
Hardening SRX240 Edge Device

  • 1.  Hardening SRX240 Edge Device

    Posted 05-10-2021 16:42
    Hello - I was hoping to get some help hardening my SRX240, which I use as an edge device (internet-facing firewall and edge router).  I currently use Xfinity/Comcast as my ISP.  They have given me a DHCP address on my SRX which has been the same for years.  I don't want to allow any inbound connections at all, except for the VPN port 4656, as can be seen in the configuration below, which I forward to an internal server on a separate VLAN from all other devices; this box just forwards traffic outbound for devices connecting via VPN.   The only other inbound connections would maybe be DHCP, but I think my SRX would be asking for an IP address via DHCP, so could I just use firewall filters to block everything inbound except the traffic destined for 4656?  I currently have security policies in place to block any internet to internal VLAN traffic but see that firewall filters block the connections from the initial connection attempt and the security policies get further along in processing.  To further harden my network against the "internet" I was wondering how to set up a firewall filter for inbound traffic.  All my attempts at doing so have resulted in preventing outbound traffic also.

    Can someone please review my configuration and let me know if I am doing anything wrong from a security/hardening perspective?

    1. Do I have to have system services DHCP specified on my ge-0/0/0.0 interface (this is the one connected to my ISP)?
    2. How do I set up a firewall filter to prevent all inbound traffic not initiated from internal devices, except the VPN destination port, and apply it to the right interface?
    3. Am I missing anything else from a security perspective?
    4. Do I have to do anything more to prevent IPv6 from getting out from internal networks?
    5. Do I have to do anything more to "disable" IPv6 on the SRX?

    I have replaced my external IP address with Y.Y.Y.Y in the configuration.  I do want to block all inter-VLAN traffic, and I know I might have gone overboard on the security policies preventing inter-VLAN traffic and junos-host traffic.

    I have also attached an image that shows the config formatted in an easier way to read.

    ## Last changed: 2021-05-05 10:25:12 GMT-6
    version 12.3X48-D105.4;
    groups {
        jweb-security-logging {
            system {
                syslog {
                    inactive: file loooooooggger {
                        any any;
                        archive files 1;
                        structured-data;
                    }
                    file logadog {
                        any any;
                        archive files 1;
                        structured-data;
                    }
                }
            }
        }
    }
    system {
        host-name SCRUBBED;
        time-zone GMT-6;
        root-authentication {
            encrypted-password "SCRUBBED";
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            web-management {
                https {
                    system-generated-certificate;
                    interface vlan.4;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    name-server {
                        208.67.222.222;
                        208.67.220.220;
                    }
                    router {
                        192.168.1.1;
                    }
                }
                pool 192.168.2.0/24 {
                    address-range low 192.168.2.2 high 192.168.2.254;
                    name-server {
                        208.67.220.220;
                        208.67.222.222;
                    }
                    router {
                        192.168.2.1;
                    }
                }
                pool 192.168.3.0/24 {
                    address-range low 192.168.3.2 high 192.168.3.254;
                    name-server {
                        208.67.220.220;
                        208.67.222.222;
                    }
                    router {
                        192.168.3.1;
                    }
                }
                pool 172.16.234.0/24 {
                    address-range low 172.16.234.2 high 172.16.234.2;
                    name-server {
                        208.67.222.222;
                        208.67.220.220;
                    }
                    router {
                        172.16.234.1;
                    }
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
            inactive: file logadog {
                any any;
                archive files 1;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    security {
        utm {
            feature-profile {
                anti-spam {
                    sbl {
                        profile junos-as-defaults {
                            spam-action tag-subject;
                        }
                    }
                }
            }
            utm-policy junos-av-policy {
                traffic-options {
                    sessions-per-client {
                        over-limit log-and-permit;
                    }
                }
            }
            utm-policy junos-wf-policy {
                traffic-options {
                    sessions-per-client {
                        over-limit log-and-permit;
                    }
                }
            }
            utm-policy junos-av-wf-policy {
                traffic-options {
                    sessions-per-client {
                        over-limit log-and-permit;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                alarm-without-drop;
                icmp {
                    ip-sweep;
                    fragment;
                    large;
                    flood;
                    ping-death;
                    icmpv6-malformed;
                }
                ip {
                    bad-option;
                    record-route-option;
                    timestamp-option;
                    security-option;
                    stream-option;
                    spoofing;
                    source-route-option;
                    loose-source-route-option;
                    strict-source-route-option;
                    unknown-protocol;
                    block-frag;
                    tear-drop;
                    ipv6-malformed-header;
                }
                tcp {
                    syn-fin;
                    fin-no-ack;
                    tcp-no-flag;
                    syn-frag;
                    port-scan;
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                    winnuke;
                }
                udp {
                    flood;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone [ Home VPN Work Work-Mgmnt ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool dst-nat-pool-vpn {
                    routing-instance {
                        default;
                    }
                    address 172.16.234.2/32 port 4656;
                }
                pool dst-nat-pool-ptest {
                    routing-instance {
                        default;
                    }
                    address 192.168.2.42/32;
                }
                rule-set rs-vpn {
                    from interface ge-0/0/0.0;
                    rule r-vpn-1 {
                        match {
                            destination-address Y.Y.Y.Y/32;
                            destination-port {
                                4656;
                            }
                            protocol udp;
                        }
                        then {
                            destination-nat {
                                pool {
                                    dst-nat-pool-vpn;
                                }
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        Y.Y.Y.Y/32;
                    }
                }
            }
        }
        policies {
            from-zone Home to-zone Internet {
                policy home-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Home {
                policy internet-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone Internet {
                policy work-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Work {
                policy internet-work-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Internet {
                policy vpn-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone VPN {
                policy internet-vpn-allow {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application custom1-vpn;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy internet-vpn-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone Home {
                policy work-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone Work {
                policy home-work {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone VPN {
                policy work-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Work {
                policy vpn-work {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Home {
                policy vpn-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone VPN {
                policy home-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone Internet {
                policy block_new_nas_out {
                    match {
                        source-address new-nas-temp-block;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
                policy work-mgmnt-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Work-Mgmnt {
                policy internet-work-mgmnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone Home {
                policy work-mgnt-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone Work-Mgmnt {
                policy home-work-mgnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone Work-Mgmnt {
                policy work-work-mgmnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone Work {
                policy work-mgmnt-work-vnc-rdp {
                    match {
                        source-address work-mgmnt-pool;
                        destination-address work-pool;
                        application [ rdp vnc-tcp vnc-udp ];
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy work-mgmnt-work {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Work-Mgmnt {
                policy vpn-work-mgmnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone VPN {
                policy work-mgmnt-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone junos-host {
                policy work-mgmnt-junos-host {
                    match {
                        source-address work-mgmnt-pool;
                        destination-address any-ipv4;
                        application [ junos-ssh junos-https ];
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy deny-junos-host {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone junos-host {
                policy deny-work-junoshost {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone junos-host {
                policy deny-vpn-junoshost {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone junos-host {
                policy deny-home-junoshost {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Internet to-zone junos-host {
                policy internet-junos-deny-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            global {
                policy denyall {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone Home {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                    ge-0/0/6.0;
                    ge-0/0/7.0;
                }
            }
            security-zone VPN {
                interfaces {
                    vlan.2 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/15.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Work {
                address-book {
                    address work-pool {
                        range-address 192.168.2.2 {
                            to {
                                192.168.2.254;
                            }
                        }
                    }
                }
                interfaces {
                    vlan.3 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/14.0;
                    ge-0/0/13.0;
                    ge-0/0/12.0;
                }
            }
            security-zone Work-Mgmnt {
                address-book {
                    address work-mgmnt-pool {
                        range-address 192.168.3.2 {
                            to {
                                192.168.3.254;
                            }
                        }
                    }
                    address new-nas-temp-block 192.168.3.88/32;
                }
                interfaces {
                    vlan.4 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/11.0;
                    ge-0/0/10.0;
                    ge-0/0/9.0;
                    ge-0/0/8.0;
                }
            }
            security-zone Internet {
                address-book {
                }
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan3;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan1 vlan3 ];
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan3;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan2;
                    }
                }
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 2 {
                family inet {
                    address 172.16.234.1/24;
                }
            }
            unit 3 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
            unit 4 {
                family inet {
                    address 192.168.3.1/24;
                }
            }
        }
    }
    protocols {
        stp {
            disable;
        }
    }
    firewall {
        family inet {
            filter deny-all-inbound-internet {
                term "deny all inbound internet" {
                    from {
                        interface ge-0/0/0;
                    }
                    then {
                        discard;
                    }
                }
            }
        }
    }
    applications {
        application custom1-vpn {
            protocol udp;
            destination-port 4656;
        }
        application rdp {
            protocol tcp;
            destination-port 3389;
        }
        application vnc-udp {
            protocol udp;
            destination-port 2500;
        }
        application vnc-tcp {
            protocol tcp;
            destination-port 2500;
        }
    }
    wlan {
        admin-authentication {
            encrypted-password "SCRUBBED";
        }
    }
    vlans {
        vlan1 {
            description Home;
            vlan-id 3;
            interface {
                ge-0/0/2.0;
            }
            l3-interface vlan.1;
        }
        vlan2 {
            description VPN;
            vlan-id 2;
            interface {
                ge-0/0/15.0;
            }
            l3-interface vlan.2;
        }
        vlan3 {
            description Work;
            vlan-id 4;
            interface {
                ge-0/0/13.0;
            }
            l3-interface vlan.3;
        }
        vlan4 {
            description Work-Mgmnt;
            vlan-id 5;
            interface {
                ge-0/0/8.0;
            }
            l3-interface vlan.4;
        }
    }

    ------------------------------
    Kenny
    ------------------------------


  • 2.  RE: Hardening SRX240 Edge Device

    Posted 05-17-2021 14:45

    Hey Kenny,

    I noticed you posted this in another group and @Christian Scholz (chsjuniper) had this great response. Thank you Christian!


    1. Do I have to have system services DHCP specified on my ge-0/0/0.0 interface (this is the one connected to my ISP)?
    Yes, because if you don't specify DHCP as host-inbound-traffic your SRX will never get an IP address via DHCP.

    2. How do I set up a firewall filter to prevent all inbound traffic not initiated from internal devices except the VPN destination port and apply it to the right interface?
    The easiest way is a "lo0 filter" (even if no lo0 is used, lo0 filters are valid for ALL RE traffic) - often referred to as "Protect-RE". There are many articles covering it - and it's extremely granular :)


    set firewall family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses
    set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp
    set firewall family inet filter protect-RE term tcp-connection-term from tcp-established
    set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer
    set firewall family inet filter protect-RE term tcp-connection-term then accept
    set firewall family inet filter protect-RE term icmp-term from source-prefix-list trusted-addresses
    set firewall family inet filter protect-RE term icmp-term from protocol icmp
    set firewall family inet filter protect-RE term icmp-term then policer icmp-policer
    set firewall family inet filter protect-RE term icmp-term then count icmp-counter
    set firewall family inet filter protect-RE term icmp-term then accept
    set interfaces lo0 unit 0 family inet filter input protect-RE

    A good starting point would be:
    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-stateless-example-rate-limits-based-on-packets-per-second.html

    3. Am I missing anything else from a security perspective?
    I noticed that you have a lot of policies with just "deny" - you don't really need that, it only makes your ruleset bigger and more complex.
    The SRX denies everything by default. The only reason why you would need a "deny" in addition to the explicit deny is if you use the option "log".

    4. Do I have to do anything more to prevent IPv6 from getting out from internal networks?
    5. Do I have to do anything more to "disable" IPv6 on the SRX?
    If you haven't enabled flow mode for IPv6 or packet-based mode for IPv6, your SRX will not use IPv6.
    Have a look at "show security flow status" - it will tell you if IPv6 is "disabled" or not :)

    Hope this helps. If you need anything else feel free to reach out to me :)
    Christian



    ------------------------------
    Christian Scholz
    Juniper Networks Ambassador | JNCIE-SEC #374
    Mail: chs@ip4.de
    Blog: jncie.eu | Twitter: @chsjuniper | YT-Channel: netchron



    ------------------------------
    Jack Joyce
    ------------------------------
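    The following is an added worked example, written for this thread and not part of either post, that fleshes out the Protect-RE snippet Christian quotes into a complete lo0 filter against Kenny's posted configuration (question 2 above). It assumes Kenny's management hosts are the Work-Mgmnt pool 192.168.3.0/24 (his policies already trust that pool for junos-ssh and junos-https), that ge-0/0/0.0 keeps getting its address from the ISP via DHCP, and that the SRX itself queries the two OpenDNS resolvers from his name-server stanza; the prefix-list names, policer limits, counter names and the dns/ntp/dhcp terms are assumptions added here. Two things the example makes explicit that a reader of the thread might otherwise miss: the lo0 filter governs only packets addressed to the SRX itself, so the UDP 4656 forward to 172.16.234.2 is transit traffic and is untouched by it (the destination NAT rule and the Internet-to-VPN policy already in the config handle that); and because the filter is stateless it cannot recognise DHCP offers or the replies to the SRX's own DNS and NTP queries as "return traffic", so those need explicit accept terms or the box loses its WAN lease and time sync. The `#` lines are comments for the reader.

```junos
# --- Who may manage the SRX (assumption: Kenny's Work-Mgmnt pool) ---
set policy-options prefix-list trusted-addresses 192.168.3.0/24
# --- Resolvers the SRX itself queries (taken from the posted name-server stanza) ---
set policy-options prefix-list dns-servers 208.67.222.222/32
set policy-options prefix-list dns-servers 208.67.220.220/32

# --- Policers keep a burst of permitted traffic from starving the RE (assumed limits) ---
set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 1m
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-policer if-exceeding bandwidth-limit 512k
set firewall policer icmp-policer if-exceeding burst-size-limit 15k
set firewall policer icmp-policer then discard

# --- Term 1: DHCP client on the ISP side (server port 67 -> client port 68). Without this
#     the WAN lease cannot be renewed once the filter is in place. ---
set firewall family inet filter protect-RE term dhcp-client from protocol udp
set firewall family inet filter protect-RE term dhcp-client from source-port 67
set firewall family inet filter protect-RE term dhcp-client from destination-port 68
set firewall family inet filter protect-RE term dhcp-client then accept

# --- Term 2: management (SSH, HTTPS) only from the trusted prefix list, rate-limited ---
set firewall family inet filter protect-RE term mgmt from source-prefix-list trusted-addresses
set firewall family inet filter protect-RE term mgmt from protocol tcp
set firewall family inet filter protect-RE term mgmt from destination-port [ 22 443 ]
set firewall family inet filter protect-RE term mgmt then policer tcp-connection-policer
set firewall family inet filter protect-RE term mgmt then accept

# --- Term 3: established TCP from trusted hosts (Christian's tcp-connection-term) ---
set firewall family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses
set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp
set firewall family inet filter protect-RE term tcp-connection-term from tcp-established
set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer
set firewall family inet filter protect-RE term tcp-connection-term then accept

# --- Term 4: replies to the SRX's own DNS and NTP queries. A stateless filter cannot tell
#     a reply from an unsolicited packet, so pin DNS to the resolver addresses and
#     rate-limit NTP (the pool server address is not known in advance). ---
set firewall family inet filter protect-RE term dns-replies from source-prefix-list dns-servers
set firewall family inet filter protect-RE term dns-replies from protocol udp
set firewall family inet filter protect-RE term dns-replies from source-port 53
set firewall family inet filter protect-RE term dns-replies then accept
set firewall family inet filter protect-RE term ntp-replies from protocol udp
set firewall family inet filter protect-RE term ntp-replies from source-port 123
set firewall family inet filter protect-RE term ntp-replies from destination-port 123
set firewall family inet filter protect-RE term ntp-replies then policer icmp-policer
set firewall family inet filter protect-RE term ntp-replies then accept

# --- Term 5: ICMP, rate-limited and counted, only from trusted hosts (Christian's icmp-term) ---
set firewall family inet filter protect-RE term icmp-term from source-prefix-list trusted-addresses
set firewall family inet filter protect-RE term icmp-term from protocol icmp
set firewall family inet filter protect-RE term icmp-term then policer icmp-policer
set firewall family inet filter protect-RE term icmp-term then count icmp-counter
set firewall family inet filter protect-RE term icmp-term then accept

# --- Term 6: everything else aimed at the SRX itself is counted, logged and dropped.
#     Transit traffic (including the UDP 4656 forward to 172.16.234.2) never hits this filter. ---
set firewall family inet filter protect-RE term default-discard then count protect-RE-discards
set firewall family inet filter protect-RE term default-discard then log
set firewall family inet filter protect-RE term default-discard then discard

# --- Apply on lo0: covers every address the SRX owns, not just one interface ---
set interfaces lo0 unit 0 family inet filter input protect-RE

# --- Same principle at the zone layer: the posted Internet zone allows system-services all
#     and protocols all zone-wide. Removing that leaves only the interface-level dhcp that
#     ge-0/0/0.0 actually needs (question 1). ---
delete security zones security-zone Internet host-inbound-traffic

# --- Commit with an automatic rollback so a mistake in the filter cannot lock you out ---
commit confirmed 5

# --- Verification (operational mode). dhcp-client and mgmt counters should increment,
#     the WAN lease should still be present, and inet6 flow mode should still report
#     disabled (questions 4 and 5). ---
show firewall filter protect-RE
show system services dhcp client
show security zones Internet
show security flow status
```

    If the `show firewall filter protect-RE` counters show the discard term climbing while a legitimate management or DHCP session fails, the corresponding accept term is missing or too narrow; fix the term and confirm the commit before the five-minute rollback timer expires.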