Outdoor recreation has become increasingly popular due to the COVID-19 pandemic, so I went for a quick hike at Mount Faber Park. At the hilltop, you'll see the Singapore Cable Car (to/from Sentosa Island) and enjoy the scenic view of Keppel Harbour.
You'll also find the Henderson Waves bridge, which is the highest pedestrian bridge in Singapore. It connects Mount Faber Park to Telok Blangah Hill Park.
After a long and grueling hike, I treated myself to a Chick'n Shack burger, cheese fries and a chocolate shake. This is Shake Shack in VivoCity shopping mall.
The Juniper SRX firewall's Content Filtering feature provides basic data loss prevention functionality. Content filtering filters traffic based on MIME type, file extension, and protocol commands. You can also use the content filter module to block ActiveX, Java applets, and other types of content. Content filtering does not require a separate license.
The content filter module evaluates traffic before all other UTM modules except Web Filtering. Therefore, if traffic matches criteria configured in the content filter, the content filter acts on that traffic first.
You can configure the following types of content filters:
MIME Pattern Filter - MIME patterns are used to identify the type of traffic in HTTP and mail protocols. There are two lists of MIME patterns that are used by the content filter to determine the action to be taken: a block list and an exception list.
Block Extension List - Because the name of a file is available during file transfers, using file extensions is a highly practical way to block or allow file transfers, though the match is only as trustworthy as the filename the sender presents.
Protocol Command Block and Permit Lists - Different protocols use different commands to communicate between servers and clients. By blocking or allowing certain commands, traffic can be controlled at the protocol command level.
The first step is to configure a Content Filtering profile, go to Configure > Security > UTM > Content Filtering > click Add.
You could create a Custom Object that defines several content types (exe, zip, etc.) and select the created Custom Object under Block extension list.
In this case, I just want to filter an executable file (.exe) which is already listed under the Available content types. Type a Profile name: CF_EXE > select exe > move to the Selected content types on the right.
Go to Notification Options tab > select Notification type: message > type Custom notification message (according to your IT policy): File Download Blocked due to IT Security Policy. Please contact IT for further assistance > click OK.
The second step is to create a UTM Policy. Go to Configure > Security > UTM > Policy > click Add.
Under Main tab > type Policy name: UTM_POLICY_1 > leave the default Session per client over limit: Log and permit.
Go to Content filtering profiles tab > select HTTP profile: CF_EXE > click OK.
The last step is to assign the UTM Policy to a Security Policy rule.
Go to Configure > Security Policy > Policy Elements > Security Policy.
Filter the trust to untrust Security Context > select the TRUST-UNTRUST rule > click Edit.
Go to Application Services tab > select UTM Policy: UTM_POLICY_1 > click OK.
Click Commit > Commit to apply changes.
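The same three-step procedure typed at the Junos CLI instead of clicked through J-Web, as an added example that is not part of the original post. It also shows the custom-object filter types described earlier (extension list, MIME list, protocol command list), which the post mentions but does not configure, and binds the profile to the FTP and mail protocols as well as HTTP. CF_EXE, UTM_POLICY_1 and TRUST-UNTRUST are the post's own names; BLOCKED_EXT, BLOCKED_MIME, MIME_EXCEPTIONS, BLOCKED_FTP_CMDS and the values inside them are assumptions chosen for this example.

```junos
## Added example, not the original post's configuration. Type in configuration
## mode (or paste via "load set terminal"); the show/clear lines at the end are
## operational-mode commands run after "commit and-quit".

# 1. Custom objects, one per filter type. The names and values are assumptions.
set security utm custom-objects filename-extension BLOCKED_EXT value [ exe msi scr bat ps1 ]
set security utm custom-objects mime-pattern BLOCKED_MIME value [ application/x-msdownload application/x-msdos-program ]
set security utm custom-objects mime-pattern MIME_EXCEPTIONS value [ application/pdf ]
set security utm custom-objects protocol-command BLOCKED_FTP_CMDS value [ STOR STOU APPE ]

# 2. Content-filtering profile: the post's exe content-type block plus the three lists.
set security utm feature-profile content-filtering profile CF_EXE block-content-type exe
set security utm feature-profile content-filtering profile CF_EXE block-extension BLOCKED_EXT
set security utm feature-profile content-filtering profile CF_EXE block-mime list BLOCKED_MIME
set security utm feature-profile content-filtering profile CF_EXE block-mime exception MIME_EXCEPTIONS
set security utm feature-profile content-filtering profile CF_EXE block-command BLOCKED_FTP_CMDS
set security utm feature-profile content-filtering profile CF_EXE notification-options type message
set security utm feature-profile content-filtering profile CF_EXE notification-options custom-message "File Download Blocked due to IT Security Policy. Please contact IT for assistance."

# 3. UTM policy. The post binds only an HTTP profile, so FTP and mail transfers
#    are not inspected unless their profiles are bound as well.
set security utm utm-policy UTM_POLICY_1 content-filtering http-profile CF_EXE
set security utm utm-policy UTM_POLICY_1 content-filtering ftp upload-profile CF_EXE
set security utm utm-policy UTM_POLICY_1 content-filtering ftp download-profile CF_EXE
set security utm utm-policy UTM_POLICY_1 content-filtering smtp-profile CF_EXE
set security utm utm-policy UTM_POLICY_1 content-filtering pop3-profile CF_EXE
set security utm utm-policy UTM_POLICY_1 content-filtering imap-profile CF_EXE
set security utm utm-policy UTM_POLICY_1 traffic-options sessions-per-client over-limit log-and-permit

# 4. Attach the UTM policy to the existing trust-to-untrust security policy rule.
set security policies from-zone trust to-zone untrust policy TRUST-UNTRUST then permit application-services utm-policy UTM_POLICY_1

# 5. Validate, apply, then check the per-list counters after a test download.
commit check
commit and-quit
show security utm content-filtering statistics
clear security utm content-filtering statistics
```

Two caveats when reading the counters: the extension and MIME lists match what the client or server declares (the filename in the request, the Content-Type header in the response), so a renamed file or a mislabelled response does not hit those lists, and the content filter only sees cleartext protocols, so an HTTPS download passes untouched unless the SRX is also configured to decrypt it with SSL forward proxy.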
To test, I tried to download a free TFTP installer file (.exe) and it was blocked by the Content Filtering policy.
Notice the Internet Explorer tab indicated Request was dropped.
You can view the Content Filtering policy statistics under Monitor > Security > UTM > Content Filtering.
Notice that under Statistics type: EXE files, the Counter blocked value has incremented by one (1).
You can view the same output in CLI using the show security utm content-filtering statistics command.
root@vSRX-1> show security ?
Possible completions:
advance-policy-based-routing Show advance policy based routing information
alarms Show active security alarm information
alg Show ALG security services information
application-firewall Show security application firewall policies
application-tracking Show Application tracking information
dns-cache Show DNS cache of firewall policy
dynamic-address Security dynamic address name
dynamic-policies Show security firewall dynamic policies
firewall-authentication Show firewall authentication tables, information
flow Show flow information
forward-options Show forward-options status
gprs Show GPRS information
group-vpn Show Group VPN Security information
idp Show Intrusion Detection and Prevention information
ike Show Internet Key Exchange information
internal-security-association Show internal security association
ipsec Show IP Security information
keychain Show all protocols keychain
log Show auditable security log information
match-policies Show security match policies
monitoring Show security SPU monitoring information
nat Show Network Address Translation information
pki Show public-key infrastructure information
policies Show security firewall policies
resource-manager Show resource manager security services information
screen Show screen service information
shadow-policies Show security shadow policies
softwires Show softwire information
ssh Show SSH information
tcp-encap Show TCP encapsulation information
user-identification Show user-identification information
utm Show security utm information
zones Show security zone information
root@vSRX-1> show security utm ?
Possible completions:
anti-spam Show anti-spam information
anti-virus Show anti-virus information
content-filtering Show content-filtering information
session Show security utm session
status Show security utm status
web-filtering Show web-filtering information
root@vSRX-1> show security utm content-filtering ?
Possible completions:
statistics Show content-filtering statistics
root@vSRX-1> show security utm content-filtering statistics
Content-filtering-statistic: Blocked
Base on command list: 0
Base on mime list: 0
Base on extension list: 0
ActiveX plugin: 0
Java applet: 0
EXE files: 1
ZIP files: 0
HTTP cookie: 0
Below is the complete show configuration.
root@vSRX-1# show
## Last changed: 2021-03-02 09:40:35 SGT
version 15.1X49-D80.4;
system {
host-name vSRX-1;
root-authentication {
encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA
}
name-server {
8.8.8.8;
}
services {
ssh {
root-login allow;
}
web-management {
https {
system-generated-certificate;
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp;
}
services {
application-identification;
}
security {
utm {
custom-objects {
url-pattern {
ALLOWED_WEBSITES {
value [ www.juniper.net www.google.com www.playstation.com ];
}
BLOCKED_WEBSITES {
value [ www.cisco.com www.yahoo.com www.xbox.com ];
}
}
custom-url-category {
GOOD_WEBSITES {
value ALLOWED_WEBSITES;
}
BAD_WEBSITES {
value BLOCKED_WEBSITES;
}
}
}
feature-profile {
web-filtering {
url-whitelist GOOD_WEBSITES;
url-blacklist BAD_WEBSITES;
type juniper-local;
juniper-local {
profile CUSTOM_LOCAL_WF {
default block;
custom-block-message "Website access denied. Please contact IT for assistance.";
fallback-settings {
default log-and-permit;
server-connectivity log-and-permit;
timeout log-and-permit;
too-many-requests log-and-permit;
}
timeout 30;
}
}
}
content-filtering {
profile CF_EXE {
block-content-type {
exe;
}
notification-options {
type message;
custom-message "File Download Blocked due to IT Security Policy. Please contact IT for assistance.";
}
}
}
}
utm-policy UTM_POLICY_1 {
content-filtering {
http-profile CF_EXE;
}
traffic-options {
sessions-per-client {
over-limit log-and-permit;
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
fragment;
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
port-scan threshold 10000;
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set SOURCE-NAT-TRUST {
from zone trust;
to zone untrust;
rule SOURCE-NAT-TRUST {
match {
source-address 172.16.1.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool DEST_NAT_FTP {
address 172.16.1.100/32 port 21;
}
rule-set DEST_NAT_FTP {
from zone untrust;
rule DEST_NAT_FTP {
match {
destination-address 192.168.1.150/32;
destination-port {
21;
}
}
then {
destination-nat {
pool {
DEST_NAT_FTP;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy FTP_UNTRUST_TRUST {
match {
source-address any-ipv4;
destination-address WIN7-VM;
application junos-ftp;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone trust to-zone untrust {
policy TRUST-UNTRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
utm-policy UTM_POLICY_1;
}
}
log {
session-init;
}
}
}
}
}
zones {
security-zone trust {
tcp-rst;
address-book {
address WIN7-VM 172.16.1.100/32;
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.150/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.1.1/24;
}
}
}
fxp0 {
unit 0 {
family inet;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
}
}
[edit]