with a length > 1024 bytes

ICMP Abnormalities—SCREEN Option

[Figure: IPv4 header annotated with the conditions the SCREEN option looks for: protocol is ICMP (protocol = 1); total packet length value is > 1024 bytes; fragment offset value is nonzero; more fragments flag is set.]

Enable the ICMP abnormalities detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    icmp {
        fragment;
        large;
    }
}

IP Packet Fragments and Bad IP Options

 IP packet fragments—the attack:
•Abuse the legitimacy of packet fragmentation
•Crash the system by producing malicious packets resulting from IP packet reassembly
 Bad IP options—the attack:
•Abuse the IP options field of a packet
•Produce incomplete or malformed fields within a packet
 The defense:
•Detect and block IP packet fragments or packets with incorrectly formatted IP options

IP Packet Fragments and Bad IP Options—SCREEN Option

[Figure: IPv4 header annotated with the conditions the SCREEN options look for: fragment offset value is nonzero; more fragments field is set; IP options incorrectly formatted.]

Enable the IP packet fragment detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        block-frag;
    }
}

Enable the bad IP options detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        bad-option;
    }
}

Unknown Protocols

 The attack:
•Abuse the protocol type field by setting it to 137 or greater
•Produce malicious packets
 The defense:
•Detect and block packets with protocol ID set to 137 or greater

Unknown Protocols—SCREEN Option

[Figure: IPv4 header with the Protocol field highlighted: the protocol number is ≥ 137.]

Enable the unknown protocols detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        unknown-protocol;
    }
}

SYN Fragments

 The attack:
•Abuse the legitimacy of packet fragmentation
•Crash the system by producing malicious packets resulting
from IP packet reassembly
 The defense:
•Detect and block TCP SYN fragmented packets
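Added example, not Junos code, covering the header-based checks of this section together with those on the earlier OS probe, LAND and unknown protocol slides: it builds raw IPv4, TCP and ICMP packets with struct (constructed test data, checksums left at zero) and reports which SCREEN option each packet would trigger. All function names are hypothetical.

```python
# Added example, not Junos code: a classifier applying the header-based SCREEN
# checks from this chapter (syn-fin, fin-no-ack, tcp-no-flag, land, syn-frag,
# unknown-protocol, block-frag, icmp fragment, icmp large) to raw IPv4 packets.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MORE_FRAGMENTS = 0x2000          # MF bit in the IPv4 flags/fragment-offset field
IP_HDR = "!BBHHHBBH4s4s"         # 20-byte IPv4 header without options


def build_ipv4(proto, src, dst, payload=b"", flags_frag=0, total_len=None):
    """Constructed IPv4 packet: minimal 20-byte header (checksum 0) in front of payload."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    length = total_len if total_len is not None else 20 + len(payload)
    hdr = struct.pack(IP_HDR, 0x45, 0, length, 1, flags_frag, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header with the given flag bits (checksum 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def screen_check(pkt):
    """Return the list of SCREEN option names this packet would trigger (empty = clean)."""
    hits = []
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    more_frags = bool(flags_frag & MORE_FRAGMENTS)
    is_fragment = more_frags or frag_offset != 0
    if proto >= 137:                      # unknown protocol slide: ID 137 or greater
        hits.append("unknown-protocol")
    if is_fragment:                       # ip { block-frag; }
        hits.append("block-frag")
    if proto == 1:                        # ICMP abnormalities: fragment / large
        if is_fragment:
            hits.append("icmp fragment")
        if total_len > 1024:
            hits.append("icmp large")
    # TCP flag checks need the transport header: whole packet or first fragment only.
    if proto == 6 and frag_offset == 0 and len(pkt) >= ihl + 20:
        tflags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])[5]
        if tflags & SYN and tflags & FIN:
            hits.append("syn-fin")
        if tflags & FIN and not tflags & ACK:
            hits.append("fin-no-ack")
        if tflags & 0x3F == 0:
            hits.append("tcp-no-flag")
        if tflags & SYN and src == dst:   # LAND: source equals destination
            hits.append("land")
        if tflags & SYN and more_frags:   # SYN inside a fragmented packet
            hits.append("syn-frag")
    return hits


def sample_results():
    """Constructed packets, one per check, plus a clean SYN and a clean ICMP echo."""
    a, b = "192.0.2.1", "198.51.100.2"
    echo = b"\x08\x00" + b"\x00" * 6
    return {
        "clean_syn": screen_check(build_ipv4(6, a, b, build_tcp(40000, 80, SYN))),
        "clean_icmp": screen_check(build_ipv4(1, a, b, echo)),
        "syn_fin": screen_check(build_ipv4(6, a, b, build_tcp(40000, 80, SYN | FIN))),
        "fin_no_ack": screen_check(build_ipv4(6, a, b, build_tcp(40000, 80, FIN))),
        "null_scan": screen_check(build_ipv4(6, a, b, build_tcp(40000, 80, 0))),
        "land": screen_check(build_ipv4(6, b, b, build_tcp(80, 80, SYN))),
        "syn_frag": screen_check(build_ipv4(6, a, b, build_tcp(40000, 80, SYN),
                                            flags_frag=MORE_FRAGMENTS)),
        "unknown_proto": screen_check(build_ipv4(200, a, b, b"\x00" * 8)),
        "icmp_large": screen_check(build_ipv4(1, a, b, echo, total_len=1500)),
        "icmp_frag": screen_check(build_ipv4(1, a, b, echo, flags_frag=MORE_FRAGMENTS)),
    }
```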

SYN Fragments—SCREEN Option

[Figure: IP header (fragment offset value is nonzero; more fragments field is set) followed by a TCP header (source port number, destination port number, sequence number, acknowledgement number, header length, reserved, flags URG ACK PSH RST SYN FIN, window size, TCP checksum, urgent pointer, options, data) with the SYN flag set.]

Enable the SYN fragment detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        syn-frag;
    }
}
Agenda: SCREEN Options (Applying and Monitoring SCREEN Options)
Configuration Syntax for SCREEN Options
 Configuration steps:
•Step 1: Creating SCREEN options
security {
    screen {
        ids-option ids-option-name {
            options;
            options;
        }
    }
}

•Step 2: Applying SCREEN options to a zone
security {
    zones {
        security-zone zone-name {
            screen ids-option-name;
        }
    }
}
Case Study: Protecting the Private Zone

[Figure: private zone with Host A (10.1.10.8) and Host B (10.1.10.5) attached to the Junos device on ge-0/0/3.100 (.2); public zone on ge-1/0/1.602 toward EdgeR and the Internet.]

 Using SCREEN options, protect the private zone from:
•ICMP abnormalities
•ICMP floods
•Session table floods

Case Study: Step 1—Creating the SCREEN Options
 Create SCREEN options to offer protection from ICMP abnormalities, ICMP flood, and session table flood
[edit]
user@host# show security
screen {
    ids-option Protector {
        icmp {
            fragment;
            large;
            flood threshold 500;
        }
        limit-session {
            source-ip-based 50;
        }
    }
}

Case Study: Step 2—Applying the SCREEN
 Apply the created SCREEN option to the public zone
[edit]
user@host# show security zones
...
security-zone Public {
    address-book {
        address host1 2.2.2.1/32;
        address host2 1.1.70.251/32;
        address-set Public-hosts {
            address host1;
            address host2;
        }
    }
    screen Protector;
    host-inbound-traffic {
        system-services {
            all;
            telnet {
                except;
            }
        }
...

Attack Monitoring (1 of 3)
 Use the show security screen statistics zone zone-name command
user@host> show security screen statistics zone Public
Screen statistics:

IDS attack type                  Statistics
ICMP flood                       0
UDP flood                        0
TCP winnuke                      0
TCP port scan                    0
ICMP address sweep               0
IP tear drop                     0
TCP SYN flood                    0
IP spoofing                      0
ICMP ping of death               0
IP source route option           0
TCP land attack                  0
TCP SYN fragment                 0
TCP no flag                      0
IP unknown protocol              0
IP bad options                   0
IP record route option           0
IP timestamp option              0
IP security option               0
IP loose source route option     0
IP strict source route option    0
IP stream option                 0
ICMP fragment                    0
ICMP large packet                126
TCP SYN FIN                      0
TCP FIN no ACK                   0
Source session limit             10
TCP SYN-ACK-ACK proxy            0
IP block fragment                0
Destination session limit        0

Attack Monitoring (2 of 3)
 Use the show security screen ids-option screen-name command

[edit]
user@host# show security
screen {
    ids-option Protector {
        icmp {
            fragment;
            large;
            flood threshold 500;
        }
        limit-session {
            source-ip-based 50;
        }
    }
}

user@host> show security screen ids-option Protector
Screen object status:

Name                                  Value
ICMP flood threshold                  500
ICMP fragmentation                    enabled
ICMP large packet                     enabled
Session source limit threshold        50
Session destination limit threshold   128

Attack Monitoring (3 of 3)
 Log events into a traceoptions file:
[edit security]
user@host# show screen
traceoptions {
    file {
        filename;
        files number-of-tracefiles;
        no-world-readable | world-readable;
        size maximum-size-of-tracefile;
        match regular-expression-for-logged-info;
    }
    flag configuration | flow | all;
}

•Retrieve log with the show log filename command

Summary
 In this chapter we:
•Explained the meaning of SCREEN options
•Listed various types of attacks that SCREEN options can detect and prevent
•Identified the advantages of using the Junos SCREEN options
•Configured zone-based SCREEN options to block attacks
•Applied and monitored SCREEN operations

Review Questions

1. Explain the purpose of SCREEN options in the Junos OS.
2. What types of SCREEN options are available?
3. What is the advantage of using SCREEN options?
4. What are the goals of a DoS attack?
5. Under which configuration stanza do you apply
SCREEN options?

Lab 4: Implementing SCREEN Options

 Perform tasks normally associated with SCREEN options configuration and monitoring.

