SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Securing SRX Routing-Engine

    Posted 01-22-2013 20:42

    Hi

     

    I have clustered SRX5600 firewalls and want to secure the routing engine by applying a filter on the loopback interface.

    So I am asking whether the clustering might be affected?

     

    Regards

    Myasin



  • 2.  RE: Securing SRX Routing-Engine
    Best Answer

    Posted 01-23-2013 07:41

    It would not affect clustering, however, my recommendation is to use the following logic on your loopback.

     

    Drop SSH from anywhere that ISN'T trusted

    Drop HTTP/HTTPS from anywhere that ISN'T trusted

    Drop ICMP from anywhere that ISN'T trusted.

    permit everything else

     

    (Adjust the logic to the ports you want to restrict etc.)

     

    Only drop what you need to and allow everything else, I would use prefix lists...

     

    example:

     

    term ssh from source-prefix-list trusted-networks except

    term ssh from protocol tcp

    term ssh from destination-port 22

    term ssh then discard

    term https from source-prefix-list trusted-networks except

    term https from protocol tcp

    term https from destination-port 443

    term https then discard

    term permit then accept

     

    And then test of course.

     

    GL



  • 3.  RE: Securing SRX Routing-Engine

    Posted 01-23-2013 20:48

    The Hardening Junos Guide has additional details on loopback packet filters.  Also keep in mind that depending on how your device is configured you may also be able to get away with simply using host-inbound-traffic settings on the security zones.



  • 4.  RE: Securing SRX Routing-Engine

    Posted 01-23-2013 21:33

    Flannigan is correct on the host-inbound-traffic; however, the firewall filters on the lo0 interface are the better option, as the packets won't get to the RE prior to being dropped.

     

    The hardening guide for securing the routing engine mentioned above is a good one.

     

    Also, the clustering won't be affected by the lo0 filters.



  • 5.  RE: Securing SRX Routing-Engine

    Posted 01-24-2013 08:58

    Right, host-inbound-traffic is an all-or-nothing type of security. If you want SSH on an untrust interface, you must allow all SSH on either the interface or all untrust interfaces; however, if you want to allow SSH only from trusted IPs, you must allow all SSH via host-inbound-traffic, then restrict sources with a loopback filter or an ingress firewall filter on your untrusted interface (the loopback interface is preferred, as it only impacts control-plane traffic).

     

    You must be careful to permit all else on loopback filter because you may inadvertently drop things like DHCP, NTP, SNMP, Routing Protocols. This is the basis for my original suggestion.

     

    GL



  • 6.  RE: Securing SRX Routing-Engine

    Posted 01-26-2013 20:25

    Thank You all

     

    Regards

    Myasin



  • 7.  RE: Securing SRX Routing-Engine

    Posted 01-27-2013 02:45

    Also keep in mind what services your SRX provides: if it terminates VPNs, do not forget to allow the necessary traffic (udp/port 500). If your SRX forwards DHCP packets, allow the bootp protocol, etc.

     

    Best practice is to create a firewall filter which contains a very detailed rule for each service/protocol, and then define a final rule that will permit all traffic and log. If anything matches the final rule, then you need to refine your firewall filter, until you get zero hits on the final rule. After that you can safely apply it to the loopback interface.
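The approach the thread converges on (zone host-inbound-traffic admitting the service, an lo0 filter that drops management protocols from untrusted sources and counts everything else, plus a final accept-and-log term to find services that still need an explicit term) written out as one added example configuration. This is not code from any of the posts above; the prefix-list contents, the filter name protect-re, the zone name untrust, the interface ge-0/0/0.0 and the counter names are assumptions to be replaced with your own values.

```junos
/* Added example, not from the thread. Names and addresses below are assumptions. */
policy-options {
    prefix-list trusted-networks {
        10.0.0.0/8;
        192.168.100.0/24;
    }
}
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    /* host-inbound-traffic is all-or-nothing: ssh from any source is admitted here, the source restriction lives in the lo0 filter */
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ike;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter protect-re {
            /* drop only what must be dropped: management protocols from sources outside the trusted prefix-list */
            term ssh-untrusted {
                from {
                    source-prefix-list {
                        trusted-networks except;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    count ssh-untrusted;
                    discard;
                }
            }
            term https-untrusted {
                from {
                    source-prefix-list {
                        trusted-networks except;
                    }
                    protocol tcp;
                    destination-port 443;
                }
                then {
                    count https-untrusted;
                    discard;
                }
            }
            term icmp-untrusted {
                from {
                    source-prefix-list {
                        trusted-networks except;
                    }
                    protocol icmp;
                }
                then {
                    count icmp-untrusted;
                    discard;
                }
            }
            /* explicit term for a service the box provides (IKE for the VPNs it terminates) */
            term ike {
                from {
                    protocol udp;
                    destination-port 500;
                }
                then {
                    count ike;
                    accept;
                }
            }
            /* final term: accept everything else (routing protocols, NTP, SNMP, DHCP relay) but count and log it so unexpected hits can be reviewed */
            term permit-rest {
                then {
                    count permit-rest;
                    log;
                    accept;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After commit, `show firewall filter protect-re` lists the per-term counters and `show firewall log` shows what reached the permit-rest term; each service that turns up there gets its own explicit term until the final counter stops incrementing. Note that icmp-untrusted discards all ICMP from non-trusted sources, including unreachable and time-exceeded messages for sessions the RE itself originates, so narrow it to icmp-type echo-request if that matters in your environment.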