SRX Services Gateway
Contributor
JamesNT
Posts: 27
Registered: ‎11-23-2011
0
Accepted Solution

host-inbound-traffic

The SRX100 comes with the trust zone set up in the following default config:


security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        fe-0/0/0.2;
    }
}


For the system services and protocols, am I choosing what services and protocols to allow through this zone?  Isn't that what policies are for?  Or is this what I am allowing the SRX to see? 


JamesNT

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010
0

Re: host-inbound-traffic

Hi James, as you wrote, security policies are used to specify which traffic can transit the SRX, passing from one zone to another. Host inbound traffic, on the other hand, defines the traffic that can reach the device itself (the destination IP is the address of one interface of the SRX). You can configure it at a zone level (and it will be applied to all the interfaces belonging to that zone), or for specific interfaces within a zone (thus overriding the generic host-inbound configuration of the zone). You can find a more detailed explanation here: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/configuring-...
.................................................................................
JNCIP-ENT, JNCIP-SEC, JNCIS-SP
(If this post helped you, please mark it as an "Accepted Solution"; kudos are also appreciated!)


Contributor
JamesNT
Posts: 27
Registered: ‎11-23-2011
0

Re: host-inbound-traffic

Hello,


Thank you for your response.  Based on what you are saying, I would think it prudent to allow only telnet and http to access the machine instead of all services and all protocols since those are the two I use to manage the device.


Opinion?


JamesNT

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010
0

Re: host-inbound-traffic

Yes, if you don't need to enable any protocol or service (I'm not sure if the dhcp service is configured in the factory default configuration) on the interfaces of that zone, but only the management, it seems a good option; you may also configure a firewall filter to apply more restrictive policies to telnet and http traffic (here is the related KB).

.................................................................................
JNCIP-ENT, JNCIP-SEC, JNCIS-SP
(If this post helped you, please mark it as an "Accepted Solution"; kudos are also appreciated!)


Visitor
tyw214
Posts: 3
Registered: ‎04-16-2012
0

Re: host-inbound-traffic

On a related question, if you set it to allow only ssh/telnet to reach the device, would it be able to pass through normal http/ftp traffic on ports 80/21 even if you set trust to untrust to permit all? Or is host-inbound-traffic specifically for traffic going to the SRX and not the traffic passing through?

Contributor
karlr
Posts: 37
Registered: ‎09-20-2010
0

Re: host-inbound-traffic

Yes. Allowing host-inbound-traffic for services/protocols on the zone only affects access to the device itself.


If you want to limit the traffic going between zones (i.e. passing through) you apply this as security policies.


Regards,

Karl
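The following configuration is an added example, not part of any post in this thread and not Juniper's own documentation. It puts the three points discussed above side by side: a zone-level host-inbound-traffic restricted to the two management services James names (telnet and http), an interface-level override on fe-0/0/0.2 that Mattia describes, a firewall filter on vlan.0 of the kind Mattia suggests, and a trust-to-untrust policy that permits transit traffic, which is what Karl says remains unaffected. The addresses are constructed: 192.0.2.1 is assumed to be the SRX's vlan.0 address and 192.0.2.10 the only host allowed to manage it; the filter and policy names are arbitrary.

```junos
security {
    zones {
        security-zone trust {
            /* Zone level: only the management services the device should answer on.
               No "protocols" block, so no routing protocol packets are accepted. */
            host-inbound-traffic {
                system-services {
                    telnet;
                    http;
                }
            }
            interfaces {
                vlan.0;
                /* Interface level overrides the zone setting: this port may only ping the SRX. */
                fe-0/0/0.2 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Transit traffic is governed here, not by host-inbound-traffic:
           hosts in trust still reach HTTP/FTP on the Internet with this policy. */
        from-zone trust to-zone untrust {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter MGMT-IN {
            /* Only the assumed admin host may open telnet/http to the SRX's own address. */
            term mgmt-from-admin {
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol tcp;
                    destination-port [ telnet http ];
                }
                then accept;
            }
            /* Everyone else gets dropped, but only for packets addressed to the SRX itself. */
            term drop-other-mgmt {
                from {
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol tcp;
                    destination-port [ telnet http ];
                }
                then discard;
            }
            /* Required: without a final accept, transit traffic entering vlan.0 would be discarded. */
            term transit {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 0 {
            family inet {
                filter {
                    input MGMT-IN;
                }
            }
        }
    }
}
```

The destination-address match in the two management terms is what keeps the filter from touching transit traffic: an input filter on vlan.0 sees every packet arriving on that interface, so matching only on TCP port 80 would also drop the trust hosts' ordinary web browsing through the SRX. Telnet and http are kept here because they are the services named in the thread; ssh and https are the encrypted equivalents and take the same form under system-services.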

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.