Junos Security [Paperback]

  • Format: Paperback / softback, 848 pages, height x width x thickness: 230x175x50 mm, black & white illustrations
  • Series: OREILLY
  • Publication date: 28-Sep-2010
  • Publisher: O'Reilly Media
  • ISBN-10: 1449381715
  • ISBN-13: 9781449381714
  • Paperback
  • Price: 71,22 €*
  • * the price is final, i.e. no further discounts apply
  • Regular price: 83,79 €
  • You save 15%
  • Delivery of the book from the publisher takes approximately 2-4 weeks
Written for network administrators and security professionals, this large volume details the setup, security and maintenance of the Juniper Networks SRX hardware system. One of the two major companies providing network hardware for large to very large scale computer networks and datacenters, Juniper hardware is controlled by its own proprietary operating system, Junos. This guide begins with an overview of the SRX platform and an introduction to the Junos environment and progresses through common network administration tasks such as firewall setup, NAT, IPsec VPN and routing. Each section provides step-by-step instructions, code snippets and illustrations. This manual is also an official study guide for the JNTCP network security certification test. The authors are affiliated with Juniper Networks. Annotation ©2010 Book News, Inc., Portland, OR (booknews.com)

Junos® Security is the complete and authorized introduction to Juniper Networks' new SRX hardware series running the Junos operating system. This book not only provides a practical hands-on field guide to deploying, configuring, and operating SRX, but also serves as a reference to help you prepare for the JNCIS-ES and JNCIE-ES Certification examinations.

Network administrators and security professionals will learn how to address a whole array of enterprise data network requirements using SRX Junos services gateways -- including IP routing, intrusion detection, attack mitigation, unified threat management, and WAN acceleration. Junos Security is a clear and detailed roadmap to the SRX product lines.

  • Get up to speed on Juniper's multi-function SRX platforms and SRX Junos software
  • Learn directly from engineers with extensive experience using SRX
  • Take advantage of the authors' knowledge through case studies and troubleshooting tips
  • Become familiar with SRX security policy, Network Address Translation, and IPSec VPN configuration
  • Learn about routing fundamentals and high availability using SRX platforms
  • Discover what sets SRX apart from typical firewalls
  • Gain knowledge about the Junos operating system that spans the entire Juniper Networks networking hardware portfolio
  • Learn about the more commonly deployed branch series SRX as well as the large Data Center SRX firewalls
Foreword
Preface
1 Introduction to the SRX
  • Evolving into the SRX
  • ScreenOS to Junos
  • The SRX Series Platform
  • Built for Services
  • Deployment Solutions
  • Small Branch
  • Medium Branch
  • Large Branch
  • Data Center
  • Data Center Edge
  • Data Center Services Tier
  • Service Provider
  • Mobile Carriers
  • Cloud Networks
  • The Junos Enterprise Services Reference Network
  • SRX Series Product Lines
  • Branch SRX Series
  • Branch-Specific Features
  • SRX100
  • SRX200
  • SRX600
  • AX411
  • CX111
  • Branch SRX Series Hardware Overview
  • Licensing
  • Branch Summary
  • Data Center SRX Series
  • Data Center SRX-Specific Features
  • SPC
  • NPU
  • Data Center SRX Series Session Setup
  • Data Center SRX Series Hardware Overview
  • SRX3000
  • SRX5000
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
2 What Makes Junos So Special?
  • OS Basics
  • FreeBSD
  • Process Separation
  • Development Model
  • Adding New Features
  • Data Plane
  • Junos Is Junos Except When It's Junos
  • Coming from Other Products
  • ScreenOS
  • IOS and PIX OS
  • Check Point
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
3 Hands-On Junos
  • Introduction
  • Driving the Command Line
  • Operational Mode
  • Variable Length Output
  • Passing Through the Pipe
  • Seeking Immediate Help
  • Configuration Mode
  • Commit Model
  • Restarting Processes
  • Junos Automation
  • Junos Configuration Essentials
  • System Settings
  • Interfaces
  • Switching (Branch)
  • Zones
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
4 Security Policy
  • Security Policy Overview
  • SRX Policy Processing
  • Viewing SRX Policy Tables
  • Viewing Policy Statistics
  • Viewing Session Flows
  • Policy Structure
  • Security Zones
  • Service Configuration
  • Blocking Unwanted Traffic
  • Policy Logging
  • Troubleshooting Security Policy and Traffic Flows
  • Troubleshooting Sample
  • Troubleshooting Output
  • Turning Off Traceoptions
  • Application Layer Gateway Services
  • How to Configure an ALG
  • Policy Schedulers
  • One-Time Schedulers
  • Web and Proxy Authentication
  • Web Authentication
  • Pass-Through Authentication
  • Case Study 4-1
  • Case Study 4-2
  • Converters and Scripts
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
5 Network Address Translation
  • How the SRX Processes NAT
  • Source NAT
  • Interface NAT
  • Address Pools
  • Removing PAT
  • Proxy ARP
  • Persistent NAT
  • Case Study 5-1: ISP Redundancy via PAT
  • Conclusion
  • Destination NAT
  • Implementing Destination NAT
  • Viewing Destination NAT
  • Tracing Destination NAT Flows
  • Case Study 5-2: Virtual IP NAT
  • Static NAT
  • Case Study 5-3: Double NAT
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
6 IPsec VPN
  • VPN Architecture Overview
  • Site-to-Site IPsec VPNs
  • Hub and Spoke IPsec VPNs
  • Full Mesh VPNs
  • Multipoint VPNs
  • Remote Access VPNs
  • IPsec VPN Concepts Overview
  • IPsec Encryption Algorithms
  • IPsec Authentication Algorithms
  • IKE Version 1 Overview
  • IPsec VPN Protocol
  • IPsec VPN Mode
  • IPsec Manual Keys
  • Phase 1 IKE Negotiations
  • IKE Authentication
  • IKE Identities
  • Phase 1 IKE Negotiation Modes
  • Phase 2 IKE Negotiations
  • Perfect Forward Secrecy
  • Quick Mode
  • Proxy ID Negotiation
  • Flow Processing and IPsec VPNs
  • SRX VPN Types
  • Policy-Based VPNs
  • Route-Based VPNs
  • Other SRX VPN Components
  • Dead Peer Detection
  • VPN Monitoring
  • XAuth
  • NAT Traversal
  • Anti-Replay Protection
  • Fragmentation
  • Differentiated Services Code Point
  • IKE Key Lifetimes
  • Network Time Protocol
  • Certificate Validation
  • Simple Certificate Enrollment Protocol
  • Group VPN
  • Dynamic VPN
  • Selecting the Appropriate VPN Configuration
  • IPsec VPN Configuration
  • Configuring NTP
  • Certificate Preconfiguration Tasks
  • Phase 1 IKE Configuration
  • Phase 2 IKE Configuration
  • Configuring Manual Key IPsec VPNs
  • Dynamic VPN
  • VPN Verification and Troubleshooting
  • Useful VPN Commands
  • VPN Tracing and Debugging
  • Case Studies
  • Case Study 6-1: Site-to-Site VPN
  • Case Study 6-2: Remote Access VPN
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
7 High-Performance Attack Mitigation
  • Network Protection Tools Overview
  • Firewall Filters
  • Screens
  • Security Policy
  • IPS and AppDoS
  • Protecting Against Network Reconnaissance
  • Firewall Filtering
  • Screening
  • Port Scan Screening
  • Summary
  • Protecting Against Basic IP Attacks
  • Basic IP Protections
  • Basic ICMP Protections
  • Basic TCP Protections
  • Basic Denial-of-Service Screens
  • Advanced Denial-of-Service and Distributed Denial-of-Service Protection
  • ICMP Floods
  • UDP Floods
  • SYN/TCP Floods
  • SYN Cookies
  • SYN-ACK-ACK Proxies
  • Session Limitation
  • AppDoS
  • Application Protection
  • SIP
  • MGCP
  • SCCP
  • Protecting the SRX
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
8 Intrusion Prevention
  • The Need for IPS
  • How Does IPS Work?
  • IPS Packet Processing on the SRX
  • Attack Object Types
  • IPS Policy Components
  • Security Packages
  • Sensor Attributes
  • SSL Inspection
  • AppDDoS Protection
  • Custom Attack Groups and Objects
  • Configuring IPS Features on the SRX
  • Getting Started with IPS on the SRX
  • Deploying and Tuning IPS
  • First Steps to Deploying IPS
  • Building the Policy
  • Testing Your Policy
  • Actual Deployment
  • Day-to-Day IPS Management
  • Troubleshooting IPS
  • Checking IPS Status
  • Checking Security Package Version
  • IPS Attack Table
  • Application Statistics
  • IPS Counters
  • IP Action Table
  • AppDDoS Useful Commands
  • Troubleshooting the Commit/Compilation Process
  • Case Study 8-1
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
9 Unified Threat Management
  • What Is UTM?
  • Application Proxy
  • Web Filtering
  • Antivirus
  • Notifications
  • Viewing the UTM Logs
  • Controlling What to Do When Things Go Wrong
  • Content Filtering
  • Antispam
  • UTM Monitoring
  • Licensing
  • Tracing UTM Sessions
  • Case Study 9-1: Small Branch Office
  • Security Policies
  • UTM Policies and Profiles
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
10 High Availability
  • Understanding High Availability in the SRX
  • Chassis Cluster
  • The Control Plane
  • The Data Plane
  • Junos High Availability Concepts
  • Deployment Concepts
  • Configuration
  • Differences from Standalone
  • Activating JSRPD (Juniper Services Redundancy Protocol)
  • Managing Cluster Members
  • Configuring the Control Ports
  • Configuring the Fabric Links
  • Node-Specific Information
  • Configuring Heartbeat Timers
  • Redundancy Groups
  • Configuring Interfaces
  • Integrating Dynamic Routing
  • Upgrading the Cluster
  • Fault Monitoring
  • Interface Monitoring
  • IP Monitoring
  • Manual Failover
  • Hardware Monitoring
  • Software Monitoring
  • Preserving the Control Plane
  • Using Junos Automation
  • Troubleshooting the Cluster
  • First Steps
  • Checking Interfaces
  • Verifying the Data Plane
  • Core Dumps
  • The Dreaded Priority Zero
  • When All Else Fails
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
11 Routing
  • How the SRX "Routes" IP Packets
  • Forwarding Tables
  • IP Routing
  • Asymmetric Routing
  • Address Resolution Protocol (ARP)
  • Static Routing
  • Creating a Static Route
  • Verifying a Static Route
  • Dynamic Routing
  • Configuring OSPF Routing
  • Case Study 11-1: Securing OSPF Adjacencies
  • Case Study 11-2: Redundant Paths and Routing Metrics
  • Growing OSPF Networks
  • Routing Policy
  • Case Study 11-3: Equal Cost Multipath (ECMP)
  • Internet Peering
  • Configuring BGP Peerings
  • BGP Routing Tables
  • Case Study 11-4: Internet Redundancy
  • Routing Instances
  • Configuring Routing Instances
  • Filter-Based Forwarding
  • Configuring Filter-Based Forwarding
  • Case Study 11-5: Dynamic Traffic Engineering
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
12 Transparent Mode
  • Transparent Mode Overview
  • Why Use Transparent Mode?
  • MAC Address Learning
  • Transparent Mode and Bridge Loops, Spanning Tree Protocol
  • Transparent Mode Limitations
  • Transparent Mode Components
  • Interface Modes in Transparent Mode
  • Bridge Domains
  • IRB Interfaces
  • Transparent Mode Zones
  • Transparent Mode Security Policy
  • Transparent Mode Specific Options
  • QoS in Transparent Mode
  • VLAN Rewriting
  • High Availability with Transparent Mode
  • Transparent Mode Flow Process
  • Configuring Transparent Mode
  • Configuring Transparent Mode Basics
  • Configuring Integrated Routing and Bridging
  • Configuring Transparent Mode Security Zones
  • Configuring Transparent Mode Security Policies
  • Configuring Bridging Options
  • Configuring Transparent Mode QoS
  • Configuring VLAN Rewriting
  • Transparent Mode Commands and Troubleshooting
  • The show bridge domain Command
  • The show bridge mac-table Command
  • The show l2-learning global-information Command
  • The show l2-learning global-mac-count Command
  • The show l2-learning interface Command
  • Transparent Mode Troubleshooting Steps
  • Case Study 12-1
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
13 SRX Management
  • The Management Infrastructure
  • Operational Mode
  • Configuration Mode
  • J-Web
  • NSM and Junos Space
  • NETCONF
  • Scripting and Automation
  • Commit Scripts
  • Creating a Configuration Template
  • Operational Scripts
  • Event Scripts
  • Keeping Your Scripts Up-to-Date
  • Case Studies
  • Case Study 13-1: Displaying the Interface and Zone Information
  • Case Study 13-2: Zone Groups
  • Case Study 13-3: Showing the Security Policies in a Compact Format
  • Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover
  • Case Study 13-5: Track-IP Using RPM Probes
  • Case Study 13-6: Top Talkers
  • Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses
  • Case Study 13-8: High-End SRX Monitor
  • Summary
  • Chapter Review Questions
  • Chapter Review Answers
Index
Rob Cameron is a Technical Marketing Manager for Juniper Networks' high-end security systems and the author of several SSN and SSL books published by Syngress. He is an expert on the SRX and leads the engineering teams supporting the technology across carrier, enterprise, and service provider venues.

Brad Woodberg is a Technical Marketing Engineer for Juniper Networks' high-end security systems. He currently holds the JNCIE-M #356, JNCIS-FWV, JNCIS-SSL, JNCIA-IDP, JNCIA-AC, and CCNP certifications and a BS in Computer Engineering from Michigan State University. Before joining Juniper Networks, Brad worked as a senior engineer at a Juniper Elite Partner where he designed, implemented, managed, and supported large network and security infrastructures.

Patricio Giecco is a Technical Marketing Engineer for Juniper Networks' branch security systems, where he designs best-practice security solutions and features for Juniper Networks. He has more than ten years of network consulting experience working for both vendors and service providers in Latin America, Europe, Asia and North America. At Juniper Networks, Patricio specializes in network security architecture, routing, risk management, and high-availability designs.

Timothy Eberhard is a Subject Matter Expert for the wireless data networks at Sprint, where he has been a member of the Network Operations team for more than four years. He is CCSP, C|EH, JNCIS-FWV, JNCIS-ER, and JNCIS-M certified. He has written two open source software tools utilized by engineers around the world for supporting Juniper firewalls: the NSSA firewall session analyzer and the TPCAT packet capture analyzer.

James Quinn is a Technical Marketing Engineer for Juniper Networks' high-end security systems. He was previously the Senior Resident Engineer for Juniper Networks at one of the largest wireless carriers in the world, and before that a senior engineer for a large public university system. He is JNCIE-M #117, JNCIE-ER #40, CCIE #8919, JNCIS-FWV, and JNCIS-ES certified and has contributed to writing Juniper Networks certification exams.