Facebook applications apply to which of the following zones of social media?
Application firewall (AppFW) provides policy-based enforcement and control on traffic based on application signatures. By using AppFW, you can block any application traffic not sanctioned by the enterprise. For more information, see the following topics:
Application Firewall Overview
This topic includes the following sections:
Limitations with Stateful Firewalls
Traditionally, stateful firewalls could control applications such as HTTP, SMTP, and DNS because these applications used only well-known standard ports. However, it is now possible to run these applications on any port as long as the client and server use the same protocol and the same ports. Because of this, standard stateful firewalls are not able to detect evasive applications. Additionally, with the growing popularity of Web applications and the shift from traditional full client-based applications to the Web, more and more traffic is transmitted over HTTP. Because stateful firewalls inspect traffic based only on Layer 3 and Layer 4, this limitation leaves them open to application-layer exploits.
Application Firewall
Juniper Networks’ application firewall (AppFW) uses the results of application identification to make an informed decision to permit, deny, reject, or redirect traffic based on applications. AppFW enables you to enforce policy control on Layer 7 traffic. A predefined signature database is available on the Juniper Networks Security Engineering website. This database includes a library of application signatures. See Application Signatures for more details. The signature pages give you visibility into the application category, group, risk level, ports, and so on. AppFW allows you to block applications based on their application signatures while still allowing other HTTP traffic to pass through the firewall. For example, an application firewall rule could block HTTP traffic from Facebook but allow Web access to HTTP traffic from MS Outlook.
Benefit of Application Firewall
Application Firewall with Unified Policies
Starting in Junos OS Release 18.2R1, you can use unified policies to get the same functionality as an AppFW configuration. Unified policies use the application identity information from the application identification (AppID) service to permit, deny, reject, or redirect traffic. A unified policy configuration handles all application firewall functionality and simplifies the task of configuring a firewall policy. Read one of the following topics for configuring AppFW:
Application Firewall Support with Unified Policies
Starting in Junos OS Release 18.2R1, SRX Series devices and vSRX instances support unified policies, allowing granular control and enforcement of Layer 7 dynamic applications within the traditional security policy. Unified policies are the security policies that enable you to use dynamic applications as match conditions as part of the existing 5-tuple or 6-tuple (5-tuple with user firewall) match conditions to detect application changes over time.
For an example of configuring a unified policy, see Configuring Unified Security Policies.
Example: Configure Application Firewall with Unified Policy
This example describes how to configure a unified policy to allow or block traffic based on the applications.
System Requirements
This example uses the following hardware and software components:
Before You Begin
Overview
In this example, you configure a very common scenario: blocking certain applications and application groups such as Yahoo-Mail and Facebook-Access.
Topology
This example uses the topology shown in Figure 1.
Figure 1: Topology For Unified Policies Example
This example uses the following zones and interfaces configuration.
Create a security policy configuration to block certain applications using the following steps:
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the
    set security dynamic-application profile profile1 redirect-message type custom-text content "THIS APPLICATION IS BLOCKED"
    set security policies from-zone trust to-zone untrust policy policy-1 match source-address any
    set security policies from-zone trust to-zone untrust policy policy-1 match destination-address any
    set security policies from-zone trust to-zone untrust policy policy-1 match application any
    set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:YAHOO-MAIL
    set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:FACEBOOK-ACCESS
    set security policies from-zone trust to-zone untrust policy policy-1 then reject profile profile1
    set security policies default-policy permit-all
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces ge-0/0/1.0
    set interfaces ge-0/0/0 unit 0 family inet address 4.0.0.254/24
    set interfaces ge-0/0/1 unit 0 family inet address 5.0.0.254/24
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a unified policy using dynamic applications:
Results
From configuration mode, confirm your configuration by entering the
If you are done configuring the device, enter
Verification
Use the following procedures to verify the policy configuration.
Verifying Policy Action
Purpose
Verify that the unified policy has blocked the configured applications.
Action
From your Web browser, try to access the application, for example, Yahoo-Mail. The system displays the redirect message as shown in the following image.
Meaning
Whenever the security policy rejects traffic based on the dynamic application, the output displays the redirect message that you configured in the dynamic application profile.
Verifying Unified Policy Configuration
Purpose
Verify that the unified policy configuration is correct.
Action
From operational mode, enter the
Meaning
The output displays information about the security policy. Verify the following information:
Traditional Application Firewall
This topic includes the following sections:
Understanding How Application Firewall Works
Just as you can use an existing security policy to enforce traditional firewall controls on traffic, you can use the AppFW module to block certain application traffic based on application signatures, while still allowing other HTTP traffic to pass through the firewall. The security device processes traffic in the following sequence when you have configured AppFW:
Application Firewall Rule Sets and Rules
Consider the following when configuring application firewall:
Application Firewall with ALG
On your security devices, when you enable ALG, application identification includes the ALG results to identify the applications in the control session. AppFW permits ALG data sessions whenever control sessions are permitted. If the control session is denied, there will be no data sessions. If you disable ALG, application identification relies on signatures to identify the application in the control and data sessions. If a signature match is not found, the application is considered unknown. AppFW handles the applications based on the application identification result.
Unknown Applications
Application identification classifies unknown dynamic applications with ID junos:UNKNOWN. AppID uses the reserved keyword junos:UNKNOWN in the following cases:
Traffic with an application ID of junos:UNKNOWN matches a rule with a dynamic application of junos:UNKNOWN. If there is no rule defined for junos:UNKNOWN, the default rule is applied.
Session Logging for Application Firewalls
You can log the traffic by enabling the log option under a security policy. Note the following while you inspect a log message when AppFW is configured as given in Table 1:
Table 1: Session Logging for Application Firewall Configuration
Application Firewall Support in Chassis Cluster
When your security device is in chassis cluster mode, the AppFW action before and after the failover depends on the application identification state, as shown in Table 2.
Table 2: Application Firewall Actions
Note the following when you have your security device in chassis cluster mode:
Creating Redirects in Application Firewall
When AppFW denies or rejects traffic, it does not notify clients that such action is taken. Clients, unaware that their request was rejected, might keep trying to access the Web page. To alleviate this inconvenience, Junos OS allows you to provide an explanation for the action or to redirect the client to an informative webpage. The following examples show you how to create a redirect message.
Redirect with Block Message
Use the
    .....
    rule 1 {
        match {
            dynamic-application junos:FACEBOOK-CHAT;
        }
        then {
            reject {
                block-message;
            }
        }
    }
    .....
When AppFW rejects the traffic, a splash screen displays the following default message to the user:
    user-name, Application Firewall has blocked your request to application FACEBOOK-CHAT at dst-ip:dst-port accessed from src-ip:src-port.
Customize Redirect Message
You can customize the redirect action by including additional text on the splash screen or by specifying a URL to which you can redirect a user. To customize the block message, you must create a block message profile at
    ...
    profile Redirect-Profile {
        block-message {
            type {
                custom-text {
                    content "YOUR APPLICATION IS BLOCKED AS PER THE ORGANIZATION POLICY";
                }
            }
        }
    }
    ...
Next, you refer to the block message profile in the AppFW rule set, and apply it to one or more of the rules using the
    rule-sets Ruleset-1 {
        rule 1 {
            match {
                dynamic-application junos:FACEBOOK-CHAT;
            }
            then {
                reject {
                    block-message;
                }
            }
        }
        profile Redirect-Profile;
    }
In this case, AppFW displays the configured block message whenever it rejects the traffic based on the configured rule.
Customize Redirect Message with URL
When AppFW rejects or redirects the traffic, you can redirect the client to the specified Web page for further action. The URL can be hosted on either the SRX Series device or an external server. You can set the redirect to the other server by configuring the block-message type as custom-redirect-url, as shown in the sample below:
    profile Redirect-Profile {
        block-message {
            type {
                custom-redirect-url {
                    content http://abc.company.com/information;
                }
            }
        }
    }
Next, you refer to the block message profile in the AppFW rule set, and apply it to one or more of the rules using the
    rule-sets Ruleset-1 {
        rule 1 {
            match {
                dynamic-application junos:FACEBOOK-CHAT;
            }
            then {
                reject {
                    block-message;
                }
            }
        }
        profile Redirect-Profile;
    }
In this case, AppFW redirects the user to the URL http://abc.company.com/information whenever it rejects the traffic based on the configured rule.
Example: Configuring Application Firewall
This example shows how to configure application firewall rule sets within the security policy.
Before You Begin
System Requirements
Overview
In this example, you create application firewall for the following two common scenarios as described in Table 3.
Table 3: Configure Application Firewall to Permit or Deny Traffic
Note: On all SRX Series devices, J-Web pages for AppSecure Services are preliminary. We recommend using CLI for configuration of AppSecure features.
Configuration
Application Firewall Rule to Explicitly Deny Certain Application and Permit All Else
In this example, you block the dynamic applications junos:FACEBOOK-CHAT and junos:FACEBOOK-FARMVILLE and allow the remaining traffic.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the
    set security policies from-zone untrust to-zone trust policy policy1 match source-address any
    set security policies from-zone untrust to-zone trust policy policy1 match destination-address any
    set security policies from-zone untrust to-zone trust policy policy1 match application junos-http
    set security policies from-zone untrust to-zone trust policy policy1 then permit application-services application-firewall rule-set rs1
    set security application-firewall rule-sets rs1 rule r1 match dynamic-application [ junos:FACEBOOK-CHAT junos:FACEBOOK-FARMVILLE ]
    set security application-firewall rule-sets rs1 rule r1 then deny
    set security application-firewall rule-sets rs1 default-rule permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.
To configure two security policies with application firewall rule sets that permit or deny traffic from different dynamic applications:
Results
From configuration mode, confirm your configuration by entering the
    [edit]
    user@host# show security policies
    from-zone untrust to-zone trust {
        policy policy1 {
            match {
                source-address any;
                destination-address any;
                application junos-http;
            }
            then {
                permit {
                    application-services {
                        application-firewall {
                            rule-set rs1;
                        }
                    }
                }
            }
        }
    }
    user@host# show security application-firewall
    rule-sets rs1 {
        rule r1 {
            match {
                dynamic-application [ junos:FACEBOOK-CHAT junos:FACEBOOK-FARMVILLE ];
            }
            then {
                deny;
            }
        }
        default-rule {
            permit;
        }
    }
If you are done configuring the device, enter
Application Firewall Rule to Explicitly Permit Certain Application and Deny All Else
In this example, you permit the dynamic application junos:FACEBOOK-ACCESS and block the remaining traffic.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the
    set security policies from-zone untrust to-zone trust policy policy2 match source-address any
    set security policies from-zone untrust to-zone trust policy policy2 match destination-address any
    set security policies from-zone untrust to-zone trust policy policy2 match application any
    set security policies from-zone untrust to-zone trust policy policy2 then permit application-services application-firewall rule-set rs2
    set security application-firewall rule-sets rs2 rule r1 match dynamic-application [ junos:FACEBOOK-ACCESS junos:UNKNOWN ]
    set security application-firewall rule-sets rs2 rule r1 then permit
    set security application-firewall rule-sets rs2 default-rule deny
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.
To configure two security policies with application firewall rule sets that permit or deny traffic from different dynamic applications:
Results
From configuration mode, confirm your configuration by entering the
    [edit]
    user@host# show security policies
    from-zone untrust to-zone trust {
        policy policy2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        application-firewall {
                            rule-set rs2;
                        }
                    }
                }
            }
        }
    }
    user@host# show security application-firewall
    rule-sets rs2 {
        rule r1 {
            match {
                dynamic-application [ junos:FACEBOOK-ACCESS junos:UNKNOWN ];
            }
            then {
                permit;
            }
        }
        default-rule {
            deny;
        }
    }
If you are done configuring the device, enter
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Application Firewall Configuration
Purpose
Verify information about application firewall support enabled under the security policy.
Action
To verify the security policy configuration enabled with application firewall, enter the
Meaning
The output displays information about application firewall enabled policies configured on the system. Verify the following information.
Example: Configuring Application Firewall with Application Groups
The application identification (AppID) module manages predefined application groups. An application group includes related applications under a single name for simplified, consistent reuse in any application services. An application group can contain multiple applications and application groups simultaneously. It is possible to assign one application to multiple groups. You can configure an AppFW rule to permit or to deny traffic by specifying a predefined application group along with applications as match criteria. The advantage of using predefined application groups is that, as the application signature database changes, the predefined application group is modified automatically to include new signatures. In this case, if you already have an AppFW rule with a predefined application group, the inclusion of new signatures in the application group does not affect the existing AppFW rule. This example shows how to configure application groups in an AppFW rule set.
Before You Begin
System Requirements
Overview
In this example, you configure a security policy to control outbound traffic from the trust zone to the untrust zone. Next, you create an AppFW rule to allow specific application traffic (junos:GOOGLETALK) but deny all other known similar application traffic (social networking traffic) using an application group. The order of the AppFW rules is very important because the predefined group junos:social-networking includes the junos:GOOGLETALK application. To allow junos:GOOGLETALK traffic and deny the rest of the group, you must place the rule permitting junos:GOOGLETALK traffic before the rule denying traffic from the rest of the applications in the group.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the
    set security application-firewall rule-sets social-network rule google-rule match dynamic-application junos:GOOGLETALK
    set security application-firewall rule-sets social-network rule google-rule then permit
    set security application-firewall rule-sets social-network rule denied-sites match dynamic-application-groups junos:social-networking
    set security application-firewall rule-sets social-network rule denied-sites match dynamic-application junos:UNKNOWN
    set security application-firewall rule-sets social-network rule denied-sites then deny
    set security application-firewall rule-sets social-network default-rule permit
    set security policies from-zone trust to-zone untrust policy outbound-traffic match source-address any
    set security policies from-zone trust to-zone untrust policy outbound-traffic match destination-address any
    set security policies from-zone trust to-zone untrust policy outbound-traffic match application junos-http
    set security policies from-zone trust to-zone untrust policy outbound-traffic then permit application-services application-firewall rule-set social-network
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure application firewall rule-sets and security policies for outbound traffic:
Results
From configuration mode, confirm your configuration by entering the
    [edit]
    user@host# show security application-firewall
    ...
    rule-sets social-network {
        rule google-rule {
            match {
                dynamic-application junos:GOOGLETALK;
            }
            then {
                permit;
            }
        }
        rule denied-sites {
            match {
                dynamic-application-groups junos:social-networking;
                dynamic-application junos:UNKNOWN;
            }
            then {
                deny;
            }
        }
        default-rule {
            permit;
        }
    }
    ...
    [edit]
    user@host# show security policies
    from-zone trust to-zone untrust {
        ...
        policy outbound-traffic {
            match {
                source-address any;
                destination-address any;
                application junos-http;
            }
            then {
                permit {
                    application-services {
                        application-firewall {
                            rule-set social-network;
                        }
                    }
                }
            }
        }
        ...
    }
If you are done configuring the device, enter
Verification
Verifying Application Firewall Configuration
Purpose
Verify information about application grouping support under the application firewall policy.
Action
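The rule-ordering note in the application-group example and the junos:UNKNOWN behavior described earlier, modeled as an added example (not part of the original page or the vendor's code): a small Python parser for AppFW rule-set `set` commands with first-match evaluation and a default rule. The second member of junos:social-networking and all function names are assumptions for illustration.

```python
import re

# Constructed input: rule-set commands from the application-group example and
# from the "deny certain applications" example (rs1), one command per line.
CONFIG = """\
set security application-firewall rule-sets social-network rule google-rule match dynamic-application junos:GOOGLETALK
set security application-firewall rule-sets social-network rule google-rule then permit
set security application-firewall rule-sets social-network rule denied-sites match dynamic-application-groups junos:social-networking
set security application-firewall rule-sets social-network rule denied-sites match dynamic-application junos:UNKNOWN
set security application-firewall rule-sets social-network rule denied-sites then deny
set security application-firewall rule-sets social-network default-rule permit
set security application-firewall rule-sets rs1 rule r1 match dynamic-application [ junos:FACEBOOK-CHAT junos:FACEBOOK-FARMVILLE ]
set security application-firewall rule-sets rs1 rule r1 then deny
set security application-firewall rule-sets rs1 default-rule permit
"""

# Assumption: the page only states that junos:social-networking contains
# junos:GOOGLETALK; the second member is added here for illustration.
GROUPS = {"junos:social-networking": {"junos:GOOGLETALK", "junos:FACEBOOK-ACCESS"}}

PREFIX = "set security application-firewall rule-sets "


def parse_rule_sets(text):
    """Build {rule-set: {"rules": {name: rule}, "default": action}} in config order."""
    rule_sets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue  # not an AppFW rule-set statement
        # Brackets and commas only delimit value lists, so drop them.
        tok = re.sub(r"[\[\],]", " ", line[len(PREFIX):]).split()
        if len(tok) < 3:
            continue
        rs = rule_sets.setdefault(tok[0], {"rules": {}, "default": None})
        if tok[1] == "default-rule":
            rs["default"] = tok[2]
        elif tok[1] == "rule" and len(tok) >= 5:
            rule = rs["rules"].setdefault(
                tok[2], {"apps": set(), "groups": set(), "action": None})
            if tok[3] == "then":
                rule["action"] = tok[4]
            elif tok[3:5] == ["match", "dynamic-application"]:
                rule["apps"].update(tok[5:])
            elif tok[3:5] == ["match", "dynamic-application-groups"]:
                rule["groups"].update(tok[5:])
    return rule_sets


def evaluate(rule_set, app_id, groups=GROUPS):
    """Return (action, rule name): first matching rule wins, else the default rule."""
    for name, rule in rule_set["rules"].items():
        in_group = any(app_id in groups.get(g, ()) for g in rule["groups"])
        if app_id in rule["apps"] or in_group:
            return rule["action"], name
    return rule_set["default"], "default-rule"


def reordered(rule_set, order):
    """Copy of a rule set with its rules in a different order (what-if analysis)."""
    return {"rules": {n: rule_set["rules"][n] for n in order},
            "default": rule_set["default"]}


if __name__ == "__main__":
    sets = parse_rule_sets(CONFIG)
    social = sets["social-network"]
    for app in ("junos:GOOGLETALK", "junos:FACEBOOK-ACCESS", "junos:UNKNOWN"):
        print(app, "->", evaluate(social, app))
    # Deny rule first: GOOGLETALK is caught by the group and never reaches its permit.
    swapped = reordered(social, ["denied-sites", "google-rule"])
    print("swapped order:", evaluate(swapped, "junos:GOOGLETALK"))
    # rs1 has no junos:UNKNOWN rule, so unidentified traffic takes the default rule.
    print("rs1 UNKNOWN:", evaluate(sets["rs1"], "junos:UNKNOWN"))
```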
Example: Configuring Application Firewall When SSL Proxy Is Enabled
This example describes how to configure AppFW when you have enabled the SSL proxy. For application junos-https, SSL proxy detects an SSL session based on the dynamic application identified for that session. If any known Web servers are running on nonstandard ports, you can use a custom Junos OS application to identify the application. However, if the Web servers are not known, for example on the Internet, you can use application any. Non-SSL sessions that come across the policy rule are ignored by SSL proxy. A syslog SSL_PROXY_SESSION_IGNORE is sent out for these sessions. Juniper Networks recommends that you use application “any” with caution because this can result in a lot of traffic, incurring initial SSL proxy processing and thereby impacting performance. The security device bypasses SSL proxy services, even when an SSL proxy profile is attached to the security rule, if none of the services (AppFW, IDP, or AppTrack) are configured.
Requirements
Before you begin:
System Requirements
Overview
In this example, you configure two security policies with AppFW rule sets to permit or deny plain text or encrypted traffic:
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the
    set security policies from-zone Z_1 to-zone Z_2 policy policy1 match source-address any
    set security policies from-zone Z_1 to-zone Z_2 policy policy1 match destination-address any
    set security policies from-zone Z_1 to-zone Z_2 policy policy1 match application junos-https
    set security policies from-zone Z_1 to-zone Z_2 policy policy1 then permit application-services application-firewall rule-set appfw-rs-1
    set security policies from-zone Z_1 to-zone Z_2 policy policy1 then permit application-services ssl-proxy profile-name ssl-profile-1
    set security policies from-zone Z_1 to-zone Z_2 policy policy2 match source-address any
    set security policies from-zone Z_1 to-zone Z_2 policy policy2 match destination-address any
    set security policies from-zone Z_1 to-zone Z_2 policy policy2 match application junos-http
    set security policies from-zone Z_1 to-zone Z_2 policy policy2 then permit application-services application-firewall rule-set appfw-rs-2
    set security application-firewall rule-sets appfw-rs-1 rule rule1 match dynamic-application [junos:ORACLE]
    set security application-firewall rule-sets appfw-rs-1 rule rule1 then permit
    set security application-firewall rule-sets appfw-rs-1 default-rule deny
    set security application-firewall rule-sets appfw-rs-2 rule rule1 match dynamic-application [junos:HULU]
    set security application-firewall rule-sets appfw-rs-2 rule rule1 then deny
    set security application-firewall rule-sets appfw-rs-2 default-rule permit
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.
Results
From configuration mode, confirm your configuration by entering the
If you are done configuring the device, enter
Note:
Verifying Application Firewall In an SSL Proxy Enabled Policy
Purpose
Verify that the application is configured correctly when SSL proxy is enabled in a policy.
Action
From operational mode, enter the
The following output shows the options for the
    user@host> show security flow session ?
    Possible completions:
      <[Enter]>                      Execute this command
      application                    Application protocol name
      application-firewall           Show application-firewall sessions
      application-firewall-rule-set  Show application firewall sessions matching rule-set name
      brief                          Show brief output (default)
      destination-port               Destination port (1..65535)
      destination-prefix             Destination IP prefix or address
      dynamic-application            Dynamic application name
      extensive                      Show detailed output
    + encrypted                      Show encrypted traffic
      family                         Show session by family
      idp                            Show idp sessions
      interface                      Name of incoming or outgoing interface
      nat                            Show sessions with network address translation
      protocol                       IP protocol number
      resource-manager               Show sessions with resource manager
      session-identifier             Show session with specified session identifier
      source-port                    Source port (1..65535)
      source-prefix                  Source IP prefix or address
      summary                        Show output summary
      tunnel                         Show tunnel sessions
      |                              Pipe through a command
To display SSL encrypted UNKNOWN sessions, use the
To display all HTTPS sessions, use the
Release History Table
18.2R1
Starting in Junos OS Release 18.2R1, Application Firewall (AppFW) functionality is deprecated, rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. As a part of this change, the
What are the 4 zones of social media?
Social media zones include social communities, social publishing, social entertainment, and social commerce. Think about the different ways you use social media and which zones you utilize. You probably use all of the zones.
What is the role of Facebook in social media?
Facebook is a social media networking site that allows users to connect with friends, family, co-workers and others, including groups of people who share similar interests. Users can share pictures, videos, articles and opinions with their friends.
What are the areas of social media?
Traditional social networking sites. Most of us are familiar with social networking sites like Facebook, Twitter, LinkedIn, and TikTok.
Social review sites.
Image and video sharing sites.
Video hosting sites.
Community blogs.
Discussion sites.
What are the three types of media applied to the social media?
Different Types of Social Media Networks
Social Networks: Facebook, Twitter, LinkedIn.
Media Sharing Networks: Instagram, Snapchat, YouTube.
Discussion Forums: Reddit, Quora, Digg.
Bookmarking & Content Curation Networks: Pinterest, Flipboard.
Consumer Review Networks: Yelp, Zomato, TripAdvisor.