Policy shuffle

Time to get into some access-list tips. I am going to make a management zone and want to control which protocols.First make the address book entry we will use to define our management hosts.

set security zones security-zone trust address-book address CORP-MGMT description "Corporate Management access range"
set security zones security-zone trust address-book address CORP-MGMT 192.168.2.0/24

If you want to learn more about address-book entries then have a read of this post. Now the aim of this lab is to let a range of management hosts in the trust range to access management interfaces. I require HTTPS, FTP, and SSH. This will then be followed by a deny all statement to catch the rogues. I want these attempts to be recorded. This will firstly allow me to block and lock cheeky attempts into management but also identify legitimate attempts with a recorded log.

set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL match source-address any
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL match destination-address any
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL match application any
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL then deny
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL then log session-init
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-FTP match source-address CORP-MGMT
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-FTP match destination-address any
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-FTP match application junos-ftp
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-FTP then permit
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-SSH match source-address CORP-MGMT
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-SSH match destination-address any
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-SSH match application junos-ssh
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-SSH then permit
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-HTTPS match source-address CORP-MGMT
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-HTTPS match destination-address any
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-HTTPS match application junos-https
set security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-HTTPS then permit

So now we have created the ability to access the management zone from trust zone. Now if I look at the order of my policies what will happen? Can you spot it? The deny policy is at the top and that will supersede any full to follow. No traffic at all. Time to re-sequence some policies. A major difference to IOS is that JUNOS uses names on policies that reside on inter zone mappings. IOS has sequence numbers under a particular access-list.

[email protected]# insert security policies from-zone trust to-zone management policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL after policy TRUST-TO-MANAGEMENT-PERMIT-HTTPS

There we go. It isn’t too hard at all. Now it is moved we can match the required traffic then block all non matched traffic. I noticed the name of my policy is quite poor for my deny all. Let’s take the PERMIT out of our DENY policies name!

[edit security policies from-zone trust to-zone management]
[email protected]# rename policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL to policy TRUST-TO-MANAGEMENT-DENY-ALL

That brings us to the end of this little blog. Control of policies allows quick manipulation of access-list to suit our needs. Think of the ability to quickly flick lines around. Albeit in the future the manual definition of rules will become a little different with SDN and Openflow for now we need to work with what we got.

Leave a Reply

Your email address will not be published. Required fields are marked *

*