I got a chance to visit the Singapore Botanic Gardens before the partial lockdown was announced last May 2021. The Botanic Garden was listed as a UNESCO World Heritage Site in 2015 and it has over 60,000 species of plants and orchids.
The National Orchid Garden is one of the main attraction and it houses over 1,000 orchid species and 2,000 hybrids.
The Sembcorp Cool House is the latest addition inside the Orchid Garden. It's a glasshouse garden which has an inside temperature of around 16 degrees Celsius. This recreates the low humidity conditions of a high elevation montane forest.
This is my lunch at Tapa King called the Royal Meal which consist of a beef tapa (beef jerky), sunny-side up egg, hotdog, fried bangus (milk fish) and fried rice.
The Juniper SRX Screen feature provides basic Intrusion Detection and Prevention (IDP) for Layer 3 and Layer 4 blocking of application anomalies/exploit and Distributed Denial-of-Service (DDoS). I modified my Juniper vSRX virtual lab by adding a Kali Linux VM.
To configure Screen, go to Configure > Security > Zones/Screens.
Notice a system default Screen Profile called untrust-screen is applied to the untrust zone.
Go to Screen List tab. Notice under Type: ICMP, IP and TCP Screen are configured.
Select the untrust-screen > click Edit to view its configuration.
Below are the default Screen options in a vSRX on each tab.
To monitor Screen Counter, go to Monitor > Security > Policy > Screen Counters.
You can specify the Type: Zone > Select a value: untrust.
Notice all Counters are currently zero (0).
You can view the Screen Profile configuration using the show configuration security | match screen | display set command.
root@vSRX-1> show configuration security | match screen | display set
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust screen untrust-screen
To view the configuration of a Screen profile use the show security screen ids-option <SCREEN-NAME> command.
root@vSRX-1> show security ?
Possible completions:
advance-policy-based-routing Show advance policy based routing information
alarms Show active security alarm information
alg Show ALG security services information
application-firewall Show security application firewall policies
application-tracking Show Application tracking information
dns-cache Show DNS cache of firewall policy
dynamic-address Security dynamic address name
dynamic-policies Show security firewall dynamic policies
firewall-authentication Show firewall authentication tables, information
flow Show flow information
forward-options Show forward-options status
gprs Show GPRS information
group-vpn Show Group VPN Security information
idp Show Intrusion Detection and Prevention information
ike Show Internet Key Exchange information
internal-security-association Show internal security association
ipsec Show IP Security information
keychain Show all protocols keychain
log Show auditable security log information
match-policies Show security match policies
monitoring Show security SPU monitoring information
nat Show Network Address Translation information
pki Show public-key infrastructure information
policies Show security firewall policies
resource-manager Show resource manager security services information
screen Show screen service information
shadow-policies Show security shadow policies
softwires Show softwire information
ssh Show SSH information
tcp-encap Show TCP encapsulation information
user-identification Show user-identification information
utm Show security utm information
zones Show security zone information
root@vSRX-1> show security screen ?
Possible completions:
ids-option Show status of screen object
statistics Show screen attack statistics information
status Show screen data
root@vSRX-1> show security screen ids-option ?
Possible completions:
<screen-name> Screen name
untrust-screen Screen name
root@vSRX-1> show security screen ids-option untrust-screen
Screen object status:
Name Value
IP tear drop enabled
TCP SYN flood attack threshold 200
TCP SYN flood alarm threshold 1024
TCP SYN flood source threshold 1024
TCP SYN flood destination threshold 2048
TCP SYN flood timeout 20
ICMP ping of death enabled
IP source route option enabled
TCP land attack enabled
To view Screen statistics use the show security screen statistics zone <ZONE> command.
root@vSRX-1> show security screen statistics zone untrust
Screen statistics:
IDS attack type Statistics
ICMP flood 0
UDP flood 0
TCP winnuke 0
TCP port scan 0
UDP port scan 0
ICMP address sweep 0
TCP sweep 0
UDP sweep 0
IP tear drop 0
TCP SYN flood 0
IP spoofing 0
ICMP ping of death 0
IP source route option 0
TCP land attack 0
TCP SYN fragment 0
TCP no flag 0
IP unknown protocol 0
IP bad options 0
IP record route option 0
IP timestamp option 0
IP security option 0
IP loose source route option 0
IP strict source route option 0
IP stream option 0
ICMP fragment 0
ICMP large packet 0
TCP SYN FIN 0
TCP FIN no ACK 0
Source session limit 0
TCP SYN-ACK-ACK proxy 0
IP block fragment 0
Destination session limit 0
IPv6 extension header 0
IPv6 extension hop by hop option 0
IPv6 extension destination option 0
IPv6 extension header limit 0
IPv6 malformed header 0
ICMPv6 malformed packet 0
IP tunnel summary 0
This link provides a good explanation for each Volumetric/Flood-based and Application/Exploit-based Screen options.
I enabled Screen for Port Scan under Main tab > select: Port scan > type Threshold: 10000 (in microseconds).
Under Denial of Service tab > select: ICMP fragment protection.
Click OK.
Notice
a Commit Pending appeared beside Commit. Click Commit > Commit.
I used a Kali Linux VM to simulate an attacking host on the Untrust zone/Internet. It's been a couple of years now since I deployed a Kali Linux VM. So I downloaded and installed Kali Linux 2021 VM in my virtual lab.
I encountered the
installation error: Guest operating system 'debian-10-64' is not supported.
Just change the Kali Guest OS by clicking Edit VM settings > Options tab > Guest OS > Linux > Ubuntu.
The new default username/password: kali / kali
Just follow this link on how to configure a static IP address and create the SSH/RSA key in Kali Linux.
I initiated a simple port scan from Kali Linux using NMAP towards the vSRX WAN IP address 192.168.1.150. This will launch a TCP port scan on the 1000 well-known ports.
Open a terminal > type sudo su > type the root password: kali
This will allow you to execute terminal commands without keep typing sudo.
kali@kali:~% sudo su
[sudo] password for kali:
root@kali:/home/kali#
root@kali:/home/kali# nmap 192.168.1.150
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-04 21:07 EST
Nmap scan report for 192.168.1.150
Host is up (0.040s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
MAC Address: 00:0C:29:0C:F2:F4 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
Go to Monitor > Security > Policy > Screen Counters to check again the Screen Counters.
Notice under IDS attack type > TCP port scan > Counter: 1169.
You can view the same output using the CLI show security screen statistics zone untrust command.
root@vSRX-1> show security screen statistics zone untrust
Screen statistics:
IDS attack type Statistics
ICMP flood 0
UDP flood 0
TCP winnuke 0
TCP port scan 1169
UDP port scan 0
ICMP address sweep 0
TCP sweep 0
UDP sweep 0
IP tear drop 0
TCP SYN flood 0
IP spoofing 0
ICMP ping of death 0
IP source route option 0
TCP land attack 0
TCP SYN fragment 0
TCP no flag 0
IP unknown protocol 0
IP bad options 0
IP record route option 0
IP timestamp option 0
IP security option 0
IP loose source route option 0
IP strict source route option 0
IP stream option 0
ICMP fragment 0
ICMP large packet 0
TCP SYN FIN 0
TCP FIN no ACK 0
Source session limit 0
TCP SYN-ACK-ACK proxy 0
IP block fragment 0
Destination session limit 0
IPv6 extension header 0
IPv6 extension hop by hop option 0
IPv6 extension destination option 0
IPv6 extension header limit 0
IPv6 malformed header 0
ICMPv6 malformed packet 0
IP tunnel summary 0
I tried to ping the vSRX WAN IP using a small fragment size or bytes (100) and got a reply.
root@kali:/home/kali# ping 192.168.1.150 -s 100
PING 192.168.1.150 (192.168.1.150) 100(128) bytes of data.
108 bytes from 192.168.1.150: icmp_seq=1 ttl=64 time=289 ms
108 bytes from 192.168.1.150: icmp_seq=2 ttl=64 time=1.28 ms
108 bytes from 192.168.1.150: icmp_seq=3 ttl=64 time=33.1 ms
108 bytes from 192.168.1.150: icmp_seq=4 ttl=64 time=0.398 ms
^C
--- 192.168.1.150 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.398/80.882/288.707/120.710 ms
I ping again using a bigger size of 10000 bytes and failed.
root@kali:/home/kali# ping 192.168.1.150 -s 10000
PING 192.168.1.150 (192.168.1.150) 10000(10028) bytes of data.
^C
--- 192.168.1.150 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5106ms
Click Refresh to refresh the Screen Counters.
Notice under ICMP fragment > Counter: 54
root@vSRX-1> show security screen statistics zone untrust
Screen statistics:
IDS attack type Statistics
ICMP flood 0
UDP flood 0
TCP winnuke 0
TCP port scan 1169
UDP port scan 0
ICMP address sweep 0
TCP sweep 0
UDP sweep 0
IP tear drop 0
TCP SYN flood 0
IP spoofing 0
ICMP ping of death 0
IP source route option 0
TCP land attack 0
TCP SYN fragment 0
TCP no flag 0
IP unknown protocol 0
IP bad options 0
IP record route option 0
IP timestamp option 0
IP security option 0
IP loose source route option 0
IP strict source route option 0
IP stream option 0
ICMP fragment 54
ICMP large packet 0
TCP SYN FIN 0
TCP FIN no ACK 0
Source session limit 0
TCP SYN-ACK-ACK proxy 0
IP block fragment 0
Destination session limit 0
IPv6 extension header 0
IPv6 extension hop by hop option 0
IPv6 extension destination option 0
IPv6 extension header limit 0
IPv6 malformed header 0
ICMPv6 malformed packet 0
IP tunnel summary 0
