Configuring Secure Connections In Screenos Devices Using Nsm Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide

Configuring Secure Connections in ScreenOS Devices Using NSM Overview

Table 33: SSL Settings

SSL Settings             Your Action
Redirect HTTP to HTTPS   You can enable HTTP redirection for SSL troubleshooting, if desired.
Certificate              By default, the security device uses an auto-generated self-signed certificate for SSL. To change the certificate used for SSL, select a certificate from the list of available certificates.
Port                     The default port for SSL connections is 443; to change this default, enter a different port number.
162
Secure Sockets Layer (SSL) is a set of protocols that can provide a secure connection between a Web client and a Web server communicating over a TCP/IP network. SSL consists of the SSL Handshake Protocol (SSLHP), which enables a client and server to authenticate each other and negotiate an encryption method, and the SSL Record Protocol (SSLRP), which provides basic security services to higher-level protocols such as HTTP. Using certificates, SSL authenticates the server (the security device) and then encrypts the traffic sent during the session. Juniper Networks supports authentication only of the server (the security device), not the client (the device administrator): the device authenticates itself to the device administrator, but the device administrator does not use SSL to authenticate to the device. However, the device administrator must connect using a Web browser with SSL version 3 compatibility (not version 2). Netscape Communicator 4.7x and later and Internet Explorer 5.x and later are SSL version 3 compatible.

During the SSL handshake, the security device sends the device administrator its self-signed certificate. The device administrator encrypts a random number with the public key contained in the certificate and sends the number back to the device, which uses its private key to decrypt the number. Both participants then use the shared random number and a negotiated secret key cipher (3DES, DES, RC4, or RC4-40) to create a shared secret key, which they use to encrypt traffic between themselves. They also use an agreed-upon compression method (PKZip or gzip) to compress data and an agreed-upon hash algorithm (SHA-1, SHA-2, or MD5) to generate a hash of the data to provide message integrity.

Additionally, the device administrator must use a permitted IP address to initiate an HTTP connection to the device, and the SSL service option must be enabled for the interface that the device administrator connects to on the device.

By default, SSL is disabled. To ensure that all HTTP connections to the Web UI are secure, you should enable this option. When enabled, the device automatically redirects administrative traffic using HTTP (default port 80) to HTTPS (SSL, default port 443) and authenticates using the local certificate. For a device running ScreenOS 5.1 and later, SSL uses the autogenerated, self-signed certificate on the device.

You can change the SSL configuration by editing the SSL settings as described in Table 33 on page 162.
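The following offline audit helpers are an added example, not part of the Juniper guide or of NSM. They check two things an administrator would verify after applying the Table 33 settings: that a plain-HTTP reply from the Web UI actually redirects to https:// on the configured SSL port, and whether the protocol version and cipher a client reports after the handshake (the SSL version 3 parameters listed above are all deprecated today) should be rejected. The HTTP response and handshake results below are constructed samples, and the device address 192.0.2.1 is a placeholder.

```python
"""Offline checks for ScreenOS Web UI SSL settings (added example)."""
from urllib.parse import urlsplit

# Versions and cipher tokens the page lists for SSL version 3 that are now
# deprecated (SSLv3: RFC 7568, RC4: RFC 7465, DES/3DES and MD5 by IETF/NIST).
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "DES", "MD5", "NULL", "EXPORT")


def parse_response(raw: bytes) -> dict:
    """Split an HTTP/1.x response into its status code and lower-cased headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def redirect_is_secure(raw: bytes, ssl_port: int = 443) -> bool:
    """True if the port-80 reply is a 3xx whose Location is https:// on ssl_port."""
    resp = parse_response(raw)
    location = resp["headers"].get("location")
    if not (300 <= resp["status"] < 400) or location is None:
        return False
    target = urlsplit(location)
    if target.scheme != "https":
        return False
    port = target.port if target.port is not None else 443
    return port == ssl_port


def weak_parameters(version: str, cipher_name: str) -> list:
    """Reasons a negotiated (version, cipher) pair should be rejected; [] if none."""
    reasons = []
    if version in WEAK_VERSIONS:
        reasons.append(f"protocol {version} is deprecated")
    upper = cipher_name.upper()
    for token in WEAK_CIPHER_TOKENS:
        # Do not report DES twice when the cipher is 3DES.
        if token in upper and not (token == "DES" and "3DES" in upper):
            reasons.append(f"cipher {cipher_name} uses {token}")
    return reasons


# Constructed sample: what a device with "Redirect HTTP to HTTPS" enabled
# might answer on port 80 (the path is hypothetical).
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://192.0.2.1:443/admin.html\r\n"
                   b"Content-Length: 0\r\n\r\n")
```

The (version, cipher name) pair passed to weak_parameters is the shape Python's ssl.SSLSocket.version() and ssl.SSLSocket.cipher()[0] return after a live connection, so the same grading can be applied to a real session.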
Copyright © 2010, Juniper Networks, Inc.