JN0-335 Exam Dumps : Security, Specialist (JNCIS-SEC)

• A stateful firewall in SRX Series devices keeps track of the state of network connections, distinguishing legitimate packets for different types of connections and allowing only packets that match a known active connection. Sessions are created when a TCP SYN packet is received and permitted by the security policy1.
• A security policy is a set of rules that defines how traffic is processed by the SRX Series device. A security policy applies the security rules to the transit traffic within a context (from-zone to to-zone) and each policy is uniquely identified by its name. The traffic is classified by matching the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane2.
• A Layer 3 route is a path that a packet takes to reach its destination based on the destination IP address. The SRX Series device performs a longest-match Layer 3 route table lookup to determine the next hop for the packet3.
• An Application Layer Gateway (ALG) is a software component that provides application-level awareness, security, and control for specific protocols. An ALG inspects the application-layer payload of a packet and modifies it if necessary to allow the application to traverse the SRX Series device. For example, an ALG can rewrite IP addresses and port numbers in the payload of FTP or SIP packets4.
• The sequence that an SRX Series device uses when implementing stateful session security policies using Layer 3 routes is as follows3:

References:

• 1: Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks
• 2: Best Practices for Defining Policies on High-End SRX Series Devices - TechLibrary - Juniper Networks
• 3: [SRX] Example: Configuring TCP SYN Check options on a per-policy basis
• 4: Application Layer Gateways Overview | Junos OS | Juniper Networks

SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted.

Policy Enforcer is a Junos Space Security Director component that allows updated security policies to be deployed across Juniper SRX Series firewalls, MX Series 5G Universal Routing Platforms, EX Series Ethernet Switches, QFX Series Switches, and third-party network devices1. Policy Enforcer can leverage the DDoS protection feature of Juniper devices to detect and mitigate DDoS attacks on the network. The DDoS protection feature is based on two main components: the classification of host-bound control plane traffic and a hierarchical set of individual- and aggregate-level policers that cap the volume of control plane traffic that each protocol type is able to send to the Routing Engine (RE) for processing2. The DDoS protection feature is supported on MX Series routers and QFX Series switches, among other devices3. Therefore, the correct devices to use for DDoS protection with Policy Enforcer are MX and QFX.

The other options are not correct for the following reasons:

• vQFX is a virtual switch that emulates the QFX Series switches for testing and development purposes. It does not support the DDoS protection feature4.
• vMX is a virtual router that emulates the MX Series routers for testing and development purposes. It does not support the DDoS protection feature.

References: Policy Enforcer DDoS Protection Case Study Protection against distributed denial of service (DDoS) attacks vQFX10000 Overview [vMX Overview]