Juniper NetScreen Firewall three deployment modes and basic configuration

Source: Internet
Author: User


In actual deployments a Juniper NetScreen firewall (ScreenOS) interface can be placed in one of three modes:

① NAT mode, operating at layer 3 (the IP layer) of the TCP/IP stack;

② route mode, also operating at layer 3;

③ transparent mode, operating at layer 2.


2.1. NAT Mode

When the ingress interface of the Juniper firewall (the "intranet" or Trust-side interface) is in NAT mode, the firewall translates two fields of the IP header of traffic bound for the Untrust zone (the extranet or public network): the source IP address and the source port number.

The firewall replaces the source IP address of the originating host with the IP address of the Untrust zone interface, and replaces the source port number with a port number chosen by the firewall (port address translation), so that many internal hosts can share a single public address.

Environments suited to NAT mode:

① the number of registered (public) IP addresses is insufficient;

② the internal network uses a large number of unregistered (private) IP addresses that need legitimate access to the Internet;

③ there are servers on the internal network that must offer services to the outside; in NAT mode these are reached through mapped IP (MIP) or virtual IP (VIP) addresses on the Untrust side.

2.2. Route Mode

When a Juniper firewall interface is configured in route mode, the source address and source port number in the IP header are left unchanged when the firewall forwards traffic between security zones (for example Trust, Untrust and DMZ).

Unlike NAT mode, an interface in route mode does not require mapped IP (MIP) or virtual IP (VIP) addresses for inbound traffic to reach a host; policies refer to the host's real address.

Unlike transparent mode, an interface in route mode carries its own IP address, and all of the firewall's interfaces are in different subnets.

Environments suited to route mode:

① there are plenty of registered (public) IP addresses;

② the number of unregistered (private) IP addresses equals the number of registered (public) IP addresses, so no address sharing is needed;

③ the firewall is deployed entirely within the internal network (for example to segment internal subnets), so no translation is needed.
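The following ScreenOS CLI fragment is an added example, not configuration from the original page, showing the NAT mode of section 2.1 and the route mode of section 2.2 side by side on the same two-interface topology. Interface names (ethernet1 as the Trust-side ingress, ethernet3 as the Untrust uplink), all addresses, the server host and the address-book name web-srv are assumptions for illustration; lines beginning with # are annotations, not ScreenOS syntax, and must be stripped before pasting into a console.

```screenos
# Added example (not from the original page). Addresses and interface names are assumed.

# Common to both variants: an Untrust uplink in route mode with a default route,
# a Trust-side ingress interface, and an outbound policy.
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.2/24
set interface ethernet3 route
set route 0.0.0.0/0 interface ethernet3 gateway 203.0.113.1
set interface ethernet1 zone trust
set policy from trust to untrust any any any permit

# Variant A: NAT mode on the ingress interface (section 2.1).
# Traffic from 10.1.1.0/24 toward Untrust leaves with source 203.0.113.2 and a
# firewall-chosen source port. Inbound traffic to the internal server 10.1.1.10
# needs a MIP on the Untrust interface; the inbound policy names the MIP, not the
# private address.
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vrouter trust-vr
set policy from untrust to trust any mip(203.0.113.10) http permit

# Variant B: route mode on the ingress interface (section 2.2).
# No translation and no MIP: the inbound policy names the server's real address.
# The upstream router must have a route to 198.51.100.0/24 via 203.0.113.2, and
# because internal addresses are now visible upstream, inbound policies must be
# explicit and narrow.
set interface ethernet1 ip 198.51.100.1/24
set interface ethernet1 route
set address trust web-srv 198.51.100.10 255.255.255.255
set policy from untrust to trust any web-srv http permit
```

Apply one variant, not both. To check which mode an interface is in, use `get interface` (the Mode column reads NAT or Route); to confirm that translation is actually happening in variant A, open a connection from an internal host and inspect `get session`, which lists the translated source address and port for each session. The permit-any outbound policy is the usual starting point on these pages but should be narrowed to the services actually required.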


2.3. Transparent mode

When a Juniper firewall interface is in transparent mode, the firewall filters the IP packets that pass through it but does not modify any field of the IP header. Its interfaces carry no IP addresses of their own; the firewall behaves like a layer 2 switch or bridge within the same VLAN and is invisible to users.

Transparent mode is a convenient way to protect an internal network from traffic arriving from untrusted sources. It has the following advantages:

① the existing network addressing plan and configuration need not be changed;

② no mapped or virtual IP addresses are needed to reach protected servers;

③ the firewall consumes minimal system resources during deployment.
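The following ScreenOS CLI fragment is an added example, not configuration from the original page, showing the transparent mode of section 2.3. It binds the interfaces to the layer 2 zones V1-Trust and V1-Untrust (so they carry no IP address) and gives the firewall a management address on vlan1 only. Interface names, the management address and the permitted management source network are assumptions; the example also assumes the interfaces start with no layer 3 address assigned, and the exact set of management-service keywords accepted after `manage` should be checked against your ScreenOS release. Lines beginning with # are annotations, not ScreenOS syntax.

```screenos
# Added example (not from the original page). Interface names and addresses are assumed.

# Bind the two interfaces to layer 2 zones; in these zones interfaces have no IP
# address, so the existing addressing plan on either side is untouched.
set interface ethernet1 zone v1-trust
set interface ethernet3 zone v1-untrust

# The firewall itself is managed through vlan1, which lives in the protected
# subnet. Restrict the management service and the hosts allowed to reach it so
# the bridge cannot be administered from the untrusted side.
set interface vlan1 ip 10.1.1.1/24
set interface vlan1 manage ssh
set admin manager-ip 10.1.1.0 255.255.255.0

# Policies are still enforced between the layer 2 zones: traffic is bridged only
# where a policy permits it. Outbound is allowed; inbound is denied and logged.
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any any any deny log
```

Hosts on both sides keep their addresses and default gateway; the only address that changes is the one given to vlan1, which must be in the bridged subnet so that management traffic can reach the firewall. Transparent mode removes the need for MIP or VIP, but it does not remove the need for policies: without the permit policy above, no traffic crosses between the two layer 2 zones.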

