Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Security Zones

 

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. You can define multiple security zones, the exact number of which you determine based on your network needs.

Security Zones Overview

Interfaces act as a doorway through which traffic enters and exits a Juniper Networks device. Many interfaces can share exactly the same security requirements; however, different interfaces can also have different security requirements for inbound and outbound data packets. Interfaces with identical security requirements can be grouped together into a single security zone.

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies.

Security zones are logical entities to which one or more interfaces are bound. With many types of Juniper Networks devices, you can define multiple security zones, the exact number of which you determine based on your network needs.

On a single device, you can configure multiple security zones, dividing the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. On some security platforms, you can define many security zones, bringing finer granularity to your network security design—and without deploying multiple security appliances to do so.

From the perspective of security policies, traffic enters into one security zone and goes out on another security zone. This combination of a from-zone and a to-zone is defined as a context. Each context contains an ordered list of policies. For more information on policies, see Security Policies Overview.

This topic includes the following sections:

Understanding Security Zone Interfaces

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

Through the policies you define, you can permit traffic between zones to flow in one direction or in both. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.

An interface can be configured with an IPv4 address, IPv6 address, or both.

Understanding Functional Zones

A functional zone is used for special purposes, like management interfaces. Currently, only the management (MGT) zone is supported. Management zones have the following properties:

  • Management zones host management interfaces.

  • Traffic entering management zones does not match policies; therefore, traffic cannot transit out of any other interface if it was received in the management interface.

  • Management zones can only be used for dedicated management interfaces.

Understanding Security Zones

Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them.

Security zones have the following properties:

  • Policies—Active security policies that enforce rules for the transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall. For more information, see Security Policies Overview.

  • Screens—A Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful. For more information, see Reconnaissance Deterrence Overview.

  • Address books—IP addresses and address sets that make up an address book to identify its members so that you can apply policies to them. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names. For more information, see Example: Configuring Address Books and Address Sets.

  • TCP-RST—When this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYNchronize flag set.

  • Interfaces—List of interfaces in the zone.

Security zones have the following preconfigured zone:

  • Trust zone—Available only in the factory configuration and is used for initial connection to the device. After you commit a configuration, the trust zone can be overridden.

Example: Creating Security Zones

This example shows how to configure zones and assign interfaces to them. When you configure a security zone, you can specify many of its parameters at the same time.

Requirements

Before you begin, configure network interfaces. See the Interfaces Feature Guide for Security Devices.

Overview

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

Note

By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone.

Note

You can configure 2000 interfaces within a security zone on SRX3400, SRX3600, SRX4600, SRX5400, SRX5600, or SRX5800 devices, depending on the Junos OS release in your installation.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.

To create zones and assign interfaces to them:

  1. Configure an Ethernet interface and assign an IPv4 address to it.
  2. Configure an Ethernet interface and assign an IPv6 address to it.
  3. Configure a security zone and assign it to an Ethernet interface.

Results

From configuration mode, confirm your configuration by entering the show security zones security-zone ABC and show interfaces ge-0/0/1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]

user@host# show security zones security-zone ABC
[edit]

user@host# show interfaces ge-0/0/1

If you are done configuring the device, enter commit from configuration mode.

Verification

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Supported System Services for Host Inbound Traffic

This topic describes the supported system services for host inbound traffic on the specified zone or interface.

For example, suppose a user whose system was connected to interface 203.0.113.4 in zone ABC wanted to telnet into interface 198.51.100.4 in zone ABC. For this action to be allowed, the Telnet application must be configured as an allowed inbound service on both interfaces and a policy must permit the traffic transmission.

See the Options section in system-services (Security Zones Host Inbound Traffic) to view the system services that can be used for host inbound traffic.

Note

On SRX Series Services Gateways, the xnm-clear-text field is enabled in the factory-default configuration. This setting enables incoming Junos XML protocol traffic in the trust zone for the device when the device is operating with factory-default settings. We recommend that you replace the factory-default settings with a user-defined configuration that provides additional security once the box is configured. You must delete the xnm-clear-text field manually by using the CLI command delete system services xnm-clear-text.

See the Options section in protocols (Security Zones Interfaces) to view the supported protocols that can be used for host inbound traffic.

Note

All services (except DHCP and BOOTP) can be configured either per zone or per interface. A DHCP server is configured only per interface because the incoming interface must be known by the server to be able to send out DHCP replies.

Note

You do not need to configure Neighbor Discovery Protocol (NDP) on host-inbound traffic, because the NDP is enabled by default.

Configuration option for IPv6 Neighbor Discovery Protocol (NDP) is available. The configuration option is set protocol neighbor-discovery onlink-subnet-only command. This option will prevent the device from responding to a Neighbor Solicitation (NS) from a prefix which was not included as one of the device interface prefixes.

Note

The Routing Engine needs to be rebooted after setting this option to remove any possibility of a previous IPv6 entry from remaining in the forwarding-table.

Understanding How to Control Inbound Traffic Based on Traffic Types

This topic describes how to configure zones to specify the kinds of traffic that can reach the device from systems that are directly connected to its interfaces.

Note the following:

  • You can configure these parameters at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)

  • You must enable all expected host-inbound traffic. Inbound traffic destined to this device is dropped by default.

  • You can also configure a zone's interfaces to allow for use by dynamic routing protocols.

This feature allows you to protect the device against attacks launched from systems that are directly or indirectly connected to any of its interfaces. It also enables you to selectively configure the device so that administrators can manage it using certain applications on certain interfaces. You can prohibit use of other applications on the same or different interfaces of a zone. For example, most likely you would want to ensure that outsiders not use the Telnet application from the Internet to log in to the device because you would not want them connecting to your system.

Example: Controlling Inbound Traffic Based on Traffic Types

This example shows how to configure inbound traffic based on traffic types.

Requirements

Before you begin:

Overview

By allowing system services to run, you can configure zones to specify different types of traffic that can reach the device from systems that are directly connected to its interfaces. You can configure the different system services at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)

You must enable all expected host-inbound traffic. Inbound traffic from devices directly connected to the device's interfaces is dropped by default.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.

To configure inbound traffic based on traffic types:

  1. Configure a security zone.
  2. Configure the security zone to support inbound traffic for all system services.
  3. Configure the Telnet, FTP, and SNMP system services at the interface level (not the zone level) for the first interface.
  4. Configure the security zone to support inbound traffic for all system services for a second interface.
  5. Exclude the FTP and HTTP system services from the second interface.

Results

From configuration mode, confirm your configuration by entering the show security zones security-zone ABC. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]

user@host# show security zones security-zone ABC

If you are done configuring the device, enter commit from configuration mode.

Verification

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Understanding How to Control Inbound Traffic Based on Protocols

This topic describes the inbound system protocols on the specified zone or interface.

Any host-inbound traffic that corresponds to a protocol listed under the host-inbound traffic option is allowed. For example, if anywhere in the configuration, you map a protocol to a port number other than the default, you can specify the protocol in the host-inbound traffic option, and the new port number will be used. Table 1 lists the supported protocols. A value of all indicates that traffic from all of the following protocols is allowed inbound on the specified interfaces (of the zone, or a single specified interface).

Table 1: Supported Inbound System Protocols

Supported System Services

all

igmp

pim

sap

bfd

ldp

rip

vrrp

bgp

msdp

ripng

nhrp

router-discovery

dvmrp

ospf

rsvp

pgm

ospf3

  
Note

If DVMRP or PIM is enabled for an interface, IGMP and MLD host-inbound traffic is enabled automatically. Because IS-IS uses OSI addressing and should not generate any IP traffic, there is no host-inbound traffic option for the IS-IS protocol.

Note

You do not need to configure Neighbor Discovery Protocol (NDP) on host-inbound traffic, because the NDP is enabled by default.

Configuration option for IPv6 Neighbor Discovery Protocol (NDP) is available. The configuration option is set protocol neighbor-discovery onlink-subnet-only command. This option will prevent the device from responding to a Neighbor Solicitation (NS) from a prefix which was not included as one of the device interface prefixes.

Note

The Routing Engine needs to be rebooted after setting this option to remove any possibility of a previous IPv6 entry remaining in the forwarding-table.

Example: Controlling Inbound Traffic Based on Protocols

This example shows how to enable inbound traffic for an interface.

Requirements

Before you begin:

Overview

Any host-inbound traffic that corresponds to a protocol listed under the host-inbound traffic option is allowed. For example, if anywhere in the configuration you map a protocol to a port number other than the default, you can specify the protocol in the host-inbound traffic option, and the new port number will be used.

A value of all indicates that traffic from all of the protocols is allowed inbound on the specified interfaces (of the zone, or a single specified interface).

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.

To configure inbound traffic based on protocols:

  1. Configure a security zone.
  2. Configure the security zone to support inbound traffic based on the ospf protocol for an interface.
  3. Configure the security zone to support inbound traffic based on the ospf3 protocol for an interface.

Results

From configuration mode, confirm your configuration by entering the show security zones security-zone ABC. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]


user@host# show security zones security-zone ABC

If you are done configuring the device, enter commit from configuration mode.

Verification

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Example: Configuring the TCP-Reset Parameter

This example shows how to configure the TCP-Reset parameter for a zone.

Requirements

Before you begin, configure security zones. See Example: Creating Security Zones.

Overview

When the TCP-Reset parameter feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYN flag set.

Configuration

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.

To configure the TCP-Reset parameter for a zone:

  1. Configure a security zone.
  2. Configure the TCP-Reset parameter for the zone.
  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security zones command.

Related Documentation