Configuring NetScreen Firewalls

This chapter will cover the nuts and bolts of the security features in Juniper Networks' NetScreen firewall products. As you've no doubt already discovered, these devices are packed with features that make life easier for administrators: easy-to-configure VPNs (virtual private networks), built-in DHCP (Dynamic Host Control Protocol) servers, advanced Network Address Translation (NAT) functionality, support for a wide range of routing protocols, and much more. But a firewall's primary responsibility has always been security: keeping the bad bits out, and letting the good bits in.
Alongside the strong feature set for network administration is an equally strong set of protective tools. NetScreen firewalls have always protected owners from classic attacks such as Land, Teardrop, and other network layer-based attacks. These defensive SCREEN features allow for zone-specific settings based upon the risk factor of the facing network segment.
And while protecting at the network layer is both important and efficient, in today's world of application layer-specific attacks, it's not sufficient security coverage all by itself. Starting with tentative steps for application layer coverage in ScreenOS 4.0 with the Malicious URL feature, NetScreen firewalls now have full application layer coverage for typical Internet-facing protocols with Deep Inspection (DI), found in ScreenOS version 5.0 and later.
Combine the application layer gateway features with the advanced filtering features and antivirus (AV) protection, and a complete coverage picture emerges. But what are we protecting ourselves from?
There are almost as...