SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Junos-host zone

    Posted 11-20-2014 21:51

    Hi,

     

    Can someone please explain to me what a junos-host zone is used for? I'm very new to security and I'm preparing for JNCIS-SEC. I do have the Fast Track PDFs with me.

     

    It says:

     

    The junos-host zone is a system-defined zone. You can configure the junos-host zone in a security policy to provide granular control for which host-inbound or host-outbound traffic is allowed in or out of a security zone on the SRX device.
    Functional zones, such as the management zone, cannot be used in a security policy. For inbound traffic to be processed by the junos-host zone, the traffic first has to be allowed by the host-inbound-traffic setting of an ingress security zone, after which a normal policy lookup will be done from the ingress zone to the junos-host zone. You can also use the junos-host zone to control or apply services to host-outbound traffic. An example of controlling services for host-outbound traffic would be to configure a security policy to allow host-outbound traffic through a policy-based VPN. Traffic is permitted through the junos-host zone unless otherwise explicitly denied by a user-defined security policy.

     

     

     

    So there are two system-defined zones: the null zone and the junos-host zone.

    Security zones are the ones used to control transit traffic.

    Functional zones are for management traffic.

    The null zone is the default zone, and all traffic for interfaces in the null zone is dropped.

    I understand security zones, functional zones and the null zone. Where does the junos-host zone come in? Can one of you please explain to me why exactly we use the junos-host zone, and where it comes into use?

     

    Any help is much appreciated!

     

    Thanks,

    Pradeep



  • 2.  RE: Junos-host zone

     
    Posted 11-20-2014 22:11

    In simple words, these zones are equivalent to the "loopback filters" we use to protect the device. The difference is that filters are stateless, but if you use the junos-host zone and write policies, it is stateful.

    For example, if you want to restrict SSH access to particular hosts in your subnet, you can achieve it in two ways.

    Apply a loopback filter as below:

    firewall {
        family inet {
            filter routerProtect {
                term allowManagementHosts {
                    from {
                        source-prefix-list {
                            managementHosts;
                        }
                        protocol tcp;
                        /* destination-port rather than port: "port ssh" would also match
                           packets whose source port is 22, e.g. replies to SSH sessions
                           the device itself opened */
                        destination-port ssh;
                    }
                    then {
                        count allowSSH;
                        accept;
                    }
                }
                term denyManagementOtherHosts {
                    from {
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        count denySSHCounter;
                        discard;
                    }
                }
                /* everything else (routing protocols, DNS, NTP, ...) still reaches the RE */
                term allowAllOtherTraffic {
                    then accept;
                }
            }
        }
    }
    /* the filter does nothing until applied: interfaces lo0 unit 0 family inet filter input routerProtect */

    *** managementHosts is the prefix list you defined.

    The other way is to create a policy and restrict it:

        policies {
            from-zone test to-zone junos-host {
                /* managementHosts must be an address-book entry here, not a policy-options prefix-list */
                policy allowManagementSSH {
                    match {
                        source-address managementHosts;
                        destination-address any;
                        application junos-ssh;
                    }
                    then permit;
                }
                /* the explicit deny is required: junos-host traffic is permitted unless a policy denies it */
                policy routerProtect {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ssh;
                    }
                    then deny;
                }
            }
        }

    I hope this helps.

    Thanks,
    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
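A complete, commit-ready version of the second (stateful) method from the post above, in set syntax, as an added example that is not part of the original post or of Juniper's documentation. The zone name test, the interface ge-0/0/1.0 and the management prefix 192.0.2.0/28 are assumptions, and lines starting with ## are commentary, not CLI input. It includes the two pieces a bare policy snippet leaves out: the ingress zone's host-inbound-traffic setting must admit SSH before the test-to-junos-host policy lookup happens at all, and the explicit deny is what actually restricts anything, because traffic to junos-host is permitted unless a policy denies it.

```junos
## Constructed example: ingress zone "test", management hosts 192.0.2.0/28 (assumed values)

## 1. Gate one: the ingress zone must let SSH reach the host at all. Without this
##    the packet is dropped before any junos-host policy is consulted.
set security zones security-zone test interfaces ge-0/0/1.0
set security zones security-zone test host-inbound-traffic system-services ssh

## 2. Policies match address-book entries, not the policy-options prefix-list a
##    lo0 firewall filter uses, so the management prefix is defined here.
set security address-book global address managementHosts 192.0.2.0/28

## 3. Gate two: stateful, first-match policy lookup from "test" to junos-host.
##    Permit SSH only from the management prefix...
set security policies from-zone test to-zone junos-host policy allow-mgmt-ssh match source-address managementHosts
set security policies from-zone test to-zone junos-host policy allow-mgmt-ssh match destination-address any
set security policies from-zone test to-zone junos-host policy allow-mgmt-ssh match application junos-ssh
set security policies from-zone test to-zone junos-host policy allow-mgmt-ssh then permit

##    ...and explicitly deny SSH from everyone else, logging the attempt.
##    Leave this out and step 1 alone exposes SSH to the whole zone.
set security policies from-zone test to-zone junos-host policy deny-other-ssh match source-address any
set security policies from-zone test to-zone junos-host policy deny-other-ssh match destination-address any
set security policies from-zone test to-zone junos-host policy deny-other-ssh match application junos-ssh
set security policies from-zone test to-zone junos-host policy deny-other-ssh then deny
set security policies from-zone test to-zone junos-host policy deny-other-ssh then log session-init

commit check
commit

## 4. Verification (operational mode): policy order, which policy is being hit,
##    and the sessions that actually reached sshd.
show security policies from-zone test to-zone junos-host
show security policies hit-count
show security flow session destination-port 22
```

Because the lookup is first-match, allow-mgmt-ssh has to sit above deny-other-ssh; if a later change inserts a broader permit above the deny, the restriction silently disappears, which is why the hit-count output is worth checking after every policy edit. The lo0 filter from the first method can stay in place as an independent stateless backstop; the two mechanisms do not depend on each other.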



  • 3.  RE: Junos-host zone

    Posted 11-20-2014 22:49

    Can we not do the same thing using a normal security zone?

    By filtering out SSH traffic from the respective interfaces?

    What's special about the host zone?



  • 4.  RE: Junos-host zone

     
    Posted 11-20-2014 22:54

    You can use that to restrict traffic originated from the system... You cannot do that using normal security zones.

     

    Like the OSPF packets.

     

    Thanks,

    Suraj

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
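The host-outbound side Suraj is pointing at, as an added example that is not part of the original post or of Juniper's documentation: a policy pair from-zone junos-host to the egress zone that explicitly permits the SRX's own OSPF and stops the device from initiating SSH toward that zone. The zone name untrust and the lines starting with ## (commentary, not CLI input) are assumptions. A lo0 input filter cannot express this because it only sees packets arriving at the RE; traffic the RE itself sends is what the quoted documentation calls host-outbound traffic, and it is evaluated with junos-host as the from-zone.

```junos
## Constructed example: egress zone "untrust" (assumed name)

## Self-originated traffic is permitted by default when no junos-host policy
## matches it, so the OSPF permit below changes nothing on its own. It is written
## out so that the device's routing adjacency survives if the deny at the end is
## later widened from junos-ssh to "any".
set security policies from-zone junos-host to-zone untrust policy host-ospf-out match source-address any
set security policies from-zone junos-host to-zone untrust policy host-ospf-out match destination-address any
set security policies from-zone junos-host to-zone untrust policy host-ospf-out match application junos-ospf
set security policies from-zone junos-host to-zone untrust policy host-ospf-out then permit

## The part that actually restricts something: the SRX may not open SSH sessions
## toward untrust. A compromised or misused management account then cannot use the
## firewall as a pivot into that zone, and each attempt is logged at session start.
set security policies from-zone junos-host to-zone untrust policy no-host-ssh-out match source-address any
set security policies from-zone junos-host to-zone untrust policy no-host-ssh-out match destination-address any
set security policies from-zone junos-host to-zone untrust policy no-host-ssh-out match application junos-ssh
set security policies from-zone junos-host to-zone untrust policy no-host-ssh-out then deny
set security policies from-zone junos-host to-zone untrust policy no-host-ssh-out then log session-init

commit check
commit

## Verification: confirm order and hit counts, then try "ssh <host in untrust>"
## from the SRX CLI and watch the deny counter increment.
show security policies from-zone junos-host to-zone untrust
show security policies hit-count
show security flow session destination-port 22
```

Before widening the final deny to application any, add permits above it for everything the device legitimately originates toward that zone (NTP, DNS, syslog, the VPN or routing protocols in use); the default-permit behaviour of junos-host is what keeps those working today, and a blanket deny removes it.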



  • 5.  RE: Junos-host zone

    Posted 11-20-2014 23:12

    So normal security zones can be used to filter inbound traffic, and they cannot be used to filter outbound traffic.

    For that, we use host zones. Am I right?

     

    Best,

    Pradeep



  • 6.  RE: Junos-host zone
    Best Answer

     
    Posted 11-21-2014 00:00

    You are correct Pradeep.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 7.  RE: Junos-host zone

    Posted 11-21-2014 00:17

    Thanks for the help, Suraj. I appreciate it.