Continuing from the last post on MPF in the Cisco ASA series: Juniper's next-generation firewalls (the SRX series, running Junos) can also be used to block unwanted sites. While the SRX supports integration with SurfControl, WebSense and similar services, this post focuses on the built-in capabilities, just as the ASA post did.
The UTM (Unified Threat Management) feature is integrated into SRX devices. So, in order to block one or more sites:
1. First create a custom block list containing the websites that you want to block.
custom-objects {
    url-pattern {
        badsite {
            value www.facebook.com;
        }
        addictivesite {
            value www.twitter.com;
        }
    }
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite ];
        }
    }
}
As you can see, the custom URL category above contains the sites 'www.facebook.com' and 'www.twitter.com'; depending on your preferences, time-eating sites like facebook, twitter, myspace and so on can be listed here. Again, the advantage is that the filter does not deal with IP addresses, so it stays effective regardless of how many servers around the world host the site.
2. Then create a security policy that permits the traffic but hands it to a UTM web-filtering policy, which screens the site or category the traffic is going to, as below:
policies {
    from-zone trust to-zone untrust {
        policy utm {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy wf-block-specfic-categories;
                    }
                }
            }
        }
    }
}
utm {
    feature-profile {
        web-filtering {
            url-blacklist bad-sites;   # sites in the bad-sites category are blocked
        }
    }
    utm-policy wf-block-specfic-categories {
        web-filtering {
            http-profile block-selected-sites;   # a web-filtering profile defined under feature-profile (not shown here)
        }
    }
}
Along with this, the SRX also supports 'Custom Block Messages', and the filtering can be made time-bound. Say you don't want to block a site completely but only during business hours: that is possible too, by scheduling the policy.
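The following is an added example, not Juniper's code or the post's own, that models how the block list and URL category above are evaluated: parse_junos() turns the brace-style custom-objects stanza into nested dicts, category_patterns() resolves each custom-url-category to the url-pattern values it references, and is_blocked() answers whether a request host falls in the category named by url-blacklist. The sample stanza is constructed (the post's two patterns plus a wildcard one), and treating url-pattern values as shell-style wildcards matched against the request host is an assumption of this model, not a statement about Junos matching rules.

```python
"""Model of SRX custom-url-category evaluation (added example, not Junos code).
Assumptions: url-pattern values are shell-style wildcards matched against
the request host; the sample configuration below is constructed."""

import re
from fnmatch import fnmatchcase

# Constructed sample configuration (the post's stanza plus a wildcard pattern).
SAMPLE_CONFIG = """
custom-objects {
    url-pattern {
        badsite {
            value www.facebook.com;
        }
        addictivesite {
            value www.twitter.com;
        }
        socialwild {
            value *.myspace.com;   # assumed wildcard form for this model
        }
    }
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite socialwild ];
        }
    }
}
"""


def parse_junos(text):
    """Parse a Junos-style brace configuration into nested dicts.

    'name { ... }' becomes a nested dict, 'key value;' a string and
    'key [ a b ];' a list.  '#' comments are stripped first."""
    text = re.sub(r"#.*", "", text)
    tokens = re.findall(r"\[|\]|\{|\}|;|[^\s\[\]{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                node[" ".join(words)] = block()
                pos += 1  # consume the closing brace
            else:
                pos += 1  # consume ';'
                key, *vals = words
                if vals and vals[0] == "[":
                    node[key] = [v for v in vals[1:] if v != "]"]
                else:
                    node[key] = vals[0] if len(vals) == 1 else vals
        return node

    return block()


def category_patterns(cfg):
    """Map each custom-url-category to {pattern_name: pattern_value}."""
    objs = cfg["custom-objects"]
    patterns = {name: body["value"] for name, body in objs["url-pattern"].items()}
    result = {}
    for cat, body in objs["custom-url-category"].items():
        members = body["value"]
        members = members if isinstance(members, list) else [members]
        result[cat] = {m: patterns[m] for m in members}
    return result


def matching_pattern(host, cfg, category="bad-sites"):
    """Return the name of the url-pattern in `category` matching `host`, or
    None.  Matching is case-insensitive and ignores a trailing dot; the
    name is what you would want in a block log line."""
    host = host.lower().rstrip(".")
    for name, pattern in category_patterns(cfg).get(category, {}).items():
        if fnmatchcase(host, pattern.lower()):
            return name
    return None


def is_blocked(host, cfg, blacklist_category="bad-sites"):
    """True when the request host falls in the url-blacklist category.
    The destination IP plays no part, which is the point of URL filtering."""
    return matching_pattern(host, cfg, blacklist_category) is not None


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    for h in ("www.facebook.com", "www.myspace.com", "www.example.com"):
        verdict = "block" if is_blocked(h, cfg) else "permit"
        print(h, "->", verdict, matching_pattern(h, cfg) or "")
```

Because the decision is keyed on the host name, the same entry keeps working when the site moves between IP addresses or is served from many of them, which is the advantage the post points out over address-based blocking.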
By default, if you want to allow RDP access from the internet to a machine inside a PIX, you need a static NAT entry and an access-list that permits that traffic.
For example, if we want to do this with the IP assigned to the outside interface, we'd do it this way:
static (inside,outside) tcp interface 3389 <PrivateIP_Internal_Desktop> 3389
access-list <Name> permit tcp any interface outside eq 3389
access-group <Name> in interface outside
Here <Name> is replaced by the ACL you already have applied; in the ACL you can replace 'any' with 'host x.x.x.x' if you want to allow access only from a specific IP on the internet.
If you want to do the same using a spare public IP address that is not assigned to the outside interface, you do it this way:
static (inside,outside) tcp <Public_IP> 3389 <Private_IP> 3389
access-list <Name> permit tcp any host <Public_IP> eq 3389
access-group <Name> in interface outside
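The following added example, not Cisco's code or the post's own, models the two conditions the configuration above imposes on an inbound RDP connection: a static translation that owns the public ip:port, and an access-list entry on the outside interface that permits the flow. The interface address, hosts and entries are constructed placeholders. The model evaluates the ACL against the untranslated public address (the way the post's access-list lines are written) and applies the implicit deny at the end of the ACL; the rest of PIX processing is left out.

```python
"""Model of PIX static + outside ACL admission for inbound RDP (added example,
not Cisco code).  All addresses below are constructed placeholders."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: address configured on the outside interface of the PIX.
OUTSIDE_INTERFACE_IP = "203.0.113.10"


@dataclass(frozen=True)
class Static:
    """static (inside,outside) <proto> <public> <pport> <private> <lport>"""
    proto: str
    public: str        # 'interface' or a public IP
    public_port: int
    private: str
    private_port: int


@dataclass(frozen=True)
class Ace:
    """access-list <name> <action> <proto> <src> <dst> eq <port>"""
    action: str        # 'permit' or 'deny'
    proto: str
    src: str           # 'any', 'host x.x.x.x' or a CIDR
    dst: str           # 'interface outside', 'host x.x.x.x' or a CIDR
    port: int


def resolve(spec):
    """Turn a PIX address keyword into an ip_network for membership tests."""
    if spec in ("interface", "interface outside"):
        return ip_network(OUTSIDE_INTERFACE_IP + "/32")
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ip_network(spec.split()[1] + "/32")
    return ip_network(spec)


def evaluate_inbound(src_ip, dst_ip, dst_port, statics, acl, proto="tcp"):
    """Return (private_ip, private_port) when an inbound flow is admitted,
    otherwise None.  Step 1: a static must own the public destination, or
    the PIX has nowhere to send the unsolicited packet.  Step 2: the outside
    ACL is searched first-match on the public (pre-translation) addresses;
    no match means the implicit deny applies."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    static = next(
        (s for s in statics
         if s.proto == proto and dst in resolve(s.public) and s.public_port == dst_port),
        None,
    )
    if static is None:
        return None
    for ace in acl:
        if (ace.proto == proto and ace.port == dst_port
                and src in resolve(ace.src) and dst in resolve(ace.dst)):
            return (static.private, static.private_port) if ace.action == "permit" else None
    return None


# Constructed sample mirroring both variants in the post: one static on the
# interface address restricted to a single internet host, one on a spare
# public address open to any source.
STATICS = [
    Static("tcp", "interface", 3389, "10.1.1.50", 3389),
    Static("tcp", "203.0.113.11", 3389, "10.1.1.51", 3389),
]
OUTSIDE_ACL = [
    Ace("permit", "tcp", "host 198.51.100.7", "interface outside", 3389),
    Ace("permit", "tcp", "any", "host 203.0.113.11", 3389),
]


if __name__ == "__main__":
    for src, dst, port in [("198.51.100.7", "203.0.113.10", 3389),
                           ("198.51.100.8", "203.0.113.10", 3389),
                           ("198.51.100.8", "203.0.113.11", 3389),
                           ("198.51.100.7", "203.0.113.10", 3390)]:
        print(src, "->", f"{dst}:{port}",
              evaluate_inbound(src, dst, port, STATICS, OUTSIDE_ACL))
```

The second sample flow shows why the 'host x.x.x.x' form matters: with the static in place, only the ACL stands between the whole internet and the desktop's RDP port.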
In VPN configuration this seems to be a hot discussion, so here we go.
There are two options for the internet traffic of VPN users:
- Split-tunneling enabled :: All corporate traffic goes through the VPN tunnel, while internet traffic (local browsing and so on) goes through the user's local internet connection, which improves browsing speed and the experience for the end user.
- Split-tunneling disabled :: Both corporate traffic and the user's internet traffic traverse the VPN tunnel; internet traffic first goes to the VPN endpoint and then exits to the internet from there.
Now, the second option (split-tunneling disabled) seems interesting to some security professionals, the reasoning being that while connected through the VPN there is no local interaction and thus no "security risk". The argument is that while connected to the corporate network through the VPN, the public internet is secluded, so there is more security against somebody or something from the internet getting into the corporate network!
Well, let me see; the way I see it: first of all, it makes internet browsing poor for the end user, who is probably browsing more but still stays *ON* the VPN just to check mail in the late evening (if that is happening). Now, security-wise, does simply disabling split-tunneling assure an administrator that the user won't harm the corporate network? I don't think so.
What about a user's machine that is infected with a virus, trojan or some other crap? Whether you have enabled split-tunneling or not, that is going to enter the corporate network. YES.
So what security are we talking about?
The best approach would be Network Access/Admission Control integrated with an antivirus/antispyware/IPS and firewall module.
Now, is there something obvious I'm not seeing here? Maybe somebody can shed some light; I would really appreciate that!
Ever faced a situation where you have your servers in a single VLAN (same subnet) and want to prevent them from talking to each other? You may want this for security: if one of the servers gets infected, you don't want that to spread to the others. However, each product has its own way of doing this.
So on a Cisco 6500 switch, you do it as below.
For Catalyst OS:
set security acl mac <AclName> deny <FirstServerMacAddress> <SecondServerMacAddress>
commit security acl <AclName>
Take a peek at the config guide on Cisco's site.
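The deny line above covers one source and one destination, so it stops only one direction of one pair. The following added example, not Cisco's code or the post's own, builds the full CatOS ACL for a set of servers: for n servers it emits n*(n-1) deny lines, then the permit that keeps traffic to the gateway and other hosts flowing, then the commit. The MAC addresses are constructed; the dashed address format and the trailing 'permit any any' are assumptions of this example, and binding the committed ACL to the VLAN is a separate step not shown here.

```python
"""Generate a CatOS MAC ACL that isolates servers sharing one VLAN (added
example, not Cisco code).  Assumptions: dashed lowercase MAC format on the
command line, and a trailing 'permit any any' so other traffic still flows."""

import re

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and
    return the dashed lowercase form (assumed here as the CatOS input
    format).  Raises ValueError for anything that is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def server_isolation_acl(acl_name, macs):
    """Return the CatOS lines that deny every ordered pair of the given
    MACs (both directions of each pair, since an ACE matches source and
    destination), then permit everything else and commit the ACL.
    Duplicate addresses in different notations are collapsed first."""
    addrs = sorted({normalise_mac(m) for m in macs})
    if len(addrs) < 2:
        raise ValueError("need at least two distinct servers to isolate")
    lines = [f"set security acl mac {acl_name} deny {a} {b}"
             for a in addrs for b in addrs if a != b]
    # Assumption: without this, the ACL's implicit deny would also cut the
    # servers off from their gateway and every other host.
    lines.append(f"set security acl mac {acl_name} permit any any")
    lines.append(f"commit security acl {acl_name}")
    return lines


# Constructed sample MAC addresses for three servers, in three notations.
SERVERS = ["00:11:22:33:44:01", "0011.2233.4402", "00-11-22-33-44-03"]

if __name__ == "__main__":
    print("\n".join(server_isolation_acl("SRV-ISOLATE", SERVERS)))
```

The quadratic growth is the practical caveat: for a handful of servers the list is manageable, but for a large VLAN a feature built for this purpose (or separating the servers into their own VLANs) scales better than pairwise MAC entries.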