Configuring ScreenOS Firewall
IPS can utilize a ScreenOS device as a policy enforcement point to work as a Layer 3 Enforcer. When the ScreenOS device is configured to work as an enforcer with IPS, the following takes place:
- IPS provisions resource access policies.
- The ScreenOS device gets the user's role membership information from the authentication table entries that IPS sends when the user authenticates with IPS or when the user tries to access resources through the ScreenOS device.
- The ScreenOS device does a policy lookup in the resource access policies sent by IPS and makes allow/deny decisions accordingly.
Configuring ScreenOS as an Enforcer
You can configure basic Infranet auth Enforcer policies that specify a source zone and a destination zone on the IPS Series device and then push the policies to the ScreenOS Enforcer to add additional policy details, or you can use the ScreenOS Enforcer to configure the policies with the CLI or Web UI. We recommend that you use the IPS Series device to set up the policies for source IP enforcement on the Infranet Enforcer.
Before setting a policy, you must create address book entries for the destination and source addresses unless you use address book entries that already exist, such as Any.
The following example sets an Infranet auth policy and adds it to the top of the list of policies. The policy allows all traffic of any type from any host to any other host, subject to the Infranet Enforcer resource access policies that you configure on the IPS Series device.
set policy top from untrust to trust any any any permit Infranet-auth
The following example sets two address book entries and a policy between them so that anyone in the 10.64.0.0/16 range can reach the 10.65.0.0/16 range.
set address Trust "10.64 Range" 10.64.0.0 255.255.0.0
set address Untrust "10.65 Range" 10.65.0.0 255.255.0.0
set policy from trust to untrust "10.64 Range" "10.65 Range" any permit Infranet-auth
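The two-stage decision that the ScreenOS Enforcer makes for the policy above (firewall policy match first, then a lookup against the role membership and resource access policies sent by IPS) can be modelled as follows. This is an added example, not code from the page or from ScreenOS; the auth table entries, role names and resource access policies are constructed sample data, and service matching is omitted since the policy uses the service "any".

```python
import ipaddress
from dataclasses import dataclass

# Address book entries, as set with `set address <zone> <name> <ip> <mask>`.
ADDRESS_BOOK = {
    ("Trust", "10.64 Range"): ipaddress.ip_network("10.64.0.0/16"),
    ("Untrust", "10.65 Range"): ipaddress.ip_network("10.65.0.0/16"),
}

@dataclass
class FirewallPolicy:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    infranet_auth: bool  # True for a `permit Infranet-auth` policy

# `set policy from trust to untrust "10.64 Range" "10.65 Range" any permit Infranet-auth`
POLICIES = [FirewallPolicy("Trust", "Untrust", "10.64 Range", "10.65 Range", True)]

# Auth table entries pushed by IPS (constructed): endpoint IP -> role membership.
AUTH_TABLE = {"10.64.5.20": {"Employees"}, "10.64.9.7": {"Contractors"}}

# Resource access policies provisioned by IPS (constructed): resource -> roles allowed.
RESOURCE_POLICIES = [
    (ipaddress.ip_network("10.65.1.0/24"), {"Employees"}),
    (ipaddress.ip_network("10.65.2.0/24"), {"Employees", "Contractors"}),
]

def decide(src_ip: str, dst_ip: str, from_zone: str, to_zone: str) -> str:
    """Return "permit" or "deny" for one flow, in the order the enforcer evaluates it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in POLICIES:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if src not in ADDRESS_BOOK[(p.from_zone, p.src)]:
            continue
        if dst not in ADDRESS_BOOK[(p.to_zone, p.dst)]:
            continue
        if not p.infranet_auth:
            return "permit"  # plain permit policy: no IPS lookup involved
        roles = AUTH_TABLE.get(src_ip)
        if not roles:
            return "deny"  # no auth table entry: endpoint has not authenticated with IPS
        # Policy lookup in the resource access policies that IPS provisioned.
        if any(dst in net and roles & allowed for net, allowed in RESOURCE_POLICIES):
            return "permit"
        return "deny"
    return "deny"  # no matching firewall policy: interzone traffic is denied by default
```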
You can use Route mode or Transparent mode to configure a Juniper Networks ScreenOS Enforcer. By default, the ScreenOS Enforcer operates in Route mode. For more information on ScreenOS, see the ScreenOS Reference Guide.
Configuring the ScreenOS in Route Mode
IPS can reside on either the trust or the untrust interface side of the Infranet Enforcer. If IPS resides on the trust interface side and users come in through the untrust interface, the administrator must configure a policy (untrust to trust) on the Infranet Enforcer that allows traffic to pass between IPS and Ivanti Secure Access Client. By default, Infranet Enforcer traffic from the untrust interface to the trust interface is denied.
The following procedure describes the setup with IPS on the untrust interface side (same side as users).
To configure an Infranet Enforcer in Route mode:
- Set up the trust interface. The trust interface connects to the protected resource. The untrust interface connects to IPS. Set the following interface (ethernet1/1) settings:
  - Set routing.
  - Enable management of the following services:
    - SSL
    - SSH
    - IP (options)
  - Ensure that the DHCP server is disabled or enabled, as appropriate for the deployment.
- Import the certificate of the CA that signed IPS's server certificate into the Infranet Enforcer.
If you set up an NSRP cluster before you import the CA certificate into the Infranet Enforcer, the CA certificate is automatically synchronized to all Infranet Enforcers in the cluster. However, if you set up the NSRP cluster after you import the CA certificate, you must manually synchronize the certificate to the other Infranet Enforcers in the cluster by typing the following CLI command:
exec nsrp sync pki
You cannot load the self-signed SSL certificate into the Juniper security device.
The certificate of the CA that signed IPS's certificate must be imported on the Infranet Enforcer because the Infranet Enforcer must be able to trust IPS during an SSL session. When a user signs into a server by means of SSL, the server displays a dialog box in which the user can manually accept the certificate that is associated with that server. For the Infranet Enforcer to skip that manual step and automatically accept IPS's certificate, the Infranet Enforcer must have the certificate of the CA that signed IPS's certificate.
- Create an instance of IPS on the Juniper security device.
- Enable SSH.
- Verify routing from IPS to the untrust interface.
- Ensure that both the Infranet Enforcer and IPS have the correct time. If possible, use a Network Time Protocol (NTP) server to set the date and time of both appliances.
Creating a Route-based interface with ScreenOS
When an interface is in route mode, the security device routes traffic between different zones without performing source NAT.
To create an IPS instance on ScreenOS, you must configure the following items:
- IP address or hostname of IPS
- Password to use when the Infranet Enforcer uses NACN to contact IPS
- Source interface
- CA index number (ca-idx)
You can set these items using the Web UI or the CLI.
In the following procedure, you first set interface management options and disable the DHCP server option. Then you enable SSHv2 and configure an IPS server named controller1. Next, you set the host IP address, which is the IP address of the server, to 10.64.12.1. The NACN password is 8!JsP37cK9a*_HiEwe. The NACN password must match the NACN password that you entered for the IPS server. The source interface is the interface that the Infranet Enforcer uses to communicate with IPS, and the CA index number is 001.
For this example, the source interface is ethernet1/1. To see a descriptive list of CA index numbers, type the following command at the ScreenOS CLI:
get ssl ca-list
To change SSH versions, delete SSH settings by typing the following CLI command:
delete ssh device all
When you use the Web UI, you do not need to fill in the Full Subject Name of IPS Cert field. If you do fill it in, be sure to enter the entire certificate subject. For example:
CN=ic1.sample.net,CN=14087306185,CN=06990218,OU=Software,O=Comp,S=CA, C=US
To create the instance using the Web UI:
- Select Network > Interfaces > Edit > Services from the left navigation bar to set management options.
- Select Network > DHCP > Edit to disable the DHCP server for both interfaces (Trust and Untrust).
- Select and load the CA if you have not already done so.
  - Select Objects > Certificates.
  - Click Browse to find and select the certificate. Then click Load.
  - Select CA from the show list.
  - Click Server Settings and make sure Check Method is set correctly for the certificate you are using.
  - Click OK.
- Create the IPS instance.
  - Select Configuration > Infranet Auth > Controllers (List) > New.
  - Type controller1 in the IPS Instance box.
  - Type 10.64.12.1 in the IP/Domain Name box.
  - For the NACN Parameters, select ethernet1/1 from the Source Interface list.
  - Type 8!JsP37cK9a*_HiEwe in the Password box.
  - Select the CA from the Selected CA list.
- Enable SSH version 2.
  - Select Configuration > Admin > Management > Enable SSH (v2).
To create the instance using the CLI:
Type the following commands:
set interface ethernet1/1 manage ssl
set interface ethernet1/1 manage ssh
set interface ethernet1/1 manage ip
set interface ethernet2/1 manage ping
set interface ethernet2/1 dhcp server disable
set interface ethernet1/1 dhcp server disable
delete ssh device all
set ssh version v2
set ssh enable
set infranet controller name controller1 host-name 10.64.12.1
set infranet controller name controller1 password 8!JsP37cK9a*_HiEwe
set infranet controller name controller1 src-interface ethernet1/1
set infranet controller name controller1 ca-idx 001
save
Configuring the ScreenOS in Transparent Mode
The ScreenOS device is usually installed in Transparent mode between a core router and an access distribution device. The services are enabled at the zone level, and VLAN1 is used for management.
Transparent mode permits you to implement the following functionality:
- The device can act as a Layer 2 forwarding device, such as a bridge.
- You can control traffic flow between Layer 2 security zones by defining policies.
To configure a ScreenOS Enforcer in Transparent mode:
- Set up Transparent mode using the predefined security zones, v1-trust and v1-untrust.
- Assign interfaces to v1-trust and v1-untrust.
- Configure the IP address for a source interface to establish connectivity with IPS. You can use V1-trust, V1-untrust, or V1-dmz.
- Configure the broadcast mechanism to flooding (default) or ARP/traceroute. ARP/traceroute is more secure than broadcast flooding.
- Enable management of the following services for VLAN1:
  - SSL
  - SSH
  - Web (optional)
- Set up the Juniper Networks security device zones. The protected resources can be in either zone (v1-trust or v1-untrust) as long as the protected resources are in a zone different from the endpoints.
  IPS can also reside in either zone. If IPS resides in a zone different from the endpoints, configure a policy that allows traffic to the endpoints through the ScreenOS Enforcer.
- Import the certificate of the CA that signed IPS's server certificate into the ScreenOS Enforcer.
  Do not import the IPS SSL certificate into the Juniper Networks security device.
- Create an instance of IPS on the ScreenOS Enforcer.
- Enable SSH.
- Verify routing from IPS to the V1-untrust zone.
  To use IPsec enforcement with a ScreenOS Enforcer in Transparent mode, you might need to configure a source interface policy on IPS.
- Ensure that both the Infranet Enforcer and IPS have the correct time. If possible, use a Network Time Protocol (NTP) server to set the date and time of both appliances.
Creating a Transparent Mode instance on the ScreenOS
To create an IPS instance in Transparent mode, use the CLI to perform the following actions:
- Assign all interfaces to Layer 2 zones.
- Assign an IP address to vlan1 and set the route command.
- Set interface management options.
- Configure an IPS instance named controller1.
- Set the host IP address, which is the IP address of IPS, to 10.64.12.1.
- Enter the NACN password. The NACN password is 8!JsP37cK9a*_HiEwe. The NACN password must match the NACN password that you entered for IPS.
- The source interface, vlan1, is the interface that the Infranet Enforcer uses to communicate with IPS. The CA index number is 001. For a descriptive list of CA index numbers type the following CLI command: get ssl ca-list
You can use the following sample configuration to create the instance using the CLI.
For the firewall to operate in Transparent (Layer 2) mode, all interfaces must be in a Layer 2 zone, such as v1-trust, or in the null zone. Interfaces cannot remain in a Layer 3 zone.
set interface eth1 zone v1-trust
set interface eth2 zone v1-untrust
set interface vlan1 ip 10.64.12.x
set interface vlan1 route
set interface vlan1 ip manageable
unset interface vlan1 manage ping
unset interface vlan1 manage telnet
unset interface vlan1 manage snmp
unset interface vlan1 manage web
set infranet controller name controller1 host-name 10.64.12.1
set infranet controller name controller1 password 8!JsP37cK9a*_HiEwe
set infranet controller name controller1 src-interface vlan1
set infranet controller name controller1 ca-idx 001
Verifying the IPS Configuration on ScreenOS Enforcer
You can view the configuration of an IPS instance through the Web UI and the CLI. You can view the following information:
- Name of IPS instance
- IP address or domain name of IPS
- Port number (Default 11122)
- Timeout (60 seconds by default)
- Source interface
The Web UI also allows you to view the NACN password.
Web UI
To view configuration information on the Web UI select the following:
- Configuration > Infranet Auth > Controllers from the left navigation bar.
- Configuration > Infranet Auth > General Settings from the left navigation bar.
CLI
To view configuration information at the CLI, type the following command:
get infranet controller name controller1