SSG 20 Hardware Installation and Configuration Guide
Basic Firewall Protections
Verifying External Connectivity
Basic Firewall Protections
48
The devices are configured with a default policy that permits workstations in the
Trust zone of your network to access any resource in the Untrust security zone,
while outside computers are not allowed to access or start sessions with your
workstations. You can configure policies that direct the device to permit outside
computers to start specific kinds of sessions with your computers. For information
about creating or modifying policies, refer to the Concepts & Examples ScreenOS
Reference Guide.
The SSG 20 device provides various detection methods and defense mechanisms to
combat probes and attacks aimed at compromising or harming a network or
network resource:
ScreenOS SCREEN options secure a zone by inspecting, and then allowing or
denying, all connection attempts that require crossing an interface to that zone.
For example, you can apply port-scan protection on the Untrust zone to stop a
source from a remote network from trying to identify services to target for
further attacks.
The device applies firewall policies, which can contain content-filtering and
Intrusion Detection and Prevention (IDP) components, to the traffic that passes
the SCREEN filters from one zone to another. By default, no traffic is permitted
to pass through the device from one zone to another. To permit traffic to cross
the device from one zone to another, you must create a policy that overrides the
default behavior.
To set ScreenOS SCREEN options for a zone, use the WebUI or CLI as follows:
WebUI
Screening > Screen: Select the zone to which the options apply. Select the
SCREEN options that you want, then click Apply:
CLI
set zone zone screen option
save
For more information about configuring the network-security options available in
ScreenOS, refer to the Concepts & Examples ScreenOS Reference Guide.
To verify that workstations in your network can access resources on the Internet,
start a browser from any workstation in the network and enter the following URL:
www.juniper.net.