The following flow chart illustrates the packet flow sequence both when SYN flag checking is enabled and when it is disabled.
By default, TCP security checks are enabled on all TCP flow sessions. The Junos operating system (Junos OS) performs the following operations during TCP sessions:
- Checks for the SYN flag in the first packet of a session and rejects any TCP segment without the SYN flag that attempts to initiate a session.
- Validates the TCP sequence numbers during stateful inspection.
In the zones below, sending a reset for non-SYN session TCP packets is turned off:
{primary:node0}
root@fw-mgmt-1> show security zones
node0:
--------------------------------------------------------------------------
Security zone: MGMT1
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth4.201
Security zone: TSMGMT
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth4.198
Security zone: MGMT2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth3.0
Enable tcp-rst on each of the three zones:
{primary:node0}[edit]
root@fw-mgmt-1# set security zones security-zone MGMT1 tcp-rst
{primary:node0}[edit]
root@fw-mgmt-1# set security zones security-zone TSMGMT tcp-rst
{primary:node0}[edit]
root@fw-mgmt-1# set security zones security-zone MGMT2 tcp-rst
root@fw-mgmt-1> show security zones
node0:
--------------------------------------------------------------------------
Security zone: MGMT1
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth4.201
Security zone: TSMGMT
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth4.198
Security zone: MGMT2
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    reth3.0
Junos OS provides a mechanism for disabling security checks on TCP packets to ensure interoperability with hosts and devices that have faulty TCP implementations. With no-SYN-check, Junos OS does not require a TCP SYN packet in order to create a session. No-sequence-check disables TCP sequence number validation; it also increases throughput. SYN check and sequence check are enabled by default. The set security flow tcp-session commands below disable TCP SYN checks and TCP sequence checks on all TCP sessions, and thus reduce security. This may be required in scenarios such as large file transfers, or with applications that do not work correctly with the standards.
Another reason to disable syn-check and sequence-check is asymmetric flows in your environment. It is best, whenever possible, to ensure that asymmetric flows do not occur, but this is not always possible. In that case you can disable these checks globally on the SRX device.
To disable TCP packet security checks:
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
After you have disabled the TCP options tcp-syn-check and tcp-sequence-check at the global level, you might want to enforce TCP packet security checks at the policy level instead.
Note: Disabling the global SYN check and enforcing the SYN check after policy search will greatly impact the number of packets that the router can process. This in turn will result in intense CPU operations.
Configure the checking for the TCP SYN bit before creating a session:
[edit]
user@host# set security policies from-zone Zone-A to-zone Zone-B policy pol1 then permit tcp-options syn-check-required
Configure the checking for sequence numbers in TCP segments during stateful inspection:
[edit]
user@host# set security policies from-zone Zone-A to-zone Zone-B policy pol1 then permit tcp-options sequence-check-required
It is also possible to disable TCP SYN or sequence checking on one policy and keep them enabled on all other policies; an apply-group can be used to complete this configuration, as described in KB24566.
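Once the global checks are off, the risk is a permit policy that nobody remembered to cover with tcp-options. The script below is an added example (not from this post or from Juniper) that audits a "display set" style configuration for exactly that gap: it reports whether each check is still enabled globally and lists every permit policy that does not re-enable a globally disabled check. The sample configuration, zone names and policy names (Zone-A, Zone-B, pol1, pol-legacy, pol-deny) are constructed.

```python
import re

# Constructed sample 'display set' output: both global checks disabled, pol1
# re-enforces them per policy, pol-legacy does not (names are assumptions).
SAMPLE_CONFIG = """\
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set security policies from-zone Zone-A to-zone Zone-B policy pol1 match source-address any
set security policies from-zone Zone-A to-zone Zone-B policy pol1 then permit tcp-options syn-check-required
set security policies from-zone Zone-A to-zone Zone-B policy pol1 then permit tcp-options sequence-check-required
set security policies from-zone Zone-A to-zone Zone-B policy pol-legacy then permit
set security policies from-zone Zone-B to-zone Zone-A policy pol-deny then deny
"""

# The global statement that switches each check off.
GLOBAL_OFF = {
    "syn-check": "set security flow tcp-session no-syn-check",
    "sequence-check": "set security flow tcp-session no-sequence-check",
}
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then (permit|deny)(?: tcp-options (\S+))?"
)


def audit_tcp_checks(config_text):
    """Return (global_state, uncovered).

    global_state maps each check to True while it is still enabled globally.
    uncovered lists (from-zone, to-zone, policy, check) for every permit policy
    that does not re-enable a globally disabled check via tcp-options.
    """
    lines = {line.strip() for line in config_text.splitlines() if line.strip()}
    global_state = {check: stmt not in lines for check, stmt in GLOBAL_OFF.items()}
    policies = {}  # (from, to, name) -> set of tcp-options seen on 'then permit'
    for line in lines:
        m = POLICY_RE.match(line)
        if not m or m.group(4) != "permit":
            continue  # deny policies create no session, so the checks do not apply
        opts = policies.setdefault((m.group(1), m.group(2), m.group(3)), set())
        if m.group(5):
            opts.add(m.group(5))
    uncovered = []
    for key in sorted(policies):
        for check, enabled in global_state.items():
            if not enabled and f"{check}-required" not in policies[key]:
                uncovered.append(key + (check,))
    return global_state, uncovered
```

Feed it the output of `show configuration | display set` from the device; an empty uncovered list means every permit policy re-enforces whatever was switched off globally.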
References:
- [J-Series/SRX] Example: Configuring TCP SYN Check options on a per policy basis
- [SRX] How to selectively disable TCP SYN or Sequence checking (KB24566)
- Understanding TCP SYN Checking - Juniper Networks
- Example: Disabling TCP Packet Security Checks for SRX Series Services Gateways