I'm doing some more work with Juniper SRXs recently and I've done some reading on
Junos SRX host-inbound system-services, such as the example below, and I wanted to check my understanding:
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services dhcp
Could anyone help to clarify if my understanding of the below is correct or any caveats around it:
1) "host-inbound-traffic system-services" is basically used to enable/permit services on that SRX interface, so that the SRX can provide those services to clients/sources requesting them from the SRX?
2) For "host-inbound-traffic system-services" does the SRX process this traffic from a security perspective before or after the interfaces security policies?
- For example, if you had "host-inbound-traffic system-services ntp" enabled on an interface, but had security policies with the source and destination being the security zone associated with that interface, and those security policies only permitted 4 source hosts from the subnet in the security zone to query NTP, how does the SRX process that?
e.g. (assume the associated NTP configuration is set up on the SRX and working, and there is a global deny):
set security zones security-zone INSIDE interfaces irb.0 host-inbound-traffic system-services ntp
set security zones security-zone INSIDE address-book address IRB-0_IP 192.168.1.1/32
set security zones security-zone INSIDE address-book address NTP_PERMIT 192.168.1.8/30
set security policies from-zone INSIDE to-zone Internet policy INSIDE-Internet match source-address NTP_PERMIT
set security policies from-zone INSIDE to-zone Internet policy INSIDE-Internet match destination-address IRB-0_IP
set security policies from-zone INSIDE to-zone Internet policy INSIDE-Internet match application ntp
3) If you have the reverse, an "Outside" interface, e.g. for an Internet link which needs to communicate with the ISP via CHAP, is the most secure/appropriate way to do this via security policies, or is there another way for interface-level services via "host-outbound-traffic system-service"?
Thanks.
------------------------------
Dave N
------------------------------
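An added configuration example (not part of the original post) for the scenario in question 2: traffic terminating on the SRX itself is admitted by host-inbound-traffic and is not evaluated by from-zone/to-zone security policies, so the "only these 4 hosts may query NTP" restriction is enforced with a stateless firewall filter on lo0, which sees all traffic destined to the Routing Engine regardless of ingress interface. Zone name, interface and addresses are taken from the post; the filter and term names are assumptions, and the `#` lines are annotations to strip before pasting.

```junos
# Admit NTP to the SRX on irb.0 (zone INSIDE). Without this the SRX drops
# NTP queries to its own address before any filter or policy is consulted.
set security zones security-zone INSIDE interfaces irb.0 host-inbound-traffic system-services ntp

# Stateless filter protecting the Routing Engine (names are assumptions).
# Term 1: the four permitted hosts (192.168.1.8/30 from the post) may reach NTP.
set firewall family inet filter PROTECT-RE term NTP-PERMIT from source-address 192.168.1.8/30
set firewall family inet filter PROTECT-RE term NTP-PERMIT from protocol udp
set firewall family inet filter PROTECT-RE term NTP-PERMIT from destination-port ntp
set firewall family inet filter PROTECT-RE term NTP-PERMIT then accept

# Term 2: any other source querying NTP on the SRX is logged and discarded,
# which gives visibility of unexpected clients rather than a silent drop.
set firewall family inet filter PROTECT-RE term NTP-DENY from protocol udp
set firewall family inet filter PROTECT-RE term NTP-DENY from destination-port ntp
set firewall family inet filter PROTECT-RE term NTP-DENY then syslog
set firewall family inet filter PROTECT-RE term NTP-DENY then discard

# Term 3: explicit final accept so the filter does not lock out other
# host-inbound services (https, ssh, routing protocols) that are still
# gated per interface by host-inbound-traffic. Tighten this term separately
# once every required management flow has its own permit term above.
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept

# Apply the filter to the loopback so it covers self traffic on every interface.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

After commit, `show security zones INSIDE` confirms which system-services irb.0 admits, and `show firewall filter PROTECT-RE` shows term counters, so a rising NTP-DENY count is the signal that an unlisted host is querying the SRX. The from-zone INSIDE to-zone Internet policy in the post only governs transit traffic and has no effect on queries addressed to IRB-0_IP.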