1. About This Report
1.1. Organisation
1.2. Conventions
2. Security Audit
2.1. Introduction
2.2. Policy Lists
2.3. Administrative HTTP Redirect
2.4. Conclusions
3. Device Configuration
3.1. Introduction
3.2. General
3.3. Services
3.4. Administrative Settings
3.5. Authentication Servers
3.6. Simple Network Management Protocol
3.7. Interfaces
3.8. Security Zones
3.9. Policy Lists
3.10. IP Address Name Mappings
4. Appendix
4.1. Abbreviations
4.2. Common Ports
4.3. Logging Severity Levels
4.4. Time Zones
4.5. Nipper Details
1. About This Report
1.1. Organisation
This report on the Juniper NetScreen Firewall netscreen1 was produced by Nipper on Saturday 22 March 2008. The report contains the following sections:
- a security audit report section that details any identified security-related issues. Each security issue includes a description of the issue, its impact, how easy it would be to exploit and a recommendation. The recommendations include, where appropriate, the command(s) to resolve the issue;
- a configuration report section that details the configuration settings;
- an abbreviations appendix section that expands any abbreviations used within the report;
- a common ports appendix section that details the TCP and UDP port numbers for the common services outlined within the report;
- an appendix section detailing the logging severity levels used by the logging facility;
- a time zones appendix section that details a number of the most commonly used time zones;
- an appendix section detailing the software used to produce this report.
1.2. Conventions
This report makes use of the text conventions outlined in Table 1.
Table 1: Report text conventions
| Convention | Description |
| command | This text style represents Juniper NetScreen Firewall command text that has to be entered literally. |
| string | This text style represents Juniper NetScreen Firewall command text that you have to supply yourself (a value of your choosing). |
| [ ] | Used to enclose a Juniper NetScreen Firewall command option. |
| { } | Used to enclose a Juniper NetScreen Firewall command requirement. |
| \| | Divides command option or requirement choices. |
2. Security Audit
2.1. Introduction
Nipper performed a security audit of the Juniper NetScreen Firewall netscreen1 on Saturday 22 March 2008. This section details the findings of the security audit together with the impact and recommendations.
2.2. Policy Lists
Observation: Policy lists determine which network traffic is allowed and which is dropped between different zones (interzone), between interfaces in the same zone (intrazone) and in the global zone. If no policy has been configured for the traffic, it is blocked by the default policy (Table 3 shows this device's default as Deny).
Nipper identified five issues in the configured policy lists; these are listed in Table 2, where the first row records three of them against a single rule.
Table 2: Insecure policy list rules
| From Zone | To Zone | Global Zone | ID | Description |
| Trust | Untrust | No | 0 | Allows access from any source address. Allows access to any destination address. Allows access to any destination service. |
| Trust | Untrust | No | N/A | Policy list does not end with a deny all and log. |
| Untrust | Trust | No | 1 | Does not log denied access. |
Impact: If policy lists are not sufficiently restrictive, an attacker may be able to access services or network devices that should not be accessible. Furthermore, an attacker who had compromised a device could install a backdoor listening on a network port that is not filtered. On netscreen1, rule 0 permits all traffic from Trust to Untrust, so a compromised internal host can connect outbound to any external address and service, and the Untrust to Trust deny rule leaves no log of the attempts made against the trusted network.
Ease: N/A
Recommendation: Nipper recommends that the policy lists be reviewed and, where possible, modified to ensure that:
- policy rules do not allow access from any source;
- policy rules do not allow access from entire source networks;
- policy rules do not allow access to any destination;
- policy rules do not allow access to entire destination networks;
- policy rules do not allow access to any destination port;
- policy rules log denied access;
- disabled policy rules are removed;
- policy rules deny rather than reject packets (a reject sends a TCP reset or ICMP unreachable that confirms to a scanner that a filter is present);
- policy lists end with a deny all and log.
However, in certain circumstances, such as a public web server, a more relaxed configuration may be required to allow any host to access specific hosts and services.
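The checks in the recommendation list above, worked as an added example that is not part of the Nipper report or of Nipper's own code: a Python script that parses ScreenOS `set policy` and `set address` lines, reproduces the five findings of Table 2 for a constructed configuration matching Tables 14 to 16, and emits the ScreenOS commands that close each zone pair with a logged deny-all and remove disabled rules. The sample configuration, the function names (`parse_config`, `audit`, `remediation`), the finding texts and the assumption that re-issuing `set policy id N ...` for an existing id rewrites that rule in place are this example's own; verify the last point on the device before relying on it.

```python
import re

# Constructed sample mirroring Tables 14 to 16; it is not the device's real configuration.
SAMPLE_CONFIG = """
set address "Trust" "Local" 10.0.0.0 255.255.255.0
set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1 from "Untrust" to "Trust" "Any" "Any" "ANY" deny
"""

POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) from "(?P<sz>[^"]+)" to "(?P<dz>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>permit|deny|reject)(?P<rest>.*)$')
DISABLE_RE = re.compile(r'^set policy id (?P<id>\d+) disable$')
ADDRESS_RE = re.compile(r'^set address "(?P<zone>[^"]+)" "(?P<name>[^"]+)" [\d.]+ (?P<mask>[\d.]+)')
HOST_MASK = '255.255.255.255'


def parse_config(text):
    """Return (rules as dicts in list order, {(zone, address name): netmask})."""
    rules, masks = [], {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            rules.append({'id': int(m['id']), 'from': m['sz'], 'to': m['dz'], 'src': m['src'],
                          'dst': m['dst'], 'svc': m['svc'], 'action': m['action'],
                          'log': ' log' in m['rest'], 'disabled': False})
        elif m := DISABLE_RE.match(line):
            for r in rules:                     # 'set policy id N disable' follows its rule
                r['disabled'] |= r['id'] == int(m['id'])
        elif m := ADDRESS_RE.match(line):
            masks[(m['zone'], m['name'])] = m['mask']
    return rules, masks


def is_any(name):
    return name.lower() == 'any'


def is_network(zone, name, masks):
    """True when an address-book entry covers more than a single host."""
    return masks.get((zone, name), HOST_MASK) != HOST_MASK


def zone_pairs(rules):
    return list(dict.fromkeys((r['from'], r['to']) for r in rules))


def ends_with_deny_all(rules, pair):
    active = [r for r in rules if (r['from'], r['to']) == pair and not r['disabled']]
    return bool(active) and active[-1]['action'] == 'deny' and all(
        is_any(active[-1][k]) for k in ('src', 'dst', 'svc'))


def audit(rules, masks):
    """Apply the recommendation list; each finding is (from zone, to zone, id, text)."""
    findings = []
    for r in rules:
        add = lambda text, key=(r['from'], r['to'], r['id']): findings.append(key + (text,))
        if r['disabled']:
            add('Disabled rule should be removed.')
        elif r['action'] == 'permit':
            if is_any(r['src']):
                add('Allows access from any source.')
            elif is_network(r['from'], r['src'], masks):
                add('Allows access from an entire source network.')
            if is_any(r['dst']):
                add('Allows access to any destination.')
            elif is_network(r['to'], r['dst'], masks):
                add('Allows access to an entire destination network.')
            if is_any(r['svc']):
                add('Allows access to any destination service.')
        else:
            if r['action'] == 'reject':
                add('Rejects instead of denying; the reset or unreachable reply confirms the filter.')
            if not r['log']:
                add('Does not log denied access.')
    for pair in zone_pairs(rules):
        if not ends_with_deny_all(rules, pair):
            findings.append(pair + (None, 'Policy list does not end with a deny all and log.'))
    return findings


def remediation(rules):
    """ScreenOS commands for the findings that need no business knowledge to fix."""
    cmds = []
    next_id = max((r['id'] for r in rules), default=-1) + 1   # assumed to be an unused id
    for r in rules:
        if r['disabled']:
            cmds.append(f'unset policy id {r["id"]}')
        elif r['action'] != 'permit' and (r['action'] == 'reject' or not r['log']):
            # Assumption: re-issuing an existing id rewrites that rule in place.
            cmds.append(f'set policy id {r["id"]} from "{r["from"]}" to "{r["to"]}" '
                        f'"{r["src"]}" "{r["dst"]}" "{r["svc"]}" deny log')
    for pair in zone_pairs(rules):
        if not ends_with_deny_all(rules, pair):
            # A newly created policy is appended at the bottom of its zone pair's list.
            cmds.append(f'set policy id {next_id} from "{pair[0]}" to "{pair[1]}" '
                        f'"Any" "Any" "ANY" deny log')
            next_id += 1
    return cmds


if __name__ == '__main__':
    rules, masks = parse_config(SAMPLE_CONFIG)
    print(*audit(rules, masks), *remediation(rules), sep='\n')
```

The permit any/any/any rule (ID 0) and any network-wide source or destination are reported but not rewritten, because narrowing them needs knowledge of which hosts and services actually have to cross the zone boundary (the public web server case mentioned above).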
2.3. Administrative HTTP Redirect
Observation: The HTTP redirect setting redirects HTTP administrative connections to the security device to HTTPS (port 443 by default), so that all web-based administration uses HTTPS rather than cleartext HTTP.
Nipper determined that the ScreenOS device netscreen1 was not configured with the HTTP redirect setting. Note, however, that HTTP redirect is enabled by default on ScreenOS versions 5.1.0 and later, so an unconfigured setting on such a version may already be in effect; confirm the running ScreenOS version before treating this finding as exploitable.
Impact: An attacker able to monitor network traffic on a path used for web administration could capture authentication credentials for the device netscreen1. Table 8 shows web management enabled only on the trust interface, and Table 5 restricts administrative access to 192.168.0.0/24, so the exposure is to hosts that can observe traffic on that management network.
Ease: Network packet and password sniffing tools are widely available on the Internet. Once authentication credentials have been captured, an attacker with access to the device's management services could use them to gain access.
Recommendation: Nipper recommends that the HTTP redirect administration setting be configured to force access to the device over HTTPS. The following command sets the administrative HTTP redirect setting:
set admin http redirect
2.4. Conclusions
Nipper performed a security audit of the Juniper NetScreen Firewall device netscreen1 on Saturday 22 March 2008 and identified two security-related issues. Nipper determined that:
- insecure policy lists were configured;
- administrative HTTP access does not redirect to HTTPS.
3. Device Configuration
3.1. Introduction
This section details the configuration settings of the Juniper NetScreen Firewall device netscreen1.
3.2. General
Table 3: General device settings
| Description | Setting |
| Hostname | netscreen1 |
| Default Firewall Policy | Deny |
3.3. Services
Table 4: Device services
| Service | Status |
| SSH | Disabled |
3.4. Administrative Settings
Table 5: Administrative settings
| Description | Setting |
| Administrative User | netscreen |
| Encrypted Administrative Password | nKVUM2rwMUzPcrkG5sWIHdCtqkAibn |
| Admin Password Length | Any length (up to 31 characters) |
| Admin Login Attempts | 3 |
| Admin Privileges | Default |
| Admin Management IP | 192.168.0.0 255.255.255.0 |
| Console Only Administration | No |
| Authentication Server | Local |
| Administration Timeout | 10 mins |
| HTTP Redirection | Unconfigured |
| Mail Alerts | Yes |
| Configuration Format | DOS |
3.5. Authentication Servers
Table 6: Authentication servers
| ID | Server Name | Type | Server | Backup(s) | Timeout | Forced Timeout | Interface | Secret / Key |
| 0 | Local | Built-in | Local | | 10 mins | None | | |
3.6. Simple Network Management Protocol
Table 7: SNMP configuration
| Description | Setting |
| System Name | netscreen1 |
| SNMP Port | 161 |
| SNMP Trap Port | 162 |
| Authentication Traps | Disabled |
3.7. Interfaces
Table 8: Interfaces
| Interface | Active | IP Address | Zone | Ident Reset | MTrace | NS Management | Ping | SNMP | SSH | SSL | Telnet | Web |
| trust | Yes | 192.168.0.40/24 | Trust | On | On | On | On | On | On | On | On | On |
| untrust | Yes | 10.20.30.254/24 | Untrust | Off | Off | Off | Off | Off | Off | Off | Off | Off |
| vlan1 | Yes | 10.20.40.254/24 | | Off | Off | Off | Off | Off | Off | Off | Off | Off |
3.8. Security Zones
Juniper NetScreen Firewall security zones divide a network into segments so that filtering policies and other security options can be applied between them. At least two security zones must be configured for the device to filter between network areas. Each zone used for filtering has one or more network interfaces bound to it; the Global zone has no interfaces and instead holds the mapped IP (MIP) and virtual IP (VIP) addresses.
Table 9: Security zones
| Name | ID | VLAN | Block (intrazone) | Policy | Tunnel | Virtual Router |
| Trust | - | - | No | None | None | trust-vr |
| Untrust | - | - | Yes | None | None | trust-vr |
| MGT | - | - | Yes | None | None | None |
| V1-Untrust | - | - | No | None | None | None |
Table 10: Trust zone security settings
| Description | Setting |
| Send TCP resets for nonsync packets | Yes |
| Relay DHCP requests to other zones | Yes |
| Reassemble HTTP and FTP fragmented packets for ALG | No |
| Generate attack alarms but do not block | No |
| Apply the security settings to tunnels | N/A |
| Drop fragmented packets | No |
| Drop HTTP traffic containing ActiveX | No |
| Drop HTTP traffic containing Java | No |
| Drop HTTP traffic containing executables | No |
| Drop HTTP traffic containing ZIP files | No |
| Drop HTTP traffic containing malformed URL | No |
| Drop packets with illegal flags | No |
| Drop ICMP traffic flood | No |
| Drop ICMP traffic with fragments flag | No |
| Drop ICMP frames larger than 1024 | No |
| Drop packets with invalid IP options | No |
| Drop packets with IP source route option | No |
| Drop packets with no or malformed flags | No |
| Drop IP frames with a protocol number greater than 135 | No |
| Drop ping of death attacks | No |
| Prevent spoofing attacks | No |
| Prevent IP sweep attacks | No |
| Prevent port scans after 10 ports | Per 5000 microseconds |
| Prevent Land attacks | No |
| Prevent SYN ACK ACK attacks | No |
| Prevent SYN flood attacks | No |
| Detect SYN FIN attacks | No |
| Prevent SYN frag attacks | No |
| Prevent tear drop attacks | No |
| Prevent UDP floods | No |
| Log packets with a loose IP source route | No |
| Log packets with the record route option | No |
| Log packets with the security option | No |
| Log packets with the stream option | No |
| Log packets with the strict source option | No |
| Log packets with the timestamp option | No |
| Limit concurrent sessions | 128 sessions |
| Detect and modify NetBIOS attack packets | No |
Table 11: Untrust zone security settings
| Description | Setting |
| Send TCP resets for nonsync packets | No |
| Relay DHCP requests to other zones | Yes |
| Reassemble HTTP and FTP fragmented packets for ALG | No |
| Generate attack alarms but do not block | No |
| Apply the security settings to tunnels | N/A |
| Drop fragmented packets | No |
| Drop HTTP traffic containing ActiveX | No |
| Drop HTTP traffic containing Java | No |
| Drop HTTP traffic containing executables | No |
| Drop HTTP traffic containing ZIP files | No |
| Drop HTTP traffic containing malformed URL | No |
| Drop packets with illegal flags | No |
| Drop ICMP traffic flood | No |
| Drop ICMP traffic with fragments flag | No |
| Drop ICMP frames larger than 1024 | No |
| Drop packets with invalid IP options | No |
| Drop packets with IP source route option | Yes |
| Drop packets with no or malformed flags | No |
| Drop IP frames with a protocol number greater than 135 | No |
| Drop ping of death attacks | Yes |
| Prevent spoofing attacks | No |
| Prevent IP sweep attacks | No |
| Prevent port scans after 10 ports | Per 5000 microseconds |
| Prevent Land attacks | Yes |
| Prevent SYN ACK ACK attacks | No |
| Prevent SYN flood attacks | Yes |
| Detect SYN FIN attacks | No |
| Prevent SYN frag attacks | No |
| Prevent tear drop attacks | Yes |
| Prevent UDP floods | No |
| Log packets with a loose IP source route | No |
| Log packets with the record route option | No |
| Log packets with the security option | No |
| Log packets with the stream option | No |
| Log packets with the strict source option | No |
| Log packets with the timestamp option | No |
| Limit concurrent sessions | 128 sessions |
| Detect and modify NetBIOS attack packets | No |
Table 12: MGT zone security settings
| Description | Setting |
| Send TCP resets for nonsync packets | Yes |
| Relay DHCP requests to other zones | Yes |
| Reassemble HTTP and FTP fragmented packets for ALG | No |
| Generate attack alarms but do not block | No |
| Apply the security settings to tunnels | N/A |
| Drop fragmented packets | No |
| Drop HTTP traffic containing ActiveX | No |
| Drop HTTP traffic containing Java | No |
| Drop HTTP traffic containing executables | No |
| Drop HTTP traffic containing ZIP files | No |
| Drop HTTP traffic containing malformed URL | No |
| Drop packets with illegal flags | No |
| Drop ICMP traffic flood | No |
| Drop ICMP traffic with fragments flag | No |
| Drop ICMP frames larger than 1024 | No |
| Drop packets with invalid IP options | No |
| Drop packets with IP source route option | No |
| Drop packets with no or malformed flags | No |
| Drop IP frames with a protocol number greater than 135 | No |
| Drop ping of death attacks | No |
| Prevent spoofing attacks | No |
| Prevent IP sweep attacks | No |
| Prevent port scans after 10 ports | Per 5000 microseconds |
| Prevent Land attacks | No |
| Prevent SYN ACK ACK attacks | No |
| Prevent SYN flood attacks | No |
| Detect SYN FIN attacks | No |
| Prevent SYN frag attacks | No |
| Prevent tear drop attacks | No |
| Prevent UDP floods | No |
| Log packets with a loose IP source route | No |
| Log packets with the record route option | No |
| Log packets with the security option | No |
| Log packets with the stream option | No |
| Log packets with the strict source option | No |
| Log packets with the timestamp option | No |
| Limit concurrent sessions | 128 sessions |
| Detect and modify NetBIOS attack packets | No |
Table 13: V1-Untrust zone security settings
| Description | Setting |
| Send TCP resets for nonsync packets | No |
| Relay DHCP requests to other zones | No |
| Reassemble HTTP and FTP fragmented packets for ALG | No |
| Generate attack alarms but do not block | No |
| Apply the security settings to tunnels | N/A |
| Drop fragmented packets | No |
| Drop HTTP traffic containing ActiveX | No |
| Drop HTTP traffic containing Java | No |
| Drop HTTP traffic containing executables | No |
| Drop HTTP traffic containing ZIP files | No |
| Drop HTTP traffic containing malformed URL | No |
| Drop packets with illegal flags | No |
| Drop ICMP traffic flood | No |
| Drop ICMP traffic with fragments flag | No |
| Drop ICMP frames larger than 1024 | No |
| Drop packets with invalid IP options | No |
| Drop packets with IP source route option | Yes |
| Drop packets with no or malformed flags | No |
| Drop IP frames with a protocol number greater than 135 | No |
| Drop ping of death attacks | Yes |
| Prevent spoofing attacks | No |
| Prevent IP sweep attacks | No |
| Prevent port scans after 10 ports | Per 5000 microseconds |
| Prevent Land attacks | Yes |
| Prevent SYN ACK ACK attacks | No |
| Prevent SYN flood attacks | Yes |
| Detect SYN FIN attacks | No |
| Prevent SYN frag attacks | No |
| Prevent tear drop attacks | Yes |
| Prevent UDP floods | No |
| Log packets with a loose IP source route | No |
| Log packets with the record route option | No |
| Log packets with the security option | No |
| Log packets with the stream option | No |
| Log packets with the strict source option | No |
| Log packets with the timestamp option | No |
| Limit concurrent sessions | 128 sessions |
| Detect and modify NetBIOS attack packets | No |
3.9. Policy Lists
A policy is a set of rules that determines whether traffic between security zones (interzone), between interfaces in the same zone (intrazone) or between addresses in the global zone is permitted or denied. Each interface belongs to exactly one security zone, and multiple interfaces can be assigned to the same security zone.
A policy list is processed from top to bottom and the first rule that matches takes effect. If no rule matches, the default policy applies, which is deny on a Juniper NetScreen Firewall unless changed (Table 3 shows this device's default policy as Deny). Policies are applied in the following order:
- intrazone policies (consulted only when intrazone blocking is enabled on the zone; otherwise traffic within the zone is permitted without consulting the list);
- zone-to-zone policies;
- global zone policies;
- the default policy (deny by default).
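The lookup order described above, as an added example that is not part of the Nipper report: a small Python evaluator that answers "would this flow be permitted?" for the policies in Tables 14 and 15 and the intrazone-block settings in Table 9, following first-match semantics. Storing global policies as a 'Global' to 'Global' zone pair, the `Policy` and `lookup` names and the flow tuple layout are this example's own modelling choices, not ScreenOS syntax; the constructed flows use hypothetical address-book names.

```python
from dataclasses import dataclass

# Modelling choice for this example: global policies are held with both zones set
# to 'Global'. This is how the evaluator represents them, not ScreenOS CLI syntax.
GLOBAL = 'Global'


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    src: str        # address-book name or 'Any'
    dst: str
    svc: str        # service name or 'ANY'
    action: str     # permit | deny | reject
    log: bool = False
    disabled: bool = False

    def matches(self, src, dst, svc):
        return all(p.lower() == 'any' or p == v
                   for p, v in ((self.src, src), (self.dst, dst), (self.svc, svc)))


def lookup(policies, zone_block, flow, default='deny'):
    """Return (action, matched policy or None, stage) for one flow.

    flow is (src_zone, dst_zone, src, dst, svc). Stages follow the order stated in
    the report: intrazone (only when the zone blocks intrazone traffic), zone to
    zone, global, then the default policy."""
    src_zone, dst_zone, src, dst, svc = flow
    intrazone = src_zone == dst_zone
    if intrazone and not zone_block.get(src_zone, False):
        # As the report states, the zone's own list is not consulted without blocking.
        return ('permit', None, 'intrazone-unblocked')
    stages = (('intrazone' if intrazone else 'interzone', (src_zone, dst_zone)),
              ('global', (GLOBAL, GLOBAL)))
    for stage, pair in stages:
        for p in policies:                       # first match in list order wins
            if (not p.disabled and (p.src_zone, p.dst_zone) == pair
                    and p.matches(src, dst, svc)):
                return (p.action, p, stage)
    return (default, None, 'default')


# Constructed data: the policies in Tables 14 and 15 and the block flags in Table 9.
POLICIES = [
    Policy('Trust', 'Untrust', 'Any', 'Any', 'ANY', 'permit', log=True),
    Policy('Untrust', 'Trust', 'Any', 'Any', 'ANY', 'deny'),
]
ZONE_BLOCK = {'Trust': False, 'Untrust': True, 'MGT': True, 'V1-Untrust': False}

if __name__ == '__main__':
    for flow in [('Trust', 'Untrust', 'Local', 'web-srv', 'HTTP'),
                 ('Untrust', 'Trust', 'attacker', 'Local', 'SSH'),
                 ('Trust', 'Trust', 'host-a', 'host-b', 'ANY'),
                 ('Untrust', 'Untrust', 'host-a', 'host-b', 'ANY'),
                 ('Trust', 'MGT', 'Local', 'mgmt', 'HTTPS')]:
        action, _, stage = lookup(POLICIES, ZONE_BLOCK, flow)
        print(flow, '->', action, 'via', stage)
```

Two things the evaluator makes visible that the tables alone do not: traffic inside Trust is permitted without any policy because Table 9 shows intrazone blocking off for that zone, while the same traffic inside Untrust falls through to the default deny; and a zone pair with no policy at all (for example Trust to MGT) is decided by the global list or, failing that, the default policy.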
Table 14: Zone Trust to zone Untrust policy list
| ID | Disabled | Permission | Source | Destination | Service | Log |
| 0 | No | Permit | Any | Any | Any | Yes |
Table 15: Zone Untrust to zone Trust policy list
| ID | Disabled | Permission | Source | Destination | Service | Log |
| 1 | No | Deny | Any | Any | Any | No |
3.10. IP Address Name Mappings
Table 16: Zone Trust name mappings
| Name | IP Address / FQDN | Net Mask | Comment |
| Local | 10.0.0.0 | 255.255.255.0 | |
4. Appendix
4.1. Abbreviations
| Abbreviation | Expansion |
| ALG | Application Layer Gateway |
| DHCP | Dynamic Host Configuration Protocol |
| DOS | Disk Operating System |
| FTP | File Transfer Protocol |
| HTTP | HyperText Transfer Protocol |
| HTTPS | HyperText Transfer Protocol over SSL |
| ICMP | Internet Control Message Protocol |
| IP | Internet Protocol |
| SNMP | Simple Network Management Protocol |
| SSH | Secure Shell |
| SSL | Secure Sockets Layer |
| TCP | Transmission Control Protocol |
4.2. Common Ports
Table 17: Common ports
| Service | Port |
| FTP | 21 |
| SSH | 22 |
| DHCP | 67 (server), 68 (client) |
| HTTP | 80 |
| SNMP | 161 |
| HTTPS | 443 |
4.3. Logging Severity Levels
Table 18: Logging message severity levels
| Level | Level Name | Description |
| 0 | Emergencies | System is unusable |
| 1 | Alerts | Immediate action is required |
| 2 | Critical | Critical conditions |
| 3 | Errors | Error conditions |
| 4 | Warnings | Warning conditions |
| 5 | Notifications | Significant conditions |
| 6 | Informational | Informational messages |
| 7 | Debugging | Debugging messages |
4.4. Time Zones
Table 19: Common time zone acronyms
| Region | Acronym | Time Zone | UTC Offset |
| Australia | CST | Central Standard Time | +9.5 hours |
| Australia | EST | Eastern Standard Time | +10 hours |
| Australia | WST | Western Standard Time | +8 hours |
| Europe | BST | British Summer Time | +1 hour |
| Europe | CEST | Central Europe Summer Time | +2 hours |
| Europe | CET | Central Europe Time | +1 hour |
| Europe | EEST | Eastern Europe Summer Time | +3 hours |
| Europe | EET | Eastern Europe Time | +2 hours |
| Europe | GMT | Greenwich Mean Time | 0 hours |
| Europe | IST | Irish Summer Time | +1 hour |
| Europe | MSK | Moscow Time | +3 hours |
| Europe | WEST | Western Europe Summer Time | +1 hour |
| Europe | WET | Western Europe Time | 0 hours |
| USA and Canada | ADT | Atlantic Daylight Time | -3 hours |
| USA and Canada | AKDT | Alaska Daylight Time | -8 hours |
| USA and Canada | AKST | Alaska Standard Time | -9 hours |
| USA and Canada | AST | Atlantic Standard Time | -4 hours |
| USA and Canada | CDT | Central Daylight Time | -5 hours |
| USA and Canada | CST | Central Standard Time | -6 hours |
| USA and Canada | EDT | Eastern Daylight Time | -4 hours |
| USA and Canada | EST | Eastern Standard Time | -5 hours |
| USA and Canada | HST | Hawaiian Standard Time | -10 hours |
| USA and Canada | MDT | Mountain Daylight Time | -6 hours |
| USA and Canada | MST | Mountain Standard Time | -7 hours |
| USA and Canada | PDT | Pacific Daylight Time | -7 hours |
| USA and Canada | PST | Pacific Standard Time | -8 hours |
4.5. Nipper Details
This report was generated using Nipper version 0.11.5. Nipper is an Open Source tool designed to assist security professionals and network system administrators in securely configuring network infrastructure devices. The latest version of Nipper can be found at the following URL:
http://nipper.sourceforge.net