Friday, June 4, 2021

Juniper Networks SRX Firewall Screen

I got a chance to visit the Singapore Botanic Gardens before the partial lockdown was announced last May 2021. The Botanic Garden was listed as a UNESCO World Heritage Site in 2015 and it has over 60,000 species of plants and orchids.


The National Orchid Garden is one of the main attractions, and it houses over 1,000 orchid species and 2,000 hybrids.


The Sembcorp Cool House is the latest addition inside the Orchid Garden. It's a glasshouse garden which has an inside temperature of around 16 degrees Celsius. This recreates the low humidity conditions of a high elevation montane forest.


This is my lunch at Tapa King called the Royal Meal, which consists of beef tapa (beef jerky), a sunny-side-up egg, a hotdog, fried bangus (milkfish) and fried rice.

 

The Juniper SRX Screen feature provides basic Intrusion Detection and Prevention (IDP) at Layer 3 and Layer 4: it blocks application anomalies/exploits and Distributed Denial-of-Service (DDoS) traffic before the packets reach the firewall policy. I modified my Juniper vSRX virtual lab by adding a Kali Linux VM.

To configure Screen, go to Configure > Security > Zones/Screens.

 

Notice a system default Screen Profile called untrust-screen is applied to the untrust zone.

 

Go to the Screen List tab. Notice under Type that ICMP, IP and TCP Screens are configured.

 

Select the untrust-screen > click Edit to view its configuration.

 

Below are the default Screen options in a vSRX on each tab.






To monitor Screen Counter, go to Monitor > Security > Policy > Screen Counters.

 

You can specify the Type: Zone > Select a value: untrust.

 

Notice all Counters are currently zero (0).

You can view the Screen Profile configuration using the show configuration security | match screen | display set command.

 

root@vSRX-1> show configuration security | match screen | display set

set security screen ids-option untrust-screen icmp ping-death

set security screen ids-option untrust-screen ip source-route-option

set security screen ids-option untrust-screen ip tear-drop

set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200

set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048

set security screen ids-option untrust-screen tcp syn-flood queue-size 2000

set security screen ids-option untrust-screen tcp syn-flood timeout 20

set security screen ids-option untrust-screen tcp land

set security zones security-zone untrust screen untrust-screen


To view the configuration of a Screen profile, use the show security screen ids-option <SCREEN-NAME> command.

 

root@vSRX-1> show security ?

Possible completions:

  advance-policy-based-routing  Show advance policy based routing information

  alarms               Show active security alarm information

  alg                  Show ALG security services information

  application-firewall  Show security application firewall policies

  application-tracking  Show Application tracking information

  dns-cache            Show DNS cache of firewall policy

  dynamic-address      Security dynamic address name

  dynamic-policies     Show security firewall dynamic policies

  firewall-authentication  Show firewall authentication tables, information

  flow                 Show flow information

  forward-options      Show forward-options status

  gprs                 Show GPRS information

  group-vpn            Show Group VPN Security information

  idp                  Show Intrusion Detection and Prevention information

  ike                  Show Internet Key Exchange information

  internal-security-association  Show internal security association

  ipsec                Show IP Security information

  keychain             Show all protocols keychain

  log                  Show auditable security log information

  match-policies       Show security match policies

  monitoring           Show security SPU monitoring information

  nat                  Show Network Address Translation information

  pki                  Show public-key infrastructure information

  policies             Show security firewall policies

  resource-manager     Show resource manager security services information

  screen               Show screen service information

  shadow-policies      Show security shadow policies

  softwires            Show softwire information

  ssh                  Show SSH information

  tcp-encap            Show TCP encapsulation information

  user-identification  Show user-identification information

  utm                  Show security utm information

  zones                Show security zone information

root@vSRX-1> show security screen ?

Possible completions:

  ids-option           Show status of screen object

  statistics           Show screen attack statistics information

  status               Show screen data

root@vSRX-1> show security screen ids-option ?

Possible completions:

  <screen-name>        Screen name

  untrust-screen       Screen name

 

root@vSRX-1> show security screen ids-option untrust-screen

Screen object status:

 

Name                                         Value

  IP tear drop                               enabled   

  TCP SYN flood attack threshold             200       

  TCP SYN flood alarm threshold              1024      

  TCP SYN flood source threshold             1024      

  TCP SYN flood destination threshold        2048      

  TCP SYN flood timeout                      20        

  ICMP ping of death                         enabled   

  IP source route option                     enabled   

  TCP land attack                            enabled 

 

 

To view Screen statistics, use the show security screen statistics zone <ZONE> command.

 

root@vSRX-1> show security screen statistics zone untrust

Screen statistics:

 

IDS attack type                              Statistics

  ICMP flood                                 0

  UDP flood                                  0

  TCP winnuke                                0

  TCP port scan                              0

  UDP port scan                              0

  ICMP address sweep                         0

  TCP sweep                                  0

  UDP sweep                                  0

  IP tear drop                               0

  TCP SYN flood                              0

  IP spoofing                                0

  ICMP ping of death                         0

  IP source route option                     0

  TCP land attack                            0

  TCP SYN fragment                           0

  TCP no flag                                0

  IP unknown protocol                        0

  IP bad options                             0

  IP record route option                     0

  IP timestamp option                        0

  IP security option                         0

  IP loose source route option               0

  IP strict source route option              0

  IP stream option                           0

  ICMP fragment                              0

  ICMP large packet                          0

  TCP SYN FIN                                0

  TCP FIN no ACK                             0

  Source session limit                       0

  TCP SYN-ACK-ACK proxy                      0

  IP block fragment                          0

  Destination session limit                  0

  IPv6 extension header                      0

  IPv6 extension hop by hop option           0

  IPv6 extension destination option          0

  IPv6 extension header limit                0

  IPv6 malformed header                      0

  ICMPv6 malformed packet                    0

  IP tunnel summary                          0

 

 

This link provides a good explanation of each Volumetric/Flood-based and Application/Exploit-based Screen option.

 

I enabled Screen for Port Scan under Main tab > select: Port scan > type Threshold: 10000 (in microseconds).

 

Under Denial of Service tab > select: ICMP fragment protection.

Click OK.

Notice a Commit Pending appeared beside Commit. Click Commit > Commit.
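The Screen profile above is only useful when a zone is actually bound to it and the options you care about are enabled, which is easy to lose track of when edits are made through the GUI. The following Python script is an added example (not part of this post or of Junos) that parses the "| display set" output shown earlier, rebuilds each Screen profile and the zone-to-profile bindings, and audits every zone against the options this post ends up enabling on untrust (the default ones plus tcp port-scan and icmp fragment). The sample input is the post's own set commands plus one constructed line for a second zone with no Screen bound, so the audit's failure case is exercised; the EXPECTED_OPTIONS list is an assumption for this lab, not a Juniper recommendation.

```python
"""Audit Junos Screen profiles and zone bindings from `... | display set` output."""

# Constructed sample: the `display set` lines the post shows for the default
# untrust-screen profile, plus one constructed line for a "trust" zone that has
# interfaces but no Screen profile bound (to exercise the audit's failure case).
SAMPLE_SET_OUTPUT = """\
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust screen untrust-screen
set security zones security-zone trust interfaces ge-0/0/1.0
"""

# Options the post enables on the untrust zone: the vSRX defaults plus the two
# added through the GUI (port-scan threshold and ICMP fragment protection).
# This list is an assumption for the lab, not a vendor baseline.
EXPECTED_OPTIONS = [
    "icmp ping-death", "ip tear-drop", "tcp land", "tcp syn-flood",
    "tcp port-scan", "icmp fragment",
]


def parse_screen_config(text):
    """Return (profiles, zone_bindings) parsed from `display set` lines.

    profiles:      {profile: {"tcp syn-flood": {"attack-threshold": "200", ...},
                              "icmp ping-death": {}, ...}}
    zone_bindings: {zone: profile name, or None when no `screen` statement exists}
    """
    profiles = {}
    zone_bindings = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:4] == ["set", "security", "screen", "ids-option"] and len(tokens) >= 7:
            # e.g. "untrust-screen tcp syn-flood attack-threshold 200"
            name, proto, option, params = tokens[4], tokens[5], tokens[6], tokens[7:]
            opt = profiles.setdefault(name, {}).setdefault(f"{proto} {option}", {})
            # Trailing tokens come in key/value pairs; bare options leave {} as-is.
            for key, value in zip(params[0::2], params[1::2]):
                opt[key] = value
        elif tokens[:4] == ["set", "security", "zones", "security-zone"] and len(tokens) >= 5:
            zone = tokens[4]
            zone_bindings.setdefault(zone, None)  # register the zone even without a screen
            if len(tokens) >= 7 and tokens[5] == "screen":
                zone_bindings[zone] = tokens[6]
    return profiles, zone_bindings


def audit_zones(profiles, zone_bindings, expected=EXPECTED_OPTIONS):
    """Return {zone: [findings]}; an empty list means the zone passes the audit."""
    findings = {}
    for zone, profile_name in zone_bindings.items():
        issues = []
        if profile_name is None:
            issues.append("no screen profile bound")
        elif profile_name not in profiles:
            issues.append(f"bound profile {profile_name!r} is not defined")
        else:
            enabled = profiles[profile_name]
            issues.extend(f"missing {opt}" for opt in expected if opt not in enabled)
        findings[zone] = issues
    return findings


if __name__ == "__main__":
    profiles, zones = parse_screen_config(SAMPLE_SET_OUTPUT)
    for zone, issues in audit_zones(profiles, zones).items():
        print(f"{zone}: {'OK' if not issues else '; '.join(issues)}")
```

Run against the sample, the script reports that untrust is missing tcp port-scan and icmp fragment (the two options the GUI steps above add) and that trust has no Screen profile bound at all. Feeding it the "show configuration security | display set" output captured after the commit is a quick way to confirm the GUI change landed in the configuration.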


I used a Kali Linux VM to simulate an attacking host on the Untrust zone/Internet. It's been a couple of years now since I deployed a Kali Linux VM. So I downloaded and installed Kali Linux 2021 VM in my virtual lab.

 

I encountered the installation error: Guest operating system 'debian-10-64' is not supported.

 

Just change the Kali Guest OS by clicking Edit VM settings > Options tab > Guest OS > Linux > Ubuntu.

The new default username/password: kali / kali

Just follow this link on how to configure a static IP address and create the SSH/RSA key in Kali Linux.

I initiated a simple port scan from Kali Linux using Nmap against the vSRX WAN IP address 192.168.1.150. With no options, this launches Nmap's default TCP scan of 1000 common ports.

 

Open a terminal > type sudo su > type the password for the kali user: kali

 

This gives you a root shell so you can run commands without having to keep typing sudo.

 

kali@kali:~% sudo su

[sudo] password for kali:

root@kali:/home/kali#

 

root@kali:/home/kali# nmap 192.168.1.150

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-04 21:07 EST

Nmap scan report for 192.168.1.150

Host is up (0.040s latency).

Not shown: 998 filtered ports

PORT    STATE SERVICE

22/tcp  open  ssh

443/tcp open  https

MAC Address: 00:0C:29:0C:F2:F4 (VMware)

 

Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

 

 

Go to Monitor > Security > Policy > Screen Counters to check the Screen Counters again.

 

Notice under IDS attack type > TCP port scan > Counter: 1169.

 

You can view the same output using the CLI show security screen statistics zone untrust command.

 

root@vSRX-1> show security screen statistics zone untrust

Screen statistics:

 

IDS attack type                              Statistics

  ICMP flood                                 0

  UDP flood                                  0

  TCP winnuke                                0

  TCP port scan                              1169

  UDP port scan                              0

  ICMP address sweep                         0

  TCP sweep                                  0

  UDP sweep                                  0

  IP tear drop                               0

  TCP SYN flood                              0

  IP spoofing                                0

  ICMP ping of death                         0

  IP source route option                     0

  TCP land attack                            0

  TCP SYN fragment                           0

  TCP no flag                                0

  IP unknown protocol                        0

  IP bad options                             0

  IP record route option                     0

  IP timestamp option                        0

  IP security option                         0

  IP loose source route option               0

  IP strict source route option              0

  IP stream option                           0

  ICMP fragment                              0

  ICMP large packet                          0

  TCP SYN FIN                                0

  TCP FIN no ACK                             0

  Source session limit                       0

  TCP SYN-ACK-ACK proxy                      0

  IP block fragment                          0

  Destination session limit                  0

  IPv6 extension header                      0

  IPv6 extension hop by hop option           0

  IPv6 extension destination option          0

  IPv6 extension header limit                0

  IPv6 malformed header                      0

  ICMPv6 malformed packet                    0

  IP tunnel summary                          0

 

 

I tried to ping the vSRX WAN IP using a small payload size of 100 bytes and got a reply.

 

root@kali:/home/kali# ping 192.168.1.150 -s 100

PING 192.168.1.150 (192.168.1.150) 100(128) bytes of data.

108 bytes from 192.168.1.150: icmp_seq=1 ttl=64 time=289 ms

108 bytes from 192.168.1.150: icmp_seq=2 ttl=64 time=1.28 ms

108 bytes from 192.168.1.150: icmp_seq=3 ttl=64 time=33.1 ms

108 bytes from 192.168.1.150: icmp_seq=4 ttl=64 time=0.398 ms

^C

--- 192.168.1.150 ping statistics ---

5 packets transmitted, 4 received, 20% packet loss, time 4004ms

rtt min/avg/max/mdev = 0.398/80.882/288.707/120.710 ms

 

 

I pinged again using a bigger size of 10000 bytes and it failed.

 

root@kali:/home/kali# ping 192.168.1.150 -s 10000

PING 192.168.1.150 (192.168.1.150) 10000(10028) bytes of data.

^C

--- 192.168.1.150 ping statistics ---

6 packets transmitted, 0 received, 100% packet loss, time 5106ms

 

 

Click Refresh to refresh the Screen Counters.

 

Notice under ICMP fragment > Counter: 54

root@vSRX-1> show security screen statistics zone untrust   

Screen statistics:

 

IDS attack type                              Statistics

  ICMP flood                                 0

  UDP flood                                  0

  TCP winnuke                                0

  TCP port scan                              1169

  UDP port scan                              0

  ICMP address sweep                         0

  TCP sweep                                  0

  UDP sweep                                  0

  IP tear drop                               0

  TCP SYN flood                              0

  IP spoofing                                0

  ICMP ping of death                         0

  IP source route option                     0

  TCP land attack                            0

  TCP SYN fragment                           0

  TCP no flag                                0

  IP unknown protocol                        0

  IP bad options                             0

  IP record route option                     0

  IP timestamp option                        0

  IP security option                         0

  IP loose source route option               0

  IP strict source route option              0

  IP stream option                           0

  ICMP fragment                              54

  ICMP large packet                          0

  TCP SYN FIN                                0

  TCP FIN no ACK                             0

  Source session limit                       0

  TCP SYN-ACK-ACK proxy                      0

  IP block fragment                          0

  Destination session limit                  0

  IPv6 extension header                      0

  IPv6 extension hop by hop option           0

  IPv6 extension destination option          0

  IPv6 extension header limit                0

  IPv6 malformed header                      0

  ICMPv6 malformed packet                    0

  IP tunnel summary                          0
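Reading a 37-row counter table by eye, as done above after the port scan and again after the fragmented pings, works in a lab but not on a busy firewall. The following Python script is an added example (not part of this post or of Junos) that parses two captures of "show security screen statistics zone untrust", computes which counters increased between the baseline and the later snapshot, and reports them largest first. The two samples are constructed from the post's output with the all-zero rows trimmed; the function names are mine.

```python
"""Diff two `show security screen statistics zone <zone>` snapshots from a Junos SRX."""

# Constructed samples reduced from the post's output: the all-zero baseline taken
# before any traffic, and the snapshot after the Nmap scan and the 10000-byte pings.
# Rows that stayed at 0 in the post are omitted here for brevity.
BASELINE = """\
Screen statistics:

IDS attack type                              Statistics
  ICMP flood                                 0
  TCP port scan                              0
  ICMP ping of death                         0
  ICMP fragment                              0
  ICMP large packet                          0
  TCP SYN flood                              0
"""

AFTER = """\
Screen statistics:

IDS attack type                              Statistics
  ICMP flood                                 0
  TCP port scan                              1169
  ICMP ping of death                         0
  ICMP fragment                              54
  ICMP large packet                          0
  TCP SYN flood                              0
"""


def parse_screen_statistics(text):
    """Map each 'IDS attack type' row to its integer counter."""
    counters = {}
    for line in text.splitlines():
        # Split off the last whitespace-separated field; attack names contain spaces.
        parts = line.rstrip().rsplit(None, 1)
        # Data rows end in an integer; the headers ("... Statistics") and blanks do not.
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0].strip()] = int(parts[1])
    return counters


def counter_deltas(before, after):
    """Counters that increased between two snapshots, largest increase first.

    Screen counters are cumulative until they are cleared, so a counter that is
    lower than the baseline means the statistics were cleared (or the device
    restarted) in between; such rows are skipped rather than reported as negative.
    """
    increased = {
        name: value - before.get(name, 0)
        for name, value in after.items()
        if value > before.get(name, 0)
    }
    return dict(sorted(increased.items(), key=lambda kv: kv[1], reverse=True))


def report(before_text, after_text):
    """Human-readable summary of what fired between two captures."""
    deltas = counter_deltas(parse_screen_statistics(before_text),
                            parse_screen_statistics(after_text))
    if not deltas:
        return "no Screen counters increased"
    return "\n".join(f"{name}: +{hits}" for name, hits in deltas.items())


if __name__ == "__main__":
    print(report(BASELINE, AFTER))
```

On the post's captures this prints the two rows that moved, TCP port scan by 1169 and ICMP fragment by 54, and nothing else. Taking a baseline before a change window and diffing afterwards in this way separates new Screen hits from the background noise that any Internet-facing zone accumulates.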