Configuring Security Zones

To configure security zones using the J-Web interface:

  1. Select Configure>Security>Zones/Screens. The Zones/Screens Configuration page appears.
  2. Click one:
    • Add— Adds a new zone or screen. Table 30 describes the available options for zones; Table 31 describes the available options for screens.
    • Edit— Edits selected zones/screens.
    • Delete— Deletes selected zones/screens.
  3. Click one:
    • Ok— Saves the configuration and returns to the main configuration page.
    • Cancel— Cancels your entries and returns to the main configuration page.

Table 30: Security Zones Options

Field

Function

Action

Main

Zone name

Name of the zone for which you are enabling policies

Specify a unique name for the zone you are adding.

Zone type

Type of zone you are adding.

Select either Security or Functional as the zone type. Only one functional zone (the management zone, used for out-of-band management interfaces) can be configured; security policies reference only security zones.

Traffic Control Options

Send RST for non matching session

When the RST (reset) feature is enabled, the device sends a TCP segment with the RST (reset) flag set in response to traffic that does not match an existing session and does not have the SYN (synchronize) flag set.

Select this check box to enable the tcp-rst feature, which sends a TCP segment with the RST flag set in response to any non-SYN TCP segment that does not belong to an existing session. This speeds up teardown of stale client sessions, but the RST also reveals the device to anyone probing with non-SYN segments (an ACK scan, for example), so leave it disabled on untrusted zones unless you need that behaviour.

Binding screen

Assign screens to a zone. If you have already configured screens, the drop-down list shows the screen names and allows you to select or remove a screen.

Assign a screen to the zone.

Interfaces in this zone

Available interfaces for the security zone.

Use the left or right arrows to select or clear the interfaces that you want included in the security zone.

Host inbound traffic - Zone

Selected Interfaces

Displays the selected interfaces.

Select an interface to enable the Protocols and Services options.

Protocols

Routing and control protocols (OSPF, BGP, and so on) whose inbound traffic, arriving on any interface in the zone, is allowed to reach the device itself. Host inbound traffic governs traffic destined to the device, not transit traffic to hosts behind it.

Highlight the protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all protocols.

Services

System services (SSH, HTTPS, ping, and so on) whose inbound traffic, arriving on any interface in the zone, is allowed to reach the device itself. Security policies do not govern this traffic; the host inbound traffic settings are what permit or deny it, so open only the services you manage the device with.

Highlight the services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all services.

Host inbound traffic - Interface

Interface services

System services whose inbound traffic is allowed to reach the device itself when it arrives on the selected interface only. Interface-level settings add to, and are checked together with, the zone-level settings.

Highlight the interface services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface services.

Note: If you select multiple interfaces, the existing Interface services and Interface protocols selections clear and new Interface services and Interface protocols selections are applied to the selected interfaces.

Interface protocols

Routing and control protocols whose inbound traffic is allowed to reach the device itself when it arrives on the selected interface only.

Highlight the interface protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface protocols.
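The same zone settings can be entered from the Junos CLI. The following is an added example written for this page; it is not Juniper's own sample configuration. The zone name untrust, the screen name untrust-screen, the interface names ge-0/0/0.0, ge-0/0/1.0 and fxp0.0, and the particular services and protocols opened are all assumptions chosen for illustration.

```junos
# Added example (assumed names): a security zone with tcp-rst, a bound screen,
# two interfaces, and host-inbound traffic at zone and interface level.
set security zones security-zone untrust tcp-rst
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0

# Host inbound traffic - Zone: applies to every interface in the zone.
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bgp

# Host inbound traffic - Interface: SSH to the device is accepted on ge-0/0/1.0 only.
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh

# Only one functional zone exists: the management zone for the out-of-band port.
set security zones functional-zone management interfaces fxp0.0
set security zones functional-zone management host-inbound-traffic system-services ssh
set security zones functional-zone management host-inbound-traffic system-services https

# Check the candidate configuration, then verify the result.
commit check
run show security zones untrust
```

The screen referenced by `screen untrust-screen` must already exist under `[edit security screen ids-option]` or the commit fails. Note that no `host-inbound-traffic system-services all` is used: opening every service to an untrusted zone exposes the device's management plane to the Internet.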

Table 31: Security Screen Options

Field

Function

Action

Main

Screen Name

Name of the screen object.

Specify a unique name for the screen object you are defining.

Generate alarms without dropping packet

Generates alarms without dropping packets.

Select this check box to generate alarms without dropping the offending packets. This is useful for baselining a new screen against production traffic before enforcing it.

Scan/Spoof/Sweep Defence

IP spoofing

Counter for IP spoofing attempts. IP spoofing is the insertion of a bogus source address in the packet header to make the packet appear to come from a trusted source. The device detects it by checking, against its route table, whether the packet arrived on the interface through which its source address is reachable.

Select this check box to enable IP address spoofing protection.

IP sweep

Counter for IP address sweeps. An address sweep is a remote host sending ICMP traffic to many different addresses in a short time to discover which hosts are active.

Select this check box to enable IP address sweep protection.

Configure a time interval (in microseconds). If a remote host sends ICMP traffic to 10 addresses within this interval, an address sweep attack is flagged and further ICMP packets from the remote host are rejected. Valid values are between 1000 and 1000000 microseconds. The default value is 5000 microseconds.

Port scan

Counter for TCP port scans. A port scan probes many ports on a host in the hope that at least one responds, identifying a service to target.

Select this check box to enable port scan protection.

Configure a time interval (in microseconds). If a remote host scans 10 ports within this interval, a port scan attack is flagged and further packets from the remote host are rejected. Valid values are between 1000 and 1000000 microseconds. The default value is 5000 microseconds.

Ms Windows Defense

WinNuke attack protection

Counter for Transmission Control Protocol (TCP) WinNuke attacks. WinNuke is a DoS attack targeting any computer on the Internet running Windows.

Select this check box to enable WinNuke attack protection option.

Denial of Service

Land attack protection

Number of land attacks. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.

Select this check box to enable land attack protection option.

Teardrop attack protection

Number of teardrop attacks. Teardrop attacks exploit the reassembly of fragmented IP packets.

Select this check box to enable teardrop protection option.

ICMP fragment protection

Number of ICMP fragments. Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.

Select this check box to enable ICMP fragment protection option.

Ping of death attack protection

ICMP ping of death counter. Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).

Select this check box to enable ping of death attack protection option.

Large size ICMP packet protection

Counter for ICMP packets larger than 1024 bytes.

Select this check box to enable large (size >1024) ICMP packet protection option.

Block fragment traffic

Counter for IP fragments blocked.

Select this check box to enable IP fragment blocking.

SYN-ACK-ACK proxy protection

Counter for SYN-ACK-ACK proxy sessions. This option protects against SYN-ACK-ACK floods, in which a client completes the TCP handshake with the device's authentication proxy and then never answers the login prompt, leaving a half-open session each time. After the number of such unauthenticated connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, JUNOS software rejects further connection requests from that IP address.

Select this check box to enable SYN-ACK-ACK proxy protection.

Configure the threshold between 1 and 250000 sessions. The default value is 512 sessions.

Anomalies - IP

Bad option

Counter for IP packets with malformed or incomplete IP options in the header. Such packets are almost always crafted rather than produced by a normal IP stack.

Select this check box to enable IP with bad option IDs screen option.

Security

Detects IP packets carrying the IP security option (RFC 791), which provides a way for hosts to send security, compartmentation and handling restriction parameters. The option is essentially unused on modern networks, so its presence is suspicious.

Select this check box to enable IP with security option.

Unknown protocol

Counter for IP packets whose protocol number is unknown (JUNOS software treats protocol numbers 137 and greater as unknown). Such packets are more likely to be probes or evasion attempts than legitimate traffic.

Select this check box to enable Unknown Protocol Protection option.

Strict source route

Specifies the complete route list for a packet to take on its journey from source to destination.

Select this check box to enable IP with strict source route option.

Source route

Counter for packets carrying an IP source route option. Source routing lets the sender specify some or all of the routers a packet must pass through on its way to the destination, which an attacker can use to bypass filtering or to steer replies along a chosen path.

Select this check box to enable IP with source route option.

Timestamp

Records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.

Select this check box to enable IP with timestamp option.

Stream

Provides a way for the 16-bit SATNET stream identifier to be carried through networks that did not support the stream concept.

Select this check box to enable IP with stream option.

Loose source route

Specifies a partial route list for a packet to take on its journey from source to destination.

Select this check box to enable IP with loose source route option.

Record route

Records the IP addresses of the network devices along the path that the IP packet travels.

Select this check box to enable IP with record route option.

TCP

SYN Fragment Protection

Counter for TCP SYN segments that are IP fragments. A SYN segment is too small to need fragmentation, so a fragmented SYN is a sign of an attempt to evade inspection or confuse the target's reassembly.

Select this check box to enable SYN Fragment option.

SYN and FIN Flags Set Protection

Number of TCP SYN and FIN flags. When you enable this option, JUNOS Software checks if the SYN and FIN flags are set in TCP headers. If it discovers such a header, it drops the packet.

Select this check box to enable SYN and FIN flags Set option.

FIN Flag Without ACK Flag Set Protection

Counter for TCP segments with the FIN flag set but not the ACK flag. When you enable this option, JUNOS Software checks whether a TCP header has FIN set without ACK. A legitimate FIN always carries ACK, so the device drops such a packet.

Select this check box to enable the FIN Flag Without ACK option.

TCP Packet Without Flag Set Protection

Number of TCP headers without flags set. A normal TCP segment header has at least one flag control set.

Select this check box to enable TCP Packet without Flag Set option.

Flood Defence

Limit Sessions

Limit sessions from the same destination

Limits sessions from the same destination IP.

Select this check box to enable destination IP based session limit.

Configure the threshold between 1 and 50000 concurrent sessions. The default value is 128 sessions.

Note: For SRX Series devices, the applicable range is 1 through 8000000 sessions.

ICMP/UDP protection

ICMP flood protection

Internet Control Message Protocol (ICMP) flood counter. An ICMP flood occurs when so many ICMP echo requests arrive that the target exhausts its resources answering them and can no longer process valid traffic.

Select this check box to enable the ICMP Flood Protection option.

Configure the threshold between 1 and 100000 ICMP packets per second (pps). The default value is 1000 pps.

Note: For SRX Series devices, the applicable range is 1 through 4000000 ICMP packets per second.

UDP flood protection

User Datagram Protocol (UDP) flood counter. A UDP flood occurs when an attacker sends IP packets containing UDP datagrams fast enough to exhaust the target's resources, so that valid connections can no longer be handled.

Select this check box to enable UDP flood protection.

Configure the threshold between 1 and 100000 UDP packets per second. The default value is 1000 pps.

SYN Flood Protection

SYN flood protection

SYN flood occurs when a host becomes so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests.

Select this check box to enable all the threshold and ager timeout options.

Attack threshold

Defines the number of SYN segments per second to the same destination address and port that triggers the SYN proxy mechanism. Once the threshold is crossed, the device completes the three-way handshake on the server's behalf and forwards only those connections whose client actually completes it.

Example (a deployment with four Web servers behind the device, monitored for one week): an attack threshold set 25% higher than the observed average peak of new connection requests per second per server, 625 pps, is a rate that is unusual for that environment. When the number of SYN packets per second for any one of the four Web servers exceeds 625, the device begins proxying new connection requests to that server; that is, beginning with the 626th SYN packet to the same destination address and port number in one second.

Configure a value between 1 and 100000 SYN packets per second. The default value is 200 pps; in the example it is set to 625 pps.

Note: For SRX Series devices, the applicable range is 1 through 1000000 packets per second.

Alarm threshold

Defines the number of half-completed proxied connections per second at which the device makes entries in the event alarm log.

Example (continuing the four Web server deployment): with an alarm threshold of 250, once the device has proxied 251 new connection requests in one second it makes an alarm entry in the event log. Because proxying starts only after the attack threshold is exceeded, the alarm threshold effectively counts connection requests beyond that point, so a value somewhat above the attack threshold avoids alarm entries for traffic spikes that only slightly exceed it.

Configure a value between 1 and 100000 half-completed proxied connections per second. The default value is 512; in the example it is set to 250.

Note: For SRX Series devices, the applicable range is 1 through 1000000 segments per second.

Source threshold

Defines the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before the device begins dropping connection requests from that source.

When you set a source threshold, the device tracks SYN packets by source IP address, regardless of destination address and port number. This source-based tracking is separate from the tracking by destination address and destination port that constitutes the basic SYN flood protection mechanism.

Example (continuing the four Web server deployment): in one week of monitoring, no more than 1/25 of the new connection requests for all servers came from any one source within a one-second interval. The source threshold is therefore set to 25 pps (1/25 of the 625 pps attack threshold); connection requests from a single source above that rate are unusual and sufficient cause for the device to act. After the device has counted 25 SYN packets from the same source IP address, beginning with the 26th packet it rejects all further SYN packets from that source for the remainder of that second and for the next second as well.

Configure a value between 4 and 100000 SYN segments received per second. The default value is 4000; in the example it is set to 25.

Note: For SRX Series devices, the applicable range is 4 through 1000000 segments per second.

Destination threshold

Defines the number of SYN segments received per second for a single destination IP address, regardless of destination port number, before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want a threshold based on the destination IP address alone.

When you set a destination threshold, the device runs a separate count keyed on the destination IP address only. In the four Web server example the servers receive only HTTP traffic (destination port 80), so no traffic to any other destination port reaches them and a separate destination threshold offers no additional advantage; it is left unset (shown as 0 pps) in that example.

Configure a value between 4 and 100000 SYN segments received per second. The default value is 4000.

Note: For SRX Series devices, the applicable range is 4 through 1000000 segments per second.

Ager timeout

Defines the maximum length of time a half-completed connection is held in the queue before it is dropped. You can decrease the timeout until connections begin to be dropped under normal traffic conditions, then raise it slightly.

The default value of 20 seconds is a reasonable length of time to hold incomplete connection requests.

Configure a value for SYN attack protection between 1 and 50 seconds. The default value is 20 seconds.

Apply to Zones

Available

Displays the configured zones.

Highlight the zones in the Available column and then use the right arrow to move them to the Selected column.

Selected

Displays the zones to which the screen is applied.