Question

Juniper Netscreen Firewall

Asked by: poolsec

Hi,

I am performing some configuration on a Netscreen 5GT and it seems like the model/license which I have does not have the "DMZ" zone unless I upgrade it to extended version. I do notice that there are 2 zones called "Work" and "Home". Can someone familiar with Netscreen tell me the difference between a true "DMZ" and the "Work" or "Home" zones? Can I place my proxy server in a "Work" or "Home" zone so that it is segregated from the "Trust" internal LAN?


Asked on: 2009-10-13 at 20:21:01 (ID 24810075)
Topic: Enterprise Firewalls
Participating experts: 1 | Points: 500 | Comments: 13



Answers

 

by: sangamcPosted on 2009-10-13 at 20:35:41ID: 25567044

The home zone is segregated from the work zone by the hardware. From what I remember, even creating a policy to allow traffic from the Home to the Work zone will not work. However, traffic from the Work zone can go to the Home zone without any problem.

When in Home/Work mode there is no trust zone. The work zone essentially replaces the trust zone. The home zone is by no means a DMZ, but I believe you can target it by creating MIPs or VIPs from the untrust zone.

 

by: poolsecPosted on 2009-10-13 at 20:58:18ID: 25567129

OK, so effectively, I will not be able to deploy a proxy server in the "Home" zone. I have got some suggestions that a customized zone can be created and this new customized zone can be used as a DMZ whereby I should be able to host my proxy server. In this way, policies can be created to allow only http communication between my clients in the "Trusted" or "Work" zone and the new customized zone. Am I correct to say this? In addition, what difference will this setup be from an extended licensed Juniper box which comes with a "DMZ" zone option by default? Will there be any difference in the level of security which can be enforced?

 

by: sangamcPosted on 2009-10-13 at 21:36:55ID: 25567274

The main difference is that the DMZ is assigned to interfaces 3 and 4 on the Netscreen. This will allow you to create a different subnet from the trust zone and assign it to these ports.

You could, however, create a sub-interface on the trust network and assign it to a custom zone. You can then plug the proxy server into the Netscreen and configure it with a static IP on the same subnet as the sub-interface. You can then set up policies to control the traffic between the two zones just like you would with a DMZ.

 

by: poolsecPosted on 2009-10-13 at 22:41:37ID: 25567590

Am I right to say that this will only work in the "Trust-Untrust" mode and not in the "Home-Work" mode?

 

by: sangamcPosted on 2009-10-14 at 06:12:27ID: 25570024

It will work in both modes. It will even work in dual untrustworthy mode, which I use a lot to set up primary and backup ISP connections.

 

by: poolsecPosted on 2009-10-15 at 18:23:21ID: 25586351

We finally had the chance to test it out as the Internet line was installed. Surprisingly, the Home-Work mode worked well without the need to create a customized zone and bind it to a sub-interface. We deployed the proxy server in the "Home" zone and the internal LAN in the "Work" zone. What you said was correct; the policy for "Home to Work" has a "deny any any" rule by default and we are not able to modify that or add permit rules. But clients were able to access the Internet (e.g. HTTP) via the proxy server in the "Home" zone. We figured out that this is probably due to the fact that the "Work" zone is allowed to initiate connections to the "Home" zone and therefore the proxy server in the "Home" zone can respond to these requests. But initiating a request from the "Home" zone to the "Work" zone will definitely not be possible due to the default limitations of the "Home-Work" mode.

 

by: sangamcPosted on 2009-10-15 at 18:48:01ID: 25586440

I am glad it worked for you! Out of the box the NS5GT has some limitations built in. But with a little creativity you can still get a lot accomplished.

In my previous post I mentioned the dual untrustworthy port mode. That was a typo. My iPhone auto-spell has a rebellious streak and often tries to think for me. Sorry 'bout that.

 

by: poolsecPosted on 2009-10-15 at 19:32:22ID: 25586590

Thank you very much for the assistance. Your suggestions were very interesting and informative and could be very useful in future. Just one more question regarding the policy portion. By default I do not see any policy for the "Untrust to Trust" portion. Does it mean that the Netscreen has an implicit "deny any any" which blocks all traffic from outside?

 

by: sangamcPosted on 2009-10-15 at 19:43:31ID: 25586678

A good question! The Netscreen does not allow any traffic for which there is no policy created, so traffic from untrust to trust is always blocked. The interesting part is that you need to create a policy with the destination as a MIP or a VIP, and the source as untrust, to allow traffic from the outside into your LAN. The mapped IP can then target a specific destination such as a web server or email server and allow traffic to that destination.

A good thing to have is a default rule after all the others (last on the list) with source=any, dest=any, action=deny, and logging on. This will allow you to see logs of all traffic that doesn't match a rule and is useful for troubleshooting.

 

by: poolsecPosted on 2009-10-15 at 20:48:17ID: 25586915

At this moment, we do not need anything from outside to connect to our internal DMZ servers, so there will be no policy at all for this portion.

Talking about MIPs, I am trying to create a MIP which will map an IP from my existing internal LAN to the actual IP of the proxy server. The following shows the scenario.

"Work" zone interface IP: 10.1.1.1
"Home" zone interface IP: 200.1.1.1
Proxy server in "Home" zone: 200.1.1.20

I created a MIP on the "Work" interface with mapped IP 10.1.1.20 and host IP 200.1.1.20 and created a policy which allows "any to 10.1.1.20" in the "Work to Home" portion. However, it is not functioning well. Did I miss any step?

For the policy logging, am I right to say that the logging will only start if I have specified an external syslog server?

by: sangamc, posted on 2009-10-15 at 21:17:29, ID: 25586997

Did you make the policy source/destination the actual IP of the proxy or the MIP?

As far as logging goes, from the web interface you will see an icon on the policy under the Options column that you can click on to display the logs. A syslog server will give you more comprehensive analysis, but for a quick look the web display works great.
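The setup this thread converges on, written out as ScreenOS CLI: a MIP on the Work-side interface, a Work-to-Home policy whose destination is the MIP object rather than the proxy's real address, and an explicit last-position deny with logging. This is an added example, not configuration from the original posts or from Juniper; the addresses are the ones given in the thread, while the interface name ethernet1 for the Work zone and the proxy listening port 3128 are assumptions (confirm the interface with `get interface`, and use the built-in HTTP service instead of the custom one if the proxy listens on 80). The lines starting with `##` are annotations for the reader, not ScreenOS syntax.

```text
## Added example (not from the thread). Assumptions: Home-Work port mode, Work zone bound to
## ethernet1, proxy listening on TCP 3128. Addresses from the thread:
## Work interface 10.1.1.1, Home interface 200.1.1.1, proxy 200.1.1.20.

## 1. MIP on the Work-side interface: clients send to 10.1.1.20 and the firewall
##    rewrites the destination to the proxy's real address 200.1.1.20.
set interface ethernet1 mip 10.1.1.20 host 200.1.1.20 netmask 255.255.255.255 vr trust-vr

## 2. Custom service object for the assumed proxy port.
set service "proxy-3128" protocol tcp src-port 0-65535 dst-port 3128-3128

## 3. Work -> Home policy. The destination is the MIP object MIP(10.1.1.20), not 200.1.1.20:
##    a policy written against the real address never matches the pre-translation packet,
##    which is the "not functioning well" symptom described above. Only the proxy service is
##    permitted, so Work hosts cannot reach anything else in Home.
set policy id 10 from Work to Home any MIP(10.1.1.20) "proxy-3128" permit log

## 4. Catch-all deny at the bottom of each zone pair, with logging, so traffic that matched
##    nothing shows up in the policy log instead of silently hitting the implicit deny.
##    (New policies are appended, so creating these after policy 10 keeps them last.)
set policy id 11 from Work to Home any any any deny log
set policy id 12 from Untrust to Work any any any deny log

save

## 5. Checks
get policy
get log traffic policy 10
get log traffic policy 11
```

Two things to keep in mind when reading the logs. Policy 10 only permits sessions initiated from Work; the proxy's replies ride the existing session, so nothing here relaxes the hardware-enforced Home-to-Work deny the thread describes. And because the catch-all policies log every drop, they are the first place to look when a Work host reports that it cannot reach the proxy: a hit on policy 11 with destination 200.1.1.20 means the client is talking to the real address rather than the MIP.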
             

 

by: poolsecPosted on 2009-10-15 at 22:58:14ID: 25587283

I entered the destination IP manually initially. Realised that's where my mistake lies; I should have chosen the MIP IP from the drop-down box. Now it's working well.

The log is showing now as well. Initially, everything was blank for quite a while even though I was sure I had traffic passing through the firewall. I guess it took a while for these to be registered.

Thanks a lot for the great advice!
