JUNOS Software with Enhanced Services Features

JUNOS software with enhanced services Release 8.5 includes the following features. For more information, see the following manuals:

• JUNOS Enhanced Services Migration Guide
• JUNOS Enhanced Services J-series Services Router Getting Started Guide
• JUNOS Enhanced Services J-series Services Router Quick Start
• JUNOS Enhanced Services Design and Implementation Guide
• JUNOS Enhanced Services Interfaces and Routing Configuration Guide
• JUNOS Enhanced Services Administration Guide
• JUNOS Enhanced Services CLI Reference
• WXC Integrated Services Module Installation and Configuration Guide

Hardware Support

You can install JUNOS software with enhanced services on the following J-series Services Routers. Most models support DS3 (T3), T1, Gigabit Ethernet, Fast Ethernet, E3, E1, serial, ATM-over-ADSL, ATM-over-SHDSL, Channelized T1/E1/ISDN PRI, and ISDN BRI interfaces.

• J2320 and J2350 (DS3 and E3 interfaces not supported)
• J4350
• J6350
• SSG320m and SSG350m (requires conversion kit)
• SSG520m and SSG550m (requires conversion kit)

For more information, see the JUNOS Enhanced Services J-series Services Router Getting Started Guide.

J-Web User Interface

J-Web user interface—A graphical user interface enables you to configure and monitor J-series Services Routers through an Internet browser. The J-Web interface includes Quick Configuration pages to perform basic configuration of the routers and monitoring tools to view system health, routes, and statistics. The J-Web interface also provides diagnostic tools (such as ping and traceroute) and file utilities to manage configuration files, licenses, and temporary files on the router.

Security Features

• Network Address Translation (NAT)—NAT is the method by which an IP address used within a network is translated to a different IP address within a different network. Optionally, NAT also enables port number translation. This release supports the following NAT features:
  • Static NAT—Direct translation of one IP address to another without Port Address Translation (PAT).
  • Policy-based NAT-dst—You can define policies to translate the destination IP address. There are three ways to configure policy-based NAT-dst:
    • Translate one or multiple destination IP addresses to a single IP address.
    • Translate one or multiple destination IP addresses and port numbers to a single IP address and a specific port number.
    • Translate a range of destination IP addresses to another range of IP addresses. The mapping is one-to-one and static.
  • Allow-incoming table—Supports voice over IP (VoIP) incoming calls that are initiated from a public network to a private network.
  • Interface-based NAT—Enables configuration of predefined source pools.
  • Source pool with PAT—Enables translation of the source IP address and port number.
  • Source pool without PAT—Enables translation of the source IP address.
  • Static source pool—The system defines a one-to-one mapping from an original source IP address to a translated source IP address for a range of IP addresses.

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

• IKE and IPsec VPN—JUNOS software with enhanced services support a full Internet Key Exchange (IKE) and IP Security (IPsec) virtual private network (VPN) implementation, including the following features:
  • Site-to-site manual and IKE-negotiated (AutoKey) IPsec VPNs for policy-based VPNs and route-based VPNs
  • Authentication by preshared key and RSA public key certificates
  • Perfect Forward Secrecy (PFS) to use Diffie-Hellman Groups 1, 2, and 5.
  • NAT Traversal (NAT-T) of IPsec Encapsulating Service Payload (ESP) packets
  • IKE dead peer detection (DPD) as defined in RFC 3706
  • Next Hop Tunnel Binding (NHTB)—Binding multiple IPsec security associations to the same tunnel interface. This applies to static routes and OSPF only.
  • IPsec remote access with extended authentication (XAuth) support of the NS-Remote client v8.8
  • VPN monitoring
  • Priority queuing of IKE packets
  • Invalid security parameter index (SPI) response to invalid packets
  • Route-based hub-and-spoke VPNs
  • Generic routing encapsulation (GRE) in tunnel mode
  • Don’t Fragment (DF) bit, including a clear option

  For more information, see the JUNOS Enhanced Services Security Configuration Guide and JUNOS Enhanced Services Design and Implementation Guide.

• NetScreen-Remote—Juniper NetScreen-Remote (NS-Remote) is a VPN client that you can use to send and receive secure communications over the Internet.

  NS-Remote creates a VPN tunnel between an end user and a J-series Services Router. NS-Remote software secures traffic sent from a desktop or laptop computer across a public or private TCP/IP network. NS-Remote allows users to specify an internal network IP address for client-to-gateway communications.

  For detailed information about installing and using the NS-Remote client, see the Juniper NetScreen-Remote VPN Client Installation Guide and the Juniper NetScreen-Remote VPN Client Administrator’s Guide. For information about configuring a Services Router to support remote access, see the JUNOS Enhanced Services Design and Implementation Guide.

• Firewall screens—JUNOS software with enhanced services provide various detection methods and defense mechanisms to combat the following security breaches at all stages of their execution:
  • SYN, UDP, and ICMP flood attacks
  • Firewall denial of service (DoS) attacks
  • Network DoS attacks
  • Operating system-specific DoS attacks
  • Fragment reassembly
• Policy support—Stateful firewalls use policies to create flows that allow or deny traffic through the Services Router. When packets match a policy, the policy instructs the flow to apply different rules for features such as NAT, IPsec tunnel, and authentication to the packets. The following policy features are supported:
  • Predefined addresses
  • User addresses and address groups
  • Predefined services and groups
  • User services and groups
  • Configurable service timeout
  • Policy-based IPsec VPNs
  • Policy-based NAT
  • Schedulers
  • Traffic logs
  • Authentication
  • Policy application attachment/detachment for Application Layer Gateways (ALGs)
  • Policy counters

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

• Authentication—JUNOS software with enhanced services support two types of authentication:
  • Administrator user authentication. This is for users who configure and manage the device. The system supports the Challenge Handshake Authentication Protocol (CHAP) for Point-to-Point Protocol (PPP) serial connections. The system also supports Layer 2 Tunneling Protocol (L2TP) for both Password Authentication Protocol (PAP) and CHAP authentication for PPP users over L2TP.

    Administrative authentication supports local, RADIUS, and TACACS+ servers. For more information on administrator authentication, see the JUNOS Enhanced Services Administration Guide.

  • Firewall user authentication. This is for users accessing a protected resource from inside a network. The resource can be on the Internet or in another protected network behind the firewall.

    Firewall users are authenticated through either of the following methods:

    • Pass-through authentication—FTP, Telnet, and HTTP clients access the IP address of the protected resource.
    • Web authentication—Clients use HTTP to access the IP address on the Services Router that is enabled for Web authentication.

    Firewall user authentication supports local, RADIUS, and Lightweight Directory Access Protocol (LDAP) authentication servers. For more information on firewall user authentication, see the JUNOS Enhanced Services Security Configuration Guide.

• Interfaces and zones—You can use security zones as follows:
  • Define policies that control traffic based on source zone and destination zone.
  • Associate the interfaces in a zone with a routing instance that defines the routing table to be used for traffic entering from the zone.
  • Apply firewall screen options to a zone.

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

• DNS enhancements—You can configure your Services Router running JUNOS software with enhanced services as a Domain Name System (DNS) proxy server with the following features:
  • Split DNS, which enables the Services Router to redirect DNS queries to a specified DNS server in the private network over a secure connection
  • Dynamic DNS (DDNS) client, which enables servers that are protected by the Services Router to remain accessible despite dynamic IP address changes
  • DNS Proxy MIB, which supports production of SNMP statistics

  For more information, see the JUNOS Enhanced Services Administration Guide.

• Secure context and router context—You can operate the Services Router either in secure context or router context. The Services Router operates in secure context by default. The basic configuration for secure context binds the ge-/0/0/0 interface on built-in Gigabit Ethernet port 0/0 to a preconfigured zone called trust. All other interfaces are bound to a preconfigured untrust zone. The ge-0/0/0 interface is configured to allow management access with SSH and HTTP services enabled.

  The following host-inbound services are configured in the trust zone: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS), SSH, and Dynamic Host Configuration Protocol (DHCP). For the trust zone, TCP reset is enabled. The default policy for the trust zone allows transmission of traffic from the trust zone to the untrust zone. All traffic within the trust zone is allowed.

  To protect against attacks launched from within the zone, the following screens are enabled for the untrust zone: ICMP ping-of-death attack, IP source route options attack, IP teardrop attack, TCP LAND attack, and TCP SYN flood attack. The TCP SYN flood screen has the following settings: alarm threshold set to 1024, attack threshold set to 200, source threshold set to 1024, destination threshold set to 2048, a queue size of 2000, and a timeout value of 20 seconds. The default policy for the untrust zone denies all traffic.

  In router context, all security checks of the transit traffic are disabled. The default policy allows all transit traffic, and all interfaces are bound to the trust zone.

  For more information, see the JUNOS Enhanced Services Administration Guide.

• ALG module—By inspecting traffic at the application level, the ALG module supports applications that embed IP addressing information in the user data. Many protocols open secondary channels on the dynamically assigned ports to improve performance. The ALG module identifies dynamic port assignments and allows legitimate traffic to bypass the security device.

  JUNOS software with enhanced services support the following ALGs:

  • Multimedia application protocols:
    • REAL
    • Real-Time Streaming Protocol (RTSP)
  • Basic Internet protocols:
    • DNS
    • FTP
    • Trivial File Transfer Protocol (TFTP)
    • TALK
    • Remote Shell Protocol (RSH)
    • Point-to-Point Tunneling Protocol (PPTP)

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

• Database and network support protocol, SQLNET V2, H.323 ALG—The JUNOS software with enhanced services H.323 Application Layer Gateway (ALG) supports the H.323 protocol, which includes a suite of protocols that together provide gatekeeper discovery, endpoint registration, admission and status, and call setup and control for voice over IP (VoIP) traffic.

  The H.323 ALG follows a common ALG processing framework and supports the following features:

  • H.323 decoding for H.323 v3 and v4
  • H.323 slow start
  • Gatekeeper routed mode
  • Incoming NAT to allow calls from public to private zones
  • H.323 fast connect, H.245 tunneling, and H.323 asymmetric media
  • Polycom/Radvision Enhanced Communication Server (ECS) Gatekeeper
  • Polycom ViaVideo
  • Advanced call features, including call waiting, call forwarding, voice mail, call ID, conference calls, call on hold, and music on hold
  • Statistic counters

  The H.323 ALG also provides application-layer firewall screening to protect gatekeepers, and allows users to specify the number of Remote Access Service (RAS) request messages to be processed by a gatekeeper.

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

• SIP ALG—The JUNOS software with enhanced services Session Initiation Protocol (SIP) ALG supports the features of SIP, a VoIP signaling protocol. The SIP ALG is scalable and modular so that new Internet Engineering Task Force (IETF) and RFC-generated features and customer proprietary behavior can be quickly incorporated.

  The SIP ALG follows a common ALG processing framework and supports the following features:

  • SIP signaling payload inspection
  • Stateful processing
  • NAT
  • Management of pinholes (temporary openings in the firewall) for VoIP traffic
  • Security policy enforcement
  • DoS attack protection
  • Packet encoding according to SIP RFCs with translated IP addresses

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

• SCCP ALG—The JUNOS software with enhanced services Skinny Client Control Protocol (SCCP) ALG supports the Cisco SCCP proprietary protocol for VoIP. SCCP is based on a call control architecture that negotiates media endpoint parameters—specifically the Real-Time Transport Protocol (RTP) port number and the IP address of media termination—by embedding information in the control packets. The SCCP ALG implements rate limiting of calls and helps protect critical resources from overloading due to DoS attacks.

  The SCCP ALG follows a common ALG processing framework and supports the following features:

  • Validation of SCCP protocol data units (PDUs)
  • Translation of embedded IP address and port numbers
  • Allocation of firewall resources (pinholes and gates) to pass media
  • Rate limits on calls flowing through the Services Router
  • Aging out of idle calls
  • Configuration API for SCCP ALG parameters
  • Operational mode API for displaying counters, status, and statistics

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

• MGCP ALGs—The JUNOS software with enhanced services Media Gateway Control Protocol (MGCP) ALG supports MGCP for VoIP call traffic. MGCP is a text-based application layer protocol used for call setup and control between a Media Gateway (MG) and a Media Gateway Controller (MGC).

  The MGCP ALG follows a common ALG processing framework and supports the following features:

  • Inspection of VoIP signaling payload
  • Stateful processing
  • NAT
  • Management of pinholes for VoIP traffic
  • Security policy enforcement
  • DoS attack protection

  For more information, see the JUNOS Enhanced Services Security Configuration Guide.

Routing and Interface Features

• Cisco-compatible Frame Relay encapsulation—J-series Services Routers support Cisco-compatible Frame Relay encapsulation.

  To configure Frame Relay encapsulation on a physical interface, include the encapsulation statement at the [edit interfaces interface-name] hierarchy level and specify the frame-relay-ether-type, frame-relay-ether-type-tcc, or frame-relay-ether-type-ext-tcc encapsulation type.

  To configure Frame Relay encapsulation on a logical interface, include the encapsulation statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level and specify the frame-relay-ether-type or frame-relay-ether-type-tcc encapsulation type.

  For more information, see the JUNOS Network Interfaces Configuration Guide.

• Flow-based stateful processing—In addition to packet processing, J-series Services Routers running JUNOS software with enhanced services perform flow-based stateful processing.
  1. When an IPv4 packet arrives, any packet-based filter processing associated with the interface is applied to the packet.
  2. Next, flow-based processing is performed. Each packet is processed in the context of its flow state. The first packet in the flow is used to create the flow state.

     When a packet enters the router, the flow-based forwarding engine attempts to match the packet against an existing session based on a session’s match criteria (source and destination addresses, source and destination ports, and protocol and session tokens derived from the zone and virtual router).

     If a packet matches an existing session, it is processed according to the flow’s session features, security policies, NAT, screens, and other features. If the packet does not match an existing session, a new session is established for the packet based on routing, policy, and other classification information.

  3. Before a packet leaves the router, filters and traffic shaping are applied to it.

  For details, see the JUNOS Enhanced Services Security Configuration Guide and the JUNOS Enhanced Services Design and Implementation Guide.

• DHCP enhancements—JUNOS software with enhanced services supports the DHCP server, client, and relay. For details, see the JUNOS Enhanced Services Administration Guide.
• Class of service (CoS) support—The router provides for improved high-priority packet delivery and protection for control packets through implementation of enhanced differential packet processing on the output (egress) interface as well as the input (ingress) interface. After its ingress processing, the Services Router processes a packet in a first-in, first-out (FIFO) manner, and the packet loses its priority status. Applying differential packet processing again before a packet leaves the router reinstates priority handling.

  For details, see the JUNOS Enhanced Services Security Configuration Guide and the JUNOS Enhanced Services Design and Implementation Guide.

USB Modems and uPIMs

• USB modem support for WAN backup—USB modems are supported on J-series Services Routers as a backup for the primary Internet connection. The router can be configured to “fail over” to a USB modem connection when the primary connection experiences interruptions in Internet connectivity. You can use the umd0 interface configured for a USB modem connected to the USB port on a Services Router for WAN backup. The USB modem interface supports the following WAN interface features:
  • CoS
  • Services such as NAT, stateful firewall, and generic routing encapsulation (GRE) tunneling
  • Packet capture (PCAP), sampling, and tcpdump
  • Interface statistics

  To specify whether dial-in calls are for management console access or routable calls, use the dialin (console | routable) statement at the [edit interfaces umd0 modem-options] hierarchy level.

  For more information, see the JUNOS Enhanced Services Interfaces and Routing Configuration Guide and the JUNOS Enhanced Services CLI Reference.

• Ethernet Layer 2 switching on uPIMs—Gigabit Ethernet universal Physical Interface Modules (uPIMs) with 6 ports, 8 ports, and 16 ports can forward traffic at both Open Systems Interconnection (OSI) Layer 2 (for switching) and OSI Layer 3 (for routing).

  You can configure a uPIM to operate in either routing mode (the default) or switching mode. Routing mode provides traditional routing services. Switching mode provides the following features:

  • Layer 3 forwarding—Routing of traffic destined for any WAN interface that is installed on the chassis
  • Layer 2 forwarding—Switching of intra-LAN traffic from one host on the LAN to another LAN host—one port on a uPIM to another port on the same uPIM

  To enable routing or switching mode, include the routing or switching statement at the [edit chassis fpc pim-slot-number pic 0 ethernet pic-mode] hierarchy level. To view Layer 2 switching statistics, issue the show interfaces interface-name switch-port command. To clear Layer 2 switching statistics, issue the clear interfaces statistics interface-name switch-port command.

  Note: Gigabit Ethernet uPIMs support virtual LANs (VLANs) in routing mode only.

WXC Integrated Service Module

• WXC Integrated Services Module 200 for J-series routers—The WXC Integrated Services Module (ISM 200) can be added to J2320, J2350, J4350, and J6350 Service Routers running JUNOS software with enhanced services. The module occupies two slots, and provides WAN traffic optimization and acceleration. For more information, see the WXC Integrated Services Module Installation and Configuration Guide.

Management, Monitoring, and Configuration Features

• SNMP enhancements—JUNOS software with enhanced services support new MIBs for monitoring and gathering statistics about firewall authentication, certificate authorities (CAs), DNS proxies, IPsec flow, NAT, security policy entries, and security policy statistics.
• Shared client lists and prefix lists for SNMP and policies—Instead of adding clients or IP address prefixes individually to an SNMP community or a routing policy, you can create a list of clients or a list of prefixes that can be shared by multiple communities and policies. Use the client-list or prefix-list statement at the [edit snmp] or [edit policy-options] hierarchy level to create the lists. To add a list to an SNMP or policy configuration, use the client-list-name statement.

  Because the client list and the prefix list are both added with the client-list-name statement, you must ensure that you do not create a client list and a prefix list with the same name.

• Dataplane tracing—JUNOS software with enhanced services extends JUNOS trace options to support dataplane tracing. Use the CLI to configure and display traces. For more information, see the JUNOS Enhanced Services Security Configuration Guide and JUNOS Enhanced Services CLI Reference.
• CLI configuration wizard—A CLI configuration wizard helps you to configure a Services Router from the factory default configuration. The configuration wizard interactively guides you through the initial configuration so that the router is connected to a network, allowing further configuration with the CLI or J-Web interface.

  You configure the following settings with the configuration wizard:

  • Hostname
  • Root password
  • Domain name
  • Domain Name System (DNS) servers
  • Management interfaces
  • Default gateway
  • New user account (nonroot user)
  • SNMP
  • Security zone information

  To start the configuration wizard, enter config-wizard at the console prompt after initial login:

  % config-wizard

  For more information, see the JUNOS Enhanced Services J-series Services Router Getting Started Guide.

• Element management support on J2320 and J2350 Services Routers—The JUNOScope software allows you to configure J2320 and J2350 Services Routers and manage them using element management tools such as Looking Glass, Configuration Manager, Software Manager, and Inventory Management. For JUNOScope information, see the JUNOScope Software User Guide.
• Logging infrastructure—JUNOS software with enhanced services allows security events to be logged and distributed to external system log (syslog) processes. Both traditional syslog format (RFC 3164) and structured system logs are supported. Use the CLI to configure the log format at the device level. For details, see the JUNOS System Log Messages Reference.
• Licensing—Permanent licenses are required for the J-Flow traffic analysis feature and the BGP route reflectors feature. You must install and configure the license to use the feature. However, so as not to interrupt configuration processing, the router allows you to commit a configuration with a feature that requires a license even if the license is not current. For license details, see the JUNOS Enhanced Services J-series Services Router Getting Started Guide.
• Active and passive FTP modes—JUNOS software with enhanced services supports FTP usage on or to a server in both active and passive modes.
• Netconf “hello” message—The Netconf “hello” message includes the JUNOS software release version.