ip (Security Screen) – TechLibrary – Juniper Networks
Contents
- Release Information
- Description
- Options
- Required Privilege Level
Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 bad-option extension header screens added in Junos OS Release 12.1X46-D10.
Description
Configure IP-layer IDS (screen) options.
Options
- bad-option—Detect and drop any packet with an incorrectly formatted IP option in the IP packet header. The device records the event in the screen counters list for the ingress interface. This screen option applies to both IPv4 and IPv6.
- block-frag—Enable IP packet fragmentation blocking.
- loose-source-route-option—Detect packets in which the IP option is 3 (loose source routing), and record the event in the screen counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other devices between those specified. The routing header corresponding to the loose source route option is the only related header defined in IPv6.
- record-route-option—Detect packets in which the IP option is 7 (record route), and record the event in the screen counters list for the ingress interface. Currently, this screen option applies only to IPv4.
- security-option—Detect packets in which the IP option is 2 (security), and record the event in the screen counters list for the ingress interface. Currently, this screen option applies only to IPv4.
- source-route-option—Detect packets, and record the event in the screen counters list for the ingress interface.
- spoofing—Prevent spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the spoofing option invalidates such false source IP address connections. The default behavior is to base spoofing decisions on individual interfaces.
- stream-option—Detect packets in which the IP option is 8 (stream ID), and record the event in the screen counters list for the ingress interface. Currently, this screen option applies only to IPv4.
- strict-source-route-option—Detect packets in which the IP option is 9 (strict source routing), and record the event in the screen counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Currently, this screen option applies only to IPv4.
- tear-drop—Block the teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the device to drop any packets that have such a discrepancy.
- timestamp-option—Detect packets in which the IP option list includes option 4 (Internet timestamp), and record the event in the screen counters list for the ingress interface. Currently, this screen option applies only to IPv4.
- unknown-protocol—Discard all received IP frames with protocol numbers greater than 137 for IPv4 and 139 for IPv6. Such protocol numbers are undefined or reserved.
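The following is an added configuration example, not taken from the Juniper page, showing how the options above are enabled under the `[edit security screen ids-option screen-name ip]` hierarchy and bound to a zone. The screen profile name `untrust-screen` and the zone name `untrust` are assumptions; the lines beginning with `#` are annotations for the reader and are not CLI input.

```junos
# Screen profile (name assumed) enabling every IP-layer screen documented on this page.
set security screen ids-option untrust-screen ip bad-option
set security screen ids-option untrust-screen ip block-frag
set security screen ids-option untrust-screen ip loose-source-route-option
set security screen ids-option untrust-screen ip record-route-option
set security screen ids-option untrust-screen ip security-option
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen ip stream-option
set security screen ids-option untrust-screen ip strict-source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen ip timestamp-option
set security screen ids-option untrust-screen ip unknown-protocol

# A screen profile does nothing until it is attached to a security zone;
# it then applies to traffic entering the interfaces of that zone (zone name assumed).
set security zones security-zone untrust screen untrust-screen
commit

# Operational check: the per-screen counters for the zone are where the
# "record the event in the screen counters list" entries above are visible.
show security screen statistics zone untrust
```

When first rolling a profile out, `set security screen ids-option untrust-screen alarm-without-drop` makes the device count and log matches without dropping traffic, so the counters from `show security screen statistics` can be reviewed for false positives (for example, legitimate record-route or timestamp probes from monitoring tools) before the screens are enforced.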
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Source: https://juniper.internet/documentation/en_US/junos/topics/reference/configuration-statement/