Quiz: //networkdirection.net/labsandquizzes/quizzes/juniper-jncia/firewall-filters
Lab: //networkdirection.net/labsandquizzes/labs/jncia-labs/firewall-filters
Notes
Firewall filters are the Junos version of an ACL. They are used to match traffic and apply an action. This can be for security [allow or deny traffic], but it can also be for a policy [such as a routing or CoS policy].
Firewall filters are stateless: each packet is evaluated on its own, with no connection tracking. The SRX and MX platforms also support stateful firewalling.
Firewall filters contain terms. A term is an individual rule in the firewall filter.
Within a term, we have ‘from’ statements, which are used to match conditions (like source and destination addresses). Multiple conditions in one term are ANDed: all of them must match for the term’s actions to be applied. Multiple values under one condition (for example, several source-address prefixes) are ORed: any one of them satisfies that condition. A term with no ‘from’ statement matches all traffic.
Also within the term are ‘then’ statements. These apply actions to matching traffic. Actions include accept, reject, discard, log, count, sample, next term, and others.
The ‘reject’ action will deny a packet and send an ICMP response. The ‘discard’ action will deny a packet silently.
Actions may be terminating or non-terminating. Accept, reject, and discard are terminating actions. That means that once the action is applied, processing the firewall filter stops.
A non-terminating action [eg, log, count, etc] can be applied, and the firewall filter can continue to be processed for more actions.
If a term matches and its ‘then’ statements contain no terminating action (for example, only count or log), the packet is implicitly accepted. Alternatively, ‘next term’ can be used to continue evaluation with the following term. A packet that matches no term at all is implicitly discarded at the end of the filter, so a filter that only lists what to permit silently drops everything else; ending the filter with an explicit term that counts or logs before discarding keeps the dropped traffic visible.
To be effective, firewall filters need to be applied somewhere. For stateless firewall filtering, they can be applied to an interface. This is applied in a particular direction [input or output].
We can nest firewall filters. In this case, a term references another filter (with the ‘filter’ statement in place of its own ‘from’ and ‘then’ statements), and the referenced filter’s terms are evaluated at that point. Only the root filter is applied to the interface; the nested filters are reached through it.
Alternatively, we could apply a list of firewall filters to an interface with input-list or output-list. Filters are evaluated in order of the list, from left to right, as if their terms had been concatenated into one filter: a packet that matches no term in one filter continues with the next filter, a terminating action in any filter ends evaluation, and the implicit discard applies only after the last filter. (‘next policy’ is a routing-policy action and does not exist in firewall filters; the only flow-control action within a filter is ‘next term’.)
Firewall filters have an address family. If no family is applied, then ‘inet’ [IPv4] is assumed.
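The evaluation rules above, as an added worked example in Python (this is not Junos code and not part of the original notes): a small model of stateless filter evaluation that can be run offline to check one’s reading of the ANDed conditions, terminating versus non-terminating actions, ‘next term’, implicit accept and implicit discard. The model assumes that a nested filter behaves as if its terms were inserted in place of the term that references it, and that a filter list is evaluated as one concatenated filter with a single implicit discard at the end. All filter names, counter names and addresses are constructed for the example.

```python
"""Toy model of Junos stateless firewall-filter evaluation.

Added example: not Junos code and not from the original notes. It models the
rules the notes describe: 'from' conditions within a term are ANDed, several
values of one condition are ORed, accept/discard/reject terminate evaluation,
modifiers such as count and log do not, 'next term' continues with the
following term, a matching term with no terminating action implicitly
accepts, and a packet that matches no term is implicitly discarded.
Modelling assumptions: a nested filter is expanded in place of the term that
references it, and a filter list is one concatenated filter with a single
implicit discard at its end. Filter names, counters and addresses are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TERMINATING = {"accept", "discard", "reject"}


@dataclass
class Term:
    name: str
    matches: dict = field(default_factory=dict)   # 'from': condition -> list of values
    actions: list = field(default_factory=list)   # 'then': actions and modifiers
    nested: Optional[str] = None                  # 'filter NAME' instead of from/then


def condition_matches(cond, values, pkt):
    """Several values of one condition are ORed; addresses match by prefix."""
    if cond in ("source-address", "destination-address"):
        addr = ip_address(pkt[cond])
        return any(addr in ip_network(prefix) for prefix in values)
    return pkt.get(cond) in values


def term_matches(term, pkt):
    """All conditions of a term are ANDed (an empty 'from' matches everything)."""
    return all(condition_matches(c, v, pkt) for c, v in term.matches.items())


def flatten(name, filters):
    """Expand nested filter references into one flat term list (model assumption)."""
    terms = []
    for term in filters[name]:
        terms.extend(flatten(term.nested, filters) if term.nested else [term])
    return terms


def evaluate(filter_list, filters, pkt):
    """Evaluate a filter list; return (verdict, modifiers applied, matched term names)."""
    terms = [t for name in filter_list for t in flatten(name, filters)]
    modifiers, matched = [], []
    for term in terms:
        if not term_matches(term, pkt):
            continue
        matched.append(term.name)
        terminating = [a for a in term.actions if a in TERMINATING]
        modifiers += [a for a in term.actions if a not in TERMINATING and a != "next term"]
        if "next term" in term.actions:
            continue  # non-terminating: evaluation goes on with the next term
        # A matching term with only modifiers (no accept/discard/reject) accepts.
        return (terminating[0] if terminating else "accept"), modifiers, matched
    return "discard", modifiers, matched  # implicit discard: nothing matched


# Constructed filters. protect-re counts all SSH, admits it only from two
# management prefixes, rejects other SSH with an ICMP response, and pulls in
# a nested filter for BGP peers. allow-icmp is a second filter used in a list.
FILTERS = {
    "protect-re": [
        Term("count-all-ssh", {"protocol": ["tcp"], "destination-port": [22]},
             ["count ssh-total", "next term"]),
        Term("allow-mgmt-ssh", {"source-address": ["192.0.2.0/24", "198.51.100.0/24"],
                                "protocol": ["tcp"], "destination-port": [22]},
             ["accept"]),
        Term("reject-other-ssh", {"protocol": ["tcp"], "destination-port": [22]},
             ["log", "reject"]),
        Term("bgp", nested="allow-bgp"),
    ],
    "allow-bgp": [
        Term("allow-bgp-peers", {"source-address": ["203.0.113.0/24"],
                                 "protocol": ["tcp"], "destination-port": [179]},
             ["accept"]),
    ],
    "allow-icmp": [
        Term("icmp", {"protocol": ["icmp"]}, ["count icmp-in", "accept"]),
    ],
}


def packet(src, proto, dport=None):
    """Constructed packet headers; the destination is the router itself."""
    return {"source-address": src, "destination-address": "192.0.2.1",
            "protocol": proto, "destination-port": dport}


if __name__ == "__main__":
    samples = [packet("192.0.2.10", "tcp", 22), packet("10.9.8.7", "tcp", 22),
               packet("203.0.113.5", "tcp", 179), packet("10.9.8.7", "icmp"),
               packet("10.9.8.7", "udp", 53)]
    for pkt in samples:
        print(pkt["source-address"], pkt["protocol"], pkt["destination-port"],
              "->", evaluate(["protect-re", "allow-icmp"], FILTERS, pkt))
```

Running the block evaluates five constructed packets against the list protect-re, allow-icmp. The SSH packets show a count applied by a ‘next term’ term before a later term accepts or rejects; the BGP packet is matched only through the nested filter; the ICMP packet is accepted by the second filter in the list but would be discarded if protect-re were applied on its own; and the UDP packet hits the implicit discard without any counter or log, which is the traffic an explicit final count-and-discard term would make visible.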
Command Summary
Command | Mode | Description |
--- | --- | --- |
set firewall family inet filter NAME | Configuration | Create an empty filter |
set firewall family inet filter NAME term NAME from CONDITION | Configuration | Match a condition within a term |
set firewall family inet filter NAME term NAME then ACTION | Configuration | Apply an action within a term |
set firewall family inet filter NAME term NAME filter NESTED-NAME | Configuration | Reference a nested filter from a term |
set interfaces INTERFACE unit ID family inet filter < input \| output > FILTER-NAME | Configuration | Apply a single filter to an interface in one direction |
set interfaces INTERFACE unit ID family inet filter < input-list \| output-list > [ FILTER-NAME ... ] | Configuration | Apply a list of filters to an interface in one direction |
show interfaces filters \| match inet | Operational | Show the filters applied to each interface |
show firewall filter NAME | Operational | Show the counters of a filter |
Additional References
Understanding Multiple Firewall Filters in a Nested Configuration
//www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-multiple-nested-overview.html
Understanding Multiple Firewall Filters Applied as a List
//www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-multiple-listed-overview.html
Understanding the Loopback Interface
//www.juniper.net/documentation/en_US/junos/topics/concept/interface-security-loopback-understanding.html
Time: 46 hours. Free Certificate.
Course Introduction
The first wide-area packet-switched network, ARPANET, was built in the late 1960s as a project of the US Department of Defense (DoD). That network grew into what is now known as the Internet, a global phenomenon that has become an integral part of our daily lives. The Internet connects the world on a social, business, and governmental level. So much information is stored and transferred online that the Internet has become a target for criminals. Any device connected to the Internet must be protected from unauthorized disclosure using the tools prescribed by the discipline of information security.
This course covers information security principles, an area of study that engages in protecting the confidentiality, integrity, and availability of information. Information security continues to grow with advancements in technology – as technology advances, so do threats, attacks, and our efforts to mitigate them. In this course, we discuss the modes of threats and attacks on information systems. We also discuss an important area of threat mitigation that saw rapid development in the twentieth century: cryptography. Information security is concerned with user identification and authentication and access control based on individual or group privileges. The basic access control models and the fundamentals of identification and authentication methods are included in this course.
Without networks, our focus would primarily be on controlling unauthorized physical access. Instead, networks are the way we keep data in motion, making information security a more complex task. We discuss methods to design secure networks using firewalls, tunneling, and encryption, and we describe some tools to secure networks such as honeypots, network sniffers, and packet capturing. Operating systems that connect to a network must be hardened to prevent unauthorized disclosure. Methods and tools such as patching, logging, antivirus, and antimalware tools are discussed.
The last topic in this course is global privacy laws. When unauthorized disclosure or a breach of information occurs, there are adverse effects and penalties placed on individuals or organizations depending on the area of jurisdiction. Laws are diverse and vary greatly throughout the world, and we are still trying to develop laws that will protect privacy globally.
In this course, you will learn the fundamentals of information security, security threats, modes of attack, and cryptographic models. Access control, identification, and authentication are also addressed. Network security and operating system [OS] hardening are explained along with intrusion detection and prevention. The course concludes with global privacy laws.
Unit 1: Introduction to Information Security
This course begins with an overview of information security and its evolution. This first section introduces the core goals of information security: the CIA triad. Common information security terms and processes used in the industry are defined and outlined. Types of controls and their functions are categorized so the learner can understand the design of a defense-in-depth system. The unit concludes with a justification of why humans are known as the weakest link in information security and describes how security awareness training can mitigate this risk. The topics in this unit prepare for the more detailed security topics in the following units.
Completing this unit should take you approximately 6 hours.
Unit 2: Threats and Attack Modes
Unit 3: Cryptographic Models
Unit 4: Access Control
Unit 5: Identification and Authentication
Unit 6: Network Security
Unit 7: Operating System (OS) Security
Unit 8: Intrusion Detection and Prevention Systems
Unit 9: Privacy Laws, Penalties, and Privacy Issues
Study Guide
Course Feedback Survey
Certificate Final Exam