Junos Network Secure Overview - Juniper ACX1000 Configuration Manual

ACX Series Universal Access Router Configuration Guide
Related Documentation:
Junos Network Secure Overview on page 1020
Configuring Stateful Firewall Rules on page 1023
Understanding Service Sets on page 1028
Configuring Service Sets for Network Address Translation on page 1030
Configuring Service Sets to Be Applied to Services Interfaces on page 1031

Junos Network Secure Overview

Routers use firewalls to track and control the flow of traffic. Adaptive Services and
MultiServices PICs employ a type of firewall called a stateful firewall. Contrasted with a
stateless firewall that inspects packets in isolation, a stateful firewall provides an extra
layer of security by using state information derived from past communications and other
applications to make dynamic control decisions for new communication attempts.
NOTE: On ACX Series routers, the stateful firewall configuration is supported only on the
ACX500 indoor routers.
Stateful firewalls group relevant flows into conversations. A flow is identified by the
following five properties:
Source address
Source port
Destination address
Destination port
Protocol
A typical Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
conversation consists of two flows: the initiation flow and the responder flow. However,
some conversations, such as an FTP conversation, might consist of two control flows
and many data flows.
Firewall rules govern whether the conversation is allowed to be established. If a
conversation is allowed, all flows within the conversation are permitted, including flows
that are created during the life cycle of the conversation.
You configure stateful firewalls using a powerful rule-driven conversation handling path.
A rule consists of direction, source address, source port, destination address, destination
port, IP protocol value, and application protocol or service. In addition to the specific
values you configure, you can assign the value any to rule objects, addresses, or ports,
which allows them to match any input value. Finally, you can optionally negate the rule
objects, which negates the result of the type-specific match.
Firewall rules are directional. For each new conversation, the router software checks the
initiation flow matching the direction specified by the rule.
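The matching model described above (a five-property flow, directional rules, the any value, negated rule objects, and a conversation whose responder flow is permitted once the initiation flow is accepted) as an added Python simulation; this is illustrative code written for this page, not Junos code, and the field names, the "input"/"output" direction strings and the "accept"/"discard" actions are assumptions chosen for the example.

```python
from dataclasses import dataclass

ANY = None  # the manual's "any" value: matches every input value for that rule object

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

@dataclass
class Rule:
    direction: str                   # "input" or "output": rules are directional
    src: "str | None" = ANY
    sport: "int | None" = ANY
    dst: "str | None" = ANY
    dport: "int | None" = ANY
    proto: "str | None" = ANY
    negate: frozenset = frozenset()  # rule objects whose type-specific match is inverted
    action: str = "accept"

    def matches(self, flow: Flow, direction: str) -> bool:
        if direction != self.direction:
            return False
        for name in ("src", "sport", "dst", "dport", "proto"):
            want = getattr(self, name)
            hit = want is ANY or getattr(flow, name) == want
            if hit == (name in self.negate):  # a negated object inverts its match result
                return False
        return True

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conversations = set()   # initiation flows of conversations already allowed

    def check(self, flow: Flow, direction: str) -> bool:
        # every flow of an allowed conversation, including the responder flow, is permitted
        responder = Flow(flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        if flow in self.conversations or responder in self.conversations:
            return True
        for rule in self.rules:      # only the initiation flow is matched against the rules
            if rule.matches(flow, direction):
                if rule.action == "accept":
                    self.conversations.add(flow)
                return rule.action == "accept"
        return False                 # no rule matched: the conversation is not established
```

With a constructed rule set such as a discard rule for TCP port 22 whose source object is negated, followed by an accept rule for TCP traffic to a server, the simulation shows the negated match (SSH is discarded from every source except the one named), the direction check (a server-initiated output flow is dropped), and the responder flow of an accepted conversation passing without a rule lookup.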
Copyright © 2017, Juniper Networks, Inc.