SRX Services Gateway
Trusted Contributor
mawr
Posts: 236
Registered: 06-11-2010

How do you protect management interfaces on JUNOS-ES devices?


Greetings,


Today it occurred to me that applying a firewall filter to protect management interfaces seems unnecessary considering the slew of options JUNOS-ES provides with zones and screens. What are your thoughts? Do you use these types of filters on your JUNOS-ES devices? And also, do you assign your lo0 interface to a security zone?


Below is what I'm using in addition to some commentary.


/* could be replaced with ip block-frag and icmp fragment screens */
term tcp-fragment-protection {
    from {
        fragment-offset 1-5;
    }
    then {
        discard;
    }
}
/* syn flooding could be handled by tcp syn-flood screens, but there is no way I'm aware of to handle fin and rst rate limiting. I've heard that implicit rate limiting exists between the control and forwarding planes, although I haven't been able to find the parameters. */
term tcp-denial-of-service-protection {
    from {
        protocol tcp;
        tcp-flags "(syn & !ack) | fin | rst";
    }
    then {
        policer routing-engine-tcp-policer;
        syslog;
        accept;
    }
}
/* could be handled by icmp flood screens */
term icmp-denial-of-service-protection {
    from {
        protocol icmp;
        icmp-type [ echo-request echo-reply unreachable time-exceeded ];
    }
    then {
        policer routing-engine-icmp-policer;
        syslog;
        accept;
    }
}
/* would be unnecessary */
term allow-surf-control-traffic {
    from {
        protocol udp;
        source-port 9020;
        interface fe-0/0/0.0;
    }
    then accept;
}
/* would be unnecessary */
term allow-ntp-traffic {
    from {
        source-address {
            129.6.15.28/32;
            192.43.244.18/32;
        }
        protocol udp;
        source-port ntp;
    }
    then accept;
}
/* could be replaced by host-inbound-traffic system-services snmp and community client restrictions */
term allow-snmp-traffic {
    from {
        source-address {
            192.168.1.10/32;
        }
        protocol udp;
        destination-port 161;
    }
    then accept;
}
/* would be unnecessary */
term allow-dns-traffic {
    from {
        source-address {
            208.67.222.222/32;
            208.67.220.220/32;
        }
        protocol [ tcp udp ];
        source-port domain;
    }
    then accept;
}
/* could be replaced by host-inbound-traffic system-services dhcp */
term allow-dhcp-traffic {
    from {
        protocol udp;
        destination-port dhcp;
        interface fe-0/0/1.0;
    }
    then accept;
}
/* could be replaced by host-inbound-traffic system-services https and ssh and perimeter interface firewall filters where restrictions are necessary */
term allow-management-traffic {
    from {
        source-address {
            /* Trust Network */
            192.168.1.0/24;
        }
        source-prefix-list {
            wan-management-ips;
        }
        protocol tcp;
        source-port 1024-65535;
        destination-port [ ssh https ];
    }
    then accept;
}
/* would be unnecessary */
term discard-remaining-traffic {
    then {
        log;
        syslog;
        discard;
    }
}
policer routing-engine-tcp-policer {
    filter-specific;
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 15k;
    }
    then discard;
}
policer routing-engine-icmp-policer {
    filter-specific;
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 15k;
    }
    then discard;
}


Thanks,


mawr
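The zone, screen and SNMP statements that the comments in the filter above say could replace each term, written out as an added illustration (not configuration from the original post). The zone names, the screen name, the community name, the thresholds and the mapping of fe-0/0/0.0 to the WAN zone and fe-0/0/1.0 to the LAN zone are assumptions.

```junos
security {
    screen {
        ids-option untrust-screen {
            icmp {
                fragment;              /* with block-frag, replaces term tcp-fragment-protection */
                flood threshold 1000;  /* replaces term icmp-denial-of-service-protection */
            }
            ip {
                block-frag;
            }
            tcp {
                syn-flood {            /* covers only the syn part of the tcp term */
                    attack-threshold 200;
                    timeout 20;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;     /* no host-inbound-traffic: nothing reaches the RE */
            interfaces {
                fe-0/0/0.0;            /* assumed WAN side */
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ssh;               /* replaces term allow-management-traffic */
                    https;
                    snmp;              /* replaces term allow-snmp-traffic, together with */
                    dhcp;              /* replaces term allow-dhcp-traffic */
                }
            }
            interfaces {
                fe-0/0/1.0;            /* assumed LAN side, as in the dhcp term */
            }
        }
    }
}
snmp {
    community monitoring {
        authorization read-only;
        clients {
            192.168.1.10/32;           /* the client restriction for the snmp service above */
            0.0.0.0/0 restrict;
        }
    }
}
```

The screens detect floods per zone, but nothing here rate-limits FIN or RST segments to the routing engine the way the tcp policer term does, so that term has no zone-level equivalent.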

Trusted Contributor
bufo333
Posts: 52
Registered: 12-22-2009

Re: How do you protect management interfaces on JUNOS-ES devices?

I use almost the exact same routing engine protection policy on my M and J series loopbacks. I would say that while you are correct that most of that could be deleted, I think the ability to police traffic flooding to the routing engine is important.

John Burns
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.