Friday, February 1, 2013

Chapter 16 - Netscreen as enforcement firewalls

In ScreenOS (NetScreen OS) a shield icon on a policy in the policy list indicates that the policy invokes infranet-auth.

The source IP is matched first.
The permit action then hands the session to the Infranet Controller (the MAG),
which checks whether the traffic is allowed.

You can add a VPN; Juniper recommends you configure it from the MAG.

Policies
Resource
IPSEC VPN
Source Interface
AUTH table mapping
IP address pool for the NAT.

A Resource Policy defines which users are allowed or denied access to a resource.
The AUTH table matches the user's request against the resource policies.

A generic source policy sits on the enforcer.
The MAG pushes the resource policy to the enforcer.
The end user authenticates to the MAG,
which maps the user to roles.
Same idea as before: the Enforcer does not know whether you are allowed, only that it must check for permission.

Dropping the first packet and then querying the MAG is called
dynamic auth table allocation.

Source IP policy: permit any any any infranet-auth
It is basically a placeholder that calls the MAG to supply the details of the access.

ScreenOS release 6.1 or later lets you apply an IPsec policy to a zone;
earlier releases need one for each resource.

You need both a resource access policy
and a VPN setup policy for it to work.

You can map only specific roles to low-end devices so their Auth table does not overflow.
6.1 and above uses a dynamic Auth table.
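The flow in the notes above (placeholder policy, drop-then-query, dynamic auth table, role-limited AUTH table mapping to avoid overflow) as an added Python model; this is constructed example code, not Juniper's, and the IPs, roles, policy order and "first matching policy wins" rule are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourcePolicy:
    resource: str     # destination IP the MAG pushes to the enforcer
    roles: frozenset  # roles that may reach it
    action: str       # "allow" or "deny"

class MAG:
    """Stand-in for the MAG: knows the roles of each authenticated source IP."""
    def __init__(self, sessions):
        self.sessions = sessions          # src_ip -> frozenset of roles (constructed)
    def lookup(self, src_ip):
        return self.sessions.get(src_ip)  # None if the endpoint never authenticated

class Enforcer:
    def __init__(self, policies, auth_table_roles, max_entries):
        self.policies = policies                  # resource policies pushed by the MAG
        self.auth_table_roles = auth_table_roles  # AUTH table mapping: roles that get entries
        self.max_entries = max_entries            # keep small on low-end devices
        self.auth_table = {}                      # src_ip -> roles, allocated dynamically
        self.dropped = 0

    def filter_packet(self, mag, src_ip, dst_ip):
        if src_ip not in self.auth_table:
            # infranet-auth placeholder: drop this packet and ask the MAG who it is
            self.dropped += 1
            roles = mag.lookup(src_ip)
            if roles is None:
                return "drop"                     # never authenticated to the MAG
            roles = roles & self.auth_table_roles # only mapped roles get an entry
            if not roles or len(self.auth_table) >= self.max_entries:
                return "drop"                     # unmapped role, or table would overflow
            self.auth_table[src_ip] = roles
            return "drop"                         # the retransmit will hit the table
        roles = self.auth_table[src_ip]
        for p in self.policies:                   # assumption: first matching policy wins
            if p.resource == dst_ip and roles & p.roles:
                return p.action
        return "deny"                             # no resource policy covers this user

def demo():
    mag = MAG({"10.1.1.5": frozenset({"employee"}), "10.1.1.6": frozenset({"guest"})})
    policies = [ResourcePolicy("192.0.2.10", frozenset({"employee"}), "allow"),
                ResourcePolicy("192.0.2.10", frozenset({"guest"}), "deny")]
    enf = Enforcer(policies, frozenset({"employee", "guest"}), max_entries=2)
    first = enf.filter_packet(mag, "10.1.1.5", "192.0.2.10")   # dropped, table populated
    second = enf.filter_packet(mag, "10.1.1.5", "192.0.2.10")  # allowed from the table
    return first, second, enf.dropped
```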

A source INTERFACE policy
is useful when the device is in transparent mode.

You can set up NAT with IP address pools.
If the connecting device is behind a NAT, the MAG can give it a VIP address
to use for the IPsec ???

On the UAC > Infranet Enforcer page you set up an IPsec tunnel.
Then you set up a resource policy for the resource (IP)
and apply it to your chosen roles.
Then you can add AntiSpam/IDP/Antivirus from the firewall on top.

In the IPsec policy you set up the virtual adapter if you want,
then apply it to the roles.

On the AUTH table mapping you can delete the default policy and limit it to specific roles.

On the IP address pools page you set up the pools of VIP addresses that will be given to VPN clients.

Verify
> get policy id 1    it should say permit-infranet-auth
> get auth table     to see if there are any users

You need an IPsec policy for each interface that can receive the traffic.
> get policy id 3    should show tunnel-infranet-auth with status enabled
