Tuesday, January 15, 2013

Chapter 2 - Zones

Ok, this is difficult to explain.

First, a firewall can be divided into "virtual" firewalls.
You do this by creating a NEW routing instance.
The routing instance will have:
  • Routing tables
  • Interfaces that belong to these routing tables
  • Routing option configurations
This is an SRX.
We will divide the interfaces into two routing instances.

Now we have TWO firewalls.
To create this on the SRX we write the following:

set routing-instances INSTANCE1                               # INSTANCE1 is the name of the routing instance
set routing-instances INSTANCE1 instance-type virtual-router  # this sets its type

A virtual-router has:
  • Routing tables
  • Interfaces that belong to it
  • Routing protocol options

So we created a routing instance called INSTANCE1.
Now we can allocate the interfaces to it.

set routing-instances INSTANCE1 interface ge-0/0/0
set routing-instances INSTANCE1 interface ge-0/0/1
set routing-instances INSTANCE1 interface ge-0/0/2
and so on.
We basically gave it a name, set the type and added some interfaces.


Ok, now just to show you that this virtual router can have its own protocol settings, we can set up OSPF on it:
set routing-instances INSTANCE1 protocols ospf area 0.0.0.0 interface ge-0/0/0

There, we created an OSPF instance for it and added an interface.

That sums up the routing instance for now.

So, we have TWO firewalls.
Now we can set up zones in each firewall.
(A zone can only belong to ONE routing instance.)


Okay, I made up some fake zones.
In routing instance INSTANCE1 we have:
Internet   ge-0/0/1
HR         ge-0/0/0
Sales      ge-0/0/3
Sales      ge-0/0/4

Now in routing instance INSTANCE2 we have:
Cloud Datacenter   ge-0/0/6
Company Email      ge-0/0/7

So now you can see: some zones are in routing instance INSTANCE1,
the other ones are in INSTANCE2.

Also you can see that zone Sales has 2 interfaces:
ge-0/0/3
ge-0/0/4

OK, so to sum this part up:
A zone can only be in ONE routing instance.
A logical interface can only be in ONE zone.


This is another way of viewing this.
This is the Juniper example from the PDF.
Remember: an interface can only be in one zone,
and a zone can only be in one routing instance.
Each routing instance can have its own forwarding table, routing table, routing options etc.

Okay, back to the Zones.
Let's set up our first zone.
SRX#set security zones security-zone HR interfaces ge-0/0/0             

So we set up a zone, called it "HR" and added the interface ge-0/0/0.

Second one.
SRX#set security zones security-zone Internet interfaces ge-0/0/1

SRX#set security zones security-zone Sales interfaces ge-0/0/3
SRX#set security zones security-zone Sales interfaces ge-0/0/4

So HR, Sales and Internet are set up.
All of the above are security zones. We use them to set up the security policy for traffic.
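The two rules above (an interface belongs to one zone, a zone belongs to one routing instance) can be checked against a set-style config before you commit. This is an added example and not part of the original post; SAMPLE_CONFIG is constructed and deliberately breaks both rules.

```python
# Added example (not from the original post): check the two rules above
# against set-style Junos config: a logical interface may sit in only ONE
# security zone, and all interfaces of a zone must belong to ONE routing
# instance. SAMPLE_CONFIG is constructed and deliberately breaks both rules.
import re
from collections import defaultdict

SAMPLE_CONFIG = """
set routing-instances INSTANCE1 instance-type virtual-router
set routing-instances INSTANCE1 interface ge-0/0/0.0
set routing-instances INSTANCE1 interface ge-0/0/3.0
set routing-instances INSTANCE2 instance-type virtual-router
set routing-instances INSTANCE2 interface ge-0/0/4.0
set routing-instances INSTANCE2 interface ge-0/0/6.0
set security zones security-zone HR interfaces ge-0/0/0
set security zones security-zone Sales interfaces ge-0/0/3
set security zones security-zone Sales interfaces ge-0/0/4
set security zones security-zone Cloud interfaces ge-0/0/6
set security zones security-zone Email interfaces ge-0/0/6
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")

def logical(ifname):
    """Junos binds the logical unit; 'ge-0/0/0' in a zone means 'ge-0/0/0.0'."""
    return ifname if "." in ifname else ifname + ".0"

def parse(config):
    zones = defaultdict(set)   # zone -> logical interfaces
    instances = {}             # logical interface -> routing instance
    for line in config.strip().splitlines():
        if m := ZONE_RE.match(line.strip()):
            zones[m.group(1)].add(logical(m.group(2)))
        elif m := RI_RE.match(line.strip()):
            instances[logical(m.group(2))] = m.group(1)
    return zones, instances

def check(config):
    """Return rule violations as strings; an empty list means the config is OK."""
    zones, instances = parse(config)
    problems, owner = [], {}
    for zone, ifaces in zones.items():
        for ifc in sorted(ifaces):
            if ifc in owner and owner[ifc] != zone:
                problems.append(f"{ifc} is in two zones: {owner[ifc]} and {zone}")
            owner[ifc] = zone
        ris = sorted({instances.get(i, "default") for i in ifaces})
        if len(ris) > 1:
            problems.append(f"zone {zone} spans routing instances {ris}")
    return problems
```

Interfaces not assigned to any routing instance are treated as living in the default instance.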

There are two other types of zones.
System zone - the only zone here is NULL. All interfaces start out in NULL,
and NULL drops all traffic.
Functional zone - this zone is only for the management interfaces; it cannot route anything. Its name is easy: it is called management.
You can only add more interfaces to it; there is no policy to configure on it.

lab@srxB-1# show security zones
functional-zone management {
    interfaces {
        ge-0/0/2.0;                    # in this case I added ge-0/0/2
    }
}

In a bigger SRX the management interface will belong to it.

So let's sum it up:
  • Many security zones
  • One functional zone - called management
  • One system zone - called NULL, which is basically a black hole where all traffic gets dropped


Ok, this is important.
Remember we have high-end SRX and "branch" SRX.
On a high-end SRX everything starts out in the NULL zone. So all the interfaces are in NULL, and no traffic can pass at all, because it is all in the NULL black hole. You need to explicitly allow traffic.

The branch SRX was made for an easier deployment, so in the factory-default configuration
you have two zones:
Trust - which is the LAN
Untrust - which will be the WAN
In order to return a branch SRX to factory default, type:
# load factory-default                                        # this loads the factory-default configuration
# set system root-authentication plain-text-password          # this sets up the root password

Technically, I don't like factory mode at all.
I prefer to delete all when playing with the SRX.
However, the exams ask about this.


Purchasing an SRX for the labs.
Go on eBay.
SRX100B is the base model. It is cheap, but it does not run UTM, which you will need later.
SRX100H is the "high" model, with more memory. It is more expensive and will run UTM.
Don't bother with the 200 or 550, 650 etc. They all use the same JUNOS language.
You will also need some devices for the LAN and the WAN.
I suggest some cheap Ciscos. I used a Cisco 1841; it has an FE port and does routing.
The last thing is a terminal server.
A terminal server allows you to console into many devices. You can get a Cisco one or a 3rd party one.
I simply bought a serial port PCI card and stuck it in the back of an old PC.
To each connector you connect a console cable. Not pretty, but "cheap".

Juniper has a lab, however it is for partners only.
https://virtuallabs.juniper.net
The labs on it are terribly scripted and I did not learn a thing on them.
However you can type the commands on them.

If you want to purchase the full thing simply contact www.myriadsupply.com
and buy yourself some Juniper SRX with proper support.
The cost can be offset by leaving your job and getting a raise.

This is the lab of Scott Morris.
I am sure he is paid a bit more than me.... :(



Alright, back to zones.
We have a routing instance. On it we have a zone. The zone has X interfaces.

The last thing we set up on a zone is WHAT traffic can hit the SRX itself through the zone and its interfaces.
So logically break it up in your head:
There is traffic that flows from-zone to-zone. This is controlled by a policy.
And there is traffic that flows to the zone and its interfaces, i.e. to the SRX itself.

For example:
If I want to telnet to the SRX, I am sending traffic through the zone, using an interface, to the SRX.
If I want to telnet to a server on the LAN, my traffic flows from-zone INTERNET to-zone LAN.

Ok, so anything that hits the SRX where the target of the traffic is the SRX itself is controlled in the zone.
The way you do this is:

SRX#set security zones security-zone Sales host-inbound-traffic
Yes, it says it in plain English: host-inbound traffic.
You can set it up for the whole zone "Sales",
or per interface. This is an example per interface:
SRX#set security zones security-zone Sales interfaces ge-0/0/4 host-inbound-traffic
See, "interfaces".

Now you have two options for the type of traffic you want to allow to go directly to the SRX:
system-services     # these will be things like telnet, http, ping (icmp)
protocols           # these will be routing protocols like OSPF, BGP, RIP

So if you want to be able to ping the device or have routing protocols reach the device,
you need to think of setting the "host-inbound-traffic".
Set it up on a zone
or on an interface (the interface setting has priority over the zone setting).

Alright,
how to check your zones.
First, in configure mode:
lab@srxB-1# show security zones
functional-zone management {
    interfaces {
        ge-0/0/2.0;
    }
}
security-zone HR {
    interfaces {
        ge-0/0/0.0;
    }
}



Almost all Juniper commands have an equivalent in operational mode.
Operational mode is the > mode,
before you type "configure" to reach the # mode.
So, in operational mode:
> show security zone
Functional zone: management
  Policy configurable: No  
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0

Security zone: HR
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 0
  Interfaces:

Ok,
we have some zones.
Let's have a look.
Functional zone: management      # we already talked about this zone, it is used for the management ports
  Policy configurable: No        # you can't configure any policy on it, as it does not route
  Interfaces bound: 1            # I added 1 interface, ge-0/0/2, so it shows 1
  Interfaces:                    # here it actually lists the interfaces that are bound

Ok.
Second zone.
Security zone: HR                # remember, there can be many security zones; this is one example
  Send reset for non-SYN session TCP packets: Off   # the first TCP packet that is NOT already in a
                                                    # session needs to have SYN set;
                                                    # if it does not have SYN, the SRX resets the connection
  Interfaces bound: 1            # by now you got this, right?


So, if we look back at the TCP packet.

We have the SYN.
The way TCP starts is:
A sends SYN        to B
B sends SYN, ACK   to A
A sends ACK        to B
and then the data will flow.

The Juniper zones can protect themselves against DDoS attacks by doing the following:
A. Check if I have a session. Remember the flow session? If I have a session, then use the session.
B. If I do not have a session, I need to create a new one. So if the SYN flag is set, I will create
a new one. If SYN is not set, that is fishy, so DROP it.
The way Juniper writes this is:
"... receives a non-SYN TCP segment that does not belong to an existing session, it drops the packet and sends the source host a TCP RST"
So basically the Juniper SRX assumes there is something bad and says: HOLD ON, start again from the beginning.

By default this is disabled. If you use HA, it is good that it is disabled.
Juniper recommends enabling it.
To enable it run:
lab@srxB-1# set security zones security-zone HR tcp-rst
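Because the operational "show security zones" output above tells you per zone whether the non-SYN reset is on, it is easy to audit a box for zones where tcp-rst was never enabled. This is an added example, not from the original post; SAMPLE_OUTPUT is constructed from the listing format above (the Sales zone is assumed to already have tcp-rst enabled), and the audit skips junos-host because that built-in zone represents the device itself rather than a user zone.

```python
# Added example (not from the original post): parse the operational
# "show security zones" listing shown above and report security zones where
# "Send reset for non-SYN session TCP packets" is still Off.
# SAMPLE_OUTPUT is constructed; Sales is assumed to have tcp-rst enabled.
import re

SAMPLE_OUTPUT = """\
Security zone: HR
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: Sales
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/3.0
    ge-0/0/4.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
"""

HEADER_RE = re.compile(r"^(Functional|Security) zone: (\S+)$")

def parse_zones(text):
    """Map zone name -> {"type", "tcp_rst", "interfaces"} from show output."""
    zones, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            cur = zones[m.group(2)] = {"type": m.group(1).lower(), "tcp_rst": None, "interfaces": []}
        elif cur and line.startswith("Send reset for non-SYN"):
            cur["tcp_rst"] = line.endswith(": On")   # "Off" -> False, "On" -> True
        elif cur and raw.startswith("    ") and line and ":" not in line:  # bound interface
            cur["interfaces"].append(line)
    return zones

def audit(text):
    """User security zones still running with tcp-rst off (junos-host is the device itself, skipped)."""
    return [f"{n}: tcp-rst off, enable with 'set security zones security-zone {n} tcp-rst'"
            for n, z in parse_zones(text).items()
            if z["type"] == "security" and n != "junos-host" and z["tcp_rst"] is False]
```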


Ok.
What else can we look at?
lab@srxB-1> show interfaces ge-0/0/2 extensive
Security: Zone: HR
    Allowed host-inbound traffic : bfd bgp dvmrp igmp ldp msdp nhrp ospf ospf3
    pgm pim rip ripng router-discovery rsvp sap vrrp

I guess with extensive you can check what is allowed directly.

You can also look at FLOW statistics.
Flow Statistics :  
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0


Fun fun.

So let's recap.
set security zones security-zone NAME interfaces xx-0/0/x host-inbound-traffic
              followed by protocols or system-services.

Then to see the results:
show security zone NAME
and show interface xx-0/0/x extensive.

Voila.
Those are ZONES.


Some questions.
What is the purpose of a zone?
A zone is a collection of logical interfaces sharing the same security requirements.
So if I want the same security rules on ge-0/0/3 and ge-0/0/4, then I will put them in one zone.

What zone types do you have?
User defined - security or functional (management)
System defined - NULL, the black hole of firewalls.

What are the steps for configuring a zone?
Pick a name. Then just go: set security zones security-zone NAME
Then add interfaces and set up the SRX-bound (host-inbound) traffic.

How do you specify the traffic allowed to the device?
set security zones security-zone NAME host-inbound-traffic
Set up the host-inbound traffic with protocols or system-services.

C U.
