SRX

Hi, I wrote something about controling management access to a SRX (or J-serie of course) what might be usefull to to other memebers of this forum:

Introduction.

A lot of engineers who switch from ScreenOS to JUNOS are missing the manager-ip functionality found in ScreenOS. This technote gives a similar functionality for a srx or J-series.

Solution.

The solution found here is described is many documents, but I tried to make a small summary. Look for “protecting the Routing Engine” when looking for background information.

 The srx does not have the manager-ip build-in. Coming from the packetbased JUNOS version something can be build to achieve the same functionality. The core of this are stateless firewall filters. This filters can be applied to interfaces. But instead of applying it to all interfaces it’s applied between the PFE (packet forwarding engine) and the RE (Routing Engine). Consider that as at the point traffic enters the SRX itself instead of being forwarded. They way to do this is to apply a filter to the loopback interface. The loopback stack is used in sending traffic from PFE to RE.

On packetbased JUNOS you have to write rather complex filters, but for the SRX most for the work is already done in zone or interface host-inbound-traffic settings.

The add-on done here is to filter on prefixes.

The first step in the config is to create a list of networks (or hosts) allowed to manage. For this you can use a prefix-list:

policy-options {

    prefix-list manager-ip {

        10.0.0.0/8;

        192.168.4.254/32;

    }

}

This list is referenced in the actual filter, so this is where you can change your manager-ip’s!

The next step is to write a filter. On tricky thing here is you have to include all your management services in the first term! (Don’t forget NSM when you use it)

firewall {

    filter manager-ip {

        term block_non_manager {

            from {

                source-address {

                    0.0.0.0/0;

                }

                source-prefix-list {

                    manager-ip except;

                }

                protocol tcp;

                destination-port [ ssh https telnet http ];

            }

            then {

                discard;

            }

        }

        term accept_everything_else {

            then accept;

        }

    }

}

As you can see management traffic (when using a port listed in destination port) is rejected except when coming from an address listed in the prefix-list “manager-ip”.

Finally we have to apply this filter to the loopback interface:

interfaces {

        lo0 {

        unit 0 {

            family inet {

                filter {

                    input manager-ip;

                }

            }

        }

    }

}

And don’t forget to commit confirmed when trying this on a remote system…….

For those of you who want to copy the code with copy paste into the config: (You should start reading on load terminal, but this is maybe easier)

set policy-options prefix-list manager-ip 192.168.4.254/32

set policy-options prefix-list manager-ip 10.0.0.0/8

set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0

set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except

set firewall filter manager-ip term block_non_manager from protocol tcp

set firewall filter manager-ip term block_non_manager from destination-port ssh

set firewall filter manager-ip term block_non_manager from destination-port https

set firewall filter manager-ip term block_non_manager from destination-port telnet

set firewall filter manager-ip term block_non_manager from destination-port http

set firewall filter manager-ip term block_non_manager then discard

set firewall filter manager-ip term accept_everything_else then accept

set interfaces lo0 unit 0 family inet filter input manager-ip

Hey Screenie - sweet! Nice work.

Thanks for the information Screenie!

Yeah, very nice example; thanks!

I actually thought you would do it on the fxp.

Anyway I read the same in a JUNOS book that you should just protect the RE/Control Plane.

When you look at how juniper converts from ScreenOS to JUNOS Security it would put a filter on EACH interface.

This way is much nicer and you do not have to 'pollute' the configuration as much.

Thanks for the insightful information Screenie.

Cheers

Does not seem to work for me on SRX 210 runnin 10.2R2.

Created it likes this:

filter manager-ip {
    term block_non_manager {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                manager-ip except;
            }
            protocol [ tcp icmp ];
            icmp-type echo-request;
            destination-port [ ssh https ];
        }
        then {
            discard;
        }
    }
    term accept_everything_else {
        then accept;
    }
}

--------------------------------------

I can connect from an IP not in my list :s

Shouldn't you put some policying to avoid downing theRE if you allow management from the outside ?

My apologies.

It DOES work.

I need some time to get used to that after successfull commit it still takes a few minutes for the SRX 210 to actually active the changes.

Cheers 🙂

---

@TRK-NKA wrote:

My apologies.

It DOES work.

 

I need some time to get used to that after successfull commit it still takes a few minutes for the SRX 210 to actually active the changes.

 

Cheers 🙂

---

This should NOT be the case.  If you continue experiencing problems please open a case with JTAC so that the bug can be resolved.

I guess the delay in activation confused me.

It actually does not work.

I can see that in messages

ppl trying to get in :<

Cheers

Hi,

Please excuse my ignorance, I am still trying to learn JUNOS.  Base on what your described, wouldn't the https traffic from lets say 192.168.1.1 bound for the Internet be blocked as well?  I mean 192.168.1.1 is not part of the manager-ip and according you by applying the filter to loopback interface, it will take care of all traffic enter SRX.

I guess I don't understand how the traffic flows in and out of the filter.  could you explain, let say, 192.168.1.1 is part of the trust zone and it is trying to reach some https site on the Internet through the untrust zone.

Thanks

---

@misconfig wrote:

Hi,

Please excuse my ignorance, I am still trying to learn JUNOS.  Base on what your described, wouldn't the https traffic from lets say 192.168.1.1 bound for the Internet be blocked as well?  I mean 192.168.1.1 is not part of the manager-ip and according you by applying the filter to loopback interface, it will take care of all traffic enter SRX.

 

I guess I don't understand how the traffic flows in and out of the filter.  could you explain, let say, 192.168.1.1 is part of the trust zone and it is trying to reach some https site on the Internet through the untrust zone.

 

Thanks

---

No question is a bad question.  The filter only intercepts traffic destined to the SRX, not through the SRX.  For transit traffic you'd most often use security flows.  Filters are really only for restricting management traffic and CoS in my opinion.

mawr

Hi Guys,

I'm happy to see I didn't put the effort is for nothing. I really like to read the discussions that follow. And nawr you're right  twice. There indeed is no such thing as a bad question. And yes you're right about  the difference between transit traffic and exception traffic.  The filter on the loopback only affects traffic to the device self!

Hi,

How could we do when accessing from untrust? Do we also need to specify some IP from untrust?

Actually, I have:

filter input-untrust {
    term allow-ssh {
        from {
            source-address {
                home.158.31/32;
            }
            destination-address {
                pulic.143.2/32;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    term block-ssh-from-others {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            count discardSSH;
            discard;
        }
    }
    term allow-https {
        from {
            source-address {
                home.158.31/32;
            }
            destination-address {
                public.143.2/32;
            }
            protocol tcp;
            destination-port https;
        }
        then accept;
    }
     term pass-to-flow-policies {
        then accept;
    }
}

reth0 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input input-untrust;
            }
            address public.143.2/29;
        }
    }
}

Have an IP whitelist makes sure that only known IP adresses can connect to the control plane, at least if you apply the filter the loopback interface. That is easier than having to put filters and all your interfaces.

Also you can control the services on the interfaces in the security zone context.

Team Cymru has some great resources on restricting access to the SRX (and JUNOS as a whole).  They provide filters and policers to minimize a DoS on the management interfaces as well.

http://www.cymru.com/gillsr/documents/junos-template.htm

How do you do this in J-Web. I've been cracking on this one and I can't put a finger on it.

Totaly missed the reply on this old post, sorry! You can configure things like I described and use point-and-click cli to manage the list. Or use the technique not available when I wrote the article: junos-host policy. On SRX device you now can write a policy from a zone to junos-host and list in that policy who get access. This policy you can manage in the gui ofcourse!