がらくたネット


SSG-5

SSG-5

JuniperのSSG-5を使った

SSG-5は標準でメモリ256MBモデルだが128MBモデルも存在する

違いはSSG-5のオプションライセンスが有効にならない事のみ

transparentモードに移行

ssg5-serial-> unset interface bgroup0 ip
ssg5-serial-> set interface ethernet0/0 zone V1-Untrust
ssg5-serial-> set interface ethernet0/1 zone V1-DMZ
ssg5-serial-> set interface bgroup0 zone V1-Trust
Changed to pure l2 mode
ssg5-serial-> set interface vlan1 ip <IP Address>/<Mask>
ssg5-serial-> set interface vlan1 manage web
ssg5-serial-> set interface vlan1 manage ping
ssg5-serial-> set route 0.0.0.0/0 interface vlan1 gateway <DGW IP Address>

bgroup0に規定値で192.168.1.1/24が割当られているため vlan1に同じセグメントのIPは割り当てられない

V1-Untrust ZONEで以下を許可するにはコマンド入力

https接続 set zone V1-Untrust manage ssl
ping応答 set zone V1-Untrust manage ping
SNMP応答 set zone V1-Untrust manage snmp
http接続 set zone V1-Untrust manage web

基本情報

  • 起動にかかる時間は約2分半程度
  • 192.168.1.1/24
  • netscreen/netscreen
  • ethernet0/0はUntrust Zone
  • ethernet0/1はDMZ Zone
  • ethernet0/2~0/6はbgroup0に割当、Trust Zone、192.168.1.1/24
  • bgroup0はNAT
  • bgroup0でdhcpが有効、192.168.1.33-126
  • TrustからUntrustへは全て許可のポリシー
  • timezoneは0
  • 再起動コマンドはresetだと…焦るよね…

規定値に戻す方法1、コンソール接続から

 hostname>unset all
 Erase all system config, are you sure y/[n] ? y
 hostname>reset
 Configuration modified, save? [y]/n n
 System reset, are you sure? y/[n] y
 In reset ...

規定値に戻す方法2、リセットボタン

 後ろ側のReset phinholeを4〜6秒間押し続ける
 StatusLEDが赤点滅する
 その後StatusLEDが緑点滅するのでpinholeを押すのをやめる
 2秒待つ
 再度4〜6秒間pinholeを押し続ける

処理系

get config設定情報表示
save config設定情報保存
set 何がし何がし項目の設定
get 何がし何がし項目の表示

snmp trap

SNMP TRAPはホスト名の後に数字が入る
この数字はNS-TRAP.MIBで定義されている

    SYNTAX        INTEGER {

        -- Traffic per-second threshold
        traffic-sec(1),
        -- Traffic per-minute threshold
        traffic-min(2),
        -- Winnuke pak
        winnuke(4),
        -- Syn attack
        syn-attack(5),
        -- tear-drop attack
        tear-drop(6),
        -- Ping of Death attack
        ping-death(7),
        -- IP spoofing attack
        ip-spoofing(8),
        -- IP source routing attack
        ip-src-route(9),
        -- land attack
        land(10),
        -- ICMP flooding attack
        icmp-flood(11),
        -- UDP flooding attack
        udp-flood(12),
        -- Illegal server IP to connect to CMS port
        illegal-cms-svr(13),
        -- URL blocking server connection alarm
        url-block-srv(14),
        -- Port Scan attack
        port-scan(16),
        -- address sweep attack
        addr-sweep(17),
        -- memory low
        low-memory(20),
        -- DNS server unreachable
        dns-srv-down(21),
        -- Fan, Power Supply failure
        generic-HW-fail(22),
        -- Load balance server unreachable
        lb-srv-down(23),
        -- log buffer overflow
        log-full(24),
        -- X509 related
        x509(25),
        -- VPN and IKE related
        vpn-ike(26),
        -- admin realted
        admin(27),
        -- Illegal src ip to connect to sme port
        sme(28),
        -- DHCP related
        dhcp(29),
        -- CPU usage is high
        cpu-usage-high(30),
        -- Interface IP conflict
        ip-conflict(31),
        -- Microsoft IIS server vulnerability
        attact-malicious-url(32),
        -- session threshold is exceeded
        session-threshold(33),
        -- SSH related alarms
        ssh-alarm(34),
        -- VPN tunnel from down to up
        vpn-tunnel-up(40),
        -- VPN tunnel from up to down
        vpn-tunnel-down(41),
        -- VPN replay detected
        vpn-replay-attack(42),
        -- VPN tunnel removed
        vpn-l2tp-tunnel-remove(43),
        -- VPN tunnel removed and error detected
        vpn-l2tp-tunnel-remove-err(44),
        -- VPN call removed
        vpn-l2tp-call-remove(45),
        -- VPN call removed and error detected
        vpn-l2tp-call-remove-err(46),
        -- Number of IAS exceeds configured maximum
                vpn-ias-too-many(47),
        -- Number of IAS crossed configured upper threshold
                vpn-ias-over-threshold(48),
        -- Number of IAS crossed configured lower threshold
                vpn-ias-under-threshold(49),
        -- IKE error occured for the IAS session
                vpn-ias-ike-error(50),
        -- allocated session exceed threshold
        allocated-session-threshold(51),
                -- AV Scan Manager Alarm, sofeware trap
                av-scan-mgr(554),
        -- NSRP rto self unit status change from up to down
        nsrp-rto-up(60),
        -- NSRP rto self unit status change from down to up
        nsrp-rto-down(61),
        -- NSRP track ip successed
        nsrp-trackip-success(62),
        -- NSRP track ip failed
        nsrp-trackip-failed(63),
        -- NSRP track ip fail over
        nsrp-trackip-failover(64),
        -- NSRP inconsistent configuration between master and backup
        nsrp-inconsistent-configuration(65),
        -- NSRP vsd group status change to elect
        nsrp-vsd-init(70),
        -- NSRP vsd group status change to master
        nsrp-vsd-master(71),
        -- NSRP vsd group status change to primary backup
        nsrp-vsd-pbackup(72),
        -- NSRP vsd group status change to backup
        nsrp-vsd-backup(73),
        -- NSRP vsd group status change to ineligible
        nsrp-vsd-ineligible(74),
        -- NSRP VSD group status change to inoperable
        nsrp-vsd-inoperable(75),
        -- NSRP VSD request heartbeat from 2nd HA path
        nsrp-vsd-req-hearbeat-2nd(76),
        -- NSRP VSD reply to 2nd path request
        nsrp-vsd-reply-2nd(77),
        -- NSRP duplicated RTO group found
        nsrp-rto-duplicated(78),
        -- DC fails to re-connect to MC
        dc-fail-reconnect-mc(79),
        -- MC fails to re-connect to Db
        mc-fail-reconnect-db(80),
        -- DC fails to initialize
        dc-fail-init(81),
        -- MC fails to initialize
        mc-fail-init(82),
        -- Unknown device trying to connect to a DC
        unknown-connect-attempt-dc(83),
        -- DC has been reinitialized/restarted (similar meaning as the cold
        -- start trap generated by the device)
        dc-reinit(84),
        -- MC has been restarted
        mc-reinit(85),
        -- DC fails to authenticate to a device
        dc-fail-auth(86),
        -- DC / MC are not running the same version
        dc-mc-version-unmatch(87),
        -- DC's traffic log files are full
        dc-log-full(88),
        -- NetScreen device connected to Global PRO
        device-connect-dc(89),
        -- NetScreen device dis-connected from Global PRO
        device-disconnect-dc(90),
                -- A USB key is plug/unplug from USB port
                usb-device-operation(93),
        -- No ppp IP pool configured
        ppp-no-ip-cfg(95),
        -- IP pool exhausted. No ip to assign
        ppp-no-ip-in-pool(96),
        -- Interface IPv6 address conflict
        ipv6-conflict(101),
        -- DIP utilization reaches raised threshold limit
                dip-util-raise(102),
        -- DIP utilization reaches clear threshold limit
                dip-util-clear(103),
        -- Errors in route module (exceed limit, malloc failure, add-perfix failure etc)
        route-alarm(205),
        -- LSA/Hello packets flood in OSPF, route redistribution exceed limit,
        ospf-flood(206),
        -- Update packet floods in RIP
        rip-flood(207),
        -- Peer forms adjacency completely
        bgp-established(208),
        -- Peer's adjacency is torn down, goes to Idle state
        bgp-backwardtransition(209),
        -- change in virtual link's state (down, point-to-point etc)
        ospf-virtifstatechange(210),
        -- change in neighbor's state on regular interface (down, 2way, full etc)
        ospf-nbrstatechange(211),
        -- change in neighbor's state on virtual link (down, full etc)
        ospf-virtnbrstatechange(212),
        -- authentication mismatch/area mismatch etc on regular interface
        ospf-ifconfigerror(213),
        -- authentication mismatch/area mismatch etc on virtual link
        ospf-virtifconfigerror(214),
        -- Authentication eror on regular interface
        ospf-ifauthfailure(215),
        -- Authentication eror on virtual link
        ospf-virtifauthfailure(216),
        -- lsa received with invalid lsa-type on regular interface
        ospf-ifrxbadpacket(217),
        -- lsa received with invalid lsa-type on virtual link
        ospf-virtifrxbadpacket(218),
        -- retransmission to neighbor on regular interface
        ospf-txretransmit(219),
        -- retransmission to neighbor on virtual link
        ospf-virtiftxretransmit(220),
        -- new LSA generated by local router
        ospf-originatelsa(221),
        -- LSA aged out
        ospf-maxagelsa(222),
        -- when total LSAs in database exceed predefined limit
        ospf-lsdboverflow(223),
        -- when total LSAs in database approach predefined limit
        ospf-lsdbapproachingoverflow(224),
        -- change in regular interface state (up/down, dr/bdr etc)
        ospf-ifstatechange(225),
        -- block java/active-x component
        ids-component(400),
        -- icmp flood attack
        ids-icmp-flood(401),
        -- udp flood attack
        ids-udp-flood(402),
        -- winnuke attack
        ids-winnuke(403),
        -- port scan attack
        ids-port-scan(404),
        -- address sweep attack
        ids-addr-sweep(405),
        -- tear drop attack
        ids-tear-drop(406),
        -- syn flood attack
        ids-syn(407),
        -- ip spoofing attack
        ids-ip-spoofing(408),
        -- ping of death attack
        ids-ping-death(409),
        -- filter ip packet with source route option
        ids-ip-source-route(410),
        -- land attack
        ids-land(411),
        -- screen syn fragment attack
        syn-frag-attack(412),
        -- screen tcp packet without flag attack
        tcp-without-flag(413),
        -- screen unknown ip packet
        unknow-ip-packet(414),
        -- screen bad ip option
        bad-ip-option(415),
        -- Dst IP-based session limiting
        dst-ip-session-limit(430),
        -- HTTP component blocking for .zip files
        ids-block-zip(431),
        -- HTTP component blocking for Java applets
        ids-block-jar(432),
        -- HTTP component blocking for .exe files
        ids-block-exe(433),
        -- HTTP component blocking for ActiveX controls
        ids-block-activex(434),
        -- screen icmp fragment packet
        icmp-fragment(435),
        -- screen too large icmp packet
        too-large-icmp(436),
        -- screen tcp flag syn-fin set
        tcp-syn-fin(437),
        -- screen tcp fin without ack
        tcp-fin-no-ack(438),
        -- avoid replying to syns after excessive 3 way TCP handshakes from
        -- same src ip but not proceeding with user auth. (not replying to
        -- username/password)..
        ids-tcp-syn-ack-ack(439),
        -- ip fragment
        ids-ip-block-frag(440),
        -- icmp ping id 0
        ids-icmp-ping-id-zero(441),
        --Shared to fair transition forced
        cpu-limit-s2f-forced(800),
        --Shared to fair transition auto
        cpu-limit-s2f-auto(801),
        --Fair to shared transition forced
        cpu-limit-f2s-forced(802),
        --Fair to shared transition because of timeout
        cpu-limit-f2s-timeout(803),
        --Fair to shared transition auto
        cpu-limit-f2s-auto(804)
    }