HIT that interface

Juniper works very different to IOS. If you have been following my blog recently you will have discovered I have been on the Sauce. Fresh of the JNCIA Junos pass I am diving into JNCIS-SEC. I am going to explain today how host-inbound-traffic works and how it can be used to lock down a Security Zone. First of all is my lab. Here I am using an SRX110H-VA. This device has two zones on it. trust and OOB-Opengear.

Security Zones

Alright. So to demonstrate the following lab I have an iMac in the Server vlan and an Opengear 5004-G-E console server in the OOB-access vlan. I want to achieve the following objectives:

  1. Assign Server VLAN and associated interfaces interfaces to trust security zone.
  2. Assign OOB-Access VLAN and associated interfaces interfaces to the OOB-Opengear zone.
  3. Create inter-zone access policy that permits any source and any destination from trust to OOB-Opengear allowing all protocols
  4. Only permit the DHCP system-services to the zone interfaces in the OOB-Opengear security zone. Allow all protocols.
  5. Allow all protocols and system-services to the zone interfaces in the trust zone
  6. BONUS – Restrict access allowed from trust to OOB-opengear to just SSH.
1. Assign Server VLAN and associated interfaces to trust security zone.
Now lets add the interface including the vlan interface to the trust security zone.
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone trust interfaces vlan.2
2. Assign OOB-Access VLAN and associated interfaces to trust security zone.
Now lets add the interface including the vlan interface to the trust security zone.
set security zones security-zone OOB-Opengear interfaces fe-0/0/7.0
set security zones security-zone OOB-Opengear interfaces vlan.100

3. Create inter-zone access by Permitting any source and any destination from trust to OOB-Opengear allowing all protocols

set security policies from-zone trust to-zone OOB-Opengear policy trust-OOB-Opengear description " Allow access from trust to OOB "
set security policies from-zone trust to-zone OOB-Opengear policy trust-OOB-Opengear match source-address any
set security policies from-zone trust to-zone OOB-Opengear policy trust-OOB-Opengear match destination-address any
set security policies from-zone trust to-zone OOB-Opengear policy trust-OOB-Opengear match application any
set security policies from-zone trust to-zone OOB-Opengear policy trust-OOB-Opengear then permit

Now to verify

[email protected]> show security policies policy-name trust-OOB-Opengear 
From zone: trust, To zone: OOB-Opengear
  Policy: trust-OOB-Opengear, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

So we have created a policy that allows traffic marked any, any, all protocols, to go from the zone named trust to the zone named OOB-Opengear.

4. Only permit the DHCP system-services to the zone interfaces in the OOB-Opengear security zone. Allow all protocols.

This is the crux of the blog. Here we need to control what protocols heading from this security zone that plan to terminate on the device are permitted. This OOB-Opengear network is my 3G serial router box which gives me access over the cellular network back to my network infrastructure at home. I do not want someone getting on here then having a platform to attack my SRX. I have determined at all I want the SRX to respond to is DHCP. Remember that this is not an access-list.

set security zones security-zone OOB-Opengear host-inbound-traffic system-services dhcp
set security zones security-zone OOB-Opengear host-inbound-traffic protocols all

5. Allow all protocols and system-services to the zone interfaces in the trust zone

set security zones security-zone OOB-Opengear host-inbound-traffic system-services all
set security zones security-zone OOB-Opengear host-inbound-traffic protocols all

Now lets checked detailed interface stats to confirm our HIT settings.

[email protected]> show interfaces fe-0/0/1 detail    
Physical interface: fe-0/0/1, Enabled, Physical link is Up
  Interface index: 141, SNMP ifIndex: 521, Generation: 144
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,<output omitted="">Security: Zone: trust Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp</output>

Now lets check the OOB-Opengear zone.

[email protected]&gt; show interfaces fe-0/0/7 detail    
Physical interface: fe-0/0/7, Enabled, Physical link is Up
  Interface index: 141, SNMP ifIndex: 521, Generation: 144
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,<output omitted="">Security: Zone: OOB-Opengear Allowed host-inbound-traffic : dhcp</output>

Devices in the trust zone will be allowed to make inbound requests that are destined to the SRX such as TFTP, SSH, HTTPS because all is defined in the system-services all command. Our verification proves this.

6. BONUS – Restrict access allowed from trust to OOB-opengear to just SSH.

Alright. Now to restrict traffic from trust to OOB-opengear to use just SSH we need to adjust our security policy. By default Juniper has a list of default applications that can be controlled.

delete security policies from-zone trust to-zone OOB-Opengear policy trust-OOB-Opengear match application all
set security policies from-zone trust to-zone OOB-Opengear policy trust-OOB-Opengear match application junos-ssh

Now lets see what JUNOS thinks of this.

[email protected]> show security policies policy-name trust-OOB-Opengear 
From zone: trust, To zone: OOB-Opengear
  Policy: trust-OOB-Opengear, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: junos-ssh
    Action: permit

Now lets test with SSH from iMac in trusted to Opengear box in the OOB-Opengear VLAN which is allowed and HTTP, IMCP, which are not.

anthonys-iMac:~ pandom$ ifconfig en0
en0: flags=8863 mtu 1500
	ether 00:16:cb:8d:06:b5 
	inet6 fe80::216:cbff:fe8d:6b5%en0 prefixlen 64 scopeid 0x4 
	inet 192.168.2.10 netmask 0xffffff00 broadcast 192.168.2.255
	media: autoselect (100baseTX )
	status: active

anthonys-iMac:~ pandom$ ssh [email protected]
Password:
#
anthonys-iMac:~ pandom$ ping 192.168.220.10
PING 192.168.220.10 (192.168.220.10): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 192.168.220.10 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

Finally, let us prove HTTPS access isn’t allowed.

Success!

It is also possible to make application sets which are groups of defined protocols that can be referenced by a policy statement. Another blog for another day.

The scalability and hierarchical nature of JUNOS allows simplicity with configuration. It also allows easy troubleshooting and also  the ability to throughly control zones without dozens of lines of configurations. I hope this has been informative for you and I thank you for reading.

 

 

 

 

 

 

 

 

 

 

 

One thought on “HIT that interface

  1. Pingback: HIT that interface

Leave a Reply

Your email address will not be published. Required fields are marked *

*