Configuring ScreenOS Devices Guide
For predefined zones, some general properties are already configured for you, such as
the Name and Virtual Router settings. For custom security zones, you can enter a name
and select the virtual router that handles traffic to and from the new zone.
For both predefined and custom zones, you can configure the settings as described in
Table 14 on page 40.

Table 14: Zone General Properties (Custom Zone Settings and their Description)

TCP/IP Reassembly for ALG: Select this option when using Application Layer Gateway (ALG)
filtering on the security device. By reassembling fragmented IP packets and TCP segments,
the security device can accurately filter traffic.

Block Intrazone Traffic: Select this option to block traffic between hosts within the
security zone.

TCP-RST: Select this option to return a TCP segment with the RESET flag set to 1 when a
TCP segment with a flag other than SYN is received.

Asymmetric VPN: In asymmetrical encryption, one key in a pair is used to encrypt and the
other to decrypt VPN traffic. When configuring multiple VPN tunnels to enable tunnel
failover, enable this option for the Trust zones on each security device in the VPN so
that if an existing session established on one VPN tunnel transfers to another, the
security device at the other end of the tunnel does not reject it.

Related Documentation
Predefined Screen Options Overview on page 40
Interface Types in ScreenOS Devices Overview on page 50
Setting Interface Properties Using the General Properties Screen on page 53

Predefined Screen Options Overview
Typically, a network forwarding device such as a router or switch does not reassemble
fragmented packets that it receives. It is the responsibility of the destination host to
reconstruct the fragmented packets when they all arrive. Because the purpose of
forwarding devices is the efficient delivery of traffic, queuing fragmented packets,
reassembling them, refragmenting them, and then forwarding them is unnecessary and
inefficient. However, passing fragmented packets through a firewall is insecure. An
attacker can intentionally break up packets to conceal traffic strings that the firewall
otherwise would detect and block.
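As an added illustration (not part of the guide), the following Python model shows why the device reassembles before filtering: a constructed content signature is missed when each fragment is inspected on its own, but is found once the fragments are reassembled. The Fragment class, the signature string and the sample request are assumptions built for this example, and offsets are counted in bytes rather than in IPv4's 8-byte units.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: datagram identification, payload offset, payload, More-Fragments flag.
    Offsets are in bytes here for readability (real IPv4 counts them in 8-byte units)."""
    ident: int
    offset: int
    payload: bytes
    more: bool


# Constructed content signature standing in for a firewall/IDS pattern (assumption).
SIGNATURE = b"/etc/passwd"


def inspect_per_fragment(frags):
    """Naive filter: match each fragment by itself, as a device that does not
    reassemble would have to. Returns True if the signature is seen."""
    return any(SIGNATURE in f.payload for f in frags)


def reassemble(frags):
    """Group fragments by ident and rebuild each datagram. Gaps, overlaps and a
    missing final fragment are rejected rather than guessed at."""
    by_ident = {}
    for f in frags:
        by_ident.setdefault(f.ident, []).append(f)
    datagrams = {}
    for ident, parts in by_ident.items():
        parts = sorted(parts, key=lambda f: f.offset)
        buf, expected = bytearray(), 0
        for p in parts:
            if p.offset != expected:  # hole or overlapping fragment
                raise ValueError(f"datagram {ident}: gap or overlap at offset {p.offset}")
            buf += p.payload
            expected += len(p.payload)
        if parts[-1].more:  # last fragment still says more are coming
            raise ValueError(f"datagram {ident}: incomplete, MF set on last fragment")
        datagrams[ident] = bytes(buf)
    return datagrams


def inspect_reassembled(frags):
    """Filter after reassembly: the signature cannot hide across a fragment boundary."""
    return any(SIGNATURE in d for d in reassemble(frags).values())


# Constructed sample: one HTTP request split so the signature straddles two fragments.
SAMPLE = [
    Fragment(7, 0, b"GET /cgi-bin/../etc/pa", True),
    Fragment(7, 22, b"sswd HTTP/1.0\r\n", False),
]
```

Running inspect_per_fragment(SAMPLE) returns False while inspect_reassembled(SAMPLE) returns True, which is the gap the TCP/IP Reassembly for ALG setting closes.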
You can enable predefined screen options that detect and block various kinds of traffic
that the security device determines to be potentially harmful. To secure all connection
attempts, security devices use a dynamic packet filtering method known as stateful
inspection. Using this method, the device notes various components in a packet header,
such as source and destination IP addresses, source and destination port numbers, and
packet sequence numbers. The device uses this information to maintain the state of
each session traversing the firewall.
Copyright © 2010, Juniper Networks, Inc.