SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Locking Down SRX Management - Best practise

    Posted 06-24-2010 11:41

    Hi All,

    Does anyone know of a good doc or example which shows how to properly lock down management access to an SRX device?

    I am fairly good with Junos and know that in the J/M series you can apply filters on loopback 0 to filter telnet and ssh access, but now with the SRX it seems a bit different since we can lock down by interface with host-inbound services.

    If anyone knows the best-practise approach to this it would be great!

    Thanks



  • 2.  RE: Locking Down SRX Management - Best practise
    Best Answer

    Posted 06-24-2010 19:14

    Reading the information on configuring stateless firewall filters in the documentation would be a good idea.  All of the examples deal with constructing a policy to protect the routing engine.  My configuration below largely mimics what can be found there.


    firewall {
        family inet {
            filter routing-engine-incoming-policy {
                term tcp-fragment-protection {
                    from {
                        fragment-offset 1-5;
                    }
                    then {
                        discard;
                    }
                }
                term tcp-denial-of-service-protection {
                    from {
                        protocol tcp;
                        tcp-flags "(syn & !ack) | fin | rst";
                    }
                    then {
                        policer routing-engine-tcp-policer;
                        accept;
                    }
                }
                term icmp-denial-of-service-protection {
                    from {
                        protocol icmp;
                        icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                    }
                    then {
                        policer routing-engine-icmp-policer;
                        count icmp-counter;
                        accept;
                    }
                }
                term allow-ntp-traffic {
                    from {
                        source-address {
                            129.6.15.28/32;
                        }
                        protocol udp;
                        source-port ntp;
                        destination-port [ ntp 1024-65535 ];
                    }
                    then accept;
                }
                term allow-dns-traffic {
                    from {
                        source-address {
                            208.67.222.222/32;
                            208.67.220.220/32;
                        }
                        protocol [ tcp udp ];
                        source-port domain;
                        destination-port [ domain 1024-65535 ];
                    }
                    then accept;
                }
                term allow-internal-dhcp-traffic {
                    from {
                        protocol udp;
                        destination-port dhcp;
                        interface vlan.0;
                    }
                    then accept;
                }
                term allow-management-traffic {
                    from {
                        source-address {
                            xxx.xxx.xxx.xxx/24;
                            xxx.xxx.xxx.xxx/32;
                            xxx.xxx.xxx.xxx/32;
                        }
                        protocol tcp;
                        source-port 1024-65535;
                        destination-port [ ssh https ];
                    }
                    then accept;
                }
                term discard-remaining-traffic {
                    then {
                        syslog;
                        discard;
                    }
                }
            }
        }
        policer routing-engine-tcp-policer {
            filter-specific;
            if-exceeding {
                bandwidth-limit 500k;
                burst-size-limit 15k;
            }
            then discard;
        }
        policer routing-engine-icmp-policer {
            filter-specific;
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 15k;
            }
            then discard;
        }
    }


  • 3.  RE: Locking Down SRX Management - Best practise

    Posted 06-25-2010 05:43

    If you choose this approach, don't you then need to add a permit policy for each routing protocol the firewall/router will use?


  • 4.  RE: Locking Down SRX Management - Best practise

    Posted 06-25-2010 06:15

    Yes, you would.  There is an example for BGP here.
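As an added example (not the document this reply links to, and not any poster's own configuration): the extra terms you would add to the filter from reply 2 for BGP and OSPF, and the apply statement that actually attaches that filter to lo0, which the reply 2 configuration leaves out. The peer addresses 192.0.2.0/24 and 198.51.100.0/24 are placeholders from the documentation ranges; the `#` lines are explanatory and not part of the Junos set syntax.

```junos
# BGP runs over TCP/179. Either side may open the session, so match 'port'
# (source OR destination) rather than destination-port alone, and restrict
# the match to the configured peers.
set firewall family inet filter routing-engine-incoming-policy term allow-bgp-traffic from source-address 192.0.2.1/32
set firewall family inet filter routing-engine-incoming-policy term allow-bgp-traffic from source-address 192.0.2.2/32
set firewall family inet filter routing-engine-incoming-policy term allow-bgp-traffic from protocol tcp
set firewall family inet filter routing-engine-incoming-policy term allow-bgp-traffic from port bgp
set firewall family inet filter routing-engine-incoming-policy term allow-bgp-traffic then accept

# OSPF is IP protocol 89 with no ports; hellos go to 224.0.0.5/224.0.0.6,
# so match only on the neighbour subnet and the protocol.
set firewall family inet filter routing-engine-incoming-policy term allow-ospf-traffic from source-address 198.51.100.0/24
set firewall family inet filter routing-engine-incoming-policy term allow-ospf-traffic from protocol ospf
set firewall family inet filter routing-engine-incoming-policy term allow-ospf-traffic then accept

# New terms are appended after discard-remaining-traffic, where they would
# never be reached. Move them above the final discard.
insert firewall family inet filter routing-engine-incoming-policy term allow-bgp-traffic before term discard-remaining-traffic
insert firewall family inet filter routing-engine-incoming-policy term allow-ospf-traffic before term discard-remaining-traffic

# Attach the filter to the loopback: an input filter on lo0 is evaluated for
# all traffic destined to the Routing Engine, whatever the ingress interface.
set interfaces lo0 unit 0 family inet filter input routing-engine-incoming-policy

# Before commit, confirm the term order so the accepts precede the discard.
show firewall family inet filter routing-engine-incoming-policy | display set
```

On an SRX in flow mode the zone `host-inbound-traffic` settings are still evaluated for the ingress interface, so ssh/https and the routing protocols must be permitted there too; the lo0 filter is an additional, source-restricted layer rather than a replacement. Counting and syslogging the final discard term, as reply 2 does, is what lets you see which sources are being rejected before you tighten the allowed ranges further.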