Netscreen Ce VPN


  • 8/6/2019 Netscreen Ce VPN


    NetScreen Concepts & Examples

    ScreenOS Reference Guide

    Version

    P/N

    Rev B


    http://www.netscreen.com/

    the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you.

    8. Export Law Assurance. You understand that the Software is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE SOFTWARE OR ANY UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITED STATES AND OTHER APPLICABLE LAWS AND REGULATIONS.

    9. U.S. Government Restricted Rights. If this Product is being acquired by the U.S. Government, the Product and related documentation is commercial computer Product and documentation developed exclusively at private expense, and (a) if acquired by or on behalf of civilian agency, shall be subject to the terms of this computer Software, and (b) if acquired by or on behalf of units of the Department of Defense (DoD) shall be subject to terms of this commercial computer Software license Supplement and its successors.

    10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction.

    11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and effect. The laws of the State of California, excluding the application of its conflicts of law rules shall govern this License Agreement. This Agreement will not be governed by the United Nations Convention on the Contracts for the International Sale of Goods. This Agreement is the entire agreement between the parties as to the subject matter hereof and supersedes any other Technologies, advertisements, or understandings with respect to the Software and documentation. This Agreement may not be modified or altered, except by written amendment, which expressly refers to this Agreement and which, is duly executed by both parties.

    You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and conditions.


    Contents

    netscreenSchedule
    netscreenResource
    netscreenIp
    Appendix B  Glossary
    Index

    Preface

    NetScreen devices are ASIC-based, ICSA-certified¹ Internet security appliances that integrate firewall, virtual private networking (VPN), and traffic-shaping features to provide complete protection of your local area network (LAN) when connecting to the Internet.

    Firewall: A firewall screens traffic crossing the boundary between a private LAN and the public network, such as the Internet.

    VPN: A VPN provides a secure communications channel between two or more remote network appliances.

    Traffic Shaping: Traffic shaping functionality allows administrative monitoring and control of traffic passing across the NetScreen firewall to maintain a network's quality-of-service (QoS) level.

    1. The Internet Computer Security Association (ICSA) is an organization focused on all types of network security for Internet-connected companies. Among its many functions, ICSA provides product certification for several kinds of security products such as virus protection, firewall, PKI, intrusion detection, IPSec, and cryptography. ICSA has certified all NetScreen products for firewall and IPSec.

    Note: For information on NetScreen compliance with Federal Information Processing Standards (FIPS) and for instructions on setting a FIPS-compliant NetScreen device in FIPS mode, see the NetScreen-100 Cryptographic Module Security Policy on the documentation CD-ROM.


    NetScreen ScreenOS version 3.0.0 is the operating system that provides all the features needed to set up and manage any NetScreen security appliance or system. The NetScreen Concepts & Examples ScreenOS Reference Guide describes how to configure and manage a NetScreen appliance through ScreenOS.

    [Figure: a NetScreen device between several LANs and the Internet. VPNs: secure communication tunnels between sites for traffic passing through the Internet. Firewall: screening traffic between the protected LAN and the Internet. Traffic Shaping: efficient prioritization of traffic as it traverses the firewall.]

    NETSCREEN DOCUMENTATION

    In addition to the NetScreen Concepts & Examples ScreenOS Reference Guide, there are other technical publications available from NetScreen. These publications are as follows:

    What's New in ScreenOS 3.0.0?

    This manual describes all new features in ScreenOS 3.0.0. In addition, it lists all commands that have been removed since version 2.6.1 and all commands that have remained the same. It also presents full descriptions of all new commands, and all commands that have undergone modification.

    NetScreen WebUI Reference Guide

    This manual presents a brief introduction to the WebUI management application, with a glossary of important technical terms, and general instructions on how to use the application.

    NetScreen CLI Reference Guide

    This manual provides descriptions of all command line interface (CLI) commands. Each command description presents the command's syntax and basic elements, including options, parameters, switches, and element dependencies. The descriptions also provide practical examples of command execution.

    NetScreen-5XP Installer's Guide, NetScreen-10 Installer's Guide, NetScreen-25 Installer's Guide, NetScreen-50 Installer's Guide

    These manuals provide instructions for connecting a NetScreen-5XP, -10, -25, and -50 device respectively to a network, and performing an initial configuration. The instructions explain how to set up the device in Transparent, NAT, or Route mode, how to configure an access policy permitting outbound traffic only, and how to change the admin's login name and password. Each manual also provides an overview of the hardware for each specific platform.


    NetScreen-100 Installer's Guide, NetScreen-204/208 Installer's Guide, NetScreen-500 Installer's Guide, and NetScreen-1000 Installer's Guide

    These manuals provide instructions for connecting a NetScreen-100, -204/208, -500, and -1000 device respectively to a network, and performing an initial configuration. The instructions explain how to set up the device in Transparent, NAT, or Route mode, how to configure an access policy permitting outbound traffic only, and how to change the admin's login name and password. The manual also provides an overview of the hardware, and cabling and configuration instructions for single appliances and redundant appliances using High Availability (HA).

    NetScreen-Remote Administrator's Guide

    This manual provides instructions for installing and using the NetScreen-Remote client software, which allows a remote user to connect with a NetScreen security device through a virtual private network (VPN) tunnel.

    NetScreen Message Log Reference Guide

    This manual documents the log messages that appear in ScreenOS 3.0.0. Each log message entry includes the message text, its meaning, and any recommended action to take upon receiving the message.

    If you find any errors or omissions in the content of this or any other NetScreen manual, please contact us at the e-mail address below: [email protected]
    CONCEPTS & EXAMPLES MANUAL ORGANIZATION

    The following are summaries of each of the chapters in the NetScreen Concepts & Examples ScreenOS Reference Guide:

    Chapter 1, Universal Security Gateway Architecture presents the fundamental elements of USGA, the architecture presented in ScreenOS 3.1.0, and concludes with a four-part example illustrating an enterprise-based configuration incorporating most of those elements. In this and all subsequent chapters, each concept is accompanied by illustrative examples.

    Chapter 2, Zones explains security zones, tunnel zones, and function zones.

    Chapter 3, Interfaces describes the various physical, logical, and virtual interfaces on NetScreen devices, explains the concepts behind Transparent, Network Address Translation (NAT), and Route operational modes, and includes information on various firewall attacks and the attack blocking options that NetScreen provides.

    Chapter 4, System Parameters presents the concepts behind Domain Name System (DNS) addressing; using Dynamic Host Configuration Protocol (DHCP) to assign or relay TCP/IP settings; URL filtering; downloading and uploading system configurations and software; and setting the system clock.

    Chapter 5, Administration explains the different means available for managing a NetScreen device both locally and remotely. This chapter also explains the privileges pertaining to each of the four levels of network administrators that can be defined. Finally, it explains how to secure local and remote administrative traffic.

    Chapter 6, Monitoring NetScreen Devices explains various monitoring methods and provides guidance in interpreting monitoring output.

    Chapter 7, Virtual Routers presents the concept of a virtual router and explains how to configure the virtual routers on the NetScreen device. It also contains information on routing table entries.

    Chapter 8, Building Blocks for Access Policies and VPNs discusses the elements used for creating access policies and virtual private networks (VPNs): addresses (including VIP addresses), users, and services. It also presents several example configurations supporting the H.323 protocol.

    Chapter 9, Access Policies explores the components and functions of access policies and offers guidance on their creation and application.


    Chapter 10, IPSec provides background information about IPSec, presents a flow sequence for Phase 1 in IKE negotiations in Aggressive and Main modes, and concludes with information regarding NAT-Traversal.

    Chapter 11, Public Key Cryptography provides information on how to obtain and load digital certificates and certificate revocation lists (CRLs).

    Chapter 12, Routing-Based VPNs provides extensive examples of routing-based VPN configurations, including hub-and-spoke and back-to-back tunnel designs.

    Chapter 13, Policy-Based VPNs provides extensive examples of policy-based VPN configurations for LAN-to-LAN and client-to-LAN communication using Manual Key and AutoKey IKE mechanisms. It also details how to make use of tunnel interfaces to provide policy-based NAT to traffic flowing through VPN tunnels between sites that have trusted networks with an overlapping address space.

    Chapter 14, L2TP explains the Layer 2 Tunneling Protocol (L2TP), its use alone and in conjunction with IPSec (L2TP-over-IPSec).

    Chapter 15, Policy-Based NAT explains how to provide NAT services for network traffic at the policy level.

    Chapter 16, Traffic Shaping explains how you can manage bandwidth at the interface and Access Policy levels and prioritize services.

    Chapter 17, Virtual Systems presents the concepts of virtual systems and virtual local area networks (VLANs), and explains how to set up virtual systems and create virtual system administrators.

    Chapter 18, High Availability explains how to cable, configure, and manage two or more NetScreen-100, -204/208, -500, or -1000 devices in a redundant group to provide high availability.

    Appendix A, SNMP MIB Files lists and briefly describes the Management Information Base (MIB) files available for MIB compilers.

    Appendix B, Glossary provides a reference for the terms and acronyms used in the Security and Firewall field.

    CONVENTIONS

    This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The conventions used for both are introduced below.

    WebUI Navigation Conventions

    Throughout this book, a double chevron ( >> ) is used to indicate navigation through the WebUI by clicking buttons, tabs, and links.

    Example: Policy >> Incoming >> New Policy

    To access the Policy Configuration dialog box to create an incoming Access Policy, do the following:

    1. Click the Policy button in the menu column.
    2. Click the Incoming tab.
    3. Click the New Policy link.

    The Policy Configuration dialog box appears.

    CLI Conventions

    The CLI conventions are as follows:

    A parameter inside [ ] (square brackets) is optional.
    A parameter inside { } (braces) is required.
    Anything inside < > is a variable.
    If there is more than one choice for a parameter inside [ ] and { }, they are separated by a pipe ( | ). For example, [auth {md5 | sha-1}] means choose either MD5 or SHA-1 as your authentication method.
    IP addresses and subnet masks are represented by variables inside < >.


    For example, when entering a route to the route table for the IP address 2.2.2.2/32 via the untrusted interface, use the following syntax:

    set route interface { trust | untrust | dmz | mgt | tunnel/ } [ gateway ] [ metric ]

    to produce this command:

    set route 2.2.2.2 255.255.255.255 interface untrust

    Because the gateway IP address and the metric² are optional (these arguments are presented within brackets [ ]), you can omit them from the command. In this example, the gateway IP address would be that of a router on the untrusted side through which you want to route traffic bound for 2.2.2.2/32. By not specifying a router, the default router for the untrusted interface is used.

    If you want to see the options following part of a command, press the SPACE key and then type ? (question mark). For example, typing set interface ? displays the following options: trust, untrust, dmz, mgt, ha1, ha2, tunnel, which are the available options that you can enter after typing set interface.

    2. The metric argument specifies the number of hops between the NetScreen-500 and the specified gateway. In this example, you do not specify a gateway; consequently, you do not specify a metric for it. However, even if you do specify a gateway, specifying a metric is optional.

    Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set in t n is enough to enter the command set interface trust nat.
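    The abbreviation rule in the note above, as an added example in Python (this is not code from the NetScreen manual): a resolver that expands each abbreviated word to the single keyword it prefixes, over a grammar built only from the commands this section lists. The grammar, the function names and the exception classes are assumptions. Because the section's own list of set interface options contains both trust and tunnel, a lone t is ambiguous to this resolver and is refused rather than guessed; how the real CLI breaks such a tie is not described here.

```python
"""Added example, not NetScreen code: resolving the abbreviated keywords the CLI
conventions allow against a small keyword tree. The tree holds only keywords this
section lists and is an assumption, not the ScreenOS grammar."""

# Each level maps a full keyword to the keywords that may follow it.
INTERFACE_MODES = {"nat": {}, "route": {}}
GRAMMAR = {
    "set": {
        "interface": {name: INTERFACE_MODES for name in
                      ("trust", "untrust", "dmz", "mgt", "ha1", "ha2", "tunnel")},
        "route": {},
    },
    "get": {"interface": {}, "route": {}},
}


class AmbiguousKeyword(ValueError):
    pass


class UnknownKeyword(ValueError):
    pass


def expand(line, grammar=GRAMMAR):
    """Expand every abbreviated word of `line` to the one keyword it prefixes.

    An exact match wins outright, so "ha1" is not confused with "ha2". A prefix
    that matches several keywords at its position (for example "t" where both
    "trust" and "tunnel" are allowed) is rejected rather than guessed."""
    level, words = grammar, []
    for word in line.split():
        if word in level:
            keyword = word
        else:
            candidates = sorted(k for k in level if k.startswith(word))
            if not candidates:
                raise UnknownKeyword(f"{word!r}: expected one of {sorted(level)}")
            if len(candidates) > 1:
                raise AmbiguousKeyword(f"{word!r} could be any of {candidates}")
            keyword = candidates[0]
        words.append(keyword)
        level = level[keyword]
    return " ".join(words)


def options(line, grammar=GRAMMAR):
    """The keywords valid after `line`, as typing `line ?` would list them."""
    level = grammar
    for word in expand(line, grammar).split():
        level = level[word]
    return sorted(level)
```

    options() reproduces what the section says typing ? shows: the keywords valid after the part of the command already entered, with that part expanded first.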

    Chapter 1
    Universal Security Gateway Architecture

    NetScreen ScreenOS 3.1.0 introduces Universal Security Gateway Architecture (USGA), an architecture that offers great flexibility in designing the layout of your network security. On NetScreen devices with multiple interfaces, you can create numerous security zones and configure access policies to regulate traffic between them. You can bind one or more interfaces to each zone and enable a unique set of management and firewall attack screening options on a per-interface basis. Essentially, USGA allows you to create the number of zones your network environment requires, assign the number of interfaces each zone requires, and design each interface to your specifications.

    This chapter presents an overview of USGA, covering the following key components:

    Multiple Security Zones on page 2
    Security Zone Interfaces on page 3
    Virtual Routers on page 5
    Access Policies on page 7
    VPNs on page 8
    Virtual Systems on page 10

    Furthermore, to better understand the ScreenOS mechanism for processing traffic, you can see the flow sequence for an incoming packet in Packet Flow Sequence on page 13.

    The chapter concludes with a four-part example that illustrates a basic configuration for a NetScreen device using ScreenOS 3.1.0 with USGA.

    Example (Part 1): Enterprise with Six Zones on page 15
    Example (Part 2): Interfaces for Six Zones on page 17
    Example (Part 3): Enterprise with Two Routing Domains on page 22
    Example (Part 4): Access Policies for an Enterprise with Six Zones on page 25

    MULTIPLE SECURITY ZONES

    A security zone is a collection of one¹ or more network segments requiring the regulation of inbound and outbound traffic via access policies. You can define multiple security zones, the exact number of which you determine based on your network needs. In addition to user-defined zones, you can also use the three predefined zones: trust, untrust, and DMZ. In fact, if you upgrade from an earlier version of ScreenOS, all your configurations for the trust, untrust, and DMZ zones remain intact. If you like, you can continue using just the predefined zones. You can also delete all predefined zones² and use user-defined zones exclusively. Optionally, you can use both kinds of zones, predefined and user-defined, side by side. USGA provides the flexibility for you to use and define security zones to best suit your specific needs.

    1. The one security zone that requires no network segment is the global zone. (For more information, see Global Zone on page 33.) Additionally, any zone without an interface bound to it or any address book entries can also be said not to contain any network segments.

    2. If you delete a security zone, you also automatically delete all addresses configured for that zone.

    [Figure: a NetScreen device whose policy engine sits between five security zones: the 3 default zones (Trust, Untrust, DMZ) and 2 user-defined zones (Finance, Eng). Traffic (indicated by black lines) passes from one security zone to another only if a policy permits it.]

    SECURITY ZONE INTERFACES

    An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

    Through the access policies you define, you can permit traffic between zones to flow in one direction or in both³. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.

    To provide a zone with a doorway, you bind an interface to the zone and, for an interface in Route or NAT mode, assign an IP address to the interface. Such interfaces can be of two types: physical interfaces and, for those devices with virtual system support, subinterfaces (that is, a layer 2 instantiation of a physical interface).

    Physical Interfaces

    A physical interface is identified by the position of an interface module and an ethernet port on that module. For example, on the NetScreen-500, the interface ethernet1/2 designates the interface module in the first bay (the 1 in ethernet1/2) and the second port on that module (the 2 in ethernet1/2). A physical interface relates to components that are physically present on the NetScreen device.

    3. For traffic to flow between interfaces bound to the same zone, no policy is required because both interfaces have security equivalency. ScreenOS requires policies for traffic between zones, not within a zone.

    [Figure: Physical Interface Assignments on a four-module device: ports 1/1, 1/2, 2/1, 2/2, 3/1, 3/2, 4/1, 4/2.]

    Subinterfaces

    On devices that support virtual systems, you can logically divide a physical interface into several virtual subinterfaces, each of which borrows the bandwidth it needs from the physical interface from which it stems. A subinterface is an abstraction that functions identically to an interface for a physically present port and is distinguished by 802.1Q VLAN tagging⁴. The NetScreen device directs traffic to and from a zone with a subinterface via its IP address and VLAN tag. For convenience, administrators usually assign a VLAN tag that is the same as the interface number. For example, an interface using VLAN tag 3 and named ethernet1/2.3 refers to the interface module in the first bay, the second port on that module, and interface number 3 (the 3 in ethernet1/2.3).

    Note that although a subinterface shares part of its identity with a physical interface, the zone to which you bind it is not dependent on the zone to which you bind the physical interface. You can bind the subinterface ethernet1/2.3 to a different zone than that to which you bind the physical interface ethernet1/2, or to which you bind ethernet1/2.2. Similarly, there are no restrictions in terms of IP address assignments. The term subinterface does not imply that its address be in a subnet of the address space of the physical interface.

    4. 802.1Q is an IEEE standard that defines the mechanisms for the implementation of virtual bridged LANs and the ethernet frame formats used to indicate VLAN membership via VLAN tagging.

    Note: For more information on interfaces, see Chapter 3, Interfaces.

    [Figure: Subinterface Assignments on the same four-module device: 1/1.1, 1/1.2; 1/2.1, 1/2.2; 2/1.1, 2/1.2; 2/2.1, 2/2.2; 3/1.1, 3/1.2, 3/1.3; 3/2.1, 3/2.2, 3/2.3; 4/1.1, 4/1.2; 4/2.1, 4/2.2.]

    VIRTUAL ROUTERS

    A virtual router (VR) functions identically to a nonvirtual router. It has its own interfaces and its own routing table. In USGA, a NetScreen device supports two virtual routers. This allows the NetScreen device to maintain two separate routing tables and conceal the routing information in one virtual router from the other. For example, virtual router 1, which is typically used for communication with untrusted parties, does not contain any routing information for any of the protected zones, which is maintained by virtual router 2. Thus, no internal network information can be gleaned by the surreptitious extraction of routes from virtual router 1.

    Note: To create additional VRs, you must first obtain and load a virtual router software key on the NetScreen device.

    [Figure: two routing domains joined by route redistribution. The Untrust-VR routing domain (VR1) contains the Untrust and DMZ zones; the Trust-VR routing domain contains the Finance, Trust, and Eng zones. The castle icon represents an interface for a security zone.]

    Route Redistribution

    Each virtual router (VR) maintains a routing table with unique entries for its routing domain. That is, the entries in VR1 are completely different from those maintained in VR2. Because the routing table entries in VR2 cannot be found in VR1, the VR1 routing table must include a route pointing to VR2 for any routes that it does not have and that you want to make accessible for traffic from VR1. (Likewise, the reverse is required for traffic in the other direction; that is, from VR2 to VR1.) The term for this link between the two virtual routers is route redistribution. The entry pointing to VR2 is a summary route (10.10.0.0/16 in the figure below), so VR1 still carries the aggregate internal prefix; what it withholds from the untrusted side is the per-zone detail.

    Note: For more information about virtual routers, see Chapter 7 , Virtual Routers .

    Trust-VR (VR2) Routing Domain

    Zone            Network          To reach        Use
    Finance         10.10.1.0/24     10.10.1.0/24    eth1/1
    Trust           10.10.2.0/24     10.10.2.0/24    eth1/2
    Engineering     10.10.3.0/24     10.10.3.0/24    eth2/1
                                     0.0.0.0/0       VR1

    Untrust-VR (VR1) Routing Domain

    Zone            Network          To reach        Use
    Untrust         210.10.1.0/24    210.10.1.0/24   eth3/1
    DMZ             210.10.2.0/24    210.10.2.0/24   eth4/1
                                     10.10.0.0/16    VR2
                                     0.0.0.0/0       eth3/1

    Route Redistribution: the 0.0.0.0/0 entry in VR2 hands traffic for unknown destinations to VR1, and the 10.10.0.0/16 entry in VR1 hands traffic for the internal networks to VR2.

    ACCESS POLICIES

    Every time a packet attempts to pass from one zone to another, the NetScreen device checks its access control list (ACL) for a policy that permits such traffic. To allow traffic to pass from one security zone to another (for example, from zone A to zone B), you must configure an access policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A. For any traffic to pass from one zone to another, there must be an access policy that permits it.

    Note: For information about access policies, see Chapter 9 , Access Policies .

    [Figure: the policy engine controlling traffic between the Finance, Trust, and Eng zones (Trust-VR routing domain) and the Untrust and DMZ zones (Untrust-VR routing domain), the two domains linked by route redistribution. The black lines represent traffic between security zones.]

    VPNs

    USGA supports several VPN configuration options, some of which allow the separation of virtual private network (VPN) tunnels and access policies⁵. Once configured, such tunnels exist as available resources for securing traffic en route between one security zone and another.

    The main steps for configuring a VPN tunnel independent of any access policy are as follows:

    1. While configuring the VPN tunnel (for example, vpn-to-SF, where SF is the destination or end entity), specify a physical or subinterface on the local device. (The IP address for this interface is what the remote peer must use when configuring its remote gateway.)
    2. Create a tunnel interface (for example, tunnel.1), and bind it to a security zone⁶.
    3. Bind the tunnel interface tunnel.1 to the VPN tunnel vpn-to-SF.
    4. To direct traffic through this tunnel, set up a route stating that traffic to SF must use tunnel.1.

    At this point, the tunnel is ready for traffic bound for SF. You can now set up access policies to permit or block traffic from a specified source to that destination.

    5. In earlier versions of ScreenOS, a VPN policy must explicitly specify tunneling and name a specific VPN tunnel. You can still configure VPN policies this way in ScreenOS 3.1.0. However, you can also configure policies that only permit or deny traffic between two security zones. If permitted, that traffic is tunneled if the route to the specified destination points to an interface bound to a VPN tunnel.

    6. You do not have to bind the tunnel interface to the same zone from which VPN traffic originates locally. Traffic from any zone can access a tunnel interface if a route points to that interface.

    [Figure: a packet arriving in the source zone is matched against the routing table, which directs it to the tunnel interface bound to the VPN tunnel; the policy engine decides whether it is sent on to the destination zone.]


    [Figure: route-based VPN from the local device to the SF LAN.]

    Local device
      Zone Finance: eth1/1, 10.10.1.1/24
      Zone Untrust: eth3/1, 210.10.1.1/24; tunnel interface tunnel.1, bound to VPN tunnel vpn-to-SF; default gateway 210.10.1.2
      Remote site: SF LAN, 10.20.2.0/24

    VR2 (Trust virtual router) routing table
      To reach        Use
      10.20.2.0/24    tunnel.1
      10.10.1.0/24    eth1/1
      0.0.0.0/0       VR1

    VR1 (Untrust virtual router) routing table
      To reach        Use
      210.10.1.0/24   eth3/1
      0.0.0.0/0       210.10.1.2 (via eth3/1)

    Traffic from security zone Finance to the SF LAN in security zone Untrust is routed to the tunnel interface tunnel.1. Because tunnel.1 is bound to VPN tunnel vpn-to-SF, the traffic is sent through that tunnel to the remote gateway at the SF LAN.

    VIRTUAL SYSTEMS

    Zones in a Virtual System

    When a root-level admin creates a virtual system, the following zones are automatically inherited or created:

    Shared Untrust Zone (inherited from the root system)
    Shared Null Zone (inherited from the root system)
    Trust-<vsys name> Zone
    Untrust-Tun-<vsys name> Zone
    Self-<vsys name> Zone
    Global-<vsys name> Zone

    All virtual systems share the untrust and null zones with the root system. Note that because the root system and all virtual systems share the untrust zone, they also share the address book for the untrust zone.

    All other zones in a vsys are owned by that vsys.

    In addition, a root-level admin can create one user-defined zone for each virtual system.

    Interfaces

    A virtual system can have any of the following three types of interfaces bound to the untrust zone:

    One or more vsys can share the physical interface that is bound to the untrust zone with the root system.
    A vsys can have its own subinterface bound to the untrust zone, and use VLAN tagging as the means for trunking⁸ inbound and outbound traffic.
    A vsys can have its own physical interface bound to the untrust zone or to the trust-<vsys name> zone.

    You can bind one, two, or all three of the above interface types to the untrust zone concurrently. You can also bind multiple interfaces of each type to the untrust zone.

    Note: For information on each of these zone types, see Chapter 2, Zones.

    8. VLAN trunking allows one physical interface to support multiple logical subinterfaces, each of which must be identified by a unique VLAN tag. The VLAN identifier (tag) on an incoming ethernet frame indicates its intended subinterface, and hence the virtual system, to which it is destined.


    You can bind either a subinterface (with VLAN tagging to trunk traffic) or a physical interface to the trust-<vsys name> zone. You can also bind multiple interfaces of each type to these zones.
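    The 802.1Q classification described under Subinterfaces and in footnote 8 above, as an added example in Python (not NetScreen code): parse the VLAN tag of a frame received on a physical port and map (port, VLAN ID) to the subinterface, the zone it is bound to and the vsys that owns it. The frame bytes are constructed here; the Bindings table, its method names and the ethernet1/2.2 and ethernet1/2.3 bindings it is exercised with are assumptions modelled on the chapter's naming. Two edge cases the prose does not spell out are handled: a priority-tagged frame (VID 0) carries no VLAN membership and is treated as untagged on the physical interface, and a tag that matches no subinterface on that port is dropped rather than falling back to the physical interface.

```python
"""Added example, not NetScreen code: classifying a frame received on a physical
port to the subinterface, zone and owning vsys that its 802.1Q VLAN tag selects.
The frame bytes are constructed here; the binding table is an assumption shaped
like the chapter's ethernet1/2.3 example."""
import struct

TPID_8021Q = 0x8100


def parse_vlan(frame):
    """Return (vlan_id, priority, ethertype, payload); vlan_id is None when the
    frame is untagged or only priority-tagged (VID 0 carries no membership)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    vid, pcp = tci & 0x0FFF, tci >> 13
    if vid == 0xFFF:
        raise ValueError("reserved VID 4095")
    return (vid or None), pcp, inner_type, frame[18:]


class Bindings:
    """Interface bindings named as ScreenOS does: ethernet1/2 is the physical port,
    ethernet1/2.3 a subinterface on it carrying VLAN tag 3."""

    def __init__(self):
        self.owner = {}     # interface -> (zone, vsys)
        self.by_tag = {}    # (physical port, VLAN id) -> subinterface

    def bind(self, interface, zone, vsys="root", vlan_tag=None):
        self.owner[interface] = (zone, vsys)
        if vlan_tag is not None:
            self.by_tag[(interface.split(".")[0], vlan_tag)] = interface

    def classify(self, port, frame):
        """Map an ingress port plus frame to (interface, zone, vsys), or None if
        the tag selects no subinterface on that port (the frame is dropped)."""
        vid = parse_vlan(frame)[0]
        interface = port if vid is None else self.by_tag.get((port, vid))
        if interface not in self.owner:
            return None
        return (interface,) + self.owner[interface]


def make_frame(vid=None, payload=b"", pcp=0):
    """Constructed sample frame with dummy MAC addresses and an IPv4 ethertype."""
    header = bytes.fromhex("0010db1fca5e" "00107e1c2b3a")
    if vid is None:
        return header + struct.pack("!H", 0x0800) + payload
    return header + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, 0x0800) + payload
```

    The lookup is keyed on the physical port as well as the VLAN ID, so the same tag arriving on a different port does not select the subinterface; that is what keeps a vsys reachable only through the trunk port its subinterface was created on.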

    Virtual Routers

    When a root-level admin creates a virtual system, the vsys automatically has the following two virtual routers available for its use:

    A shared virtual router: untrust-vr. In the same way that a vsys and the root system share the untrust zone, they also share untrust-vr, which maintains the routing information for that zone.

    Its own virtual router: <vsys name>-vr. This is a vsys-specific virtual router that, by default, maintains the routing table for the trust-<vsys name> zone.

    If you, as a root-level administrator, want all of the vsys zones to be in the untrust-vr routing domain (for example, if all the interfaces bound to the vsys-trust zone are in Route mode), you can dispense with the trust-vr by changing the zone bindings from the trust-vr to the untrust-vr. For more information on virtual routers, see Chapter 7, Virtual Routers.

    Note: ScreenOS 3.1.0 does not support user-defined virtual routers within a vsys.


PACKET FLOW SEQUENCE

In USGA, the flow sequence of an incoming packet progresses as illustrated below.

[Figure: packet flow sequence. Incoming Packet -> (1) Incoming Interface and Source Zone (if network traffic, source zone = security zone to which the interface or subinterface is bound; if VPN traffic to a tunnel interface bound to a VPN tunnel, source zone = security zone in which the tunnel interface is configured; if VPN traffic to a tunnel interface in a tunnel zone, source zone = carrier zone) -> (2) MIP/VIP Host IP -> (3) Route Lookup against the Route Table (for example 10.10.10.0/24 eth1/1, 0.0.0.0/0 untrust-vr) giving the Destination Interface and Destination Zone (if the destination zone is a security zone, use that zone for the policy lookup; if it is a tunnel zone, use its carrier zone) -> (4) Policy Lookup in the ACL (src, dst, service, action) -> (5) Src Addr Translation -> (6) Permit = forward packet, Deny = drop packet, Tunnel = use the specified tunnel for VPN encryption.]


1. The interface module identifies the incoming interface and, consequently, the source zone to which the interface is bound.

The source zone determination is based on the following criteria:

If the packet is not encapsulated, the source zone is the security zone to which the incoming interface or subinterface is bound.

If the packet is encapsulated and the tunnel interface is bound to a VPN tunnel, the source zone is the security zone in which the tunnel interface is configured.

If the packet is encapsulated and the tunnel interface is in a tunnel zone, the source zone is the corresponding carrier zone (a security zone that carries a tunnel zone) for that tunnel zone.

2. If a mapped IP (MIP) or virtual IP (VIP) address is used, the address-mapping module resolves the MIP or VIP so that the routing table can search for the actual host address.

3. The route table lookup finds the destination interface that leads to the destination address. In so doing, the interface module identifies the destination zone to which that interface is bound.

The destination zone determination is based on the following criteria:

If the destination zone is a security zone, that zone is used for the policy lookup.

If the destination zone is a tunnel zone, the corresponding carrier zone is used for the policy lookup.

4. The policy engine searches the access control list (ACL) for a policy between the addresses in the identified source and destination zones.

The action configured in the policy determines what the NetScreen firewall does with the packet:

If the action is permit, the firewall will forward the packet to its destination.

If the action is deny, the firewall will drop the packet.

If the action is tunnel, the firewall will forward the packet to the VPN module, which encapsulates the packet and transmits it using the specified VPN tunnel settings.

5. If source address translation is specified (either interface-based NAT or policy-based NAT), the NAT module translates the source address before forwarding it either to its destination or to the VPN module.

6. The NetScreen device performs the action specified in the access policy.


Example (Part 1): Enterprise with Six Zones

This is the first part of an ongoing example. For the next part, in which the interfaces for each zone are set, see Example (Part 2): Interfaces for Six Zones on page 17. Here you configure the following six zones for an enterprise:

The zones Trust, Untrust, and DMZ are preconfigured. You must configure the zones Finance, Eng, and Mail. By default, a user-configured zone is placed in the virtual router trust-vr. Thus, you do not have to specify a virtual router for the Finance and Eng zones. However, in addition to configuring the Mail zone, you must also specify that it be in the virtual router untrust-vr (9). For both the DMZ and the Mail zones, you enable intra-zone blocking.

[Figure: the six zones. Trust-VR routing domain: Finance, Trust, Eng. Untrust-VR routing domain: Mail, Untrust, DMZ.]

9. For more information on virtual routers and their routing domains, see Chapter 7, Virtual Routers.


WebUI

    1. Zone >> New Entry: Enter the following, and then click OK :

    Name: Finance

    Virtual Router Name: trust-vr

    Zone Type: Regular: (select)

    2. Zone >> New Entry: Enter the following, and then click OK :

    Name: Eng

Virtual Router Name: trust-vr

Zone Type: Regular: (select)

    3. Zone >> New Entry: Enter the following, and then click OK :

    Name: Mail

    Intra-Zone Blocking: (select)

    Virtual Router Name: untrust-vr

    Zone Type: Regular: (select)

    4. Zone >> Edit (for DMZ): Select Intra-Zone Blocking , and then click OK .

CLI

1. set zone name finance
2. set zone name eng
3. set zone name mail
4. set zone mail vrouter untrust-vr
5. set zone mail block
6. set zone dmz block
7. save


Example (Part 2): Interfaces for Six Zones

This is the second part of an ongoing example. For the first part, in which zones are configured, see Example (Part 1): Enterprise with Six Zones on page 15. For the next part, in which virtual routers are configured, see Example (Part 3): Enterprise with Two Routing Domains on page 22. This part of the example demonstrates how to configure interfaces and bind them to zones.

[Figure: zones, interface addresses, and interfaces for the six-zone example:
Finance 10.10.1.1/24 eth3/2.1
Trust 10.10.2.1/24 eth3/2
Eng 10.10.3.1/24 eth3/1
DMZ 210.10.4.1/24 eth2/2
Untrust 210.10.3.1/24 eth1/2
Mail 210.10.1.1/24 eth1/1 and 210.10.2.2/24 eth1/1.2]


WebUI

Interface ethernet3/2

    1. Interface >> Physical >> Edit (for ethernet3/2): Enter the following, and then click Save :

    IP Address: 10.10.2.1

    Netmask: 255.255.255.0

    Zone Name: Trust

    Interface Mode: NAT (select)

    Management Services: WebUI, Telnet, SNMP, SCS (select)

    Other Services: Ping (select)

Interface ethernet3/2.1

    2. Interface >> Physical >> New Sub-i/f (for ethernet3/2): Enter the following, and then click Save :

Interface Name: ethernet3/2.1

IP Address: 10.10.1.1

Netmask: 255.255.255.0

    VLAN Tag: 1

    Zone Name: Finance

    Interface Mode: NAT (select)

Other Services: Ping (select)

Interface ethernet3/1

    3. Interface >> Physical >> Edit (for ethernet3/1): Enter the following, and then click Save :

    IP Address: 10.10.3.1

    Netmask: 255.255.255.0


    Zone Name: Eng

    Interface Mode: NAT (select)

Other Services: Ping (select)

Interface ethernet1/1

    4. Interface >> Physical >> Edit (for ethernet1/1): Enter the following, and then click Save :

    IP Address: 210.10.1.1

    Netmask: 255.255.255.0

Zone Name: Mail

Interface ethernet1/1.2

    5. Interface >> Physical >> Sub-i/f (for ethernet1/1): Enter the following, and then click Save :

Interface Name: ethernet1/1.2

    IP Address: 210.10.2.2

Netmask: 255.255.255.0

VLAN Tag: 2

    Zone Name: Mail

Interface ethernet1/2

    6. Interface >> Physical >> Edit (for ethernet1/2): Enter the following, and then click Save :

IP Address: 210.10.3.1

Netmask: 255.255.255.0

    Zone Name: Untrust

    Management Services: SNMP (select)


Interface ethernet2/2

    7. Interface >> Physical >> Edit (for ethernet2/2): Enter the following, and then click Save :

IP Address: 210.10.4.1

Netmask: 255.255.255.0

    Zone Name: DMZ

CLI

Interface ethernet3/2

8. set interface eth3/2 zone trust
9. set interface eth3/2 ip 10.10.2.1/24
10. set interface eth3/2 nat
11. set interface eth3/2 manage ping
12. set interface eth3/2 manage webui
13. set interface eth3/2 manage telnet
14. set interface eth3/2 manage snmp
15. set interface eth3/2 manage scs

Interface ethernet3/2.1

1. set interface eth3/2.1 zone finance
2. set interface eth3/2.1 ip 10.10.1.1/24 tag 1
3. set interface eth3/2.1 nat
4. set interface eth3/2.1 manage ping


Interface ethernet3/1

    5. set interface eth3/1 zone eng

6. set interface eth3/1 ip 10.10.3.1/24
7. set interface eth3/1 nat
8. set interface eth3/1 manage ping

Interface ethernet1/1

9. set interface eth1/1 zone mail
10. set interface eth1/1 ip 210.10.1.1/24

Interface ethernet1/1.2

11. set interface eth1/1.2 zone mail
12. set interface eth1/1.2 ip 210.10.2.2/24 tag 2

Interface ethernet1/2

13. set interface eth1/2 zone untrust
14. set interface eth1/2 ip 210.10.3.1/24
15. set interface eth1/2 manage snmp

Interface ethernet2/2

16. set interface eth2/2 zone dmz
17. set interface eth2/2 ip 210.10.4.1/24
18. save


Example (Part 3): Enterprise with Two Routing Domains

This is the third part of an ongoing example. For the previous part, in which interfaces for the various security zones are defined, see Example (Part 2): Interfaces for Six Zones on page 17. For the next part, in which the access policies are set, see Example (Part 4): Access Policies for an Enterprise with Six Zones on page 25. In this example, you only have to configure a route for the default gateway to the internet. The other routes are automatically created by the NetScreen device when you create the interface IP addresses.

[Figure: two routing domains. Trust-VR routing domain: Finance 10.10.1.1/24 eth3/2.1 (NAT), Trust 10.10.2.1/24 eth3/2 (NAT), Eng 10.10.3.1/24 eth3/1 (NAT). Untrust-VR routing domain: Mail 210.10.1.1/24 eth1/1 (Route) and 210.10.2.2/24 eth1/1.2 (Route), Untrust 210.10.3.1/24 eth1/2 (Route) with gateway 210.10.3.254 to the Internet, DMZ 210.10.4.1/24 eth2/2 (Route). Route redistribution connects the two domains.]


WebUI

    1. Routing >> Route Table >> New Entry: Enter the following, and then click OK :

    Virtual Router Name: untrust-vr

    Network Address: 0.0.0.0

    Netmask: 0.0.0.0

    Gateway IP Address: 210.10.2.254

    Interface: ethernet1/2(untrust-vr)

CLI

1. set vrouter untrust-vr route 0.0.0.0/0 interface eth1/2 gateway 210.10.3.254
2. save

    To see the route table entries for the ongoing example, look at the tables on the next page.


The NetScreen device automatically creates the following routes; the only user-configured entry is the default route in the untrust-vr table, as noted:

Trust-VR route table:

To Reach:     Use Interface:   Use Gateway:
0.0.0.0/0     n/a              Untrust-VR
10.10.3.0/24  eth3/1           0.0.0.0
10.10.2.0/24  eth3/2           0.0.0.0
10.10.1.0/24  eth3/2.1         0.0.0.0

Untrust-VR route table:

To Reach:      Use Interface:   Use Gateway:
210.10.4.0/24  eth2/2           0.0.0.0
210.10.3.0/24  eth1/2           0.0.0.0
210.10.2.0/24  eth1/1.2         0.0.0.0
210.10.1.0/24  eth1/1           0.0.0.0
0.0.0.0/0      eth1/2           210.10.3.254   Note: This is the only user-configured entry.


Example (Part 4): Access Policies for an Enterprise with Six Zones

This is the last part of an ongoing example. The previous part is Example (Part 3): Enterprise with Two Routing Domains on page 22. This part of the example demonstrates how to configure new access policies.

For the purpose of this example, before you begin configuring new access policies, you need to create new service groups.

    Note: When you create a zone, the NetScreen device automatically creates the address Any for all hosts within that zone. This example makes use of the address Any for the hosts.

[Figure: the policy engine mediating traffic among the Finance, Trust, Eng, DMZ, Untrust, and Mail zones, with route redistribution between the two routing domains.]


WebUI

Service Groups

1. Service >> Custom >> New Group: Enter the following, and then click OK:

Group Name: Mail-Pop3

Group Members: Mail, POP3

2. Service >> Custom >> New Group: Enter the following, and then click OK:

Group Name: HTTP-FTPGet

Group Members: HTTP, FTP-Get

Access Policies

3. Policy (From Zone: Finance, To Zone: Mail) >> New Policy: Enter the following, and then click OK:

    Source Address: Any

    Destination Address: Any

    Service: Mail-Pop3

    Action: Permit

    4. Policy (From Zone: Trust, To Zone: Mail) >> New Policy: Enter the following, and then click OK:

    Source Address: Any

    Destination Address: Any

    Service: Mail-Pop3


    Action: Permit

    5. Policy (From Zone: Eng, To Zone: Mail) >> New Policy: Enter the following, and then click OK:

Source Address: Any

Destination Address: Any

    Service: Mail-Pop3

    Action: Permit

    6. Policy (From Zone: Untrust, To Zone: Mail) >> New Policy: Enter the following, and then click OK:

    Source Address: Any

    Destination Address: Any

    Service: Mail

    Action: Permit

    7. Policy (From Zone: Finance, To Zone: Untrust) >> New Policy: Enter the following, and then click OK:

    Source Address: Any

Destination Address: Any

Service: HTTP-FTPGet

    Action: Permit

    8. Policy (From Zone: Finance, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:

    Source Address: Any

Destination Address: Any

Service: HTTP-FTPGet

    Action: Permit

    9. Policy (From Zone: Trust, To Zone: Untrust) >> New Policy: Enter the following, and then click OK:

    Source Address: Any


    Destination Address: Any

    Service: HTTP-FTPGet

Action: Permit

10. Policy (From Zone: Trust, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:

    Source Address: Any

    Destination Address: Any

    Service: HTTP-FTPGet

    Action: Permit

    11. Policy (From Zone: Eng, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:

    Source Address: Any

    Destination Address: Any

    Service: HTTP-FTPGet

    Action: Permit

12. Policy (From Zone: Eng, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:

Source Address: Any

    Destination Address: Any

    Service: FTP-Put

    Action: Permit

13. Policy (From Zone: Untrust, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:

Source Address: Any

    Destination Address: Any

    Service: HTTP-FTPGet

    Action: Permit


CLI

Service Groups

1. set group service mail-pop3 add mail
2. set group service mail-pop3 add pop3
3. set group service http-ftpget add http
4. set group service http-ftpget add ftpget

Access Policies

5. set policy from finance to mail any any mail-pop3 permit
6. set policy from trust to mail any any mail-pop3 permit
7. set policy from eng to mail any any mail-pop3 permit
8. set policy from untrust to mail any any mail permit
9. set policy from finance to untrust any any http-ftpget permit
10. set policy from finance to dmz any any http-ftpget permit
11. set policy from trust to untrust any any http-ftpget permit
12. set policy from trust to dmz any any http-ftpget permit
13. set policy from eng to untrust any any http-ftpget permit
14. set policy from eng to dmz any any http-ftpget permit
15. set policy from eng to dmz any any ftp-put permit
16. set policy from untrust to dmz any any http-ftpget permit

    17. save
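The six-step packet flow sequence from Chapter 1, run over the interfaces, routes, service groups, and policies of this four-part example. This is an added illustration, not ScreenOS code: it models steps 1, 3, 4, and 6 (MIP/VIP resolution and NAT are left out), assumes first-match policy lookup with an implicit deny when no policy matches, and the packets it classifies are constructed sample input.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface -> (zone, VLAN tag) from Example Part 2. A tagged frame selects the
# subinterface carrying that tag; an untagged frame selects the physical port.
INTERFACES = {
    "eth3/2": ("Trust", None), "eth3/2.1": ("Finance", 1),
    "eth3/1": ("Eng", None), "eth1/1": ("Mail", None),
    "eth1/1.2": ("Mail", 2), "eth1/2": ("Untrust", None),
    "eth2/2": ("DMZ", None),
}
ZONE_VR = {"Trust": "trust-vr", "Finance": "trust-vr", "Eng": "trust-vr",
           "Mail": "untrust-vr", "Untrust": "untrust-vr", "DMZ": "untrust-vr"}
CARRIER = {"Untrust-Tun": "Untrust"}   # tunnel zone -> carrier zone (default)
# Route tables from Example Part 3: (prefix, interface, gateway). A gateway that
# names another virtual router hands the lookup to that router's table.
ROUTES = {
    "trust-vr": [("10.10.3.0/24", "eth3/1", None), ("10.10.2.0/24", "eth3/2", None),
                 ("10.10.1.0/24", "eth3/2.1", None), ("0.0.0.0/0", None, "untrust-vr")],
    "untrust-vr": [("210.10.4.0/24", "eth2/2", None), ("210.10.3.0/24", "eth1/2", None),
                   ("210.10.2.0/24", "eth1/1.2", None), ("210.10.1.0/24", "eth1/1", None),
                   ("0.0.0.0/0", "eth1/2", "210.10.3.254")],
}
SERVICE_GROUPS = {"mail-pop3": {"mail", "pop3"}, "http-ftpget": {"http", "ftpget"}}
# (from zone, to zone, service or group, action) from Example Part 4.
POLICIES = [
    ("Finance", "Mail", "mail-pop3", "permit"), ("Trust", "Mail", "mail-pop3", "permit"),
    ("Eng", "Mail", "mail-pop3", "permit"), ("Untrust", "Mail", "mail", "permit"),
    ("Finance", "Untrust", "http-ftpget", "permit"), ("Finance", "DMZ", "http-ftpget", "permit"),
    ("Trust", "Untrust", "http-ftpget", "permit"), ("Trust", "DMZ", "http-ftpget", "permit"),
    ("Eng", "Untrust", "http-ftpget", "permit"), ("Eng", "DMZ", "http-ftpget", "permit"),
    ("Eng", "DMZ", "ftp-put", "permit"), ("Untrust", "DMZ", "http-ftpget", "permit"),
]
BLOCKED_INTRA = {"Mail", "DMZ"}   # zones with intra-zone blocking enabled (Part 1)


@dataclass
class Packet:
    iface: str                        # physical ingress port
    vlan: Optional[int]               # 802.1Q tag, None if untagged
    dst: str
    service: str
    tunnel_zone: Optional[str] = None # set when the packet arrived via a tunnel zone


def source_zone(pkt):
    """Step 1: ingress interface (or tagged subinterface) -> source zone."""
    if pkt.tunnel_zone is not None:            # tunnel zone: use its carrier zone
        return CARRIER.get(pkt.tunnel_zone, pkt.tunnel_zone)
    for name, (zone, tag) in INTERFACES.items():
        if name.split(".")[0] == pkt.iface and tag == pkt.vlan:
            return zone
    raise ValueError(f"no interface for {pkt.iface} tag {pkt.vlan}")


def route_lookup(vr, dst):
    """Step 3: longest-prefix match, following a handoff to another VR."""
    addr = ip_address(dst)
    best = None
    for prefix, iface, gw in ROUTES[vr]:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        return None
    _, iface, gw = best
    if iface is None and gw in ROUTES:         # route points at another virtual router
        return route_lookup(gw, dst)
    return iface


def service_matches(policy_svc, svc):
    return svc == policy_svc or svc in SERVICE_GROUPS.get(policy_svc, set())


def policy_lookup(src_zone, dst_zone, svc):
    """Step 4: first matching policy wins; no match means the packet is dropped."""
    if src_zone == dst_zone and src_zone not in BLOCKED_INTRA:
        return "permit"   # intra-zone traffic passes unless blocking is enabled
    for f, t, s, action in POLICIES:
        if f == src_zone and t == dst_zone and service_matches(s, svc):
            return action
    return "deny"


def flow(pkt):
    """Run the sequence; return (source zone, egress interface, dest zone, action)."""
    src = source_zone(pkt)
    egress = route_lookup(ZONE_VR[src], pkt.dst)
    if egress is None:
        return (src, None, None, "deny")
    dst = INTERFACES[egress][0]
    return (src, egress, dst, policy_lookup(src, dst, pkt.service))
```

The Untrust-to-Mail case shows why the service matters: the policy permits only mail, so POP3 from the Untrust zone is dropped even though a route to the Mail zone exists.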

Chapter 2

Zones

A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone). This chapter examines each type of zone, with particular emphasis given to the security zone, and is organized into the following sections:

Security Zones on page 33

Tunnel Zones on page 34

Function Zones on page 37

    When you first boot up a NetScreen device, you can see a number of preconfigured zones. In the WebUI, click Zone in the menu column on the left. In the CLI, use the get zone command.


    The output of the get zone command:

The preconfigured zones shown above can be grouped into three different types:

Security Zones: Untrust, Trust, DMZ, Global, V1-Untrust, V1-Trust, V1-DMZ

Tunnel Zone: Untrust-Tun

Function Zones: Null, Self, MGT, HA

ns500-> get zone
Total of 12 zones in vsys root
------------------------------------------------------------------------
Id  Name         Type  Attr    VR          Default-If   vsys
0   Null         Null  Shared  trust-vr    null         Root
1   Untrust      Reg   Shared  untrust-vr  ethernet1/2  Root
2   Trust        Reg           trust-vr    ethernet3/2  Root
3   DMZ          Reg           untrust-vr  ethernet2/2  Root
4   Self         Reg           trust-vr    self         Root
5   MGT          Reg           trust-vr    mgt          Root
6   HA           Reg           trust-vr    ha1          Root
10  Global       Reg           trust-vr    null         Root
11  V1-Untrust   L2            trust-vr    v1-untrust   Root
12  V1-Trust     L2            trust-vr    v1-trust     Root
13  V1-DMZ       L2            trust-vr    v1-dmz       Root
16  Untrust-Tun  Tun           trust-vr    tunnel       Root
------------------------------------------------------------------------

Notes on the table:

The zones Untrust, Trust, and DMZ and the zones V1-Untrust, V1-Trust, and V1-DMZ provide backward compatibility when upgrading to ScreenOS 3.1.0: the top three for devices in NAT or Route mode, the bottom three for devices in Transparent mode.

The root and virtual systems share the zones marked Shared in the Attr column.

The Global zone does not and cannot have an interface.

By default, VPN tunnel interfaces are bound to the Untrust-Tun zone, whose carrier zone is the Untrust zone. (When upgrading to ScreenOS 3.1.0, existing tunnels are bound to the Untrust-Tun zone.)

Zone ID numbers 7-9 and 14-15 are reserved for future use.
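A parser for the get zone table above, added here as an example (it is not ScreenOS code). It handles the Attr column being blank for unshared zones, checks the row count against the "Total of N zones" line so a truncated capture is noticed, and groups zones the way this chapter does, which the Type column alone cannot do (Self, MGT, and HA print as Reg). The sample text is copied from the output above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample copied from the "get zone" output shown above.
SAMPLE_OUTPUT = """\
ns500-> get zone
Total of 12 zones in vsys root
------------------------------------------------------------------------
Id  Name         Type  Attr    VR          Default-If   vsys
0   Null         Null  Shared  trust-vr    null         Root
1   Untrust      Reg   Shared  untrust-vr  ethernet1/2  Root
2   Trust        Reg           trust-vr    ethernet3/2  Root
3   DMZ          Reg           untrust-vr  ethernet2/2  Root
4   Self         Reg           trust-vr    self         Root
5   MGT          Reg           trust-vr    mgt          Root
6   HA           Reg           trust-vr    ha1          Root
10  Global       Reg           trust-vr    null         Root
11  V1-Untrust   L2            trust-vr    v1-untrust   Root
12  V1-Trust     L2            trust-vr    v1-trust     Root
13  V1-DMZ       L2            trust-vr    v1-dmz       Root
16  Untrust-Tun  Tun           trust-vr    tunnel       Root
------------------------------------------------------------------------
"""

# Function zones are identified by name; their Type column is not distinctive.
FUNCTION_ZONES = {"Null", "Self", "MGT", "HA"}


@dataclass
class Zone:
    id: int
    name: str
    type: str
    shared: bool
    vrouter: str
    default_if: str
    vsys: str

    @property
    def category(self) -> str:
        """'security', 'tunnel', or 'function', as grouped in the text above."""
        if self.name in FUNCTION_ZONES:
            return "function"
        return "tunnel" if self.type == "Tun" else "security"


def parse_get_zone(output: str) -> List[Zone]:
    """Parse table rows; the Attr column is empty for zones that are not shared."""
    zones = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows start with a numeric Id; skip prompt, summary, rule and header.
        if not fields or not fields[0].isdigit():
            continue
        if len(fields) == 7:            # Attr present ("Shared")
            zid, name, ztype, attr, vr, dif, vsys = fields
        elif len(fields) == 6:          # Attr column blank
            zid, name, ztype, vr, dif, vsys = fields
            attr = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        zones.append(Zone(int(zid), name, ztype, attr == "Shared", vr, dif, vsys))
    return zones


def declared_count(output: str) -> Optional[int]:
    """The N from the 'Total of N zones' summary line, or None if absent."""
    m = re.search(r"Total of (\d+) zones", output)
    return int(m.group(1)) if m else None


def complete_capture(output: str) -> bool:
    """True when the parsed row count equals the declared total."""
    return declared_count(output) == len(parse_get_zone(output))


def shared_zones(zones: List[Zone]) -> List[str]:
    return [z.name for z in zones if z.shared]


def zones_without_interface(zones: List[Zone]) -> List[str]:
    """Zones whose Default-If is 'null' have no interface of their own."""
    return [z.name for z in zones if z.default_if == "null"]
```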


SECURITY ZONES

On a single NetScreen device, you can configure multiple security zones, sectioning the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. You can also define many security zones, bringing finer granularity to your network security design without deploying multiple security appliances to do so.

Global Zone

You can identify a security zone because it has an address book and can be referenced in access policies. The global zone satisfies these criteria. However, it does not have one element that all other security zones do have: an interface. The global zone serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. Because traffic going to these addresses is mapped to other addresses, the global zone does not require an interface for traffic to flow through it.

Note: When configuring a policy for a MIP or VIP, you can specify the global zone as the destination zone. If you specify the security zone to which the MIP or VIP maps the traffic it receives as the destination, the policy engine automatically changes it to global.


TUNNEL ZONES

A tunnel zone is a logical segment that hosts one or more tunnel interfaces. A tunnel zone is associated with a security zone that acts as its carrier. The NetScreen device uses the routing information for the carrier zone to direct traffic to the tunnel endpoint. The default tunnel zone is Untrust-Tun, and it is associated with the Untrust zone. You can create other tunnel zones and bind them to other security zones, with a maximum of one tunnel zone per carrier zone per virtual system (1).

By default, a tunnel zone is in the Trust-VR routing domain, but you can also move a tunnel zone into another routing domain.

Creating a Security Zone

To create a security zone or tunnel zone, do either of the following:

WebUI

    Zone >> New Entry: Enter the following, and then click OK :

    Name: Type a name for the zone.

Block Intra-Zone Traffic: Select this if you want to block traffic between hosts within the same security zone. By default, intra-zone blocking is disabled.

Virtual Router Name: Select the virtual router in whose routing domain you want to place the zone.

Zone Type: Select Regular to create a zone to which you can bind interfaces in NAT or Route mode. Select Layer 2 to create a zone to which you can bind interfaces in Transparent mode. Select Tunnel Out Zone when creating a tunnel zone and binding it to a carrier zone, and then select a specific carrier zone from the drop-down list.

    1. The root system and all virtual systems can share the Untrust zone. However, each system has its own separate Untrust-Tun zone.


CLI

    set zone name [ l2 | tunnel ]

set zone block

set zone vrouter

Modifying a Security Zone

To modify the ID number or name of a security zone or tunnel zone, you must first delete the zone (2), and then create it again with the new name. To change the intra-zone blocking option or to change the virtual router, you can modify those settings on the existing zone.

WebUI

Modifying the Zone Name

1. Zone: Click Remove (for the zone whose ID number or name you want to modify).
2. When the prompt appears, asking for confirmation of the removal, click Yes.
3. Zone >> New Entry: Enter the zone settings, modifying the ID number or name, and then click OK.

Changing the Intra-Zone Blocking Option or Virtual Router

    1. Zone >> Edit (for the zone that you want to modify): Enter the following, and then click OK :

    Intra-Zone Blocking: To enable, select the check box. To disable, clear it.

Virtual Router Name: From the drop-down list, select the virtual router into whose routing domain you want to move the zone.

    2. Before you can remove a zone, you must first unbind all interfaces bound to it.

CLI

Modifying the Zone Name

1. unset zone
2. set zone name [ l2 | tunnel ]

Changing the Intra-Zone Blocking Option or Virtual Router

    { set | unset } zone block

    set zone vrouter

Deleting a Security Zone

To delete a security zone or tunnel zone, do either of the following (3):

WebUI

1. Zone: Click Remove (for the zone you want to delete).
2. When the prompt appears, asking for confirmation of the removal, click Yes.

CLI

    unset zone

    3. Before you can remove a zone, you must first unbind all interfaces bound to it.


FUNCTION ZONES

The four function zones are Null, MGT, HA, and Self. Each zone exists for a single purpose, as explained below.

Null Zone

This zone serves as temporary storage for any interfaces that are not bound to any other zone.

MGT Zone

This zone hosts the out-of-band management interface, MGT.

HA Zone

This zone hosts the high availability interfaces, HA1 and HA2.

Self Zone

This zone hosts the interface for remote management connections. When you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.

    Note: Although you can set interfaces for the MGT and HA zones, the zones themselves are not configurable.

Chapter 3

Interfaces

Creating an interface is the next step following the creation of a zone. You must create an interface and bind it to a zone to allow traffic to flow in and out of the zone. Then, you must set routes and configure access policies to allow traffic to pass from interface to interface. Physical interfaces and subinterfaces, like doorways, allow traffic to enter and exit a zone. You can assign multiple interfaces to a zone, but an interface can only be assigned to one zone.

For more information on configuring access policies, see Access Policies on page 241, and Policy-Based VPNs on page 375 for VPN tunnels. For more information on configuring routes, see Virtual Routers on page 165. The great flexibility of USGA enables you to set DHCP service and firewall options on a per interface basis.

    This chapter contains the following sections:

Interface Types on page 40

Interface Settings and Operational Modes on page 45

Secondary IP Addresses on page 63

Management Services Options on page 65

Interface Services Options on page 66

Firewall Options on page 67

Configuring an interface on page 72


INTERFACE TYPES

This section describes physical interfaces, subinterfaces, and tunnel interfaces. For information on how to view a table of all these interfaces, see Viewing interfaces on page 42.

Security Zone Interfaces

The purpose of physical interfaces and subinterfaces is to provide an opening through which network traffic can pass between zones.

Physical

Each port on your NetScreen device represents a physical interface, and the name of the interface is predefined. The name of a physical interface is composed of the media type, slot number (for some NetScreen devices), and port number, for example, ethernet3/2 or ethernet2 (see also Security Zone Interfaces on page 3). For backward compatibility, certain interfaces can still be named Trust, Untrust, and DMZ as in the old version of ScreenOS. You can bind a physical interface to any security zone where it acts as a doorway through which traffic enters and exits the zone. Without an interface, no traffic can access the zone or leave it.

Three of the physical ethernet interfaces are pre-bound to specific zones (Trust, Untrust, or DMZ), and which interface is bound to which zone is specific to each platform. For more information on the Trust, Untrust, and DMZ zones, see Multiple Security Zones on page 2.

Subinterface

A subinterface, like a physical interface, acts as a doorway through which traffic enters and exits a security zone. You can logically divide a physical interface into several virtual subinterfaces. Each virtual subinterface borrows the bandwidth it needs from the physical interface from which it stems, thus its name is an extension of the physical interface name, for example, ethernet3/2.1 or ethernet2.1 (see also Security Zone Interfaces on page 3).

You can bind a subinterface to any zone. You can bind a subinterface to the same zone as its physical interface, or you can bind it to a different zone.

Function Zone Interfaces

Function zone interfaces, such as Management and HA, each serve a special purpose.

Management Interface

On some NetScreen devices, you can manage the device through a separate physical interface, the Management (MGT) interface, moving administrative traffic outside the regular network user traffic. Separating administrative traffic from network user traffic greatly increases security and assures constant management bandwidth.

HA Interface

With NetScreen devices with dedicated High Availability (HA) interfaces, you can link two or more devices together to form a redundant group, or cluster. In a redundant group, one unit acts as the master, performing the network firewall, VPN, and traffic-shaping functions, while the other units act as backups, basically waiting to take over the firewall functions should the master unit fail. The HA interface is a physical port used exclusively for HA functions.

Virtual HA Interface

On NetScreen devices without a dedicated HA interface, a Virtual High Availability (HA) interface provides the same functionality. Because there is no separate physical port exclusively used for HA traffic, the Virtual HA interface must be bound to one of the physical ports: trusted, untrusted, or DMZ.

    Note: For information on configuring the device for administration, see Administration on page 111 .

Tunnel Interfaces

    A tunnel interface acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel via a tunnel interface.

    By binding a tunnel interface to a VPN, you can separate the policy from the VPN tunnel. This way, you canconfigure one tunnel, and define multiple policies to regulate the traffic that flows through that tunnel. When there isno tunnel interface bound to a VPN tunnel, only one policy can be defined per VPN tunnel.

    You can perform policy-based NAT on outgoing or incoming traffic using a pool of dynamic IP (DIP) addresses in thesame subnet as the tunnel interface. A typical reason for using policy-based NAT on a tunnel interface is to avoid IPaddress conflicts between the two sites on either end of the VPN tunnel. You can use the same tunnel interface andDIP pool for more than one VPN tunnel.

    In USGA, you can bind a tunnel interface to any zone. For more information on tunnel interfaces, see TunnelInterfaces on page 42 .

    Viewing Interfaces

    You can view a table that lists all interfaces on your NetScreen device. Because they are predefined, physical interfaces are listed regardless of whether or not you configure them. Subinterfaces and tunnel interfaces are only listed once you create and configure them.

    To view the interface table in the WebUI, click Interface in the menu column on the left, and to view it in the CLI, use the get interface command. In the CLI, the get interface command includes tunnel interfaces. In the WebUI, tunnel interfaces are separated from other interfaces. To view them, click Interface >> Tunnel.

    Interface Table

    The interface table displays the following information on each interface:

    Name: This field identifies the name of the interface.

    IP/Netmask: This field identifies the IP address and netmask address of the interface.

    Note: For information on how to configure an interface, see Configuring an interface on page 72.


    Zone: This field identifies the zone to which the interface is bound.

    Link: This field identifies whether the interface is active (Up) or inactive (Down).

    Configure: This field allows you to configure and modify interfaces through these options:

    Edit: Configure a physical interface for the first time, or modify an existing configuration.

    New Sub-i/f: Create a new subinterface, or click Edit to modify an existing configuration.

    Remove: Click to delete an interface.

    MIP: Create a mapped IP address.

    DIP: Create a dynamic IP address pool.

    2IP: Create a secondary IP address.

    VIP: Create a virtual IP address.

    Screen: Select Network Attack Blocking Engine (Screen) options to counter network attacks such as the ones listed in the Firewall Options on page 67.

    Note: In the WebUI, in the physical interfaces and subinterfaces table, yellow rows identify physical interfaces, and green rows identify subinterfaces (see WebUI Interface Table on page 44). In the CLI, you can distinguish a subinterface from a physical interface by its VLAN tag (see CLI Interface Table on page 44).


    [Figure: WebUI Interface Table]

    [Figure: CLI Interface Table, showing the VLAN Tag column]

    INTERFACE SETTINGS AND OPERATIONAL MODES


    Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent modes. You select an operational mode when you configure an interface.

    Transparent Mode

    When an interface is in Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a layer-2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or transparent, to users.

    [Figure: Transparent mode. Labels: External Router, Public Address Space, Switch, 209.122.30.1, 209.122.30.2, 209.122.30.3, 209.122.30.4, 209.122.30.5, Trust Zone, Untrust Zone, To Internet]


    Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits:


    No need to reconfigure the IP settings of routers or protected servers

    No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers

    Interface Settings

    Interfaces in transparent mode can only be managed through the VLAN1 interface. By default, ScreenOS always creates a VLAN1 interface, and three VLAN1 zones: V1-Trust, V1-Untrust, V1-DMZ.

    VLAN1 Interface

    While ScreenOS creates the VLAN1 interface, you need to configure it before you can use it to manage any interface. The VLAN1 interface has in fact two main purposes: one is to provide an address for managing the device, and the other is to terminate VPN traffic when the device is in transparent mode. The VLAN1 interface has the same configuration and management abilities as a physical interface.

    You can configure the VLAN1 interface to permit hosts in the VLAN1 zones to manage it, in which case you must set the VLAN1 interface IP to be in the same subnet as the hosts.

    The VLAN1 interface IP overrides the system IP and the manage IP. When the VLAN1 interface is configured, neither the system IP nor the manage IP have any effect on interfaces in transparent mode.

    VLAN1 Zones

    VLAN1 zones are also referred to as Layer 2 zones because they share the same layer 2 domain. When you configure an interface in one of the VLAN1 zones, it gets added to the layer 2 domain shared by all interfaces in all the VLAN1 zones.

    By default the following physical interfaces are bound to the VLAN1 zones:

    Zone         NetScreen 200 Series Interface   NetScreen 500 Interface
    V1-Trust     ethernet1                        ethernet3/2
    V1-DMZ       ethernet2                        ethernet2/2
    V1-Untrust   ethernet3                        ethernet1/2


    All hosts in the VLAN1 zones must be on the same subnet to communicate, and you must define policies to allow hosts to communicate between zones. For more information on how to set policies, see Access Policies on page 241.

    Example: How to Set the VLAN1 Interface

    This example demonstrates how to set an IP address for the VLAN1 interface, management options, and a route to enable traffic to flow to and from the NetScreen device.

    WebUI

    1. Interface >> Physical >> Edit (for the VLAN1 interface): Enter the following, and then click OK.

    IP Address: 209.122.30.254

    Netmask: 255.255.255.0

    Management Services: WebUI, Telnet, SCS (select)

    Other Services: Ping (select)

    CLI

    1. set interface vlan1 ip 209.122.30.254/24
    2. set interface vlan1 manage webui telnet scs ping
    3. save


    Example: Transparent Mode

    The following example illustrates a basic configuration for a single LAN protected by a NetScreen device in Transparent mode. Access policies permit outgoing traffic for all four hosts in the Trust zone, incoming mail for the mail server, and incoming FTP for the FTP server. The device is managed through its VLAN1 IP address.

    WebUI

    1. Interface >> Physical >> Edit (for the VLAN1 interface): Enter the following, and then click Apply:

    IP Address: 209.122.17.252

    Netmask: 255.255.255.0

    Management Services: WebUI, Telnet, SCS (select)

    Other Services: Ping (select)

    2. Admin >> Web: Enter the following, and then click Apply:

    HTTP Port: 5555 (footnote 1)

    [Figure: Transparent mode example. Labels: Internet; Router 209.122.17.253/24; NetScreen Device, VLAN1 IP 209.122.17.252, Port 5555; Trust Zone: Mail Server 209.122.17.249/24, FTP Server 209.122.17.250/24, PC #1 209.122.17.1/24, PC #2 209.122.17.2/24]

    3. Interface >> Physical >> Edit (for ethernet1): Enter the following, and then click Save:

    IP Address: 0.0.0.0


    Netmask: 0.0.0.0

    Manage IP: 0.0.0.0

    Traffic Bandwidth: 0

    Zone Name: Trust

    4. Interface >> Physical >> Edit (for ethernet3): Enter the following, and then click Save:

    IP Address: 0.0.0.0

    Netmask: 0.0.0.0

    Manage IP: 0.0.0.0

    Traffic Bandwidth: 0

    Zone Name: Untrust

    5. Address >> Address (under the New column for the Trust zone): Enter the following and then click OK:

    Address Name: Mail Server

    IP Address/Domain Name: 209.122.17.249

    Netmask: 255.255.255.255

    6. Address >> Address (under the New column for the Trust zone): Enter the following and then click OK:

    Address Name: FTP Server

    IP Address/Domain Name: 209.122.17.250

    Netmask: 255.255.255.255

    7. Policy >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following and then click OK:

    Source Address: Any

    Footnote 1: The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access to the configuration. When logging in to manage the device later, enter the following in the URL field of your Web browser: http://209.122.17.252:5555.

    Destination Address: Any

    Service: Any


    Action: Permit

    8. Policy >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK:

    Source Address: Any

    Destination Address: Mail Server

    Service: Mail

    Action: Permit

    9. Policy >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK:

    Source Address: Any

    Destination Address: FTP Server

    Service: FTP

    Action: Permit

    Note: To select the Mail Server address, it must already exist in the address list. You can create this address by selecting Address >> Address (under the New column for the appropriate zone) and specifying the mail server's name and IP address.

    Note: Because PC #1 and PC #2 are not specified in an access policy, they do not need to be added to the address book. The term "Any" applies to any device connected to the interface in the Trust zone.


    CLI


    1. set vlan1 ip 209.122.17.252
    2. set admin port 5555 (footnote 2)
    3. set interface ethernet1 zone trust
    4. set interface ethernet1 ip 0.0.0.0/0
    5. set interface ethernet3 zone untrust
    6. set interface ethernet3 ip 0.0.0.0/0
    7. set address trust Mail_Server 209.122.17.249/32
    8. set address trust FTP_Server 209.122.17.250/32
    9. set policy from trust to untrust any any any permit
    10. set policy from untrust to trust any Mail_Server mail permit
    11. set policy from untrust to trust any FTP_Server ftp permit
    12. save

    Footnote 2: When logging in to manage the device later, enter the following in the URL field of your Web browser: http://209.122.17.252:5555


    Network Address Translation Mode

    When an interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a layer 3 switch (or router), translates two components in the header of an outgoing IP packet traversing the firewall across an interface in NAT mode: its source IP address and source port number. The NetScreen device replaces the source IP address of the host that sent the packet with the IP address of the interface of the destination zone. Also, it replaces the source port number with another random port number generated by the NetScreen device.

    When the reply packet arrives at the NetScreen device, the device translates two components in the IP header of the incoming packet: the destination address and port number, which are translated back to the original numbers. The packet is then forwarded to its destination.

    NAT adds a level of security not provided in Transparent mode: the addresses of hosts connected to the trusted port are never exposed to the network in the Untrust or DMZ zones.

    [Figure: NAT mode. Labels: Private Address Space; Trust Zone hosts 172.16.20.1, 172.16.20.2, 172.16.20.3, 172.16.20.4, 172.16.20.5; Trust Zone Interface 172.16.20.10; Untrust Zone Interface 209.122.30.10; Untrust Zone; Internet]

    Also, NAT preserves the use of Internet-routable IP addresses. With only one public, Internet-routable IP address (that of the interface in the Untrust zone), the LAN in the Trust zone, or any other zone using NAT services, can have a vast number of hosts with private IP addresses. The following IP address ranges are reserved for private IP networks and must not get routed on the Internet:

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

    A host in a zone sending traffic through an interface in NAT mode can initiate outbound traffic to another zone if an access policy permits it, but it cannot receive traffic from another zone unless a Mapped IP (MIP), Virtual IP (VIP), or VPN tunnel is set up for it.

    Note: For more about MIPs, see Mapped IP on page 468. For more about VIPs, see Virtual IP on page 190.

    Interface Settings

    For NAT mode, define the following interface settings, where and represent numbers in an IP address, represents the numbers in a netmask, represents the number of a VLAN tag, represents the name of a zone, and represents the bandwidth size in kbps:

    Example: NAT Mode

    The following example illustrates a simple configuration for a LAN with a single subnet in the Trust zone. The LAN is protected by a NetScreen device in NAT mode. Access policies permit outgoing traffic for all three hosts in the Trust zone and incoming mail for the mail server. The incoming mail is routed to the mail server through a Virtual IP address.

    Zone                                     Interface Settings                        Zone Subinterfaces
    Trust and User-Defined Zones using NAT   IP:, Netmask:, Manage IP*:,               IP:, Netmask:, VLAN Tag:,
                                             Traffic Bandwidth:**, NAT: (select)***    Zone Name:, NAT: (select)
    Untrust and DMZ                          IP:, Netmask:, Manage IP*:,               IP:, Netmask:, VLAN Tag:,
                                             Traffic Bandwidth:                        Zone Name:

    * You can set the manage IP address on a per interface basis. Its primary purpose is to provide an address for accessing a specific device when it is in a high availability configuration. You can also use the manage IP address for management purposes when using the NetScreen device as a single security appliance.

    ** Optional setting for traffic shaping.

    *** Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.

    Note: Compare this example with that for Route mode on page 60.

    [Figure: NAT mode example. Labels: Router 200.2.2.1/24; Mail Server VIP 209.2.2.3]

    WebUI

    1. Admin >> Settings: Enter the following, and then click Apply.

    System IP Address: 0.0.0.0

    1. Interface >> Physical >> Edit (for ethernet1): Enter the following, and then click Save:

    IP Address: 172.16.10.1

    Netmask: 255.255.255.0

    Manage IP: 0.0.0.0

    Traffic Bandwidth: 0

    Zone Name: Trust

    NAT: (select) (footnote 3)

    Footnote 3: Selecting NAT determines that the NetScreen device performs NAT on traffic entering and exiting the Trust zone.

    [Figure: NAT mode example. Labels: 200.2.2.1/24; NAT 172.16.10.253; NetScreen Device; Workstation #1 172.16.10.20/24; Workstation #2 172.16.10.30/24; Internet; Trust Zone Interface 172.16.10.1/24; Untrust Zone Interface 200.2.2.2/24; Trust Zone; Untrust Zone]

    2. Interface >> Physical >> Edit (for ethernet3): Enter the following, and then click Save:

    IP Address (footnote 4): 200.2.2.2

    Netmask: 255.255.255.0

    Manage IP: 0.0.0.0

    Traffic Bandwidth: 0

    Zone Name: Untrust

    3. Interface >> Physical >> VIP (for ethernet3) >> New Entry: Enter the following, and then click OK:

    Virtual IP Address: 200.2.2.3

    4. Interface >> Physical >> VIP (for ethernet3) >> Services: Enter the following, and then click OK:

    Virtual Port: 25

    Service: Mail

    Map to IP: 172.16.10.253

    5. Policy >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following, and then click OK:

    Source Address: Any

    Destination Address: Any

    Service: Any

    Action: Permit

    6. Policy >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK:

    Source Address: Any

    Destination Address: VIP(200.2.2.3)

    Service: Mail

    Action: Permit

    Footnote 4: If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select DHCP. If the ISP uses Point-to-Point Protocol over Ethernet, select PPPoE and enter the name and password.

    CLI

    1. set admin sys-ip 0.0.0.0


    2. set interface ethernet1 zone trust
    3. set interface ethernet1 ip 172.16.10.1 255.255.255.0
    4. set interface ethernet1 nat (footnote 5)
    5. set interface ethernet3 zone untrust (footnote 6)
    6. set interface ethernet3 ip 200.2.2.2 255.255.255.0
    7. set interface ethernet3 ip 0.0.0.0 0.0.0.0
    8. set vip ethernet3 200.2.2.3 25 mail 172.16.10.253
    9. set policy from trust to untrust any any any permit
    10. set policy from untrust to trust any vip 200.2.2.3 mail permit
    11. save

    Footnote 5: The set interface ethernet nat command determines that the NetScreen device operates in NAT mode.

    Footnote 6: If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, use the following command: set interface untrust dhcp. If the ISP uses Point-to-Point Protocol over Ethernet, use the set pppoe and exec pppoe commands. For more information, see the NetScreen CLI Reference Guide.

    Route Mode

    When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing NAT; that is, the source address and port number in the IP packet header remain unchanged as it traverses the NetScreen device. Unlike NAT, you do not need to establish Mapped and Virtual IP addresses on an interface in Route mode to allow inbound sessions to reach hosts. Unlike Transparent mode, the interfaces in the Trust zone and the interfaces in the Untrust zone are on different subnets.

    Instead of applying NAT at the interface level so that all source addresses initiating outgoing traffic get translated to the IP address of the destination interface, when an interface operates in Route mode, you can perform NAT selectively at the policy level. You can determine which network and VPN traffic to route and on which traffic to perform NAT by creating access policies that enable NAT for specified source addresses on either incoming or outgoing traffic. For network traffic, you can perform NAT using the IP address or addresses of the destination zone interface from a Dynamic IP (DIP) pool, which is in the same subnet as the destination zone interface. For VPN traffic, you can perform NAT using the destination zone interface IP address or an address from its associated DIP pool, or a tunnel interface IP address or an address from its associated DIP pool.

    [Figure: Route mode. Labels: Private Address Space; Trust Zone hosts 212.45.30.1, 212.45.30.2, 212.45.30.3, 212.45.30.4, 212.45.30.5; Trust Zone Interface 212.45.30.10; Untrust Zone Interface 209.122.30.10; Untrust Zone; Internet]
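The NAT-mode and Route-mode behaviour described above (interface NAT with a random source port, de-translation of the reply, the VIP from the NAT-mode example, the drop of unsolicited inbound traffic, and policy-based NAT from a DIP pool in Route mode), as an added Python model that is not code from the NetScreen documentation. The class, method and variable names, the seeded port generator and the peer address 203.0.113.9 are assumptions made for this illustration.

```python
import ipaddress
import random

# Constructed values reused from the page's NAT-mode example; class, method
# and variable names are assumptions for this illustration, not ScreenOS APIs.
UNTRUST_IF_IP = "200.2.2.2"
VIPS = {("200.2.2.3", 25): ("172.16.10.253", 25)}  # VIP:port -> mail server
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip lies in one of the reserved private ranges listed on the page."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class ZoneInterface:
    """Toy model of a NetScreen Untrust-facing interface in NAT or Route mode."""

    def __init__(self, outside_ip, mode="nat", vips=None, seed=0):
        self.outside_ip = outside_ip
        self.mode = mode                 # "nat" or "route"
        self.vips = dict(vips or {})     # (vip, port) -> (inside ip, port)
        self.rng = random.Random(seed)   # stands in for the device's port generator
        self.sessions = {}               # (nat ip, nat port, peer ip, peer port) -> (src ip, src port)
        self.used_ports = set()

    def _new_port(self):
        """Pick an unused random source port, as the device does per session."""
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port, dip_pool=None):
        """Trust -> Untrust. In NAT mode the source IP and port are rewritten to
        the interface address; in Route mode the header is left unchanged unless
        a policy supplies a DIP pool (policy-based NAT), whose address is used."""
        if self.mode == "route" and not dip_pool:
            return (src_ip, src_port, dst_ip, dst_port)
        nat_ip = self.rng.choice(dip_pool) if dip_pool else self.outside_ip
        nat_port = self._new_port()
        self.sessions[(nat_ip, nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (nat_ip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Untrust -> Trust. A reply to a known session is translated back, a VIP
        destination is mapped to its inside host, and anything else is dropped
        (None): without a MIP, VIP or session, inside hosts are unreachable."""
        session = self.sessions.get((dst_ip, dst_port, src_ip, src_port))
        if session is not None:
            in_ip, in_port = session
            return (src_ip, src_port, in_ip, in_port)
        if (dst_ip, dst_port) in self.vips:
            in_ip, in_port = self.vips[(dst_ip, dst_port)]
            return (src_ip, src_port, in_ip, in_port)
        return None


def demo():
    """Replay the page's NAT-mode example against a constructed Internet host."""
    fw = ZoneInterface(UNTRUST_IF_IP, "nat", VIPS)
    peer = ("203.0.113.9", 80)                            # constructed host
    out = fw.outbound("172.16.10.20", 40000, *peer)       # Workstation #1 browsing
    reply = fw.inbound(peer[0], peer[1], out[0], out[1])  # its reply comes back
    mail = fw.inbound(peer[0], 5123, "200.2.2.3", 25)     # SMTP to the VIP
    probe = fw.inbound(peer[0], 5124, UNTRUST_IF_IP, 22)  # unsolicited, no VIP
    return out, reply, mail, probe
```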

    Packet Flow Sequence

    For information and examples on packet flow sequence, see Packet Flow Sequence on page 13.

    Interface Settings

    For Route mode, define the following interface settings, where and represent numbers in an IP address, represents the numbers in a netmask, represents the number of a VLAN tag, represents the name of a zone, and represents the bandwidth size in kbps:

    Note: For more information about configuring policy-based NAT, see Chapter 15, Policy-Based NAT on page 463.

    Zone                                     Interface Settings                          Zone Subinterfaces
    Trust and User-Defined Zones using NAT   IP:, Netmask:, Manage IP*:,                 IP:, Netmask:, VLAN Tag:,
                                             Traffic Bandwidth:**, Route: (select)***    Zone Name:, Route: (select)
    Untrust and DMZ                          IP:, Netmask:, Manage IP*:,                 IP:, Netmask:, VLAN Tag:,
                                             Traffic Bandwidth:                          Zone Name:

    * You can set the manage IP address on a per interface basis. Its primary purpose is to provide an address for accessing a specific device when it is in a high availability configuration. You can also use the manage IP address for management purposes when using the NetScreen device as a single security appliance.

    ** Optional setting for traffic shaping.

    *** Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.

    Example: Route Mode

    In the previous example, Example: NAT Mode on page 54, the hosts in the Trust zone LAN have private IP addresses and a Mapped IP for the mail server. In the following example of the same network protected by a