<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techinvasion.net &#187; Security</title>
	<atom:link href="http://www.techinvasion.net/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techinvasion.net</link>
	<description></description>
	<lastBuildDate>Sat, 04 Sep 2010 02:02:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>Introduction to Filter list for JUNOS</title>
		<link>http://www.techinvasion.net/2009/06/14/introduction-to-filter-list-for-junos/</link>
		<comments>http://www.techinvasion.net/2009/06/14/introduction-to-filter-list-for-junos/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 02:10:02 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[filter-list]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=122</guid>
		<description><![CDATA[Juniper's JUNOS is a very robust operating system: not only is the OS very advanced, but the ASIC-heavy design of Juniper hardware is akin to calorie-free chocolate bars! Juniper Filter Lists, which are non-stateful packet filters similar to Cisco Access-Lists, are compiled and processed in hardware, which means that you can [...]]]></description>
			<content:encoded><![CDATA[<p>Juniper's JUNOS is a very robust operating system: not only is the OS very advanced, but the ASIC-heavy design of Juniper hardware is akin to calorie-free chocolate bars! Juniper Filter Lists, which are non-stateful packet filters similar to Cisco Access-Lists, are compiled and processed in hardware, which means that you can have as many Filter Lists as you want, as long as you want, without degrading performance.</p>
<p>Juniper is also big on naming things: in JUNOS everything has a name. The Filter Lists have names, the terms in the Filter Lists have names, and even the addresses you are matching on have names. This is a big concept in JUNOS because it allows you to write snippets of Filter Lists and reuse them in many different Filter Lists. JUNOS also supports grouping Filter Lists and applying an entire group of filters to an interface. If you apply a filter group to a JUNOS interface, the individual Filter Lists are evaluated sequentially, in order.<br />
<span id="more-122"></span><br />
To facilitate our discussion of Filter Lists, let's take a look at a standard anti-spoofing access list of the kind that would be applied to most edge routers. First let's talk about what a vanilla anti-spoofing ACL should contain. At a minimum it should block all RFC 1918 address space arriving from the Internet, it should block undesirable types of ICMP traffic, and, depending on the setup, it should block packets with illegal combinations of TCP flags set, for example packets with SYN and FIN set at the same time, or FIN-URG-PSH, or URG-ACK-PSH-RST-SYN-FIN all at once. All of these combinations of TCP flags are illegal and should never appear together in a legitimate packet. So without further ado, let's talk about Filter Lists.<br />
Filter Lists are defined under the firewall section of the JUNOS configuration. Prefix Lists, which are groups of networks, IP address ranges, or single hosts such as 1.1.1.1/32, are defined separately (under policy-options in the example below) and can then be referenced from as many Filter Lists as you define.</p>
<p>Below I will show you the actual Filter List as it looks in the configuration, along with some of the commands used to create it. For brevity I have opted to show only some of the commands, as they are basically repetitive. The important thing to remember is that, like all Access-Lists, the terms in a Filter List are evaluated from top to bottom, so the last term must be an allow-all (accept) statement; otherwise the anti-spoofing filter will block all communication, legitimate traffic included.</p>
<pre class="prettyprint">[edit]
john# set policy-options prefix-list rfc1918-prefix-list 192.168.0.0/16

[edit]
john# set policy-options prefix-list rfc1918-prefix-list 172.16.0.0/12

[edit]
john# set policy-options prefix-list rfc1918-prefix-list 10.0.0.0/8

[edit]
john# edit firewall

[edit firewall]
john# edit filter anti-spoofing

[edit firewall filter anti-spoofing]
john# edit term block-rfc1918

[edit firewall filter anti-spoofing term block-rfc1918]
john# set from source-prefix-list rfc1918-prefix-list

[edit firewall filter anti-spoofing term block-rfc1918]
john# set then log discard

[edit]
john# show policy-options

prefix-list rfc1918-prefix-list {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
}

[edit firewall]
john# show

filter anti-spoofing {
    term block-rfc1918 {
        from {
            source-prefix-list {
                rfc1918-prefix-list; ## 'rfc1918-prefix-list' is not defined
            }
        }
        then {
            log;
            discard;
        }
    }
    term block-fin-urg-psh {
        from {
            protocol tcp;
            tcp-flags fin,psh,urg;
        }
        then {
            log;
            discard;
        }
    }
    term block-syn-fin {
        from {
            protocol tcp;
            tcp-flags fin,syn;
        }
        then {
            log;
            discard;
        }
    }
    term block-urg-ack-syn-fin-rst-psh {
        from {
            protocol tcp;
            tcp-flags urg,ack,psh,rst,fin,syn;
        }
        then {
            log;
            discard;
        }
    }
    term block-icmp {
        from {
            protocol icmp;
            icmp-type-except echo-reply,unreachable,source-quench,time-exceeded;
        }
        then {
            log;
            discard;
        }
    }
    term accept-all {
        then accept;
    }
}</pre>
<p>Remember to apply the Filter List to the interface (here as an input filter on fe-0/0/0.0) with the following command:</p>
<pre class="prettyprint">[edit]
john# set interfaces fe-0/0/0.0 family inet filter input anti-spoofing</pre>
<p><a href="http://www.alltimedefense.com/uncategorized/time-based-access-control-lists/" target="_blank">Here is a related article on ACLs</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2009/06/14/introduction-to-filter-list-for-junos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encrypting GRE tunnels!</title>
		<link>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/</link>
		<comments>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 19:21:11 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[GRE]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[IPSEC]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=49</guid>
		<description><![CDATA[In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and thus could be intercepted by unauthorized parties. In this article we are going to look at tunneling [...]]]></description>
			<content:encoded><![CDATA[<p>In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and thus could be intercepted by unauthorized parties. In this article we are going to look at tunneling GRE inside of IPsec. This will give us the benefits of GRE and the security of IPsec.</p>
<p><span id="more-49"></span></p>
<pre class="prettyprint">!
! ISAKMP (IKE phase 1) policy using a pre-shared key. The word "integer"
! below is the pre-shared key string; replace it with your own key.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key integer address 192.168.1.2
!
! Use AES encryption with MD5 HMAC and comp-lzs compression.
! Transport mode tells IPsec not to create its own tunnel; it is used when
! IPsec provides encryption only and GRE does the tunneling.
crypto ipsec transform-set myset esp-aes esp-md5-hmac comp-lzs
 mode transport
!
! Create the crypto map. The peer must match the ISAKMP key statement, and
! the match-gre access list limits encryption to packets of the GRE tunnel.
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set myset
 match address match-gre
!
! The crypto map must be applied to both the tunnel and the public interface.
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery
 crypto map mymap
!
interface FastEthernet0/1
 description LAN INTERFACE
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
! The Internet-facing interface is the NAT outside side.
interface FastEthernet0/0
 description Internet Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group allow-gre in
 ip nat outside
 duplex auto
 speed auto
 crypto map mymap
!
! Inbound filter on the public interface: allow GRE, ESP (IPsec) and
! UDP port 500 (ISAKMP), which IPsec also uses.
ip access-list extended allow-gre
 permit gre any any
 permit esp any any
 permit udp any any eq 500
!
! Crypto access list matching the tunnel traffic. It must be in the form
! (my public ip) (destination public ip).
ip access-list extended match-gre
 permit gre host 192.168.1.1 host 192.168.1.2 log</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An overview of CISCO IOS Security features as related to packet filtering.</title>
		<link>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/</link>
		<comments>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/#comments</comments>
		<pubDate>Wed, 30 Jan 2008 03:30:27 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[ips]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/</guid>
		<description><![CDATA[ The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, [...]]]></description>
			<content:encoded><![CDATA[<p>The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, viruses, worms, Trojans, and network intrusions by receiving updated signature files from Cisco. If a packet or series of packets matches a particular signature, the router can send an alert, drop the packet, or reset the connection of the offending user. In this way the network engineer can better protect the network by acting on suspicious packets before they pose a risk to the network infrastructure. Another advantage of pushing IPS duties to the network edge is that offending packets are dropped before they take up finite network resources. In large networks as much as 10 percent of network resources could be consumed by packets that will ultimately be dropped for security reasons deeper in the network.<span id="more-32"></span></p>
<p>A lot of engineers prefer to use dedicated systems for network security such as PIX and ASA devices. However, the Cisco recommended methodology is to filter packets as close to the egress point as possible, thus saving network resources and enhancing security. In times past it was considered better to apply security features on dedicated devices deeper in the network while putting as little strain on the edge routers as possible. This methodology used to be a necessity, as routers typically had much less horsepower and a significant amount of CPU cycles and memory was used just routing and switching packets. Add to that the widespread use of Port Address Translation, which requires a large amount of CPU cycles and memory to maintain the port translation state table, and the situation was dire. It was not uncommon to see a branch-office-level router such as a 2500 or 2600 series overloaded by P2P programs, which open up thousands of ports for connections. In these situations a single user could easily destabilize the network and cause the router to drop packets under the load. Cisco, realizing the changing world of networking and the relative cheapness of CPU power, released the XM series routers as a stopgap measure until the new integrated services platform routers such as the 2800 and 3800 series were available. These new routers are more powerful than ever and allow IPS, stateful firewall features, and deep packet inspection to be performed at the network edge, thus enhancing security and the availability of network resources.</p>
<p>Besides the IPS features, Cisco routers can also perform CBAC, or Content Based Access Control. With CBAC the router can inspect TCP, UDP, and ICMP packets for fragments and irregularities. The IOS can also inspect several layer 7 protocols, and with the latest 12.4 IOS and the current generation of routers this list has expanded to many layer 7 protocols. When using CBAC the router monitors the outgoing packets on an interface and dynamically creates holes in the inbound access list to allow only packets that match the outgoing request. This means that CBAC enables the IOS to perform true stateful firewalling. In the 12.4 IOS, CBAC uses deep packet inspection to determine the true protocol of the packet and better protect the network from intrusion. With deep packet inspection the router will recognize an FTP packet and scan it for known issues even if the packet arrives on a port other than the standard FTP control port. The IOS also uses access lists to secure interfaces and drop unwanted traffic at the network edge, which prevents network resources from being wasted.</p>
<p>I hope this brief overview of the Cisco IOS security methodology as it relates to packet filtering was informative. I will follow up later with a more technical article on how to configure CBAC stateful firewalling and IPS signatures on a Cisco router.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

