Example: Detecting Packets That Use IP Screen Options for Reconnaissance

This example shows how to detect packets that use IP screen options for reconnaissance.

Requirements

Before you begin, understand how network reconnaissance works. See Understanding Network Reconnaissance Using IP Options.

Overview

RFC 791, Internet Protocol, specifies a set of options for providing special routing controls, diagnostic tools, and security. The screen options detect IP options that an attacker can use for reconnaissance, including record route, timestamp, security, and stream ID.

In this example, you configure the following IP screens: ip-record-route, ip-timestamp-opt, ip-security-opt, and ip-stream-opt. The screens are enabled in the zone-1 security zone.
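As an added example (not part of this Juniper documentation and not the SRX screen implementation), the following Python parses an IPv4 header's option list and reports which of the four screens above a packet would trigger, rejecting malformed option lengths as a screen must. The build_ipv4 helper and the SAMPLE_* packets are constructed here, with placeholder addresses.

```python
import struct
# RFC 791 option type bytes (copy flag, class and number combined), keyed to this page's screen names.
RECON_OPTIONS = {7: "record-route", 68: "timestamp", 130: "security", 136: "stream-id"}

def ipv4_options(packet: bytes) -> list:
    """Return the option type bytes in an IPv4 header; ValueError if the header is malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length overruns the header")
        found.append(kind)
        i += length
    return found

def recon_screens_hit(packet: bytes) -> list:
    """Names of the screens on this page that the packet would trigger."""
    return sorted({RECON_OPTIONS[k] for k in ipv4_options(packet) if k in RECON_OPTIONS})

def is_malformed(packet: bytes) -> bool:
    try:
        ipv4_options(packet)
        return False
    except ValueError:
        return True

def build_ipv4(options: bytes) -> bytes:
    """Constructed helper: minimal IPv4 header (protocol UDP, placeholder addresses) plus options."""
    options += b"\x00" * ((-len(options)) % 4)   # pad the option list to 32-bit words
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 17, 0,
                        b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return fixed + options

# Constructed samples: record route + stream ID, and timestamp + security.
SAMPLE_RR_SID = build_ipv4(bytes([7, 11, 4]) + b"\x00" * 8 + bytes([136, 4, 0x12, 0x34]))
SAMPLE_TS_SEC = build_ipv4(bytes([68, 8, 5, 0, 0, 0, 0, 0]) + bytes([130, 11]) + b"\x00" * 9)
```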

Configuration

CLI Quick Configuration

To quickly detect packets with the record route, timestamp, security, and stream ID IP screen options, copy the following commands and paste them into the CLI.

[edit]
set security screen ids-option ip-record-route ip record-route-option
set security screen ids-option ip-timestamp-opt ip timestamp-option
set security screen ids-option ip-security-opt ip security-option
set security screen ids-option ip-stream-opt ip stream-option
set security zones security-zone zone-1 screen ip-record-route
set security zones security-zone zone-1 screen ip-timestamp-opt
set security zones security-zone zone-1 screen ip-security-opt
set security zones security-zone zone-1 screen ip-stream-opt

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To detect packets that use IP screen options for reconnaissance:

  1. Configure IP screen options.

    Note: Currently, these screen options support IPv4 only.

    [edit security screen]
    user@host# set ids-option ip-record-route ip record-route-option
    user@host# set ids-option ip-timestamp-opt ip timestamp-option
    user@host# set ids-option ip-security-opt ip security-option
    user@host# set ids-option ip-stream-opt ip stream-option

  2. Enable the screens in the security zone:

    [edit security zones]
    user@host# set security-zone zone-1 screen ip-record-route
    user@host# set security-zone zone-1 screen ip-timestamp-opt
    user@host# set security-zone zone-1 screen ip-security-opt
    user@host# set security-zone zone-1 screen ip-stream-opt

Results

From configuration mode, confirm your configuration by entering the show security screen command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security screen
ids-option ip-record-route {
    ip {
        record-route-option;
    }
}
ids-option ip-security-opt {
    ip {
        security-option;
    }
}
ids-option ip-stream-opt {
    ip {
        stream-option;
    }
}
ids-option ip-timestamp-opt {
    ip {
        timestamp-option;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Detection of Packets That Use IP Options for Reconnaissance

Purpose

Verify that the IP screen options for reconnaissance are configured.

Action

From operational mode, enter the show security screen command.

Verifying Screens in the Zone-1 Security Zone Are Enabled

Purpose

Verify that the screens in the zone-1 security zone are enabled.

Action

From operational mode, enter the show security zones command.
