Security

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



Expand all | Collapse all

Internet/WAN/Untrust interface protection for VPN connections

This thread has been viewed 5 times
  • 1.  Internet/WAN/Untrust interface protection for VPN connections

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2022 05:31
    This message was posted by a user wishing to remain anonymous

    Scenario 

    - I am utilising a policy based VPN 

    - The WAN/Untrust security zone will have IKE enabled on it 

    - The WAN/Untrsut security zone/interface is also the outbound interface for internet traffic 

    - I want to ensure that only the source address of 1.2.3.4 can initiate an IKE/IPSEC session with the interface 

      

    Questions 

    - Is there a feature already enabled that prevents initiation attempts that don't match the given ike gateway address?  

      - i.e "set security ike gateway IKE-GW address 1.2.3.4" 

    - If not, what is the best way to go about this? 

    - Due to the stateless nature of firewall filters it seems like this wouldn't be a good solution 

    - Would security policy be the better option? And if so, what would look like as there are no WAN to Trust rules (Untrust to Trust) 

      

    I understand that a VPN connection attempt won't succeed if there are mismatch of settings/secrets etc, but my preference is to reduce the potential attack surface and reconnaissance where possible. 

      

    Below is not the exact configuration I'm using, but is basically identical. It is ripped straight Juniper vLabs. 

    ## Site A
    set security ike proposal standard authentication-method pre-shared-keys
    set security ike policy IKE-POL mode main
    set security ike policy IKE-POL proposals standard
    set security ike policy IKE-POL pre-shared-key ascii-text "1234"
    set security ike gateway IKE-GW ike-policy IKE-POL
    set security ike gateway IKE-GW address 10.100.12.2
    set security ike gateway IKE-GW external-interface ge-0/0/1
    set security ipsec proposal standard
    set security ipsec policy IPSEC-POL proposals standard
    set security ipsec vpn VPN-to-Site-B ike gateway IKE-GW
    set security ipsec vpn VPN-to-Site-B ike ipsec-policy IPSEC-POL
    set security ipsec vpn VPN-to-Site-B establish-tunnels immediately
    set security address-book Site-A address Site-A-Net 10.100.11.0/24
    set security address-book Site-A attach zone trust
    set security address-book Site-B address Site-B-Net 10.100.22.0/24
    set security address-book Site-B attach zone untrust
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Site-B-Net
    set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Site-A-Net
    set security policies from-zone untrust to-zone trust policy VPN-IN match application any
    set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Site-B
    set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Site-A-Net
    set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Site-B-Net
    set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
    set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Site-B
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/1.0
    set interfaces ge-0/0/0 unit 0 family inet address 10.100.11.1/24
    set interfaces ge-0/0/1 unit 0 family inet address 10.100.12.1/24
    set routing-options static route 10.100.22.0/24 next-hop 10.100.12.2
    
    
    
    
    ## Site B
    set security ike proposal standard authentication-method pre-shared-keys
    set security ike policy IKE-POL mode main
    set security ike policy IKE-POL proposals standard
    set security ike policy IKE-POL pre-shared-key ascii-text "1234"
    set security ike gateway IKE-GW ike-policy IKE-POL
    set security ike gateway IKE-GW address 10.100.12.1
    set security ike gateway IKE-GW external-interface ge-0/0/1
    set security ipsec proposal standard
    set security ipsec policy IPSEC-POL proposals standard
    set security ipsec vpn VPN-to-Site-A ike gateway IKE-GW
    set security ipsec vpn VPN-to-Site-A ike ipsec-policy IPSEC-POL
    set security ipsec vpn VPN-to-Site-A establish-tunnels immediately
    set security address-book Site-A address Site-A-Net 10.100.11.0/24
    set security address-book Site-A attach zone untrust
    set security address-book Site-B address Site-B-Net 10.100.22.0/24
    set security address-book Site-B attach zone trust
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Site-B-Net
    set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Site-A-Net
    set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
    set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Site-A
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Site-A-Net
    set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Site-B-Net
    set security policies from-zone untrust to-zone trust policy VPN-IN match application any
    set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Site-A
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/1.0
    set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
    set interfaces ge-0/0/1 unit 0 family inet address 10.100.12.2/24
    set routing-options static route 10.100.11.0/24 next-hop 10.100.12.1


    Thank you.



  • 2.  RE: Internet/WAN/Untrust interface protection for VPN connections

    Posted 03-17-2022 05:40
    As you noticed the host inbound traffic stanza is just for the protocol at all being allowed and does not allow any detailed restrictions.

    To add security policies for traffic terminating on the SRX we use the junos-host zone.  Junos refers to this as "self traffic".  In your case you would need to add policies to restrict vpn traffic to only the gateways you want to connect.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24227

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------