Junos Security
Transcription
Junos Security
Chapter 3: Zones
© 2012 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services

3-2 Chapter Objectives
After successfully completing this chapter, you will be able to:
•Describe a zone and its purpose
•Define types of zones
•Explain the application of zones
•Configure zones
•Monitor zones

3-3 Agenda: Zones
The Definition of Zones
Zone Configuration
Monitoring Security Zones

3-4 What Is a Zone?
A zone is a collection of one or more network segments sharing identical security requirements.
Security policies control transit traffic between zones.
•Null zone:
 • Default zone
 • Drops all traffic
•Interfaces can pass and accept traffic only if assigned to non-Null zones
 • Exception for special interfaces like fxp0

3-5 Review: Packet Flow
[Diagram: Junos flow-based forwarding. An ingress packet first passes the packet-based stage (per-packet filters, per-packet policer, per-packet shaper) and then enters the session-based flow module. If no session matches, the packet takes the first path: screens, destination NAT, route lookup, zone determination, policy lookup, source NAT, services/ALG, and a session is created. If a session matches, it takes the fast path: screens, TCP options, NAT, services, ALG. The packet then leaves as the egress packet. Zones, the focus of this chapter, are determined in the first path before the policy lookup.]

3-6 Hierarchical Dependencies (1 of 2)
A strict hierarchical linkage exists between zones and interfaces:
•You assign logical interfaces to a zone
•You cannot assign a logical interface to multiple zones
•You can also assign logical interfaces to a routing instance
•You cannot assign a logical interface to multiple routing instances
•All zone logical interfaces must belong to the same routing instance
3-8 Hierarchical Dependencies (2 of 2)
Relationship between interfaces, zones, and routing instances
[Diagram: on a Juniper Networks device, logical interfaces are grouped into zones (Zone A, Zone B, Zone C, Zone D); each zone belongs to exactly one routing instance (Routing Instance 1 or Routing Instance 2), and each routing instance has its own forwarding table (F.T.).]

3-9 Zone Types
•User-defined (can be configured):
 • Security
 • Functional
•System-defined (cannot be configured):
 • Null

3-10 Security Zones
Security zones:
•A collection of one or more network segments requiring the regulation of inbound and outbound traffic through the use of policies
•Used to filter traffic destined for the device itself (host-inbound traffic)
•Used to filter transit traffic
 • Intrazone and interzone transit traffic flows require security policies
•No defined default security zones
•Cannot be shared between routing instances

3-11 Functional Zones
Functional zones are special-purpose zones:
•Only one purpose for now: the Management Zone
 • Used for out-of-band device management
•Cannot be specified in policies
•The Management Zone does not pass transit traffic
•You can define only one Management Zone

3-12 System-Defined Zones (1 of 3)
Null Zone:
•Unconfigurable
•Every interface belongs to the Null Zone by default
•When you delete an interface from a zone, it returns to the Null Zone pool
•The Junos OS rejects all traffic to and from interfaces belonging to the Null Zone
3-13 System-Defined Zones (2 of 3)
Junos-host zone:
•You can reference the junos-host zone in a security policy to control self traffic, host-inbound or host-outbound
 • Inbound traffic must first be allowed as host-inbound traffic on a security zone; the policy to junos-host is evaluated after that
 • The functional zone management cannot be used in a security policy
[Diagram: a Web Server in the Trust Zone, the Internet in the Untrust Zone, and the device's own traffic represented by the Junos-host Zone.]

3-14 System-Defined Zones (3 of 3)
Junos-host zone configuration:
•Reference the junos-host zone in the to-zone or from-zone context of a security policy

    [edit security zones]
    lab@srxA-1# show
    security-zone untrust {
        interfaces {
            ge-0/0/3.0;
            ge-0/0/2.242 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ftp;
                    }
                }
            }
        }
    }

    [edit security policies]
    lab@srxA-1# show
    from-zone untrust to-zone junos-host {
        policy deny-ping {
            match {
                source-address 172.20.1.10;
                destination-address any;
                application junos-ping;
            }
            then {
                deny;
            }
        }
        policy log-ftp-user {
            match {
                source-address 10.10.10.1;
                destination-address any;
                application junos-ftp;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }

In this example, host-inbound-traffic admits ping and FTP only on ge-0/0/2.242; the junos-host policies then refine what is admitted by denying ping from 172.20.1.10 and logging FTP sessions from 10.10.10.1.

3-15 Factory-Default Zones
Applicable only to branch security platforms. The configuration template defines two security zones:
•trust, with interface vlan.0 belonging to it
•untrust
[Diagram: Factory-Default Zones: Trust (vlan.0) and Untrust, both configurable.]

3-16 Agenda: Zones
The Definition of Zones
Zone Configuration
Monitoring Security Zones
3-17 Zone Configuration Procedure
Steps:
•Define a security or a functional zone
•Add logical interfaces to the zone
•Optionally, add the services and protocols that need permission into the device through interfaces belonging to the zone
 • If you omit this step, the SRX Series device permits no traffic destined for itself

3-18 Defining a Zone
Zone configuration steps:
•Enter configuration mode:

    user@srx> configure
    Entering configuration mode
    [edit]
    user@srx#

•Define a security zone or a functional zone:

    [edit]
    user@srx# set security zones security-zone zone-name

  or

    [edit]
    user@srx# set security zones functional-zone management

•Functional zone specifics:
 • You can define one type: management
 • It does not have a user-defined name

3-19 Adding Logical Interfaces to a Zone
Add logical interfaces to a zone:
•Security zone:

    [edit]
    user@srx# edit security zones
    [edit security zones]
    user@srx# set security-zone HR interfaces ge-0/0/1.0

•Functional zone:

    [edit]
    user@srx# edit security zones
    [edit security zones]
    user@srx# set functional-zone management interfaces ge-0/0/1.100

3-20 Local Host Traffic (1 of 3)
A Junos security device does not allow traffic destined to itself by default.
•Use the host-inbound-traffic statement to allow specific traffic destined to the device coming from a particular zone or interface
•By default, a Junos security device allows all outbound traffic sourced from itself (host-outbound traffic can be restricted with a policy from the junos-host zone, see System-Defined Zones (2 of 3))
[Diagram: SSH, Telnet, and ping traffic destined to the SRX Series device itself.]
3-21 Local Host Traffic (2 of 3)
host-inbound-traffic statement choices:
•system-services: Specifies the services allowed into the device through the interfaces belonging to a zone:
 • Telnet, SSH, DNS, ping, SNMP, and others
 • Specify the all option to allow all services on their respective ports
 • Specify the any-service option to allow all services and open all ports
•protocols: Specifies the routing and control protocols allowed into the device through the interfaces belonging to a zone:
 • BFD, BGP, LDP, OSPF, RIP, PIM, and others
 • Specify the all option to allow all protocols defined in the Junos OS
•Use the except keyword (together with all) to exclude individual services or protocols

3-24 Local Host Traffic (3 of 3)
Configuration hierarchy:
•You can configure the statement under the entire zone stanza:

    [edit security zones]
    user@srx# set security-zone HR host-inbound-traffic system-services all

•You can configure the statement under an interface stanza within a zone:

    [edit security zones]
    user@srx# set security-zone HR interfaces ge-0/0/1.0 host-inbound-traffic system-services http

•An interface-level statement overrides the zone-level statement for that interface: it replaces the zone-level list rather than merging with it. With the two commands above, ge-0/0/1.0 accepts only HTTP, while the other interfaces in HR accept all services.

3-25 Check Your Knowledge (1 of 3)
What does the following configuration do?

    security {
        zones {
            security-zone HR {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ftp;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0;
                }
            }
        }
    }

3-26 Check Your Knowledge (2 of 3)
What does the following configuration do?

    security {
        zones {
            security-zone HR {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ftp;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                snmp;
                            }
                        }
                    }
                }
            }
        }
    }
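The override rule from Local Host Traffic (3 of 3) and the exercises above can be checked mechanically. The following Python script is an added example and is not part of the Juniper course material: it parses zone configuration in Junos display format (as show prints it at [edit security zones]) and applies the chapter's three rules (nothing is accepted without a host-inbound-traffic statement; an interface-level statement replaces the zone-level one; all plus except excludes the named services) to report the effective system-services per interface. SAMPLE_CONFIG is a constructed configuration, not output from a real device, and the parser handles only the statement shapes shown in this chapter (system-services; protocols are not evaluated).

```python
"""Resolve which host-inbound system-services each interface in a Junos security zone
accepts, applying the chapter's rules: nothing is accepted unless host-inbound-traffic
says so; an interface-level statement replaces (does not merge with) the zone-level one;
and 'all' with 'name { except; }' admits every service except the named ones."""
from typing import Dict, FrozenSet, Optional, Tuple

# (allow_all, names): names are the exceptions when allow_all is True, else the permitted set.
Services = Tuple[bool, FrozenSet[str]]

# Constructed sample, as 'show' would display it at [edit security zones]; not from a real device.
SAMPLE_CONFIG = """\
security-zone zone1 {
    host-inbound-traffic {
        system-services {
            all;
            telnet {
                except;
            }
        }
    }
    interfaces {
        ge-0/0/0.0;
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    all;
                    http {
                        except;
                    }
                    ftp {
                        except;
                    }
                }
            }
        }
    }
}
security-zone dmz {
    interfaces {
        ge-0/0/3.0;
    }
}
"""

def parse_junos(text: str) -> dict:
    """Parse Junos curly-brace display output into nested dicts (leaf statements map to {})."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = {}
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root

def _system_services(node: dict) -> Optional[Services]:
    """Read the system-services list under a zone or interface node; None if absent."""
    svcs = node.get("host-inbound-traffic", {}).get("system-services")
    if svcs is None:
        return None
    # any-service is treated like all here; on the device it additionally opens all ports.
    allow_all = "all" in svcs or "any-service" in svcs
    names = {n for n in svcs if n not in ("all", "any-service")}
    excepted = {n for n in names if "except" in svcs[n]}
    if excepted and not allow_all:
        raise ValueError("except is only meaningful together with all")
    return (True, frozenset(excepted)) if allow_all else (False, frozenset(names))

def effective_services(zones_text: str, zone: str) -> Dict[str, Services]:
    """Return, per interface in `zone`, the services the device itself accepts on it."""
    zone_node = parse_junos(zones_text)[f"security-zone {zone}"]
    zone_level = _system_services(zone_node)
    result: Dict[str, Services] = {}
    for ifname, ifnode in zone_node.get("interfaces", {}).items():
        if_level = _system_services(ifnode)
        chosen = if_level if if_level is not None else zone_level  # interface level wins outright
        result[ifname] = chosen if chosen is not None else (False, frozenset())  # default: nothing
    return result

def describe(services: Services) -> str:
    allow_all, names = services
    listed = ", ".join(sorted(names))
    return ("all" + (f" except {listed}" if names else "")) if allow_all else (listed or "none")

if __name__ == "__main__":
    for zone in ("zone1", "dmz"):
        for ifname, svc in effective_services(SAMPLE_CONFIG, zone).items():
            print(f"{zone:6} {ifname:12} {describe(svc)}")
```

Running it reports ge-0/0/0.0 as all except telnet, ge-0/0/1.0 as all except ftp, http (telnet is admitted again there, because the interface-level list replaces the zone-level one instead of adding to it), and ge-0/0/3.0 in dmz as none. On a device, the same effective list appears in the Allowed host-inbound traffic line of show interfaces interface-name extensive, which is the place to confirm the result after a commit.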
3-27 Check Your Knowledge (3 of 3)
What services can enter the device through interfaces ge-0/0/0.0 and ge-0/0/1.0?

    security {
        zones {
            security-zone zone1 {
                host-inbound-traffic {
                    system-services {
                        all;
                        telnet {
                            except;
                        }
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                http {
                                    except;
                                }
                                ftp {
                                    except;
                                }
                            }
                        }
                    }
    . . .

3-28 Agenda: Zones
The Definition of Zones
Zone Configuration
Monitoring Security Zones

3-29 Monitoring Zones
The show security zones command provides information about:
•Zone types
•Zone names
•Number of interfaces bound to corresponding zones
•Interface names bound to corresponding zones

    user@srx> show security zones
    Functional zone: management
      Policy configurable: No
      Interfaces bound: 1
      Interfaces:
        ge-0/0/0.0
    Security zone: HR
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes
      Interfaces bound: 1
      Interfaces:
        ge-0/0/1.0

Functional management zone with one interface: ge-0/0/0.0
Security zone HR with one interface: ge-0/0/1.0

3-30 Monitoring Traffic Permitted into Interfaces (1 of 2)
Additional interface-specific zone information is available with the show interfaces interface-name extensive command:

    user@srx> show interfaces ge-0/0/3.200 extensive
      Logical interface ge-0/0/3.200 (Index 69) (SNMP ifIndex 47) (Generation 136)
        Flags: SNMP-Traps VLAN-Tag [ 0x8100.200 ]  Encapsulation: ENET2
        Traffic statistics:
        ...
        Security: Zone: trust
        Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm
        pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
        netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
        lsping
        Flow Statistics :
        Flow Input statistics :
          Self packets :                     0
          ICMP packets :                     0
          VPN packets :                      0
          Bytes permitted by policy :        4788966
          Connections established :          2
        ...

The Security: Zone line shows the zone binding, and the Allowed host-inbound traffic line shows the effective result of the zone-level and interface-level host-inbound-traffic statements for this interface.

3-31 Monitoring Traffic Permitted into Interfaces (2 of 2)

        Flow Output statistics:
          Multicast packets :                0
          Bytes permitted by policy :        0
        Flow error statistics (Packets dropped due to):
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0
          No minor session:                  0
          No more sessions:                  0
          No NAT gate:                       0
          No route present:                  0
          No SA for incoming SPI:            0
          No tunnel found:                   0
          No session for a gate:             0
          No zone or NULL zone binding:      0
          Policy denied:                     0
          Security association not active:   0
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0

When traffic to the device itself is unexpectedly dropped, the counters to watch are No zone or NULL zone binding (the interface is not assigned to a zone) and No one interested in self packets (the service is not permitted by host-inbound-traffic on that zone or interface).
3-32 Summary
In this chapter, we:
•Described zones and their purpose
•Defined types of zones
•Explained the application of zones
•Described zone configuration
•Described zone monitoring

3-33 Review Questions
1. What is the purpose of a zone?
2. What zone types exist in Junos security devices? Describe the applicability of each zone type.
3. What steps are necessary to configure a zone?
4. How can you specify the types of traffic to be allowed into a Junos security device?

3-34 Lab 1: Configuring and Monitoring Zones
Perform initial setup and tasks normally associated with zone configuration and monitoring.