Routing

  • 1.  SRX300 make secure

    Posted 17 days ago
    Hello,
    As I am new to network technology, I need some help. I have an SRX300 in the office which receives a public IP address on WAN7 via DHCP (BOOTP). A /29 network from the ISP is routed to this WAN7 IP. This network is then statically assigned to various firewalls and servers. This works perfectly, so my config is functional. However, my problem is that the config is not secure: the SSH port and every possible service are open. I want the SSH service to be reachable only from my static home IP, and all other system services of the SRX (such as NTP, DNS, ...) should be closed, while at the same time all traffic from the devices behind it should pass through unfiltered. The SRX should only serve as a gateway.
    I have already experimented a little with the zones, but either I lock myself out or it stops working. The config below is the one that works.
      /* Throttling for interactive logins: disconnect after 3 failed tries,
         start delaying from the 2nd failure, with a 10 s delay step. This
         slows password guessing but does not limit who may connect. */
      login {
            retry-options {
                tries-before-disconnect 3;
                backoff-threshold 2;
                backoff-factor 10;
            }
        }
        /* Management services of the SRX itself. netconf-over-ssh and
           web-management are marked "inactive:" (configured but not applied),
           so SSH is the only management service that is actually running. */
        services {
            ssh {
                /* Direct root login over SSH is permitted. Because "ssh" is also
                   listed under host-inbound-traffic for the untrust interface
                   further down, the root account is reachable from the WAN
                   address; "root-login deny" plus a named login user is the
                   usual setting. */
                root-login allow;
                protocol-version v2;
                max-sessions-per-connection 1;
                client-alive-interval 30;
            }
            netconf {
                inactive: ssh;
            }
            inactive: web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        domain-name root;
        time-zone Europe/Amsterdam;
        /* Resolvers the SRX uses for its own lookups. This does not make the
           SRX answer DNS queries; whether DNS is accepted from the outside is
           decided by host-inbound-traffic in the security zones below. */
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        /* Local logging only: emergencies to all logged-in users, every CLI
           command to "interactive-commands", notices plus authorization events
           (logins, failed logins) to "messages". 3 archives of 100k each. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any notice;
                authorization info;
            }
        }
        /* Keep 5 rollback configurations; useful when a zone change locks you
           out and a "rollback" from console is needed. */
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    /* Reviewer notes: the security policies below govern transit traffic
       between zones. Traffic addressed to the SRX itself (SSH, NTP, DNS, ...)
       is admitted or refused by host-inbound-traffic in the zone definitions,
       so tightening the policies alone does not change which management
       services the WAN side can reach. */
    security {
        policies {
            /* Intra-zone: any device on irb.0 (the /29) may talk to any other. */
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Outbound from the /29 to the Internet: permit everything and log
               session start/end. This matches the "pass through unfiltered"
               requirement for the devices behind the SRX. */
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            /* Inbound from the Internet to the /29: permit everything, no
               logging. With the /29 routed to the WAN address this exposes every
               rear device directly; the poster states those devices are
               firewalls/servers that should receive unfiltered traffic, so this
               may be intended. If a narrower allow-list is wanted, note that new
               policies are appended after this one and must be inserted before
               it to take effect. */
            from-zone untrust to-zone trust {
                policy untrust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                /* LAN side (irb.0): the SRX accepts SSH and ping, and every
                   routing protocol, from the /29. */
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                interfaces {
                    ge-0/0/7.0 {
                        /* WAN side: this list is what leaves SSH open to the whole
                           Internet (and, with "root-login allow" under system
                           services, root SSH). dhcp/bootp are needed for the WAN
                           address lease; ping is optional. NTP and DNS are NOT in
                           this list, so as far as the posted config shows they are
                           not accepted from the WAN. host-inbound-traffic has no
                           source-address option, so "SSH only from my home IP"
                           needs either a firewall filter applied on this interface
                           or on lo0, or a policy from-zone untrust to-zone
                           junos-host that permits ssh from the home address only.
                           NOTE(review): confirm the junos-host zone is available on
                           this release before relying on it. */
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                dhcp;
                                ping;
                                bootp;
                            }
                            /* "all" accepts every routing protocol (OSPF, BGP, ...)
                               from the WAN. Nothing in the posted config runs a
                               routing protocol, so this is probably unnecessary.
                               NOTE(review): confirm the ISP side does not expect one
                               before removing it. */
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    /* Physical layout: ge-0/0/0 .. ge-0/0/6 are Layer-2 access ports in
       vlan-trust, ge-0/0/7 is the WAN uplink with a DHCP-learned address, and
       irb.0 is the Layer-3 gateway for the ISP /29 behind the SRX. */
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        /* WAN uplink ("WAN7" in the post). The public address comes from the
           ISP via DHCP; this is the interface placed in the untrust zone. */
        ge-0/0/7 {
            description WAN;
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-srx300;
                    }
                }
            }
        }
        /* Gateway address inside the ISP /29 (octets masked by the poster).
           The rear firewalls/servers use addresses from this block. */
        irb {
            unit 0 {
                family inet {
                    address 37.37.x.x/29;
                }
            }
        }
    }
    /* Single LAN VLAN (id 3) spanning ge-0/0/0 .. ge-0/0/6, routed via irb.0. */
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    /* Only Layer-2 protocols are configured here: switching mode for the
       ethernet-switching ports and RSTP on all interfaces. No routing
       protocol (OSPF, BGP, ...) is configured in the posted config. */
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }


    ------------------------------
    PASCAL DENGG
    ------------------------------


  • 2.  RE: SRX300 make secure

    Posted 17 days ago

    What you need to adjust is the security policy from the untrust zone to the trust zone.  Currently this is open and allows all inbound traffic to all addresses.

    Security policy for outbound initiated traffic is covered by the trust to untrust rule and sounds like you don't want restrictions there.

    The trick will be to create the allow rules you need before removing the allow-all rule.

    Also note that new rules are appended after the existing ones, so they will need to be inserted before that allow-all rule to take effect.

    You create an address object for the specific addresses that will be referenced in the rule.

    Set the protocols that the rule allows.

    Then create the full rule with the specific parameters desired.

    An example documentation section is here:

    https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-policy-configuration.html#id-example-configuring-a-security-policy-to-permit-or-deny-selected-traffic



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------