Junos Security

Transcription

Junos Security
Junos Security
Chapter 3: Zones
© 2012 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
 After successfully completing this chapter, you will be
able to:
•Describe a zone and its purpose
•Define types of zones
•Explain the application of zones
•Configure zones
•Monitor zones
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-2
Agenda: Zones
The Definition of Zones
 Zone Configuration
 Monitoring Security Zones
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-3
What Is a Zone?
 A zone is a collection of one or more network
segments sharing identical security requirements
 Security policies control transit traffic between zones
•Null zone:
• Default zone
• Drops all traffic
•Interfaces can pass and accept traffic only if assigned to
non-Null zones
• Exception for special interfaces like fxp0
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-4
Review: Packet Flow
Forwarding
Focus of
this chapter
Flow Module
Session-based
Screen
Zones Policy
Options D-NAT Route
No
Match
Session
?
S-NAT Services Session
ALG
First Path
Yes
SCREEN
TCP
Options
NAT
Services
ALG
Fast Path
Per-Packet Filters
Packet-based
Per-Packet Policer
Per-Packet Shaper
Ingress
Packet
© 2012 Juniper Networks, Inc. All rights reserved.
Egress
Packet
Worldwide Education Services
www.juniper.net | 3-5
Hierarchical Dependencies (1 of 2)
 A strict hierarchical linkage exists between zones and
interfaces
•You assign logical interfaces to a zone
•You cannot assign a logical interface to multiple zones
•You can also assign logical interfaces to a routing instance
•You cannot assign a logical interface to multiple routing
instances
•All zone logical interfaces must belong to the same routing
instance
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-6
Hierarchical Dependencies (2 of 2)
 Relationship between interfaces, zones, and routing
instances
Juniper Networks Device
Interfaces
F.T.
F.T.
Zones
Routing Instance
Zone A
Zone B
Zone C
Zone D
Forwarding Table
Routing Instance 1
© 2012 Juniper Networks, Inc. All rights reserved.
Routing Instance 2
Worldwide Education Services
www.juniper.net | 3-8
Zone Types
Zone Types
User-defined
(can be configured)
Security
© 2012 Juniper Networks, Inc. All rights reserved.
Functional
System-defined
(cannot be configured)
Null
Worldwide Education Services
www.juniper.net | 3-9
Security Zones
 Security zones:
•A collection of one or more network segments requiring the
regulation of inbound and outbound traffic through the use
of policies
•Used to filter traffic destined for the device itself
•Used to filter transit traffic
• Intrazone and interzone transit traffic flow require security policies
•No defined default security zones
•Cannot share between routing instances
Security
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
User-defined
(can be configured)
Functional
www.juniper.net | 3-10
Functional Zones
 Functional zones are special-purpose zones
•Only one purpose for now—Management Zone
• Used for out-of-band device management
•Cannot specify in policies
•The Management Zone does not pass traffic
•Can define only one Management Zone
User-defined
(can be configured)
Security
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
Functional
www.juniper.net | 3-11
System-Defined Zones (1 of 3)
 Null Zone
•Unconfigurable
•Every interface belongs to the Null Zone by default
•When you delete an interface from a zone, it goes into the
Null zone pool
•The Junos OS rejects all traffic to and from interfaces
belonging to the Null Zone
System-defined
(cannot be configured)
Null
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-12
System-Defined Zones (2 of 3)
 Junos-host zone
•You can configure the junos-host zone in a security
policy to control self traffic, host-inbound or host-outbound
• Inbound traffic must first be allowed as host-inbound traffic on a
security zone
• Functional zone management cannot be used in a security policy
Trust
Zone
Untrust
Zone
Web Server
Internet
Junos-host Zone
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-13
System-Defined Zones (3 of 3)
 Junos-host zone configuration
•Reference the junos-host zone in the to-zone or
from-zone context of a security policy
[edit security zones]
lab@srxA-1# show
security-zone untrust {
interfaces {
ge-0/0/3.0;
ge-0/0/2.242 {
host-inbound-traffic {
system-services {
ping;
ftp;
}
}
}
}
}
© 2012 Juniper Networks, Inc. All rights reserved.
[edit security policies]
lab@srxA-1# show from-zone untrust to-zone junos-host
policy deny-ping {
match {
source-address 172.20.1.10;
destination-address any;
application junos-ping;
}
then {
deny;
}
}
policy log-ftp-user {
match {
source-address any 10.10.10.1;
destination-address any;
application junos-ftp;
}
then {
permit;
log {
session-init;
}
}
}
Worldwide Education Services
www.juniper.net | 3-14
Factory-Default Zones
 Applicable only to branch
security platforms
 Configuration template
defines two security
zones:
•trust with interface
vlan.0 belonging
to it
•untrust
Factory-Default Zones
Trust
vlan.0
Untrust
Configurable
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-15
Agenda: Zones
 The Definition of Zones
Zone Configuration
 Monitoring Security Zones
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-16
Zone Configuration Procedure
 Steps:
•Define a security or a functional zone
•Add logical interfaces to the zone
•Optionally, add services and protocols needing permission
into the device through interfaces belonging to the zone
• If you omit this step, the SRX Series device permits no traffic
destined for itself
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-17
Defining a Zone
 Zone configuration steps:
•Enter configuration mode
user@srx> configure
Entering configuration mode
[edit]
user@srx#
•Define a security zone or a functional zone:
[edit]
user@srx# set security zones security-zone zone-name
or
[edit]
user@srx# set security zones functional-zone management
•Functional zone specifics:
• You can define one type—management
• It does not have a user-defined name
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-18
Adding Logical Interfaces to a Zone
 Add logical interfaces to a zone:
•Security zone:
[edit]
user@srx# edit security zones
[edit security zones]
user@srx# set security-zone HR interfaces ge-0/0/1.0
•Functional zone:
[edit]
user@srx# edit security zones
[edit security zones]
user@srx# set functional-zone management interfaces ge-0/0/1.100
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-19
Local Host Traffic (1 of 3)
 A Junos security device does not allow traffic destined
to itself by default
•Use the host-inbound-traffic statement to allow
specific traffic destined to the device coming from a
particular zone or interface
•A Junos security device always allows all outbound traffic
sourced from itself
SRX Series Device
SSH
Telnet
© 2012 Juniper Networks, Inc. All rights reserved.
Ping
Worldwide Education Services
www.juniper.net | 3-20
Local Host Traffic (2 of 3)
 host-inbound-traffic statement choices:
• system-services: Specifies allowed services into the
device through the interfaces belonging to a zone:
• Telnet, SSH, DNS, ping, SNMP, and others
• Specify all option to allow all services on their respective ports
• Specify any-service option to allow all services and open all
ports
• protocols: Specifies allowed protocols into the device
through the interfaces belonging to a zone:
• BFD, BGP, LDP, OSPF, RIP, PIM, and others
• Specify all option to allow all protocols defined in the Junos OS
•Can use the except keyword to isolate exceptions
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-21
Local Host Traffic (3 of 3)
 Configurational hierarchy
•Can configure the statement under the entire zone stanza:
[edit security zones]
user@srx# set security-zone HR host-inbound-traffic system-services all
•Can configure the statement under an interface stanza
within a zone:
[edit security zones]
user@srx# set security-zone HR interfaces ge-0/0/1.0 host-inbound-traffic
system-services http
•Interface-level configuration overrides the zone-level
configuration
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-24
Check Your Knowledge (1 of 3)
 What does the following configuration do?
security {
zones {
security-zone HR {
host-inbound-traffic {
system-services {
telnet;
ftp;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
}
}
}
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-25
Check Your Knowledge (2 of 3)
 What does the following configuration do?
security {
zones {
security-zone HR {
host-inbound-traffic {
system-services {
telnet;
ftp;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
snmp;
}
}
}
}
}
}
}
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-26
Check Your Knowledge (3 of 3)
 What services
can enter the
device through
interfaces
ge-0/0/0.0 and
ge-0/0/1.0?
© 2012 Juniper Networks, Inc. All rights reserved.
security {
zones {
security-zone zone1 {
host-inbound-traffic {
system-services {
all;
telnet {
except;
}
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
http {
except;
}
ftp {
except;
}
}
}
}
. . .
Worldwide Education Services
www.juniper.net | 3-27
Agenda: Zones
 The Definition of Zones
 Zone Configuration and Applicability
Monitoring Security Zones
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-28
Monitoring Zones
 The show security zones command provides
information about:
•Zone types
•Zone names
•Number of interfaces bound to corresponding zones
•Interface names bound to corresponding zones
user@srx> show security zones
user@srx> show security zones
Functional zone: management
Policy configurable: No
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: HR
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Functional management zone
with one interface—ge-0/0/0.0
© 2012 Juniper Networks, Inc. All rights reserved.
Security zone HR with one
interface—ge-0/0/1.0
Worldwide Education Services
www.juniper.net | 3-29
Monitoring Traffic Permitted into Interfaces
(1 of 2)
 Additional interface-specific zone information is
available by using the show interfaces
interface-name extensive command:
user@srx> show interfaces ge-0/0/3.200 extensive
Logical interface ge-0/0/3.200 (Index 69) (SNMP ifIndex 47) (Generation 136)
Flags: SNMP-Traps VLAN-Tag [ 0x8100.200 ] Encapsulation: ENET2
Traffic statistics:
Basic zone
…
configuration details
Security: Zone: trust
Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp
nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh
telnet traceroute xnm-clear-text xnm-ssl lsping
Flow Statistics :
Flow Input statistics :
Self packets :
0
Flow input
ICMP packets :
0
statistics
VPN packets :
0
Bytes permitted by policy :
4788966
Connections established :
2
…
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-30
Monitoring Traffic Permitted into Interfaces
(2 of 2)
Flow output
statistics
Flow Output statistics:
Multicast packets :
0
Bytes permitted by policy :
0
Flow error statistics (Packets dropped due to):
Address spoofing:
0
Authentication failed:
0
Incoming NAT errors:
0
Invalid zone received packet:
0
Multiple user authentications:
0
Multiple incoming NAT:
0
No parent for a gate:
0
No one interested in self packets: 0
No minor session:
0
No more sessions:
0
No NAT gate:
0
No route present:
0
No SA for incoming SPI:
0
No tunnel found:
0
No session for a gate:
0
No zone or NULL zone binding
0
Policy denied:
0
Security association not active:
0
TCP sequence number out of window: 0
Syn-attack protection:
0
User authentication errors:
0
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
Flow error
statistics
www.juniper.net | 3-31
Summary
 In this chapter, we:
•Described zones and their purpose
•Defined types of zones
•Explained the application of zones
•Described zone configuration
•Described zone monitoring
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-32
Review Questions
1. What is the purpose of a zone?
2. What zone types exist in Junos security devices?
Describe the applicability of each zone type.
3. What steps are necessary to configure a zone?
4. How can you specify the types of traffic to be allowed
into a Junos security device?
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-33
Lab 1: Configuring and Monitoring Zones
 Perform initial setup and tasks normally associated
with zone configuration and monitoring.
© 2012 Juniper Networks, Inc. All rights reserved.
Worldwide Education Services
www.juniper.net | 3-34
Worldwide Education Services