SRX Services Gateway
Distinguished Expert
Posts: 1,127
Registered: ‎01-10-2008
Accepted Solution

"manager-ip" solution on srx

Hi, I wrote something about controlling management access to an SRX (or J-series of course) which might be useful to other members of this forum:

Introduction.

A lot of engineers who switch from ScreenOS to JUNOS are missing the manager-ip functionality found in ScreenOS. This technote gives similar functionality for an SRX or J-series.

Solution.

The solution found here is described in many documents, but I tried to make a small summary. Look for “protecting the Routing Engine” when looking for background information.

The SRX does not have the manager-ip built in. Coming from the packet-based JUNOS version, something can be built to achieve the same functionality. The core of this is stateless firewall filters. These filters can be applied to interfaces. But instead of applying it to all interfaces, it’s applied between the PFE (Packet Forwarding Engine) and the RE (Routing Engine). Consider that as the point where traffic enters the SRX itself instead of being forwarded. The way to do this is to apply a filter to the loopback interface. The loopback stack is used in sending traffic from PFE to RE.

On packet-based JUNOS you have to write rather complex filters, but for the SRX most of the work is already done in zone or interface host-inbound-traffic settings.

The add-on done here is to filter on prefixes.

The first step in the config is to create a list of networks (or hosts) allowed to manage. For this you can use a prefix-list:

policy-options {
    prefix-list manager-ip {
        10.0.0.0/8;
        192.168.4.254/32;
    }
}

This list is referenced in the actual filter, so this is where you can change your manager-ips!

The next step is to write a filter. One tricky thing here is you have to include all your management services in the first term! (Don’t forget NSM when you use it.)

firewall {
    filter manager-ip {
        term block_non_manager {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    manager-ip except;
                }
                protocol tcp;
                destination-port [ ssh https telnet http ];
            }
            then {
                discard;
            }
        }
        term accept_everything_else {
            then accept;
        }
    }
}

As you can see, management traffic (when using a port listed in destination-port) is rejected except when coming from an address listed in the prefix-list “manager-ip”.

Finally we have to apply this filter to the loopback interface:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input manager-ip;
                }
            }
        }
    }
}

And don’t forget to commit confirmed when trying this on a remote system…

For those of you who want to copy the code with copy-paste into the config (you should start reading on load terminal, but this is maybe easier):

set policy-options prefix-list manager-ip 192.168.4.254/32
set policy-options prefix-list manager-ip 10.0.0.0/8
set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0
set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port ssh
set firewall filter manager-ip term block_non_manager from destination-port https
set firewall filter manager-ip term block_non_manager from destination-port telnet
set firewall filter manager-ip term block_non_manager from destination-port http
set firewall filter manager-ip term block_non_manager then discard
set firewall filter manager-ip term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input manager-ip

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Distinguished Expert
Posts: 2,409
Registered: ‎01-29-2008
0 Kudos

Re: "manager-ip" solution on srx

Hey Screenie - sweet! Nice work.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0 Kudos

Re: "manager-ip" solution on srx

Thanks for the information Screenie!

Super Contributor
Posts: 313
Registered: ‎09-30-2009
0 Kudos

Re: "manager-ip" solution on srx

Yeah, very nice example; thanks!

Contributor
Posts: 192
Registered: ‎06-17-2008
0 Kudos

Re: "manager-ip" solution on srx

I actually thought you would do it on the fxp.

Anyway I read the same in a JUNOS book that you should just protect the RE/Control Plane.

When you look at how Juniper converts from ScreenOS to JUNOS Security it would put a filter on EACH interface.

This way is much nicer and you do not have to 'pollute' the configuration as much.

Thanks for the insightful information Screenie.

 

Cheers


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Contributor
Posts: 192
Registered: ‎06-17-2008
0 Kudos

Re: "manager-ip" solution on srx

Does not seem to work for me on SRX 210 running 10.2R2.

Created it like this:

filter manager-ip {
    term block_non_manager {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                manager-ip except;
            }
            protocol [ tcp icmp ];
            icmp-type echo-request;
            destination-port [ ssh https ];
        }
        then {
            discard;
        }
    }
    term accept_everything_else {
        then accept;
    }
}

--------------------------------------

I can connect from an IP not in my list :s

 

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Contributor
Posts: 192
Registered: ‎06-17-2008
0 Kudos

Re: "manager-ip" solution on srx

Shouldn't you put some policing in place to avoid downing the RE if you allow management from the outside?


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Contributor
Posts: 192
Registered: ‎06-17-2008
0 Kudos

Re: "manager-ip" solution on srx

My apologies.

It DOES work.

I need some time to get used to the fact that after a successful commit it still takes a few minutes for the SRX 210 to actually activate the changes.

Cheers :-)


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0 Kudos

Re: "manager-ip" solution on srx


TRK-NKA wrote:

My apologies.

It DOES work.

I need some time to get used to the fact that after a successful commit it still takes a few minutes for the SRX 210 to actually activate the changes.

Cheers :-)

This should NOT be the case.  If you continue experiencing problems please open a case with JTAC so that the bug can be resolved.

Contributor
Posts: 192
Registered: ‎06-17-2008
0 Kudos

Re: "manager-ip" solution on srx

I guess the delay in activation confused me.

It actually does not work.

I can see it in messages: people trying to get in :<

Cheers


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Visitor
Posts: 4
Registered: ‎01-21-2008
0 Kudos

Re: "manager-ip" solution on srx

Hi,

Please excuse my ignorance, I am still trying to learn JUNOS.  Based on what you described, wouldn't the https traffic from, let's say, 192.168.1.1 bound for the Internet be blocked as well?  I mean 192.168.1.1 is not part of the manager-ip and, according to you, by applying the filter to the loopback interface it will take care of all traffic entering the SRX.

I guess I don't understand how the traffic flows in and out of the filter.  Could you explain, let's say, 192.168.1.1 is part of the trust zone and it is trying to reach some https site on the Internet through the untrust zone.

Thanks

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0 Kudos

Re: "manager-ip" solution on srx

misconfig wrote:

Hi,

Please excuse my ignorance, I am still trying to learn JUNOS.  Based on what you described, wouldn't the https traffic from, let's say, 192.168.1.1 bound for the Internet be blocked as well?  I mean 192.168.1.1 is not part of the manager-ip and, according to you, by applying the filter to the loopback interface it will take care of all traffic entering the SRX.

I guess I don't understand how the traffic flows in and out of the filter.  Could you explain, let's say, 192.168.1.1 is part of the trust zone and it is trying to reach some https site on the Internet through the untrust zone.

Thanks

No question is a bad question.  The filter only intercepts traffic destined to the SRX, not through the SRX.  For transit traffic you'd most often use security flows.  Filters are really only for restricting management traffic and CoS in my opinion.

mawr
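The loopback filter from Screenie's post, and mawr's point above that it only sees traffic destined to the SRX itself, as an added Python model (example code written for this thread; it is not Juniper's code and not any poster's). It implements the Junos match semantics the filter relies on: longest-prefix match with `except`, conditions inside a term ANDed, first matching term wins, implicit discard at the end. The device addresses 192.168.4.1 and 203.0.113.2, the probe source 198.51.100.7 and every packet are constructed for the example. `exposed_services` shows the caveat from the post: a management service left out of the first term stays reachable from any address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed: addresses the SRX itself owns. Only packets addressed to one of
# these are "exception traffic" (PFE -> RE) and cross the lo0 input filter.
DEVICE_ADDRESSES = {ipaddress.ip_address("192.168.4.1"),
                    ipaddress.ip_address("203.0.113.2")}

# The prefix-list from the post.
MANAGER_IP = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.4.254/32")]

# Port names as Junos resolves them in destination-port.
PORTS = {"ssh": 22, "https": 443, "telnet": 23, "http": 80}

Prefix = Tuple[ipaddress.IPv4Network, bool]   # (network, is_except)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # transport destination port, if any


@dataclass
class Term:
    name: str
    action: str                                    # "accept" or "discard"
    source: List[Prefix] = field(default_factory=list)
    protocol: Set[str] = field(default_factory=set)
    dport: Set[int] = field(default_factory=set)


def address_matches(addr: ipaddress.IPv4Address, prefixes: List[Prefix]) -> bool:
    """Junos address matching: the longest matching prefix decides, and if that
    prefix is flagged 'except' the address does not match the term."""
    best = None
    for net, is_except in prefixes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def term_matches(term: Term, pkt: Packet) -> bool:
    """Conditions within a term are ANDed; values within one condition are ORed."""
    if term.source and not address_matches(ipaddress.ip_address(pkt.src), term.source):
        return False
    if term.protocol and pkt.protocol not in term.protocol:
        return False
    if term.dport and pkt.dport not in term.dport:
        return False
    return True


def evaluate_filter(terms: List[Term], pkt: Packet) -> str:
    """First matching term wins; a packet matching no term is discarded."""
    for term in terms:
        if term_matches(term, pkt):
            return term.action
    return "discard"


def make_filter(management_services: List[str]) -> List[Term]:
    """The post's two-term filter. 0.0.0.0/0 is the required non-except entry;
    the manager-ip prefixes are carved out of it with 'except'."""
    source = [(ipaddress.ip_network("0.0.0.0/0"), False)] + [(n, True) for n in MANAGER_IP]
    return [Term("block_non_manager", "discard", source=source, protocol={"tcp"},
                 dport={PORTS[s] for s in management_services}),
            Term("accept_everything_else", "accept")]


MANAGER_IP_FILTER = make_filter(["ssh", "https", "telnet", "http"])


def process(pkt: Packet, terms: List[Term] = MANAGER_IP_FILTER) -> str:
    """Where the lo0 filter sits: transit traffic never reaches it."""
    if ipaddress.ip_address(pkt.dst) not in DEVICE_ADDRESSES:
        return "transit: security policy decides, lo0 filter not consulted"
    return "host-bound: " + evaluate_filter(terms, pkt)


def exposed_services(terms: List[Term], probe_src: str = "198.51.100.7") -> Set[str]:
    """Management services a source outside manager-ip can still reach: the
    post's caveat that every service must be listed in the first term."""
    device = str(next(iter(DEVICE_ADDRESSES)))
    return {name for name, port in PORTS.items()
            if evaluate_filter(terms, Packet(probe_src, device, "tcp", port)) == "accept"}


if __name__ == "__main__":
    samples = [  # all constructed
        ("ssh from a manager host", Packet("10.1.2.3", "192.168.4.1", "tcp", 22)),
        ("ssh from a trust host not in the list", Packet("192.168.4.10", "192.168.4.1", "tcp", 22)),
        ("ping from that same host", Packet("192.168.4.10", "192.168.4.1", "icmp")),
        ("https from trust to the Internet", Packet("192.168.1.1", "198.51.100.80", "tcp", 443)),
    ]
    for label, pkt in samples:
        print(f"{label}: {process(pkt)}")
    print("exposed when https is left out of term 1:",
          exposed_services(make_filter(["ssh", "telnet", "http"])))
```

The `except` handling is the part worth reading closely: Junos picks the longest matching prefix among all the term's source addresses and only then looks at the except flag, which is why the post lists 0.0.0.0/0 as a plain entry and the manager-ip prefixes as exceptions rather than the other way round. Running the block shows the trust host's ssh being discarded while its ping and its Internet-bound https are untouched, which is the transit-versus-exception distinction mawr describes.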

Distinguished Expert
Posts: 1,127
Registered: ‎01-10-2008
0 Kudos

Re: "manager-ip" solution on srx

Hi Guys,

I'm happy to see I didn't put the effort in for nothing. I really like to read the discussions that follow. And mawr, you're right twice. There indeed is no such thing as a bad question. And yes, you're right about the difference between transit traffic and exception traffic.  The filter on the loopback only affects traffic to the device itself!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

Contributor
Posts: 62
Registered: ‎07-08-2010
0 Kudos

Re: "manager-ip" solution on srx

Hi,

How could we do this when accessing from untrust? Do we also need to specify some IP from untrust?

Actually, I have:

filter input-untrust {
    term allow-ssh {
        from {
            source-address {
                home.158.31/32;
            }
            destination-address {
                public.143.2/32;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    term block-ssh-from-others {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            count discardSSH;
            discard;
        }
    }
    term allow-https {
        from {
            source-address {
                home.158.31/32;
            }
            destination-address {
                public.143.2/32;
            }
            protocol tcp;
            destination-port https;
        }
        then accept;
    }
    term pass-to-flow-policies {
        then accept;
    }
}

reth0 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input input-untrust;
            }
            address public.143.2/29;
        }
    }
}

Contributor
Posts: 192
Registered: ‎06-17-2008
0 Kudos

Re: "manager-ip" solution on srx

Having an IP whitelist makes sure that only known IP addresses can connect to the control plane, at least if you apply the filter to the loopback interface. That is easier than having to put filters on all your interfaces.

Also you can control the services on the interfaces in the security zone context.


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Trusted Contributor
Posts: 110
Registered: ‎08-01-2008
0 Kudos

Re: "manager-ip" solution on srx

Team Cymru has some great resources on restricting access to the SRX (and JUNOS as a whole).  They provide filters and policers to minimize a DoS on the management interfaces as well.

http://www.cymru.com/gillsr/documents/junos-template.htm

---
JNCIE-SEC #69, JNCIE-ENT #492, JNCSP-SEC, JNCSP-ENT, JNCIS-SP, JNCDS-DC, JNCDS-SEC
New User
Posts: 1
Registered: ‎04-17-2017
0 Kudos

Re: "manager-ip" solution on srx

How do you do this in J-Web? I've been cracking on this one and I can't put a finger on it.

Distinguished Expert
Posts: 1,127
Registered: ‎01-10-2008
0 Kudos

Re: "manager-ip" solution on srx

Totally missed the reply on this old post, sorry! You can configure things like I described and use the point-and-click CLI to manage the list. Or use the technique not available when I wrote the article: junos-host policy. On SRX devices you now can write a policy from a zone to junos-host and list in that policy who gets access. This policy you can manage in the GUI of course!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
