Junos Security. Chapter 3: Zones Juniper Networks, Inc. All rights reserved. Worldwide Education Services


Junos Security
Chapter 3: Zones
2012 Juniper Networks, Inc. All rights reserved. www.juniper.net
Worldwide Education Services

Chapter Objectives
After successfully completing this chapter, you will be able to:
- Describe a zone and its purpose
- Define types of zones
- Explain the application of zones
- Configure zones
- Monitor zones

Agenda: Zones
- The Definition of Zones
- Zone Configuration
- Monitoring Security Zones

What Is a Zone?
- A zone is a collection of one or more network segments sharing identical security requirements
- Security policies control transit traffic between zones
- Null zone:
  - Default zone
  - Drops all traffic
- Interfaces can pass and accept traffic only if assigned to non-null zones
  - Exception for special interfaces like fxp0

Review: Packet Flow
(Diagram.) Packet-based processing applies to the ingress packet (per-packet policer, per-packet filters, per-packet shaper) and again to the egress packet. In between sits the session-based flow module: it first asks "Match session?". If no, the packet takes the first path: Screen options, D-NAT, route, zones, policy, S-NAT, services/ALG, then a session is created. If yes, the packet takes the fast path: Screen options, TCP, NAT, services/ALG. Zones, the focus of this chapter, are one step of the first path.

Hierarchical Dependencies (1 of 2)
- A strict hierarchical linkage exists between zones and interfaces
  - You assign logical interfaces to a zone
  - You cannot assign a logical interface to multiple zones
- You can also assign logical interfaces to a routing instance
  - You cannot assign a logical interface to multiple routing instances
  - All zone logical interfaces must belong to the same routing instance

Hierarchical Dependencies (2 of 2)
Relationship between interfaces, zones, and routing instances.
(Diagram: on a Juniper Networks device, interfaces are assigned to Zone A, Zone B, Zone C, and Zone D; the zones belong to Routing Instance 1 or Routing Instance 2, each routing instance with its own forwarding table (F.T.).)

Zone Types
- User-defined (can be configured):
  - Security
  - Functional
- System-defined (cannot be configured):
  - Null

Security Zones
- Security zones: a collection of one or more network segments requiring the regulation of inbound and outbound traffic through the use of policies
  - Used to filter traffic destined for the device itself
  - Used to filter transit traffic
- Intrazone and interzone transit traffic flows require security policies
- No default security zones are defined
- Cannot be shared between routing instances

Functional Zones
- Functional zones are special-purpose zones
  - Only one purpose for now: the management zone
- Management zone:
  - Used for out-of-band device management
  - Cannot be specified in policies
  - Does not pass traffic
  - Only one management zone can be defined

System-Defined Zones (1 of 3)
- Null zone:
  - Unconfigurable
  - Every interface belongs to the null zone by default
  - When you delete an interface from a zone, it goes into the null zone pool
  - The Junos OS rejects all traffic to and from interfaces belonging to the null zone

System-Defined Zones (2 of 3)
- junos-host zone:
  - You can configure the junos-host zone in a security policy to control self traffic, host-inbound or host-outbound
  - Inbound traffic must first be allowed as host-inbound traffic on a security zone
  - The functional zone management cannot be used in a security policy
(Diagram: a Trust Zone and an Untrust Zone, the Untrust Zone facing the Internet, a Web Server in the Trust Zone, and the junos-host Zone representing the device itself.)

System-Defined Zones (3 of 3)
junos-host zone configuration: reference the junos-host zone in the to-zone or from-zone context of a security policy.

    [edit security zones]
    lab@srxa-1# show
    security-zone untrust {
        interfaces {
            ge-0/0/3.0;
            ge-0/0/2.242 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ftp;
                    }
                }
            }
        }
    }

    [edit security policies]
    lab@srxa-1# show
    from-zone untrust to-zone junos-host {
        policy deny-ping {
            match {
                source-address 172.20.1.10;
                destination-address any;
                application junos-ping;
            }
            then {
                deny;
            }
        }
        policy log-ftp-user {
            match {
                source-address [ any 10.10.10.1 ];
                destination-address any;
                application junos-ftp;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }

Factory-Default Zones
- Applicable only to branch security platforms
- The configuration template defines two security zones:
  - trust, with interface vlan.0 belonging to it
  - untrust
(Diagram: the factory-default zones trust (vlan.0) and untrust; both are configurable.)

Agenda: Zones
- The Definition of Zones
- Zone Configuration
- Monitoring Security Zones

Zone Configuration Procedure
Steps:
1. Define a security or a functional zone
2. Add logical interfaces to the zone
3. Optionally, add services and protocols needing permission into the device through interfaces belonging to the zone
   - If you omit this step, the SRX Series device permits no traffic destined for itself

Defining a Zone
Zone configuration steps:
- Enter configuration mode:

    user@srx> configure
    Entering configuration mode
    [edit]
    user@srx#

- Define a security zone or a functional zone:

    [edit]
    user@srx# set security zones security-zone zone-name

  or

    [edit]
    user@srx# set security zones functional-zone management

- Functional zone specifics:
  - You can define one type: management
  - It does not have a user-defined name

Adding Logical Interfaces to a Zone
Add logical interfaces to a zone:
- Security zone:

    [edit]
    user@srx# edit security zones
    [edit security zones]
    user@srx# set security-zone HR interfaces ge-0/0/1.0

- Functional zone:

    [edit]
    user@srx# edit security zones
    [edit security zones]
    user@srx# set functional-zone management interfaces ge-0/0/1.100

Local Host Traffic (1 of 3)
- A Junos security device does not allow traffic destined to itself by default
- Use the host-inbound-traffic statement to allow specific traffic destined to the device coming from a particular zone or interface
- A Junos security device always allows all outbound traffic sourced from itself
(Diagram: SSH, Telnet, and ping traffic arriving at an SRX Series device.)

Local Host Traffic (2 of 3)
host-inbound-traffic statement choices:
- system-services: specifies the services allowed into the device through the interfaces belonging to a zone: Telnet, SSH, DNS, ping, SNMP, and others
  - Specify the all option to allow all services on their respective ports
  - Specify the any-service option to allow all services and open all ports
- protocols: specifies the protocols allowed into the device through the interfaces belonging to a zone: BFD, BGP, LDP, OSPF, RIP, PIM, and others
  - Specify the all option to allow all protocols defined in the Junos OS
- You can use the except keyword to isolate exceptions

Local Host Traffic (3 of 3)
Configuration hierarchy:
- You can configure the statement under the entire zone stanza:

    [edit security zones]
    user@srx# set security-zone HR host-inbound-traffic system-services all

- You can configure the statement under an interface stanza within a zone:

    [edit security zones]
    user@srx# set security-zone HR interfaces ge-0/0/1.0 host-inbound-traffic system-services http

- Interface-level configuration overrides the zone-level configuration

Check Your Knowledge (1 of 3)
What does the following configuration do?

    security {
        zones {
            security-zone HR {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ftp;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0;
                }
            }
        }
    }

Check Your Knowledge (2 of 3)
What does the following configuration do?

    security {
        zones {
            security-zone HR {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ftp;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                snmp;
                            }
                        }
                    }
                }
            }
        }
    }

Check Your Knowledge (3 of 3)
What services can enter the device through interfaces ge-0/0/0.0 and ge-0/0/1.0?

    security {
        zones {
            security-zone zone1 {
                host-inbound-traffic {
                    system-services {
                        all;
                        telnet {
                            except;
                        }
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                http {
                                    except;
                                }
                                ftp {
                                    except;
                                }
                                ...
                            }
                        }
                    }
                }
            }
        }
    }
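The three Check Your Knowledge configurations all turn on the two rules from the Local Host Traffic slides: an interface-level host-inbound-traffic stanza replaces the zone-level one rather than merging with it, and except removes a service from all. The following added example (not Juniper code, and not part of the original deck) models those rules in Python so the effective service set per interface can be computed from set-style commands; KNOWN_SERVICES is a constructed, abbreviated stand-in for the real service list.

```python
# Added model (not Juniper code) of the host-inbound-traffic rules from the Local Host Traffic slides.

# Constructed, abbreviated stand-in for the service list the 'all' keyword expands to.
KNOWN_SERVICES = frozenset({"ssh", "telnet", "ftp", "http", "https", "ping", "snmp", "dns"})

def parse_set_commands(lines):
    """Build {"zone": stanza, <ifname>: stanza_or_None} from 'set security zones
    security-zone <name> ...' lines; a stanza is (named_services, excepted_services)."""
    zone = {"zone": None}
    for line in lines:
        tok = line.split()
        if tok[:4] != ["set", "security", "zones", "security-zone"]:
            raise ValueError(f"not a security-zone statement: {line}")
        rest, key = tok[5:], "zone"
        if rest[:1] == ["interfaces"]:          # interface-level stanza
            key, rest = rest[1], rest[2:]
            zone.setdefault(key, None)          # bare interface: inherits the zone level
        if rest[:2] == ["host-inbound-traffic", "system-services"]:
            named, excepted = zone[key] or (set(), set())
            (excepted if rest[3:] == ["except"] else named).add(rest[2])
            zone[key] = (named, excepted)
    return zone

def effective_services(zone_level, iface_level):
    """An interface-level stanza replaces the zone-level one entirely; with
    neither, the device accepts no traffic destined to itself."""
    stanza = iface_level if iface_level is not None else zone_level
    if stanza is None:
        return frozenset()
    named, excepted = stanza
    allowed = set(KNOWN_SERVICES) if named & {"all", "any-service"} else set(named)
    return frozenset(allowed - excepted)

def resolve_zone(zone):
    """Effective service set for every interface in a parsed zone."""
    return {ifn: effective_services(zone["zone"], st) for ifn, st in zone.items() if ifn != "zone"}

# Check Your Knowledge (3 of 3), rewritten from the deck's curly-brace form into set commands.
CYK3 = parse_set_commands([
    "set security zones security-zone zone1 host-inbound-traffic system-services all",
    "set security zones security-zone zone1 host-inbound-traffic system-services telnet except",
    "set security zones security-zone zone1 interfaces ge-0/0/0.0",
    "set security zones security-zone zone1 interfaces ge-0/0/1.0 host-inbound-traffic system-services all",
    "set security zones security-zone zone1 interfaces ge-0/0/1.0 host-inbound-traffic system-services http except",
    "set security zones security-zone zone1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ftp except",
])

if __name__ == "__main__":
    for ifn, svcs in sorted(resolve_zone(CYK3).items()):
        print(ifn, sorted(svcs))  # telnet shows up on ge-0/0/1.0: the zone-level except is not inherited
```

The point to verify when reviewing a real configuration is the one the model makes visible: ge-0/0/1.0 accepts telnet even though the zone says telnet except, because the interface stanza replaced the zone stanza wholesale.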

Agenda: Zones
- The Definition of Zones
- Zone Configuration and Applicability
- Monitoring Security Zones

Monitoring Zones
The show security zones command provides information about:
- Zone types
- Zone names
- Number of interfaces bound to corresponding zones
- Interface names bound to corresponding zones

    user@srx> show security zones
    Functional zone: management
      Policy configurable: No
      Interfaces bound: 1
      Interfaces:
        ge-0/0/0.0

    Security zone: HR
      Send reset for non-syn session TCP packets: Off
      Policy configurable: Yes
      Interfaces bound: 1
      Interfaces:
        ge-0/0/1.0

(Callouts: the functional management zone has one interface, ge-0/0/0.0; security zone HR has one interface, ge-0/0/1.0.)

Monitoring Traffic Permitted into Interfaces (1 of 2)
Additional interface-specific zone information is available by using the show interfaces interface-name extensive command:

    user@srx> show interfaces ge-0/0/3.200 extensive
    Logical interface ge-0/0/3.200 (Index 69) (SNMP ifindex 47) (Generation 136)
      Flags: SNMP-Traps VLAN-Tag [ 0x8100.200 ]  Encapsulation: ENET2
      Traffic statistics:
      Security: Zone: trust
      Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm
      pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
      netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
      lsping
      Flow Statistics :
      Flow Input statistics :
        Self packets :                     0
        ICMP packets :                     0
        VPN packets :                      0
        Bytes permitted by policy :        4788966
        Connections established :          2

(Callouts: the Security: Zone and Allowed host-inbound traffic lines give the basic zone configuration details; the Flow Input statistics block gives the flow input statistics.)

Monitoring Traffic Permitted into Interfaces (2 of 2)

      Flow Output statistics:
        Multicast packets :                0
        Bytes permitted by policy :        0
      Flow error statistics (Packets dropped due to):
        Address spoofing:                  0
        Authentication failed:             0
        Incoming NAT errors:               0
        Invalid zone received packet:      0
        Multiple user authentications:     0
        Multiple incoming NAT:             0
        No parent for a gate:              0
        No one interested in self packets: 0
        No minor session:                  0
        No more sessions:                  0
        No NAT gate:                       0
        No route present:                  0
        No SA for incoming SPI:            0
        No tunnel found:                   0
        No session for a gate:             0
        No zone or NULL zone binding       0
        Policy denied:                     0
        Security association not active:   0
        TCP sequence number out of window: 0
        Syn-attack protection:             0
        User authentication errors:        0

(Callouts: the Flow Output statistics block gives the flow output statistics; the Flow error statistics block gives the flow error statistics.)
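The Allowed host-inbound traffic line in the show interfaces extensive output above is where a zone audit starts: it is the effective list per interface, after any interface-level override. The following added example (not Juniper code, and not part of the original deck) parses that output, which the CLI wraps across several lines, and flags cleartext or legacy management services the zone still accepts; SAMPLE is a constructed transcript modelled on the slide, and CLEARTEXT_MGMT is a constructed review list, not a Juniper-defined group.

```python
import re

# Constructed list for this example (not a Juniper-defined group): cleartext or legacy
# management services a reviewer would expect to be closed on a transit zone.
CLEARTEXT_MGMT = frozenset({"telnet", "ftp", "tftp", "http", "rlogin", "rsh", "finger", "xnm-clear-text"})

IFACE_RE = re.compile(r"Logical interface (\S+) ")
ZONE_RE = re.compile(r"Security: Zone: (\S+)")
# The allowed list wraps over several lines and ends at the next line carrying a ':' field.
ALLOWED_RE = re.compile(r"Allowed host-inbound traffic :(.*?)(?:\n\s*\S[^\n]*:|\Z)", re.S)

def parse_host_inbound(show_output):
    """Return {logical_interface: {"zone": name, "allowed": set_of_services}}
    from the text of 'show interfaces <name> extensive'."""
    result = {}
    chunks = IFACE_RE.split(show_output)          # ['', ifname1, body1, ifname2, body2, ...]
    for ifn, body in zip(chunks[1::2], chunks[2::2]):
        zone, allowed = ZONE_RE.search(body), ALLOWED_RE.search(body)
        result[ifn] = {"zone": zone.group(1) if zone else None,
                       "allowed": set(allowed.group(1).split()) if allowed else set()}
    return result

def flag_cleartext(parsed):
    """Interfaces whose zone accepts a cleartext management service, with the offenders listed."""
    return {ifn: sorted(info["allowed"] & CLEARTEXT_MGMT)
            for ifn, info in parsed.items() if info["allowed"] & CLEARTEXT_MGMT}

# Constructed sample modelled on the slide's output; the line wrapping is the CLI's own.
SAMPLE = """\
Logical interface ge-0/0/3.200 (Index 69) (SNMP ifindex 47) (Generation 136)
    Flags: SNMP-Traps VLAN-Tag [ 0x8100.200 ]  Encapsulation: ENET2
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm
    pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
    netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
    lsping
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
"""

if __name__ == "__main__":
    print(flag_cleartext(parse_host_inbound(SAMPLE)))
```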

Summary
In this chapter, we:
- Described zones and their purpose
- Defined types of zones
- Explained the application of zones
- Described zone configuration
- Described zone monitoring

Review Questions
1. What is the purpose of a zone?
2. What zone types exist in Junos security devices? Describe the applicability of each zone type.
3. What steps are necessary to configure a zone?
4. How can you specify the types of traffic to be allowed into a Junos security device?

Lab 1: Configuring and Monitoring Zones
Perform initial setup and tasks normally associated with zone configuration and monitoring.
