Security Zones
A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. You can define multiple security zones, the exact number of which you determine based on your network needs.
Security Zones Overview
Interfaces act as a doorway through which traffic enters and exits a Juniper Networks device. Many interfaces can share exactly the same security requirements; however, different interfaces can also have different security requirements for inbound and outbound data packets. Interfaces with identical security requirements can be grouped together into a single security zone.
A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies.
Security zones are logical entities to which one or more interfaces are bound. With many types of Juniper Networks devices, you can define multiple security zones, the exact number of which you determine based on your network needs.
On a single device, you can configure multiple security zones, dividing the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. On some security platforms, you can define many security zones, bringing finer granularity to your network security design—and without deploying multiple security appliances to do so.
From the perspective of security policies, traffic
enters into one security zone and goes out on another security zone.
This combination of a from-zone and a to-zone is defined as a context. Each context contains
an ordered list of policies. For more information on policies, see Security Policies Overview.
This topic includes the following sections:
Understanding Security Zone Interfaces
An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.
Through the policies you define, you can permit traffic between zones to flow in one direction or in both. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.
An interface can be configured with an IPv4 address, IPv6 address, or both.
Understanding Functional Zones
A functional zone is used for special purposes, like management interfaces. Currently, only the management (MGT) zone is supported. Management zones have the following properties:
Management zones host management interfaces.
Traffic entering management zones does not match policies; therefore, traffic cannot transit out of any other interface if it was received in the management interface.
Management zones can only be used for dedicated management interfaces.
Understanding Security Zones
Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them.
Security zones have the following properties:
Policies—Active security policies that enforce rules for the transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall. For more information, see Security Policies Overview.
Screens—A Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful. For more information, see Reconnaissance Deterrence Overview.
Address books—IP addresses and address sets that make up an address book to identify its members so that you can apply policies to them. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names. For more information, see Example: Configuring Address Books and Address Sets.
TCP-RST—When this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYNchronize flag set.
Interfaces—List of interfaces in the zone.
Security zones have the following preconfigured zone:
Trust zone—Available only in the factory configuration and is used for initial connection to the device. After you commit a configuration, the trust zone can be overridden.
Example: Creating Security Zones
This example shows how to configure zones and assign interfaces to them. When you configure a security zone, you can specify many of its parameters at the same time.
Requirements
Before you begin, configure network interfaces. See the Interfaces User Guide for Security Devices.
Overview
An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.
By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone.
You can configure 2000 interfaces within a security zone on SRX3400, SRX3600, SRX4600, SRX5400, SRX5600, or SRX5800 devices, depending on the Junos OS release in your installation.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24 set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64 set security zones security-zone ABC interfaces ge-0/0/1.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.
To create zones and assign interfaces to them:
Configure an Ethernet interface and assign an IPv4 address to it.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
Configure an Ethernet interface and assign an IPv6 address to it.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8::1/32
Configure a security zone and assign it to an Ethernet interface.
[edit] user@host# set security zones security-zone ABC interfaces ge-0/0/1.0
Results
From configuration mode, confirm your configuration
by entering the show security zones security-zone ABC and show interfaces ge-0/0/1 commands. If the output does not display
the intended configuration, repeat the configuration instructions
in this example to correct it.
For brevity, this show output includes only the configuration
that is relevant to this example. Any other configuration on the system
has been replaced with ellipses (...).
[edit]
user@host# show security zones security-zone ABC
...
interfaces {
ge-0/0/1.0 {
...
}
}
[edit]
user@host# show interfaces ge-0/0/1
...
unit 0 {
family inet {
address 203.0.113.1/24;
}
family inet6 {
address 2001:db8:1::1/64;
}
}If you are done configuring the device, enter commit from configuration mode.
Supported System Services for Host Inbound Traffic
This topic describes the supported system services for host inbound traffic on the specified zone or interface.
For example, suppose a user whose system was connected
to interface 203.0.113.4 in zone ABC wanted
to telnet into interface 198.51.100.4 in zone ABC. For this action to be allowed, the Telnet application must be configured
as an allowed inbound service on both interfaces and a policy must
permit the traffic transmission.
See the Options section in system-services (Security Zones Host Inbound Traffic) to view the system services that can be used for host inbound traffic.
On SRX Series Firewalls, the xnm-clear-text field is enabled in the
factory-default configuration. This setting enables incoming Junos XML protocol
traffic in the trust zone for the device when the device is operating with
factory-default settings. We recommend that you replace the factory-default settings
with a user-defined configuration that provides additional security once the box is
configured. You must delete the xnm-clear-text field manually by
using the CLI command delete system services xnm-clear-text.
See the Options section in protocols (Security Zones Interfaces) to view the supported protocols that can be used for host inbound traffic.
All services (except DHCP and BOOTP) can be configured either per zone or per interface. A DHCP server is configured only per interface because the incoming interface must be known by the server to be able to send out DHCP replies.
You do not need to configure Neighbor Discovery Protocol (NDP) on host-inbound traffic, because the NDP is enabled by default.
Configuration option for IPv6 Neighbor Discovery Protocol (NDP)
is available. The configuration option is set protocol neighbor-discovery
onlink-subnet-only command. This option will prevent the device
from responding to a Neighbor Solicitation (NS) from a prefix which
was not included as one of the device interface prefixes.
The Routing Engine needs to be rebooted after setting this option to remove any possibility of a previous IPv6 entry from remaining in the forwarding-table.
Understanding How to Control Inbound Traffic Based on Traffic Types
This topic describes how to configure zones to specify the kinds of traffic that can reach the device from systems that are directly connected to its interfaces.
Note the following:
You can configure these parameters at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)
You must enable all expected host-inbound traffic. Inbound traffic destined to this device is dropped by default.
You can also configure a zone's interfaces to allow for use by dynamic routing protocols.
This feature allows you to protect the device against attacks launched from systems that are directly or indirectly connected to any of its interfaces. It also enables you to selectively configure the device so that administrators can manage it using certain applications on certain interfaces. You can prohibit use of other applications on the same or different interfaces of a zone. For example, most likely you would want to ensure that outsiders not use the Telnet application from the Internet to log in to the device because you would not want them connecting to your system.
Example: Controlling Inbound Traffic Based on Traffic Types
This example shows how to configure inbound traffic based on traffic types.
Requirements
Before you begin:
Configure network interfaces. See Interfaces User Guide for Security Devices.
Understand Inbound traffic types. See Understanding How to Control Inbound Traffic Based on Traffic Types.
Overview
By allowing system services to run, you can configure zones to specify different types of traffic that can reach the device from systems that are directly connected to its interfaces. You can configure the different system services at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)
You must enable all expected host-inbound traffic. Inbound traffic from devices directly connected to the device's interfaces is dropped by default.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security zones security-zone ABC host-inbound-traffic system-services all set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services all set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services ftp except set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services http except
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.
To configure inbound traffic based on traffic types:
Configure a security zone.
[edit] user@host# edit security zones security-zone ABC
Configure the security zone to support inbound traffic for all system services.
[edit security zones security-zone ABC] user@host# set host-inbound-traffic system-services all
Configure the Telnet, FTP, and SNMP system services at the interface level (not the zone level) for the first interface.
[edit security zones security-zone ABC] user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
Configure the security zone to support inbound traffic for all system services for a second interface.
[edit security zones security-zone ABC] user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services all
Exclude the FTP and HTTP system services from the second interface.
[edit security zones security-zone ABC] user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services ftp except user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services http except
Results
From configuration mode, confirm your configuration
by entering the show security zones security-zone ABC.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show security zones security-zone ABC
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.3 {
host-inbound-traffic {
system-services {
ftp;
telnet;
snmp;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
ftp {
except;
}
http {
except;
}
}
}
}
} If you are done configuring the device, enter commit from configuration mode.
Understanding How to Control Inbound Traffic Based on Protocols
This topic describes the inbound system protocols on the specified zone or interface.
Any host-inbound traffic that corresponds to a
protocol listed under the host-inbound traffic option is allowed.
For example, if anywhere in the configuration, you map a protocol
to a port number other than the default, you can specify the protocol
in the host-inbound traffic option, and the new port number will be
used. Table 1 lists the supported protocols.
A value of all indicates that traffic from all of the following
protocols is allowed inbound on the specified interfaces (of the zone,
or a single specified interface).
Supported System Services |
|||
|---|---|---|---|
all |
igmp |
pim |
sap |
bfd |
ldp |
rip |
vrrp |
bgp |
msdp |
ripng |
nhrp |
router-discovery |
dvmrp |
ospf |
rsvp |
pgm |
ospf3 |
||
If DVMRP or PIM is enabled for an interface, IGMP and MLD host-inbound traffic is enabled automatically. Because IS-IS uses OSI addressing and should not generate any IP traffic, there is no host-inbound traffic option for the IS-IS protocol.
You do not need to configure Neighbor Discovery Protocol (NDP) on host-inbound traffic, because the NDP is enabled by default.
Configuration option for IPv6 Neighbor Discovery Protocol (NDP)
is available. The configuration option is set protocol neighbor-discovery
onlink-subnet-only command. This option will prevent the device
from responding to a Neighbor Solicitation (NS) from a prefix which
was not included as one of the device interface prefixes.
The Routing Engine needs to be rebooted after setting this option to remove any possibility of a previous IPv6 entry remaining in the forwarding-table.
Example: Controlling Inbound Traffic Based on Protocols
This example shows how to enable inbound traffic for an interface.
Requirements
Before you begin:
Configure security zones. See Example: Creating Security Zones.
Configure network interfaces. See the Interfaces User Guide for Security Devices.
Overview
Any host-inbound traffic that corresponds to a protocol listed under the host-inbound traffic option is allowed. For example, if anywhere in the configuration you map a protocol to a port number other than the default, you can specify the protocol in the host-inbound traffic option, and the new port number will be used.
A value of all indicates that traffic from all of
the protocols is allowed inbound on the specified interfaces (of the
zone, or a single specified interface).
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf3
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.
To configure inbound traffic based on protocols:
Configure a security zone.
[edit] user@host# edit security zones security-zone ABC
Configure the security zone to support inbound traffic based on the ospf protocol for an interface.
[edit security zones security-zone ABC] user@host# set interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf
Configure the security zone to support inbound traffic based on the ospf3 protocol for an interface.
[edit security zones security-zone ABC] user@host# set interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf3
Results
From configuration mode, confirm your configuration
by entering the show security zones security-zone ABC.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show security zones security-zone ABC
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
protocols {
ospf;
ospf3;
}
}
}
}If you are done configuring the device, enter commit from configuration mode.
Example: Configuring the TCP-Reset Parameter
This example shows how to configure the TCP-Reset parameter for a zone.
Requirements
Before you begin, configure security zones. See Example: Creating Security Zones.
Overview
When the TCP-Reset parameter feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYN flag set.
Configuration
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.
To configure the TCP-Reset parameter for a zone:
Configure a security zone.
[edit] user@host# edit security zones security-zone ABC
Configure the TCP-Reset parameter for the zone.
[edit security zones security-zone ABC] user@host# set tcp-rst
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify the configuration is working properly,
enter the show security zones command.