SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  a factory default security policy

    Posted 09-06-2019 01:12

    Hello,

     

I was reading the Juniper SRX documentation regarding security policies, and it stated:

    For SRX300, SRX320, SRX340, SRX345, and SRX550M devices, a factory default security policy is provided that:

    • permits all traffic from the trust zone to the untrust zone.

    • denies all traffic from the untrust zone to the trust zone.

    • allows all traffic from the trust zone to the untrust zone.

In my company we are using the SRX340. Does this mean that we do not have to add the security policies for trust-zone-to-untrust and untrust-zone-to-trust, because the SRX already has a default preconfigured security policy? And if these security policies are not set up, does that mean I need to add them manually? Is this correct?

     

Can you guys verify for me whether the following security zones and policies are set up the correct way?

1. I would like the test/production applications to have access to the internet.

2. I would also like the inside to have access to the internet.

3. Do I really need to enable an intra-zone policy (Test-application to-zone Test-application or Production-application to-zone Production-application)? As I understand it, if the test-application or production-application hosts are in the same VLAN and try to communicate with each other inside the VLAN/broadcast domain, then an intra-zone policy is not needed?

     

policies {
        from-zone untrust to-zone trust {
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Production-application to-zone untrust {
            policy PROD-application-to-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Test-application to-zone untrust {
            policy Test-application-to-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                address office-1 x.x.x.x/29;
                address office-2 x.x.x.x/29;
                address office-3 x.x.x.x/32;
                address office-4 x.x.x.x/32;
                address office-5 x.x.x.x/29;
                address-set office {
                    address office-1;
                    address office-2;
                    address office-3;
                    address office-4;
                    address office-5;
                }
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.1610;
                ge-5/0/0.2610;
            }
        }
        security-zone Production-application {
            interfaces {
                reth1.20 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.200;
            }
        }
        security-zone Test-application {
            interfaces {
                reth1.30 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }

     



  • 2.  RE: a factory default security policy
    Best Answer

    Posted 09-06-2019 02:13

    Hello Suli,

     

The SRX Series devices ship with a factory default configuration which contains DHCP, auto-installation, basic security policies, etc.

     

Most people will delete the default configuration and add their own, or configure it as per their requirements.

     

In my company we are using the SRX340. Does this mean that we do not have to add the security policies for trust-zone-to-untrust and untrust-zone-to-trust, because the SRX already has a default preconfigured security policy? And if these security policies are not set up, does that mean I need to add them manually? Is this correct?

    A: You can either alter the existing factory default configuration or configure it as per your requirement.

     

    1. I would like the test/production application to have access to the internet

A: I believe the below is the security policy for the production -> internet zone. This is configured with ANY ANY ANY, which means any source from production can access any destination over the internet with any service.

     

from-zone Production-application to-zone untrust {
        policy PROD-application-to-Untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

     

2. I would also like the inside to have access to the internet.

    A: I'm not sure which is your inside zone, so I can't comment on it. However, you can follow the same approach as the above-mentioned security policies to access the internet from inside to outside. But I have a concern regarding one of your policies, where you have allowed anyone from the Internet to access your trust side. This means you're exposing your trust side to the whole internet.

     

    The appropriate configuration would be,

     

policies {
        from-zone trust to-zone untrust {
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

     

     

3. Do I really need to enable an intra-zone policy (Test-application to-zone Test-application or Production-application to-zone Production-application)? As I understand it, if the test-application or production-application hosts are in the same VLAN and try to communicate with each other inside the VLAN/broadcast domain, then an intra-zone policy is not needed?

    A: If you have 2 VLANs configured under the same security zone, then an intra-zone policy is required.
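A hardened version of the poster's egress policies, together with the intra-zone case from question 3, as an added Junos configuration example. It is not the answerer's configuration and not Juniper's factory default. It assumes the zone and interface names from the original post, that the inside hosts only need web, DNS and ICMP towards the Internet, that IKE is the only service that must terminate on the untrust interfaces, and (for the intra-zone case) a second assumed unit reth1.21 in the Production-application zone; adjust all of these to what the environment actually requires. Test-application gets a policy identical to PROD-TO-INTERNET and is omitted for brevity.

```junos
security {
    policies {
        /* Egress from the inside zones. The posted policies use
           "application any"; listing the predefined applications the hosts
           actually need and logging each session is the practical minimum. */
        from-zone trust to-zone untrust {
            policy TRUST-TO-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-dns-udp junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone Production-application to-zone untrust {
            policy PROD-TO-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-dns-udp ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* Intra-zone (question 3): hosts on one VLAN reach each other through
           the switch and never pass the SRX, so no policy is consulted. This
           policy only matters once the SRX routes between two logical
           interfaces that are both in Production-application (assumed here:
           reth1.20 and a second unit reth1.21). */
        from-zone Production-application to-zone Production-application {
            policy PROD-INTRAZONE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* No untrust-to-trust policy is defined, so the default policy drops
           that traffic. deny-all is already the implicit default; stating it
           explicitly keeps it visible after the factory config is deleted. */
        default-policy {
            deny-all;
        }
    }
    zones {
        /* "system-services all" on untrust exposes the firewall's own SSH,
           HTTPS and other daemons to the Internet. Keep only what must
           terminate on the box; manage the SRX from the trust side. */
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.1610;
                ge-5/0/0.2610;
            }
        }
        security-zone Production-application {
            interfaces {
                reth1.20;
                reth1.21;
            }
        }
    }
}
```

After `commit check` and commit, `show security policies from-zone untrust to-zone trust` should list no policy (the zone pair falls through to the default deny), `show security zones untrust` shows only ike under allowed host-inbound services, and `show security policies detail` exposes the per-policy hit counters, which is the quickest way to confirm the intra-zone policy is actually being consulted rather than bypassed at layer 2.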



  • 3.  RE: a factory default security policy

    Posted 09-06-2019 03:35

Thank you, this is the best explanation.

     

2. I would also like the inside to have access to the internet.

    A: I'm not sure which is your inside zone, so I can't comment on it. However, you can follow the same approach as the above-mentioned security policies to access the internet from inside to outside. But I have a concern regarding one of your policies, where you have allowed anyone from the Internet to access your trust side. This means you're exposing your trust side to the whole internet.

     

The SRX config that I sent is an old config. I have put some limitations on the security policy from untrust to-zone trust; only SSH and HTTPS are allowed to be established.

     

    The appropriate configuration would be,

     

policies {
        from-zone trust to-zone untrust {
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

     

     

     



  • 4.  RE: a factory default security policy

    Posted 09-06-2019 04:12

    Hi Suli,

     

If you allow even SSH and HTTPS from the Untrust side, it is a security flaw. Do you have any connections originating over the Internet for pass-through traffic?



  • 5.  RE: a factory default security policy

    Posted 09-07-2019 01:25

    Hello,

     

Yes, I have a port-forwarding destination NAT (D-NAT) towards the SRX inside network.
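Since the poster forwards a service inbound with destination NAT, here is an added example (not from the thread and not Juniper's factory configuration) of a DNAT rule paired with the narrowest security policy that can still carry it. Assumed values: public address 203.0.113.10 on ge-0/0/0.1610, an internal web server 10.10.20.5 in zone trust, HTTPS only, and the address-set office from the original post as the only permitted source. The point a practitioner needs: the SRX performs the destination NAT lookup before the policy lookup, so the untrust-to-trust policy must match the internal (post-NAT) address, and "source-address any" plus "application any" turns a single port forward into a full exposure of that host.

```junos
security {
    nat {
        destination {
            pool WEB-DNAT-POOL {
                address 10.10.20.5/32 port 443;
            }
            rule-set UNTRUST-DNAT {
                from zone untrust;
                rule WEB-443 {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port {
                            443;
                        }
                    }
                    then {
                        destination-nat pool WEB-DNAT-POOL;
                    }
                }
            }
        }
        /* Only needed when 203.0.113.10 is not the address configured on
           ge-0/0/0.1610 itself; otherwise the SRX answers ARP for it anyway. */
        proxy-arp {
            interface ge-0/0/0.1610 {
                address {
                    203.0.113.10/32;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy INBOUND-WEB-443 {
                match {
                    /* office is the address-set from the original post's
                       untrust address book; use "any" only if the service
                       really is public. */
                    source-address office;
                    /* Post-NAT address: policy lookup happens after DNAT,
                       so the public 203.0.113.10 would never match here. */
                    destination-address WEB-SERVER;
                    application junos-https;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* Assumed internal server; must live in the trust zone's
                   book because it is the policy's destination in zone trust. */
                address WEB-SERVER 10.10.20.5/32;
            }
        }
    }
}
```

Verify with `show security nat destination rule all` (translation hits), `show security policies from-zone untrust to-zone trust detail` (the only inbound policy, scoped to junos-https and the office set) and `show security flow session destination-port 443` while a client connects. Note that host-inbound-traffic has no bearing on this pass-through flow: it governs only traffic addressed to the SRX itself, which is exactly why "system-services all" on the untrust zone is the setting that exposes the firewall's own SSH and HTTPS, independent of any DNAT.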