A Services Router running JUNOS software with enhanced services includes two configuration templates that allow the router to run as either a stateful firewall or a router. A Services Router configured as a firewall is in secure context. When the Services Router is configured as a router, it is in router context. These contexts are meant to be starting points from which you can customize the configuration for your network requirements.
Note: By default, the router is configured in secure context. You can change the router to router context, and if you plan to use the router primarily as a router, you should make router context your starting point. If you plan to change contexts, do so before you configure anything else on the router. If you change contexts after you have configured the router, your configuration is overridden by the configuration template for the new context. For more information, see the JUNOS Software with Enhanced Services Administration Guide.
In secure context, packets are forwarded only if a security policy permits the traffic. The basic configuration for secure context includes a predefined interface, ge-0/0/0, which is bound to a preconfigured zone called trust. All other interfaces are bound to a preconfigured zone called untrust. The ge-0/0/0 interface is configured to allow management access: the following host-inbound services are enabled for ge-0/0/0 in the trust zone: HTTP, HTTPS, SSH, Telnet, and DHCP. For the trust zone, TCP reset (tcp-rst) is enabled, so the router answers a non-SYN TCP segment that matches no existing session with a RST instead of silently dropping it. The default policy for the trust zone permits traffic from the trust zone to the untrust zone, and all traffic within the trust zone is permitted.
A screen is applied to a zone to protect against attacks launched from that zone; traffic arriving on the zone's interfaces is checked against the screen before it is processed further. The following screens are enabled for the untrust zone: ICMP ping of death, IP source route option, IP teardrop, TCP land attack, and TCP SYN flood. The SYN flood screen uses the following settings: alarm threshold 1024, attack threshold 200, source threshold 1024, destination threshold 2048, queue size 2000, and timeout 20 seconds. The default policy for the untrust zone is to deny all traffic.
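The secure-context template described above, written out as a JUNOS configuration so the zone bindings, host-inbound services, screen settings, and policies can be read side by side. This is an added reconstruction of what the text describes, not the shipped template copied from the router: the screen profile name (untrust-screen), the policy names, and the set of untrust interfaces (ge-0/0/1 through ge-0/0/3) are assumptions made for the example.

```junos
security {
    screen {
        /* Screen profile applied to the untrust zone; the name is an assumption */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            /* Answer unmatched non-SYN segments with a RST */
            tcp-rst;
            interfaces {
                ge-0/0/0.0 {
                    /* Management access to the router itself; not subject to policies */
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* "All other interfaces"; which ones exist depends on the chassis (assumed here) */
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
            }
        }
    }
    policies {
        /* Trust to untrust is permitted; there is no untrust-to-trust policy, so that direction is denied */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Traffic within the trust zone is permitted */
        from-zone trust to-zone trust {
            policy intrazone-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, `show security zones`, `show security screen ids-option untrust-screen`, and `show security policies` display the resulting zone bindings, screen thresholds, and policy order. Two points worth checking in this layout: the untrust zone carries no host-inbound services, so the router cannot be managed through an untrust interface until you add them deliberately; and Telnet and HTTP are cleartext, so on a network where that matters remove them with `delete security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet` (and likewise `http`) and manage the router over SSH and HTTPS only.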
In router context, all packets are forwarded unless a security policy denies specific traffic. The default policy is to permit all transit traffic, and all interfaces are bound to the trust zone. As in secure context, traffic destined to the router itself from a directly connected device (host-inbound traffic) is governed by the zone's host-inbound-traffic settings rather than by security policies, so no policy is required to allow it. In router context, you can use any of the supported system services for JUNOS software with enhanced services.
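The router-context model described above, as an added example configuration rather than the shipped template: every interface is in the trust zone, all system services are accepted as host-inbound traffic, and the default policy permits all transit traffic. The block also shows the one exception the text allows for, a policy that denies specific traffic, using a hypothetical intrazone policy that blocks transit Telnet; that policy, its name, and the interface list are assumptions made for the example.

```junos
security {
    zones {
        security-zone trust {
            /* Any supported system service may be used on any interface */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            /* All interfaces are bound to trust; the list here is an assumption */
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
            }
        }
    }
    policies {
        /* Named policies are evaluated in order before the default policy applies.
           This deny rule is an example of "denying specific traffic", not part of the template. */
        from-zone trust to-zone trust {
            policy block-telnet-transit {
                match {
                    source-address any;
                    destination-address any;
                    application junos-telnet;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* Everything not matched by a named policy is forwarded */
        default-policy {
            permit-all;
        }
    }
}
```

`show security policies` confirms that the named deny policy sits ahead of the permit-all default, and `show security flow session` shows that even in router context transit traffic still creates stateful sessions. If you later switch this router back to secure context, remember the note above: the secure-context template replaces this configuration rather than merging with it.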