Junos Security Chapter 3: Zones 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services
Chapter Objectives After successfully completing this chapter, you will be able to: Describe a zone and its purpose Define types of zones Explain the application of zones Configure zones Monitor zones www.juniper.net 3-2
Agenda: Zones The Definition of Zones Zone Configuration Monitoring Security Zones www.juniper.net 3-3
What Is a Zone? A zone is a collection of one or more network segments sharing identical security requirements Security policies control transit traffic between zones Null zone: Default zone Drops all traffic Interfaces can pass and accept traffic only if assigned to non-null zones Exception for special interfaces like fxp0 www.juniper.net 3-4
Review: Packet Flow Focus of Forwarding this chapter Flow Module Session-based No Screen Options D-NAT Route Zones Policy S-NAT Services Session ALG First Path Match Session? Yes SCREEN Options TCP NAT Fast Path Services ALG Packet-based Per-Packet Policer Per-Packet Filters Per-Packet Shaper Ingress Packet Egress Packet www.juniper.net 3-5
Hierarchical Dependencies (1 of 2) A strict hierarchical linkage exists between zones and interfaces You assign logical interfaces to a zone You cannot assign a logical interface to multiple zones You can also assign logical interfaces to a routing instance You cannot assign a logical interface to multiple routing instances All zone logical interfaces must belong to the same routing instance www.juniper.net 3-6
Hierarchical Dependencies (2 of 2) Relationship between interfaces, zones, and routing instances Juniper Networks Device F.T. F.T. Interfaces Zones Zone A Zone B Zone C Zone D Routing Instance Forwarding Table Routing Instance 1 Routing Instance 2 www.juniper.net 3-8
Zone Types Zone Types User-defined (can be configured) System-defined (cannot be configured) Security Functional Null www.juniper.net 3-9
Security Zones Security zones: A collection of one or more network segments requiring the regulation of inbound and outbound traffic through the use of policies Used to filter traffic destined for the device itself Used to filter transit traffic Intrazone and interzone transit traffic flow require security policies No defined default security zones Cannot share between routing instances User-defined (can be configured) Security Functional www.juniper.net 3-10
Functional Zones Functional zones are special-purpose zones Only one purpose for now Management Zone Used for out-of-band device management Cannot specify in policies The Management Zone does not pass traffic Can define only one Management Zone User-defined (can be configured) Security Functional www.juniper.net 3-11
System-Defined Zones (1 of 3) Null Zone Unconfigurable Every interface belongs to the Null Zone by default When you delete an interface from a zone, it goes into the Null zone pool The Junos OS rejects all traffic to and from interfaces belonging to the Null Zone System-defined (cannot be configured) Null www.juniper.net 3-12
System-Defined Zones (2 of 3) Junos-host zone You can configure the junos-host zone in a security policy to control self traffic, host-inbound or host-outbound Inbound traffic must first be allowed as host-inbound traffic on a security zone Functional zone management cannot be used in a security policy Trust Zone Untrust Zone Internet Web Server Junos-host Zone www.juniper.net 3-13
System-Defined Zones (3 of 3) Junos-host zone configuration Reference the junos-host zone in the to-zone or from-zone context of a security policy [edit security zones] lab@srxa-1# show security-zone untrust { interfaces { ge-0/0/3.0; ge-0/0/2.242 { host-inbound-traffic { system-services { ping; ftp; [edit security policies] lab@srxa-1# show from-zone untrust to-zone junos-host policy deny-ping { match { source-address 172.20.1.10; destination-address any; application junos-ping; then { deny; policy log-ftp-user { match { source-address any 10.10.10.1; destination-address any; application junos-ftp; then { permit; log { session-init; www.juniper.net 3-14
Factory-Default Zones Applicable only to branch security platforms Configuration template defines two security zones: trust with interface vlan.0 belonging to it untrust Trust vlan.0 Factory-Default Zones Configurable Untrust www.juniper.net 3-15
Agenda: Zones The Definition of Zones Zone Configuration Monitoring Security Zones www.juniper.net 3-16
Zone Configuration Procedure Steps: Define a security or a functional zone Add logical interfaces to the zone Optionally, add services and protocols needing permission into the device through interfaces belonging to the zone If you omit this step, the SRX Series device permits no traffic destined for itself www.juniper.net 3-17
Defining a Zone Zone configuration steps: Enter configuration mode user@srx> configure Entering configuration mode [edit] user@srx# Define a security zone or a functional zone: [edit] user@srx# set security zones security-zone zone-name or [edit] user@srx# set security zones functional-zone management Functional zone specifics: You can define one type management It does not have a user-defined name www.juniper.net 3-18
Adding Logical Interfaces to a Zone Add logical interfaces to a zone: Security zone: [edit] user@srx# edit security zones [edit security zones] user@srx# set security-zone HR interfaces ge-0/0/1.0 Functional zone: [edit] user@srx# edit security zones [edit security zones] user@srx# set functional-zone management interfaces ge-0/0/1.100 www.juniper.net 3-19
Local Host Traffic (1 of 3) A Junos security device does not allow traffic destined to itself by default Use the host-inbound-traffic statement to allow specific traffic destined to the device coming from a particular zone or interface A Junos security device always allows all outbound traffic sourced from itself SRX Series Device SSH Telnet Ping www.juniper.net 3-20
Local Host Traffic (2 of 3) host-inbound-traffic statement choices: system-services: Specifies allowed services into the device through the interfaces belonging to a zone: Telnet, SSH, DNS, ping, SNMP, and others Specify all option to allow all services on their respective ports Specify any-service option to allow all services and open all ports protocols: Specifies allowed protocols into the device through the interfaces belonging to a zone: BFD, BGP, LDP, OSPF, RIP, PIM, and others Specify all option to allow all protocols defined in the Junos OS Can use the except keyword to isolate exceptions www.juniper.net 3-21
Local Host Traffic (3 of 3) Configurational hierarchy Can configure the statement under the entire zone stanza: [edit security zones] user@srx# set security-zone HR host-inbound-traffic system-services all Can configure the statement under an interface stanza within a zone: [edit security zones] user@srx# set security-zone HR interfaces ge-0/0/1.0 host-inbound-traffic system-services http Interface-level configuration overrides the zone-level configuration www.juniper.net 3-24
Check Your Knowledge (1 of 3) What does the following configuration do? security { zones { security-zone HR { host-inbound-traffic { system-services { telnet; ftp; interfaces { ge-0/0/0.0; ge-0/0/1.0; www.juniper.net 3-25
Check Your Knowledge (2 of 3) What does the following configuration do? security { zones { security-zone HR { host-inbound-traffic { system-services { telnet; ftp; interfaces { ge-0/0/0.0; ge-0/0/1.0 { host-inbound-traffic { system-services { snmp; www.juniper.net 3-26
Check Your Knowledge (3 of 3) What services can enter the device through interfaces ge-0/0/0.0 and ge-0/0/1.0? security { zones { security-zone zone1 { host-inbound-traffic { system-services { all; telnet { except; interfaces { ge-0/0/0.0; ge-0/0/1.0 { host-inbound-traffic { system-services { all; http { except; ftp { except;... www.juniper.net 3-27
Agenda: Zones The Definition of Zones Zone Configuration and Applicability Monitoring Security Zones www.juniper.net 3-28
Monitoring Zones The show security zones command provides information about: Zone types Zone names Number of interfaces bound to corresponding zones Interface names bound to corresponding zones user@srx> show security zones Functional zone: management Policy configurable: No Interfaces bound: 1 Interfaces: ge-0/0/0.0 user@srx> show security zones Security zone: HR Send reset for non-syn session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Functional management zone with one interface ge-0/0/0.0 Security zone HR with one interface ge-0/0/1.0 www.juniper.net 3-29
Monitoring Traffic Permitted into Interfaces (1 of 2) Additional interface-specific zone information is available by using the show interfaces interface-name extensive command: user@srx> show interfaces ge-0/0/3.200 extensive Logical interface ge-0/0/3.200 (Index 69) (SNMP ifindex 47) (Generation 136) Flags: SNMP-Traps VLAN-Tag [ 0x8100.200 ] Encapsulation: ENET2 Traffic statistics: Basic zone configuration details Security: Zone: trust Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping Flow Statistics : Flow Input statistics : Self packets : 0 ICMP packets : 0 VPN packets : 0 Bytes permitted by policy : 4788966 Connections established : 2 Flow input statistics www.juniper.net 3-30
Monitoring Traffic Permitted into Interfaces (2 of 2) Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 0 Flow output statistics Flow error statistics (Packets dropped due to): Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 0 Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Flow error statistics www.juniper.net 3-31
Summary In this chapter, we: Described zones and their purpose Defined types of zones Explained the application of zones Described zone configuration Described zone monitoring www.juniper.net 3-32
Review Questions 1. What is the purpose of a zone? 2. What zone types exist in Junos security devices? Describe the applicability of each zone type. 3. What steps are necessary to configure a zone? 4. How can you specify the types of traffic to be allowed into a Junos security device? www.juniper.net 3-33
Lab 1: Configuring and Monitoring Zones Perform initial setup and tasks normally associated with zone configuration and monitoring. www.juniper.net 3-34
Worldwide Education Services