ScreenOS Firewalls (NOT SRX)

Juniper Best Practice

04-14-2008 07:59 AM

Does Juniper have a document of best firewalling practices? I am specifically looking for the official recommendations regarding Virtual Routers - by default only the trust-vr is active, does this mean only one vr is recommended? I am asking in relation to PCI compliance.

Re: Juniper Best Practice

04-17-2008 02:33 PM

I don't know of a document that speaks to best practice regarding vrouters. You should use as many vrouters as you need, and no more. If you can do the task with one, you should use only one. An unnecessarily complex firewall is a less-secure firewall.


However, one thing that seems like a good idea is to place the interface you use to manage the firewall in the trust-vr (firewalls with dedicated mgt interfaces do this), and all other interfaces in the untrust-vr.  Also turn off all management protocols on the non-mgt interfaces.  This is useful so you can route mgt traffic differently from forwarding traffic, for instance to a dedicated management network.


Regarding VISA PCI, if you are being required to "separate" PCI from non-PCI traffic but don't have separate physical firewalls to do it, the virtualization capabilities in Netscreen firewalls are quite useful.  VSYS and vrouters are two features you can use to great effect.


For example, you can certainly put the PCI zones/interfaces into a "PCI" vrouter, and all non-PCI zones/interfaces into a different vrouter. It's probable this would be sufficient, but you can also use VSYS if you need to go an additional step further.


Generally PCI doesn't get to specific implementation details, but concentrates on protection and integrity.  When it comes to audits, you want to be able to easily and clearly show you are handling the PCI traffic in accordance with the PCI requirements.  Anything you can do that helps with the clarification is worthwhile.
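An added worked example of the layout the reply describes, on the ScreenOS CLI (this is not from the thread or from Juniper): the dedicated management interface alone in trust-vr, the non-PCI forwarding zones in untrust-vr, the PCI zone in its own vrouter, and every management service removed from the forwarding interfaces. The interface names, the "Corp" zone, the "PCI-vr" name and all addresses are assumptions chosen for illustration; lines beginning with `#` are annotations for the reader and are not ScreenOS syntax.

```screenos
# Assumed names: interfaces mgt, ethernet0/0, ethernet0/1, ethernet0/2; zone "Corp";
# vrouter "PCI-vr". All addresses are constructed documentation/private ranges.

# 1. The dedicated management interface stays in trust-vr (the MGT zone is bound
#    there by default) and is the only interface that accepts admin sessions.
#    Management traffic is routed in trust-vr, separately from forwarding traffic.
set interface mgt ip 192.168.100.1/24
unset interface mgt manage
set interface mgt manage ssh
set interface mgt manage ssl
set vrouter trust-vr route 192.168.0.0/16 interface mgt gateway 192.168.100.254

# 2. Non-PCI forwarding zones move to untrust-vr. A zone can only be rebound to
#    another vrouter while no interface is attached to it; on a box where an
#    interface already sits in Untrust, remove its IP and set its zone to null first.
set zone untrust vrouter untrust-vr
set zone name Corp
set zone Corp vrouter untrust-vr
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/1 zone Corp
set interface ethernet0/1 ip 10.20.0.1/24
# No management service of any kind on forwarding interfaces.
unset interface ethernet0/0 manage
unset interface ethernet0/1 manage
set vrouter untrust-vr route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# 3. The PCI zone lives in its own vrouter. No route is configured between PCI-vr
#    and untrust-vr, so cardholder traffic has no path to the non-PCI side, and
#    a policy alone cannot create one.
set vrouter name PCI-vr
set zone name PCI
set zone PCI vrouter PCI-vr
set interface ethernet0/2 zone PCI
set interface ethernet0/2 ip 10.30.0.1/24
unset interface ethernet0/2 manage

# 4. Policies in the non-PCI vrouter: only what the business needs.
set policy from Corp to Untrust any any HTTP permit
set policy from Corp to Untrust any any HTTPS permit

# 5. Checks to keep for the audit trail: which vrouters exist, which zone is bound
#    to which vrouter, and the per-interface zone/vrouter/management settings.
get vrouter
get zone
get interface ethernet0/2
```

The point an auditor cares about is visible in the `get` output: the only interface that still lists a management service is `mgt`, the PCI zone is bound to `PCI-vr`, and `get vrouter` shows no route leaking between `PCI-vr` and `untrust-vr`. If a later change adds such a route, that is the line to look for in `get config`.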