SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  New SRX210HE2, I wiped security hierarchy - don't understand

    Posted 06-12-2015 19:51

    Thanks for any responses!

     

    Here is the configuration that was on the Router (factory default - I think). Below is what I replaced it with just to get things up and running. Could someone explain this first section to me?  I tried putting certain interfaces in certain zones to make it work, but it didn't.

     

    Which zone should the interface with the link to the Internet modem go in (ge-0/0/1)?  Where should my trunk port to my switch go (ge-0/0/0)? Where should the subinterfaces on my router's trunk port go (ge-0/0/0.25, ge-0/0/0.50 and ge-0/0/0.100)? Each subinterface on the router's ge-0/0/0 is a gateway for the VLANs on the switch.

     

    Is it enough to just add the correct interfaces into the correct zones, and then one will be up and running to the Internet (just with respect to security not blocking the Internet connection)? I want to enable Internet connectivity without giving up the security that can be gotten on a Juniper SRX. Do the factory default zones here give strong protection?

     

    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    ----------------------------------------

    I deleted all this and put:

     

    security {
        policies {
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone PUBLIC {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ssh;
                        http;
                        ping;
                    }
                    protocols {
                        ospf;
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    t1-2/0/0.0;
                    lo0.0;
                    ge-0/0/2.25;
                    ge-0/0/2.50;
                    ge-0/0/3.0;
                    ge-0/0/2.100;
                }
            }
        }
    }

     

    THANKS,

     

    robin hood



  • 2.  RE: New SRX210HE2, I wiped security hierarchy - don't understand

    Posted 06-13-2015 03:34

    Could someone explain this first section to me?  I tried putting certain interfaces in certain zones to make it work, but it didn't.

     

    Your policy must be written in the format which includes:

     

    from zone and to zone

    policy name

    matching traffic

    Then statement (permit)

     

    In your case just copy directly the original policy

     

    For internet traffic you also need that nat rule to nat the traffic to the egress interface or it will not work.  Again copy that original rule

     

    Which zone should the interface with the link to the Internet Modem go (ge-0/0/1)? 

     

    this is the untrust zone

     

    Where should my trunk port to my switch go (ge-0/0/0)? Where should my subinterfaces on my routers trunk port go(ge-0/0/0.25, ge-0/0/0.50 and ge-0/0/0.100)? Each subinterface on the Router's ge-0/0/0 is a GateWay for the Vlans on the switch.

     

    These can all be in the trust zone, or you can create additional zones to segment traffic.  A zone is a collection of interfaces/subnets that have the same security requirements.  This allows us to write rules for their access and treat them as a group.

     

    Is it enough to just add the correct interfaces into the correct zones and then one will be up and running to the Internet (just with respect to security not blocking the Internet connection)? I want to enable Internet connectivity without giving up security that can be gotten on a Juniper SRX. Is the factory default zones here give strong protection?

     

    The factory default configuration is appropriate for a simple small location connection to the internet.  You would want to maintain the screen settings on the untrust zone for security as well as setting up the internal interfaces for egress.

     

    Tighter controls are possible but the nature of these will vary by use case and security needs.

     

     



  • 3.  RE: New SRX210HE2, I wiped security hierarchy - don't understand

    Posted 06-13-2015 23:08

    Thanks for responding Spuluka.

     

    Your last line, "You would want to maintain the screen settings on the untrust zone for security as well as setting up the internal interfaces for egress", I do not understand.

     

    What does the screen settings refer to?

     

    In the second part, do you mean that you put some firewall filters on the interfaces to limit what can go out?

     

    Thanks,

     

    robin hood



  • 4.  RE: New SRX210HE2, I wiped security hierarchy - don't understand

    Posted 06-14-2015 02:54

    You can use screen options on SRX Series devices to prevent attacks such as IP address sweeps, port scans, denial of service (DoS) attacks, ICMP, UDP, session table attacks, etc.

    They help filter out known malicious packets before they progress further into the device and are processed (see the flow module).



  • 5.  RE: New SRX210HE2, I wiped security hierarchy - don't understand
    Best Answer

    Posted 06-14-2015 04:05

    Screen settings offer basic protections against common attacks for interfaces.  The Screen section you deleted above is a good default setting for an interfacing zone.  

     

    This creates the screen

    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
    }

    This applies it to the zone

     

            security-zone untrust {
                screen untrust-screen;

    On firewalls we use security policies and NAT to permit internet access creating stateful session tables and not packet based firewall filters.

     

    This creates your security policy for internet access.

     policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }

    Some organizations will not allow all traffic out to the internet but add some port restrictions here to only permit known internal application ports, starting with the basic internet ports and adding more as known applications are discovered.  This adds some additional security, as malicious software frequently uses custom ports outbound and needs that communication to be open.  But you do have to do some discovery on your network first to determine what the initial list needs to look like so you don't impact operations with the block.  You do this by adding logging to the allow-all rule and investigating the unknown ports to confirm they should be permitted and what application uses them, for documentation.

     

    This provides NAT and PAT for the RFC1918 addresses into the interface address.

    nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }

     

     

     


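    Pulling the answers in this thread together into one loadable configuration, as an added example that is not from the original posts or from Juniper: it places the modem-facing ge-0/0/1 in untrust and the three tagged sub-interfaces of the ge-0/0/0 trunk in trust (zones hold logical units, so the physical trunk port itself is never assigned to a zone), restores the screen, policy and source NAT that the factory default carried, keeps the default policy at deny-all rather than the permit-all used in the replacement config, and adds the session logging that the best answer suggests for discovering which outbound ports are really in use before tightening the policy. The VLAN subnets, the DHCP-addressed WAN interface, the log file name and the contents of the `internet-basics` application set are assumptions for illustration.

```junos
## Added example, not from the thread or Juniper documentation.
## Load with "load set terminal" at [edit], paste, Ctrl-D, then
## "show | compare", "commit check", "commit".
## Assumed addressing: VLAN 25 -> 192.168.25.0/24, VLAN 50 -> 192.168.50.0/24,
## VLAN 100 -> 192.168.100.0/24; ge-0/0/1 gets its address from the modem by DHCP.

## --- interfaces (assumed) ---
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 25 vlan-id 25
set interfaces ge-0/0/0 unit 25 family inet address 192.168.25.1/24
set interfaces ge-0/0/0 unit 50 vlan-id 50
set interfaces ge-0/0/0 unit 50 family inet address 192.168.50.1/24
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 192.168.100.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp

## --- screen: the same values the factory default carried ---
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

## --- zones: untrust gets the screen and, inbound to the box itself, only what
##     the DHCP client needs; trust gets the three VLAN gateways plus management ---
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.25
set security zones security-zone trust interfaces ge-0/0/0.50
set security zones security-zone trust interfaces ge-0/0/0.100

## --- policy: deny-all stays the default; permit trust -> untrust and log each
##     session so unknown outbound ports can be found before restricting them ---
set security policies default-policy deny-all
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

## where those RT_FLOW session logs land (branch SRX logs via syslog by default)
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

## Tightened variant once discovery is done: an application set (membership assumed)
## replaces "application any" on the same policy. Apply the two commented lines.
set applications application-set internet-basics application junos-http
set applications application-set internet-basics application junos-https
set applications application-set internet-basics application junos-dns-udp
set applications application-set internet-basics application junos-ntp
## delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
## set security policies from-zone trust to-zone untrust policy trust-to-untrust match application internet-basics

## --- source NAT (PAT) to the untrust interface address, as in the factory default ---
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
```

    After the commit, `show security zones` confirms which logical units landed in which zone, `show security flow session` shows live sessions with their translated source address, `show security screen statistics zone untrust` counts screen hits, and `show log traffic-log` is where the per-session records used for port discovery accumulate. Note that the replacement config in the first post opened telnet and http to a single zone that also held the WAN-facing units; in the layout above nothing but the DHCP client is reachable on the untrust side, and management services are only offered on the trust units.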

  • 6.  RE: New SRX210HE2, I wiped security hierarchy - don't understand

    Posted 06-14-2015 08:55

    Thanks for the very great breakdown Spuluka!  You really set the stage for me to put the security back on.  Sadly, I am still stuck on getting the switch to be able to ping the Internet through the SRX210HE2 right now. I spent almost a whole day on it yesterday at my client's place of business.

     

    I am going back today to try some other ideas but I tried almost everything I could think of yesterday. I am going to maybe bring some equipment from my lab to see if I can find another way around the problem and then maybe implement that. But it sure seems like I should be able to do it all with the switch and the firewall going to the Comcast modem.

     

    I posted the detailed issue under Can't ping from switch to Internet, but can from Router

     

    This is almost the exact same issue I posted about two weeks ago in my lab and you all helped me to make that work. I tried all the things you said in this situation but to no avail.

     

    THANKS,

    robin hood