12-01-2010 04:37 AM - edited 12-01-2010 04:40 AM
We're going to replace a Cisco ASA 5510, which interconnects several /24 networks in a branch with several /16 networks in headquarters, with a Juniper SRX240 device. It also provides several NAT rules for Internet access.
Unlike the SRX, the ASA is not a zone-based firewall by itself (or is it?), so all traffic flow control relies on access-lists only. As far as I know, the SRX can control traffic flow between zones by means of security policies or by firewall filters on either ingress or egress interfaces.
Our ASA has at least 100 rules in a single traffic flow direction, and I wonder how to migrate those rules to Junos. My plan is to make some major security policies to control traffic between zones, and some minor firewall filter rules for strict access control. Is that solution acceptable, or is there a better practice? What is the best practice for using policies and filters? Is it better to create and use only security policies, no matter how huge they become, without using firewall filters? Or to control traffic only by firewall filters, with security policies set to permit all traffic?
12-01-2010 08:48 AM
As "I" understand it... Firewall filters would be packet-based filtering, and policy actually gets into the flow module for First Path / Fast Path lookups that are obviously session based. I would restrict SRX access via PF and ACLs on the ASA that pertain to service with policy. Is that what you're asking? Anyways, thanks!
12-01-2010 11:10 AM - edited 12-01-2010 11:10 AM
Stick with the flow based policies and only add the firewall filters if you have a special case.
By default JUNOS will not allow traffic between zones, or even between interfaces in the same zone.
If you connect the SRX so that each of those subnets is connected to a different interface in a different zone building the rules to allow traffic between them should be very easy.
You probably will not need to go down to firewall filters unless you are trying to block access to services on the firewall itself or are doing QoS/CoS type rules, as they are not currently policy based.
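As an added example (not from any of the posters, and not a Juniper reference configuration), here is what the "each subnet in its own zone, rules between zones" approach from the reply above looks like in Junos for the scenario in the original question: one branch /24 and one headquarters /16, each on its own interface and zone, with zone-to-zone security policies doing the allow/deny work. The interface names, zone names, address names and addresses are assumptions constructed for the illustration.

```junos
security {
    zones {
        security-zone branch {
            interfaces {
                ge-0/0/0.0;             /* assumed branch-facing interface */
            }
            address-book {
                address branch-lan 192.168.10.0/24;   /* constructed branch /24 */
            }
        }
        security-zone hq {
            interfaces {
                ge-0/0/1.0;             /* assumed HQ-facing interface */
            }
            address-book {
                address hq-lan 10.1.0.0/16;           /* constructed HQ /16 */
            }
        }
    }
    policies {
        /* Branch -> HQ: only the applications the branch actually needs */
        from-zone branch to-zone hq {
            policy allow-branch-to-hq {
                match {
                    source-address branch-lan;
                    destination-address hq-lan;
                    application [ junos-http junos-https junos-ssh ];
                }
                then {
                    permit;
                    log {
                        session-close;  /* one record per session, with byte counts */
                    }
                }
            }
            /* Explicit final deny with logging: the implicit interzone deny
               is silent, so this makes rejected flows visible in syslog */
            policy deny-branch-to-hq {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* HQ -> branch: HQ is trusted here, so allow any application */
        from-zone hq to-zone branch {
            policy allow-hq-to-branch {
                match {
                    source-address hq-lan;
                    destination-address branch-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Policies in a from-zone/to-zone context are evaluated top to bottom and the first match wins, so the explicit deny goes last. Each additional branch /24 or HQ /16 from the ASA becomes another address-book entry (or an address-set) referenced by the same pair of policies, rather than a new policy per subnet, which is what keeps a 100-line ASA ACL from turning into 100 SRX policies.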
12-02-2010 05:17 AM
Well, I guess I should have read the guidance on SRXs more carefully, especially about packet and flow processing.
You're both right on one common thing: that PF is usually used to protect the device itself, but also for some packet-based management, and that to protect interzonal communication one should use security policies.
Packet filtering occurs right after the per-packet policer on the interface but before session lookup. So, theoretically, if I don't want packets from some specific hosts/networks to be processed at all, I can use a packet filter. It should lead to less system resource usage, shouldn't it? If that is true, this approach is quite useful, don't you think?
12-02-2010 08:05 AM
I don't think you will have to worry about performance levels from the flow based filters unless you have under-specced the SRX for your needs.
And yes, again the PF can be combined with flow based filters to protect the device, do QoS/CoS, as well as improve performance or create special types of filtering. However, day to day "allow this to that" type stuff is best done with policies.
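As an added example (not from any of the posters, and not a Juniper reference configuration) of the two "special case" uses of firewall filters agreed on in this thread: an input filter on the branch interface that discards packets from listed sources before they reach session lookup, and a loopback filter that limits which hosts can reach services on the SRX itself. The prefix-list names, filter names, interface names and addresses are assumptions constructed for the illustration.

```junos
policy-options {
    prefix-list known-bad-sources {
        203.0.113.0/24;                  /* constructed example range */
    }
    prefix-list mgmt-hosts {
        10.1.50.0/24;                    /* constructed HQ management subnet */
    }
}
firewall {
    family inet {
        /* Applied as an input filter on the ingress interface: runs after the
           per-packet policer and before session lookup, so these packets never
           create or consume a flow session */
        filter drop-before-flow {
            term discard-bad {
                from {
                    source-prefix-list {
                        known-bad-sources;
                    }
                }
                then {
                    count bad-source-drops;  /* visible with show firewall */
                    discard;
                }
            }
            term accept-rest {
                then accept;                 /* everything else goes on to flow/policy */
            }
        }
        /* Applied on lo0: controls what may reach the Routing Engine,
           i.e. management and control-plane services on the firewall itself */
        filter protect-re {
            term allow-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term deny-rest {
                then {
                    count re-drops;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input drop-before-flow;
                }
                address 192.168.10.1/24;    /* constructed branch gateway */
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two cautions a practitioner would want here. First, a lo0 filter with a final discard term drops everything else destined to the device, including routing protocol neighbours, IKE for any IPsec tunnels, DNS and NTP replies, and DHCP, so each of those needs its own accept term before deny-rest, and the filter should be committed with "commit confirmed" so a mistake cannot lock you out. Second, note that the interface filter only avoids session creation for the discarded packets; allowed traffic still goes through normal flow processing and policy lookup, which is the point made in the reply above about not expecting a performance problem from flow-based processing on a correctly sized box.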