JSEC EX InstructorNotes 30may2010


Worldwide Education Services

Junos for Security Platforms


Instructor Notes
Author’s Name: R. Jasun Rutter
Training Group: Education Services

Date: September 28, 2009


Revision Number: 10.a
Course Title: Junos for Security Platforms
Product Name: SRX240 Services Gateways
Part Number: EDU-JUN-JSEC
Software Release Code: 10.1R1.8

May 30, 2010 1 of 9


© 2010 Juniper Networks, Inc. All rights reserved.
Junos for Security Platforms Instructor Notes
Worldwide Education Services

Table of Contents

Introduction....................................................................................... page 3

Instructor Preparation ...................................................................... page 3

Classroom Resources....................................................................... page 3

Room Arrangement .......................................................................... page 3

Suggested Schedule......................................................................... page 4

Lab Setup .......................................................................................... page 5

Lab Infrastructure Information ........................................................ page 6

Lab Notes .......................................................................................... page 6


Introduction
JSEC is a three-day course that provides students with the skills for configuration, operation,
and implementation of SRX Series Services Gateways in a typical network environment. This
course is based on Junos Software version 10.1R1.8.
Through demonstrations and hands-on labs, students will gain experience in configuring and
monitoring Junos Software for Junos security platforms.
An instructor’s guide exists and is recommended for anyone preparing to teach this course.
The instructor’s guide highlights a number of caveats between Junos platforms, known issues
in the Junos software version used in this course, and various suggestions that may come in
handy when teaching this course.

Instructor Preparation

In preparation for teaching the class, you should be very familiar with the material and the
labs. You should complete and understand all the labs. You should download and read current
copies of the following documents (the most current copies of which are available from the
Course Distribution System): the Instructor Notes (this document), the Errata, and Change Log.
As you prepare to teach this course, you may run across errors or have suggestions. Please
forward all errata items and course suggestions to [email protected].

Classroom Resources

Each student should have the following materials:
• Student Guide
• Lab Diagrams
• High-level Lab Guide
• Detailed Lab Guide
• A pen to take notes

Each classroom should provide the following:
• Method for displaying slides
• Adequate seating
• Access to a delivery rack configured for the IJS lab topology
• A computer for each team of students

Room Arrangement

All labs are modular by design. The organization is as follows:
• srxA-1 & srxA-2 (Pod A)
• srxB-1 & srxB-2 (Pod B)
• srxC-1 & srxC-2 (Pod C)
• srxD-1 & srxD-2 (Pod D)
Therefore, it is advantageous to arrange the room such that students working on Junos devices
that form pods sit together.

Suggested Schedule

Day 1
• Chapter 1: Course Introduction
• Chapter 2: Introduction to Junos Security Platforms
• Chapter 3: Zones
• Lab 1: Configuring and Monitoring Zones
• Chapter 4: Security Policies
• Lab 2: Security Policies

Day 2
• Chapter 5: Firewall User Authentication
• Lab 3: Configuring Firewall Authentication
• Chapter 6: SCREEN Options
• Lab 4: Implementing SCREEN Options
• Chapter 7: Network Address Translation
• Lab 5: Network Address Translation

Day 3
• Chapter 8: IPsec VPNs
• Lab 6: Implementing IPsec VPNs
• Chapter 9: Introduction to Intrusion Detection and Prevention
• Lab 7: Implementing IDP
• Chapter 10: High Availability Clustering
• Lab 8: Implementing Chassis Clusters


Lab Setup

For lab setup instructions, review the EnterprisePhysicalTopology.ppt. This document illustrates
the physical topology used in the labs for this course. This document can be retrieved through
the Course Distribution System (CDS) and is found in the \GeneralInfo\Junos directory.
The student devices are organized in pods. Depending on your delivery environment, you may
have one, two, three, or four pods. Each pod consists of two student devices. Typically, there
are two students assigned to each device. The student devices are named srxX-1 and srxX-2,
where X is either A, B, C, or D depending on the assigned pod. This course requires SRX240
devices running Junos Software Release 10.1R1.8. In addition to the student devices, each
delivery environment requires supporting devices, which include a J2350 (vr-device), a server,
and a shared hub or switch.
The J2350 or vr-device is logically segmented into multiple virtual routers and represents
networking devices as well as the Internet. The vr-device is managed by the instructor,
should have the reset configuration loaded before Lab 1, and requires Junos Software Release
10.1R1.8.
• In some situations, the maximum number of processes on the J2350 may
become exhausted. If this occurs, students will not be able to initiate further
telnet, FTP, or CLI sessions and will see a message indicating that the maximum
process limit has been reached. It is recommended that all J2350s used in a
full-rack delivery environment have their default process limit increased. The
default number of processes is 148; it is recommended that the limit be
increased to 500. An example of how this is done is shown below:
root@j2320-vr% cat /boot/loader.conf
console="comconsole"
kernel="/kernel"
autoboot_delay="2"
root@j2320-vr% echo "kern.maxproc=500" >> /boot/loader.conf
root@j2320-vr% cat /boot/loader.conf
console="comconsole"
kernel="/kernel"
autoboot_delay="2"
kern.maxproc=500
root@j2320-vr% reboot
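The `echo >> /boot/loader.conf` step above appends a second kern.maxproc line if it is run twice (for example on a rack that was already adjusted), and the stale value stays in the file. The following is an added example, not part of the course materials, that makes the same edit idempotently; the function names and the temporary demo file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the JSEC course materials: set a loader tunable
# such as kern.maxproc in a loader.conf-style file without creating
# duplicate lines. An existing line for the key is rewritten; otherwise
# exactly one line is appended.
# Usage: set_loader_tunable FILE KEY VALUE
#   e.g. set_loader_tunable /boot/loader.conf kern.maxproc 500

set_loader_tunable() {
    file=$1; key=$2; value=$3
    [ -e "$file" ] || : > "$file"        # create the file if it is missing
    if grep -q "^${key}=" "$file"; then
        # Key already present: rewrite that line, keep everything else.
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # Key absent: append exactly one line.
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Current value of KEY in FILE (last definition wins, quotes stripped);
# prints nothing if the key is not set.
get_loader_tunable() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Number of lines defining KEY in FILE; a clean file has 0 or 1.
count_loader_tunable() {
    grep -c "^$2=" "$1" 2>/dev/null || true
}

# Demo on a constructed copy of the three-line loader.conf from the notes
# (a temporary file, not /boot/loader.conf): run the edit twice and show
# that only one kern.maxproc line results.
demo=$(mktemp)
printf 'console="comconsole"\nkernel="/kernel"\nautoboot_delay="2"\n' > "$demo"
set_loader_tunable "$demo" kern.maxproc 500
set_loader_tunable "$demo" kern.maxproc 500
echo "kern.maxproc lines: $(count_loader_tunable "$demo" kern.maxproc)"
cat "$demo"
rm -f "$demo"
```

After the reboot, `sysctl kern.maxproc` in the shell on the vr-device shows whether the new limit took effect.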

The server is used as the storage location for the device licenses and the IDP security package
download. The server requirements include:
• User account lab with password of lab123 used for file transfers via SCP
• NTP service must be running and set to the correct local time

Note
Some lab exercises can only be performed from
7am to 6pm according to the system time on the
student device. If you will be using a student device
outside of these hours, you may need to alter the
system clock or security policy scheduler
configuration.


• The idp.tar.tgz file available on CDS in the JSEC directory must be stored under
/usr/home/lab/jsec
• License files for each student device that allow IDP signature updates must be
stored under /usr/home/lab/jsec as .txt files and named after each student
device, e.g. srxA-1.txt, srxA-2.txt, srxB-1.txt, etc.
The shared hub or switch is used for two primary purposes:
1. Management Network: The first purpose is to connect all devices on the
management network, which can be done by associating the relevant switch ports
with a management VLAN. The management subnet will vary depending on the
delivery environment. For delivery racks owned and managed by Juniper
Networks, a management network diagram for each delivery environment can be
found in the \GeneralInfo\Junos\ManagementNetworkDiagrams directory.
2. Student Device to VR Connections: The second purpose of the shared hub or
switch is to provide a common connection point for all student devices and the
vr-device.
If the same switch is used for both purposes, it is highly recommended that separate untagged
VLANs be created for these connections. We also recommend that spanning tree be disabled.
A sample EX Series switch configuration is located in the CDS folder for JSEC. The example
configuration accommodates both the management network and the student device
connections. Note that the management IP addresses will vary depending on the environment.

Lab Infrastructure Information

IP Addressing

The addresses used throughout the labs are private addresses and may vary depending on the
device’s interface and lab. For addressing details, please refer to the management topology
diagram and the topology diagrams for the individual labs.

Lab Infrastructure

Refer to the Lab Diagrams booklet for topology details for the individual labs in this course.

Lab Notes

Before class begins, make sure the student devices and vr-device are running the correct
version of software and that each device has its respective reset configuration loaded and
committed.
To refresh the state of the student device for the Lab 7 IDP package download, the following
commands will need to be executed in the shell with root privileges. This will remove the IDP
contents and reboot the device:
lab@host1-b> start shell
% su root
Password:
root@host1-b% rm -rf /var/db/idpd/*
root@host1-b% exit
exit
% exit

exit
lab@host1-b> request system reboot
Reboot the system ? [yes,no] (no) yes

Note
For the Americas delivery environments managed
by Juniper, the student devices and the
vr-device use training1 as the root
password. The student devices should all have a
student user account named lab with a
password of lab123.

Each device will also need to have the IDP license removed by issuing the following command
(Note that the actual license identifier will vary with each device):
lab@host1-a> request system license delete ?
Possible completions:
Junos213067 License key identifier
lab@host1-a> request system license delete Junos213067
Delete license Junos213067 ? [yes,no] (no) yes
Before beginning the first lab, you need to make the student device assignments and provide
the access details for the lab equipment. A sample management network diagram is provided
on the first page in the lab diagrams booklet. You’ll simply need to provide the students with
the access and login details for your designated delivery rack.
It may be worth emphasizing the importance of reading and following the lab notes and
instructions, as this will determine the end result and overall experience for the students. It
may also be helpful to review the textual conventions used in the detailed lab guide,
particularly the convention that identifies commands that the students must modify (italicized
and underlined text). In some situations, students may benefit from post-lab debriefing and
discussion.

Lab 1

This lab establishes the baseline network for each pod. In this lab students use the CLI to
configure and monitor interfaces, security zones, host-inbound traffic and a functional
management zone. Throughout these configuration tasks, the students will become familiar
with the lab topology and zones. Some common problems encountered:
• Initial access to the student device or terminal server. It is recommended that you
write the access details on the board and leave them there for the rest of the course.
As noted above, we use the traditional lab/lab123 credentials for student access.
The access details for the terminal server may change from week to week
depending on your delivery rack.
• Students may configure the incorrect details if they are blindly following the text
examples in the detailed Lab Guide. It is a good idea to emphasize that
commands with underlines should serve as a red flag to students. Not only do
interface names and IP addresses vary between individual devices, the zones,
and later, security policies, NAT and IPsec details may vary as well. There are
differences between srx1 and srx2 within a pod and differences between pods.
The relevant lab diagram must be used. A good understanding of this concept
now will make the remaining labs run much more smoothly.


• This lab also introduces virtual-router commands. It might be a good idea to go
over the virtual-router concept and how students will be entering commands into
the vr-device.

Lab 2

This lab demonstrates configuration and monitoring of security policy. In this lab students use
the command-line interface (CLI) to configure zone-based address books and associated
security policies. Students will then issue various commands to monitor the effects of their
work. Some common problems encountered:
• In Part 3, there is a scheduler applied to a subset of traffic. This scheduler only
allows this subset of traffic to pass during normal business hours. This traffic may
be needed in subsequent labs as well. As long as labs are being performed during
normal business hours from the student device’s perspective, there should be no
issue. The server device within the rack provides NTP synchronization to the
student devices to accommodate time zone differences. If adjustments are
needed for after-hours lab time, you can make adjustments to the server device
or within each student device’s scheduler configuration.
• Student teams within a pod should work in tandem or they may not see the
expected security log messages. Some results in this lab (and others) are
dependent on the remote student team within the same pod.

Lab 3

This lab demonstrates configuration and monitoring of firewall user authentication. In this lab
you use the command-line interface (CLI) to configure and monitor firewall user authentication.
Some common problems encountered:
• Some students have had difficulty seeing the correct logs in the firewall user
authentication table and the firewall authentication history table. As with many of
the labs, these logs are dependent upon the remote team’s actions within a
particular pod. It is also important to remember that an entry is not populated in
the historical table until that entry is removed (timed out) from the current
authentication table.

Lab 4

This lab demonstrates configuration and monitoring of Junos SCREEN protection. In this lab
you use the command-line interface (CLI) to define, apply, and monitor security SCREENs.
Some common problems encountered:
• Like most of the JSEC labs, some of the steps require the teams within a pod to
communicate and work in tandem.
• Some of the tasks in this lab invoke the use of the scheduled security policy. If the
expected behavior is not produced, make sure the scheduler is active.

Lab 5

This lab demonstrates the configuration and monitoring of Network Address Translation (NAT).
In this lab you use the command-line interface (CLI) to implement and monitor NAT and
proxy-arp. Some common problems encountered:
• Step 3.2 sets up the student device in a unique manner that requires proxy-arp.
Be sure you are familiar with the note associated with this step; it may be a
good idea to go over it with the students.


Lab 6

This lab demonstrates the configuration and monitoring of a route-based IPsec VPN. In this lab
you use the command-line interface (CLI) to manually create the IPsec VPN tunnel.

Lab 7

This lab demonstrates the installation and configuration of the IDP database and IDP policy
templates. In this lab, you use the command-line interface (CLI) to download and install the
appropriate licenses relative to each student device, to download and install the IDP signature
database, to apply and modify an IDP policy template. Some common problems encountered:
• It is imperative that the student devices have a software refresh/upgrade
performed between classes. If this has not been completed, the IDP license and
database will still be present from the previous class.
• Note that as a part of this lab, the student is instructed to change the root
password to lab123. This change will be reverted at the end of Lab 8 when the
students reload the reset configuration on each student device.

Lab 8

This lab demonstrates the implementation of a chassis cluster within each student pod. In this
lab you will use the command-line interface (CLI) to form a chassis cluster and monitor the
results, including a simulated redundancy group failover.
• While it is important for the student teams within a pod to work together in all
labs, it is especially important in this lab. It is recommended that the students
within each pod work together as one team for this lab.
• If the students do not finish this lab, the reset configuration files will not be
reloaded and you should perform this step manually at the end of class.
