Skip to main content

[ScreenOS] What is a Crypto-policy?

Crypto-policy is a set of access lists that determines the proposals to be used, when configuring VPN phase1 and phase2.
The following types of administrators can configure a crypto-policy:
  • Root administrator.
  • Read-write admin user, without any role attribute assigned.
  • Read-write admin user with a cryptographic role.
The default crypto-policy that is set on the firewall is as follows:

isg2000-> get crypto-policy
crypto policies:
  • encryption alg supported: ALL
  • authentication alg supported: ALL
  • DH group supported: ALL
  • mode supported: ALL
  • authentication method supported: ALL
  • no limitation for P1 lifetime
  • no limitation for P2 lifetime
  • no limitation for P2 lifesize 
To configure the crypto-policy, you have to provide the context via the following command:

isg2000-> set crypto-policy
isg2000(crypto-policy)->

The description of all the parameters that can be configured is as follows:

Encryption ALG-The encryption algorithms that can be configured are as
follows:
isg2000(crypto-policy)-> set encrypt-alg ?

3des 3DES - Encrypt Alg a
aes128 AES(128bits) - Encrypt Alg a
aes192 AES(192bits) - Encrypt Alg a
aes256 AES(256bits) - Encrypt Alg d
des DES - Encrypt Alg

Authentication ALG-The authentication algorithms that can be configured are as follows:

isg2000(crypto-policy)-> set auth-alg ?

md5 HMAC-MD5 - Auth Alg s
sha-1 HMAC-SHA1 - Auth Alg s
sha2-256 HMAC-SHA2-256 - Auth Alg

DH Group-The DH groups that can be configured are as follows:

isg2000(crypto-policy)-> set dh ?  

group1 DH Group 1 g
group14 DH Group 14 g
group19 DH Group 19 g
group2 DH Group 2 g
group20 DH Group 20 g
group5 DH Group 5 n
no-pfs no-pfs (only for p2 sa)

Mode-The configuration to support the Main or Aggressive mode is as follows:

isg2000(crypto-policy)-> set mode ?
 
aggressive Aggressive Mode m
main Main Mode (ID protection)

Authentication mode-This is the configuration that decides whether the preshared key or certificate-based authentication is supported:

isg2000(crypto-policy)-> set auth-method ?
 
dsa-sig Authenticated by DSA Signature e
eap Authenticated by EAP(only in V2 ) e
ecdsa-sig Authenticated by ECDSA Signature p
preshare Authenticated by Preshared Key r
rsa-sig Authenticated by RSA Signature
 
Phase-1 Lifetime- This is to configure the upper-limit on the Phase-1 lifetime:
isg2000(crypto-policy)-> set p1-sa-lifetime upper-threshold ?
 
days Lifetime in (day) h
hours Lifetime in (hour) m
minutes Lifetime in (min) s
seconds Lifetime in (sec)

Phase-2 Lifetime- This is to configure the upper-limit on the Phase-2 lifetime:

isg2000(crypto-policy)-> set p2-sa-lifetime upper-threshold ?

days Lifetime in (day) h
hours Lifetime in (hour) m
minutes Lifetime in (min) s
seconds Lifetime in (sec)
  
Phase-2 Lifesize- This is to configure the upper-limit on the Phase-2 lifesize:

isg2000(crypto-policy)-> set p2-sa-lifesize upper-threshold 

<number> Lifesize



 
Labels:

Comments

Post a Comment

Popular posts from this blog

MTBF MTTR MTTD

Post a Comment
Read more

Juniper SRX : Proxy ARP on Juniper SRX

Proxy ARP ( Address Resolution Protocol ) is a technique by which a intermediate network device like router replies to ARP request for a given IP address that is not part of local network.  The router acts as a proxy for the destination device to which the host wants to communicate and provides its own MAC address as the reply. Note: Proxy ARP can help devices on a network reach remote subnets without the need to configure routing or a default gateway. Disadvantages of Proxy ARP Proxy ARP can lead to security and performance issues on the network.  It poses a security risk by making the network vulnerable to ARP spoofinf attack. In attacks, malicious devices can impersonate proxies. Intercept or modify traffic between devices. It may introduce inconsistency into the network’s topology. Addressing scheme by concealing device locations and identities. Let see when and how proxy ARP is configured in Juniper by answering below questions which often comes to our mind ...
Post a Comment
Read more