Tuesday, December 15, 2015

Understanding Juniper SRX TCP Security Check

Juniper SRX is a stateful firewall and allows traffic which matches an existing session. Sessions are created when a TCP SYN packet is received and it is permitted by the security policy. This of course means that the firewall needs to see both directions of a flow (client-server and server-client), otherwise these checks will block legitimate packets.

The following flow chart illustrates the packet flow sequence both when SYN flag checking is enabled and when it is disabled (the chart image itself is not reproduced on this page).
SYN Flag Checking

By default, security TCP check is enabled on all TCP flow sessions. The Junos operating system (Junos OS) performs the following operations during TCP sessions:

  • Checks for the SYN flag in the first packet of a session and rejects any TCP segment without the SYN flag that attempts to initiate a session.
  • Validates the TCP sequence numbers during stateful inspection.

By default, sending a reset for non-SYN session TCP packets is turned off, as the zone settings show:
{primary:node0}
root@fw-mgmt-trn1-1> show security zones
node0:
--------------------------------------------------------------------------

Security zone: MGMT1
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth4.201

Security zone: TSMGMT
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth4.198

Security zone: MGMT2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth3.0
We can enable sending a reset packet whenever a non-SYN TCP packet arrives that does not match an existing session:
{primary:node0}[edit]
root@fw-mgmt-1# set security zones security-zone MGMT1 tcp-rst

{primary:node0}[edit]
root@fw-mgmt-1# set security zones security-zone TSMGMT tcp-rst

{primary:node0}[edit]
root@fw-mgmt-1# set security zones security-zone MGMT2 tcp-rst

Check the settings again:
root@fw-mgmt-1> show security zones 
node0:
--------------------------------------------------------------------------

Security zone: MGMT1
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    reth4.201

Security zone: TSMGMT
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    reth4.198

Security zone: MGMT2
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    reth3.0


Junos OS provides a mechanism for disabling the security checks on TCP packets to ensure interoperability with hosts and devices that have faulty TCP implementations. With no-SYN-check, Junos OS does not require a TCP SYN packet in order to create a session. With no-sequence-check, TCP sequence number validation is disabled, which also increases throughput. Both the SYN check and the sequence check are enabled by default. The set security flow commands below disable TCP SYN checks and TCP sequence checks on all TCP sessions and therefore reduce security. This may be required in scenarios such as large file transfers, or with applications that do not correctly follow the TCP standard.

Another reason to disable syn-check and sequence-check is asymmetric flows in your environment, where the firewall sees only one direction of a connection. It is best, whenever possible, to ensure that asymmetric flows do not occur, but this is not always possible. In that case you can disable these checks globally on the SRX device.

To disable TCP packet security checks:
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

After you have disabled tcp-syn-check and tcp-sequence-check at the global level, you might still want to enforce TCP packet security checks on individual policies, using the tcp-options of the policy.

Note: Disabling the global SYN check and enforcing the SYN check after the policy search will greatly reduce the number of packets the device can process, because the check then runs after the policy lookup and is CPU intensive.

Configure the checking for the TCP SYN bit before creating a session:
[edit]
user@host# set security policies from-zone Zone-A to-zone Zone-B policy pol1 then permit tcp-options syn-check-required

Configure the checking for sequence numbers in TCP segments during stateful inspection:
[edit]
user@host# set security policies from-zone Zone-A to-zone Zone-B policy pol1 then permit tcp-options sequence-check-required
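To make the effect of these settings concrete, here is an added Python model of the checks described above. It is a constructed illustration written for this page, not Junos code or Juniper's implementation; the zone names MGMT1 and TRUST, the addresses 10.1.1.10 and 10.2.2.20, the port numbers and the verdict strings are all made up for the example. It models the first-packet SYN check (with the zone-level tcp-rst option), the sequence-number window check on an established session, the global no-syn-check / no-sequence-check knobs, and a policy-level syn-check-required override that is evaluated only after the policy lookup, which is the ordering the note above refers to.

```python
from dataclasses import dataclass, field

SYN, ACK = "SYN", "ACK"  # the only TCP flags this model looks at

@dataclass(frozen=True)
class Packet:
    src: tuple            # (address, port) of the sender
    dst: tuple            # (address, port) of the receiver
    flags: frozenset
    seq: int
    length: int = 0       # payload bytes
    window: int = 65535   # receive window advertised by the sender

@dataclass
class Policy:
    from_zone: str
    to_zone: str
    syn_check_required: bool = False       # then permit tcp-options syn-check-required
    sequence_check_required: bool = False  # then permit tcp-options sequence-check-required

@dataclass
class Session:
    policy: Policy
    expect: dict = field(default_factory=dict)  # endpoint -> next seq expected from it
    window: dict = field(default_factory=dict)  # endpoint -> window that endpoint advertised

@dataclass
class Firewall:
    syn_check: bool = True       # False models "set security flow tcp-session no-syn-check"
    sequence_check: bool = True  # False models "set security flow tcp-session no-sequence-check"
    tcp_rst_zones: set = field(default_factory=set)  # zones configured with tcp-rst
    zone_of: dict = field(default_factory=dict)      # host address -> zone name (constructed)
    policies: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)
    rst_sent: list = field(default_factory=list)     # endpoints a RST was sent to

    def policy_for(self, p):
        pair = (self.zone_of[p.src[0]], self.zone_of[p.dst[0]])
        return next((pol for pol in self.policies if (pol.from_zone, pol.to_zone) == pair), None)

    def process(self, p):
        key = (p.src, p.dst) if p.src < p.dst else (p.dst, p.src)  # same key for both directions
        sess = self.sessions.get(key)
        return self.first_packet(p, key) if sess is None else self.in_session(p, sess)

    def reject_non_syn(self, p):
        # Zone-level tcp-rst: answer the stray segment with a reset instead of a silent drop
        if self.zone_of[p.src[0]] in self.tcp_rst_zones:
            self.rst_sent.append(p.src)
            return "DROP:non-syn-first-packet+RST"
        return "DROP:non-syn-first-packet"

    def first_packet(self, p, key):
        if self.syn_check and SYN not in p.flags:  # global check runs before the policy lookup
            return self.reject_non_syn(p)
        pol = self.policy_for(p)
        if pol is None:
            return "DROP:no-policy"
        # Policy-level syn-check-required is only evaluated after the policy search (costlier)
        if not self.syn_check and pol.syn_check_required and SYN not in p.flags:
            return self.reject_non_syn(p)
        sess = self.sessions[key] = Session(pol)
        self.track(p, sess)
        return "PERMIT:session-created"

    def in_session(self, p, sess):
        if (self.sequence_check or sess.policy.sequence_check_required) and p.src in sess.expect:
            lo, win = sess.expect[p.src], sess.window.get(p.dst, 65535)
            if not lo <= p.seq < lo + win:  # must fall inside the window the receiver advertised
                return f"DROP:out-of-window seq={p.seq} allowed={lo}..{lo + win - 1}"
        self.track(p, sess)
        return "PERMIT"

    @staticmethod
    def track(p, sess):
        sess.expect[p.src] = p.seq + p.length + (1 if SYN in p.flags else 0)
        sess.window[p.src] = p.window

def demo():
    """Constructed scenario: client 10.1.1.10 (zone MGMT1) -> server 10.2.2.20 (zone TRUST)."""
    zones = {"10.1.1.10": "MGMT1", "10.2.2.20": "TRUST"}
    c, s = ("10.1.1.10", 40000), ("10.2.2.20", 22)
    pkt = lambda src, dst, flags, seq, length=0: Packet(src, dst, frozenset(flags), seq, length)
    fw = Firewall(tcp_rst_zones={"MGMT1"}, zone_of=zones, policies=[Policy("MGMT1", "TRUST")])
    r = {}
    r["stray_ack"] = fw.process(pkt(c, s, {ACK}, 5000))       # no session, not a SYN: RST back
    r["syn"] = fw.process(pkt(c, s, {SYN}, 1000))             # handshake creates the session
    r["syn_ack"] = fw.process(pkt(s, c, {SYN, ACK}, 9000))
    r["ack"] = fw.process(pkt(c, s, {ACK}, 1001))
    r["data"] = fw.process(pkt(c, s, {ACK}, 1001, 100))
    r["out_of_window"] = fw.process(pkt(c, s, {ACK}, 71101))  # far outside the 65535 window
    # Same stray ACK through a device with both checks disabled globally (asymmetric-path setup):
    lax = Firewall(syn_check=False, sequence_check=False, zone_of=zones, policies=[Policy("MGMT1", "TRUST")])
    r["asymmetric_ack"] = lax.process(pkt(c, s, {ACK}, 7777))  # mid-stream ACK now creates a session
    # ...unless the matching policy re-enables the check with tcp-options syn-check-required:
    strict = Firewall(syn_check=False, zone_of=zones, policies=[Policy("MGMT1", "TRUST", syn_check_required=True)])
    r["policy_syn_required"] = strict.process(pkt(c, s, {ACK}, 7777))
    return r, fw.rst_sent
```

Running demo() walks one client through a stray ACK, a proper handshake, an out-of-window segment, and then the same stray ACK against a device with both checks disabled globally and against one whose policy re-enables the SYN check. The asymmetric-path case is the trade-off the text describes: once the checks are off, any mid-stream segment that matches a permit policy opens a session, so the firewall can no longer guarantee that every session began with a SYN it inspected.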

It is also possible to disable TCP SYN or sequence checking on one policy while keeping them enabled on all other policies; an apply-group can be used to build this configuration, as described in Juniper KB24566.
