However, in some instances more information is needed. The majority of the features are shared across the platforms, so as you read through the rest of the book, you will be learning a skill set that you can apply to small hand-sized firewalls as well as larger devices. It has the majority of the EX Series switching features with the same configuration set.
Published (Last): 6 June 2004
PDF File Size: 18.12 Mb
ePub File Size: 11.43 Mb
Security Policy

Security policies, sometimes called firewall rules, are a method of selectively allowing traffic through a network. In a sense, security policies control who can talk to whom (or rather, what systems can talk to which other systems) and, more importantly, how the conversation takes place. Security policies also provide the means for logging, authentication, and accounting of network traffic. The SRX evaluates every packet that passes through its zones and determines whether the traffic is permitted, dropped, logged, or more deeply inspected, or if it requires further authentication.
This chapter explores how the SRX evaluates traffic and performs security policy lookups, how to configure those security policies, and some common issues to avoid. When a packet arrives, the SRX first performs a session lookup to see whether the packet is already part of an existing session.
If the packet is part of an existing session, it takes what is referred to as the fast path. If it is not found to be part of an existing session, it goes down the slow path. The fast path has fewer steps involved in checking the packet, and as a result, it is much faster at processing the packet.

Figure: Where policy evaluation in the SRX packet flow takes place

Why does the security policy lookup take place after so many other checks?
The SRX is a zone-based firewall, meaning that all security policies are associated with zones and those zones are tied to interfaces. The SRX must perform a route lookup to determine the destination zone context before it can examine the correct security policies.
Any of these steps might result in the packet being dropped, even before security policy evaluation. By default, three security zones come preconfigured on the SRX: the Trust zone, the Untrust zone, and the junos-global zone. Once a new zone has been created, there are a few features that can be turned on, one of which is TCP-RST. What does that mean? Well, it basically means that if a session has timed out or is started improperly, the SRX will tell the source node that it needs to restart the TCP connection.
Additional zone configuration items include:

Host-inbound-traffic: This tells the SRX what to allow to this security zone. Any protocols or system services that need to be allowed to go to the SRX should be configured under host-inbound-traffic.

The example allow-users policy is built from the following elements:

Destination zone: The destination, or to-zone, is labeled as Internet.

Policy: This is a descriptive name assigned to the policy.

Source address: The source address group is inside-users. A source address is a collection or a single IP address used in policy to dictate who is initiating this connection.

Destination address: In the example allow-users policy, the destination address is any. The destination address again is a collection or a single IP address that the source is talking to. In this case, any means any destination.

Service: In the example allow-users policy, the service is any.
These items are all part of the match statement, which details to what and to whom this policy applies. The last line of the example policy is an action configured to take place if the traffic matches the criteria of the first lines, referred to as the then statement. If traffic is initiated from the Trust zone, has a destination address in the Internet zone, and is from the inside-users segment, the SRX permits the traffic. The then statement describes what action should be taken. The security policy is what matches traffic and tells the SRX whether to send the packet or flow for deeper inspection.
Keep in mind that multiple actions can be configured inside the then statement. As the SRX evaluates an incoming packet, once a matching policy is found no further policies are evaluated. Two points follow from this. First, not all configured policies are evaluated when the SRX does its policy processing. Only the policies that have been configured between the matching from-zone and to-zone are evaluated. Second, the policy tables are evaluated in a top-down fashion, which means the order of your policies is very important.
When the SRX finds a matching policy, it takes whatever action that policy specifies. So, when a broad permit policy is listed above a more specific deny, the SRX matches the permit first during its policy lookup; the second policy never gets hit and the inside-users network is never protected from accessing those bad hosts. This also means you cannot write global policies that apply to all zones. We will discuss proper policy processing throughout this chapter.
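To make the ordering rule concrete, here is an added Python model of the lookup (example code written for this page, not from the book or from Junos). The zone pair, the inside-users and bad-hosts address entries, and the application table are constructed for illustration; it also shows that policies in a different zone context are never evaluated.

```python
from ipaddress import ip_network, ip_address

# Constructed sample data (not from the book) for one Trust -> Internet zone pair.
ADDRESS_BOOK = {"inside-users": ["10.1.0.0/16"], "bad-host-1": ["203.0.113.10/32"],
                "bad-host-2": ["203.0.113.11/32"], "any": ["0.0.0.0/0"]}
ADDRESS_SETS = {"bad-hosts": ["bad-host-1", "bad-host-2"]}   # set -> address-book names
# Applications as (protocol, low dest port, high dest port); None protocol = any.
APPLICATIONS = {"junos-http": ("tcp", 80, 80), "junos-https": ("tcp", 443, 443),
                "any": (None, 0, 65535)}

def resolve(name):
    """Expand an address-set into address-book entries, then into networks."""
    return [ip_network(p) for n in ADDRESS_SETS.get(name, [name]) for p in ADDRESS_BOOK[n]]

def addr_matches(name, ip):
    return any(ip_address(ip) in net for net in resolve(name))

def app_matches(name, proto, dport):
    p, lo, hi = APPLICATIONS[name]
    return (p is None or p == proto) and lo <= dport <= hi

def lookup(policies, from_zone, to_zone, src, dst, proto, dport):
    """First-match lookup as the SRX does it: only policies in the matching
    from-zone/to-zone context are considered, top-down, and the first match wins.
    No match falls through to an implicit deny."""
    for pol in policies:
        if (pol["from"], pol["to"]) != (from_zone, to_zone):
            continue   # wrong zone pair: not evaluated at all
        if (addr_matches(pol["src"], src) and addr_matches(pol["dst"], dst)
                and app_matches(pol["app"], proto, dport)):
            return pol["name"], pol["then"]
    return None, "deny"

ALLOW = {"name": "allow-users", "from": "Trust", "to": "Internet",
         "src": "inside-users", "dst": "any", "app": "any", "then": "permit"}
BLOCK = {"name": "block-bad", "from": "Trust", "to": "Internet",
         "src": "inside-users", "dst": "bad-hosts", "app": "junos-http", "then": "deny"}
SHADOWED = [ALLOW, BLOCK]    # broad permit first: the deny can never be hit
CORRECTED = [BLOCK, ALLOW]   # specific deny first, then the general permit

if __name__ == "__main__":
    flow = ("Trust", "Internet", "10.1.2.3", "203.0.113.10", "tcp", 80)
    print(lookup(SHADOWED, *flow))   # ('allow-users', 'permit')
    print(lookup(CORRECTED, *flow))  # ('block-bad', 'deny')
```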
It really is key to establishing secure and efficient premises, and it depends on how you create the policies. The SRX will do exactly what you tell it to do. That means when you are configuring policies you must ensure that if a destination NAT is configured, the security policies are using the new NATed address instead of the nontranslated original address. While viewing the security policies you can issue the optional detail command at the end of any policy lookup.
The detail switch gives you additional information regarding the security policies, such as their address books and applications. Policies must be written to allow traffic to pass between the security zones. By default, there are two configured policies: the default-permit from Trust to Internet and the default-deny from Internet to Trust. Any additional behaviors must be configured to block or permit the desired traffic. Remember, if additional access is needed from the Internet zone to the Trust zone, the new security policy must be placed before the default-deny.
The order of policies is very important. Another way to view a specific policy, instead of looking at a large list, is to view it by policy-name. The count statement then enables counters for the specific policy. This tells the SRX to keep track of statistics on this policy.

Note: You must configure counting directly on each policy on which counting is needed.

The session ramp rate is the number of sessions per second (sps in the preceding output) that the SRX has handled as a result of this policy.
Policy counters allow for much more visibility into the details of a policy, but do proceed with caution. Policy counters can add a bit of overhead to the policy processing, and if the device is a lower-end SRX it might be wise to limit the number of policies that have counters enabled to only those that are truly needed. On the higher-end models, policy counters will add a minor amount of overhead, but it is much less noticeable. To reset policy counters back to zero use the clear security policies statistics command.
Note: An event script is an automated script that runs directly on the SRX when triggered by a certain event or log. Event scripts are outside the scope of this book.

The session table is a real-time list of current sessions going through the SRX.
One very important thing to note is that if a flow is in the session table, it has already been permitted by policy and the session has been created; the SRX has allowed this connection and all return traffic for this flow to pass through. The timeout is 1,800 seconds, or 30 minutes; 30 minutes is the default timeout for TCP traffic. Both the source IP, Even so, the ability to search through the session table is extremely important, and Juniper has added some great filters to assist with this.
As always, use the question mark (?) to see the available options. Another feature that has been added in Junos but was not available in ScreenOS is the ability to search not only by a source IP or destination IP, but also by an entire subnet. In the following output, two filters have been applied: the source-prefix filter and the destination port filter. The new address-book has been assigned the label of web1, and the IP address of web1 is

Warning: Some address-book names are reserved internally for the SRX and cannot be used.
An address-set is simply a grouping of address books. Think of the address-book as a business card with information such as a phone number and name. Those business cards can all be stored into a single Rolodex or an address-set. Creating an address-set is similar to creating an address-book. Now, when policy is written later, instead of writing policy for both web1 and web2 we can just use web-servers and it is applied to both. The SRX comes with a large list of preconfigured applications with much of the hard work already done.
The protocol, source port, destination port, and other values have already been configured. All we need to do is to assign it to a policy. These predefined applications start with junos-. This is a useful feature that replaces the need to write the same policy again and again just to permit a single additional service. You must configure the following items when configuring a custom application:

Application name: This is a label assigned to the custom application.

Source-port: This is the source port for the application. Keep in mind that most of the time the source port is a randomly assigned port between and . Any is not an accepted configuration option; however, a range can be used.

Destination-port: This is the destination port or range.

Inactivity-timeout: This is how long the SRX will let the connection go idle before removing it from the session table. This value is configured in seconds and is optional.

The first policy to create is to allow system administrators on the Trust zone to manage the web servers on the web-dmz zone and log the traffic.

Figure: Dept-A data path to web servers

Blocking Unwanted Traffic

The next thing we need to do as we explore our sample policy structure is to deny unwanted outbound traffic from the users zone. In cases of Trust to Untrust, there is a default permit.
Network operators may wish to block undesired programs and protocols that this default permit would otherwise allow onto the network, such as instant messaging clients, outbound email (with the exception of email going through the corporate email servers), and many popular P2P applications. In this type of situation, we would need to explicitly block them.
With deny, the packet is dropped and logged (if configured to do so). Reject also drops the packet (and logs it if configured to do so), but it additionally sends an ICMP Port Unreachable packet to the initiating source for every packet that is rejected. This is used to inform the end host that the traffic was dropped. In nearly all cases, the authors of this book highly recommend using deny instead of reject.
For the same reason as the zone TCP-RST configuration, policies configured with reject could allow malicious users to notice the SRX on your network and assist them in mapping out your security policies.
Junos Security by Rob Cameron, Brad Woodberg, Patricio Giecco, Timothy Eberhard, James Quinn
Juniper SRX Series