04-12-2012 01:40 PM
The SRX100 comes with the trust zone set up in the following default config:
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        fe-0/0/0.2;
    }
}
For the system services and protocols, am I choosing what services and protocols to allow through this zone? Isn't that what policies are for? Or is this what I am allowing the SRX to see?
JamesNT
04-12-2012 02:20 PM - edited 04-12-2012 02:22 PM
04-12-2012 08:20 PM
Hello,
Thank you for your response. Based on what you are saying, I would think it prudent to allow only telnet and http to access the machine instead of all services and all protocols since those are the two I use to manage the device.
Opinion?
JamesNT
04-13-2012 01:30 AM
Yes, if you don't need to enable any protocol or service (I'm not sure if the dhcp service is configured in the factory default configuration) on the interfaces of that zone, but only the management, it seems a good option; you may also configure a firewall filter to apply more restrictive policies to telnet and http traffic (here is the related KB).
04-17-2012 09:08 AM
On a related question, if you set it to allow only ssh/telnet to reach the device, would it be able to pass through normal http/ftp traffic on ports 80/21 even if you set trust to untrust to permit all? Or is host-inbound-traffic specifically for traffic going to the SRX and not the traffic passing through?
04-18-2012 04:09 AM
Yes. Allowing host-inbound-traffic for services/protocols on the zone only affects access to the device itself.
If you want to limit the traffic going between zones (i.e. passing through) you apply this as security policies.
regards
Karl
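To make the distinction in Karl's answer concrete, here is an added example configuration (not from the thread or from Juniper) that narrows the trust zone's host-inbound-traffic to management services and puts the transit permission in a security policy. It assumes fe-0/0/0.0 is the untrust interface (the SRX100 factory default) and uses ssh/https in place of the telnet/http mentioned above.

```junos
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                /* Only what the SRX itself must answer on trust */
                system-services {
                    ssh;
                    https;
                    ping;
                    dhcp;   /* keep only if the SRX serves DHCP on vlan.0 */
                }
                /* No protocols stanza: no routing protocol faces trust */
            }
            interfaces {
                vlan.0;
                fe-0/0/0.2;
            }
        }
        security-zone untrust {
            /* No host-inbound-traffic: nothing reaches the box from here */
            interfaces {
                fe-0/0/0.0;   /* assumed untrust interface */
            }
        }
    }
    policies {
        /* Transit (through) traffic is decided here, not by the zone's
           host-inbound-traffic, so web/ftp still flows trust -> untrust
           even though the device answers only ssh/https/ping on trust. */
        from-zone trust to-zone untrust {
            policy allow-web-ftp {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-ftp ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, `show security zones trust` lists the permitted host-inbound services, while `show security policies` shows the separate transit rule.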