Monday, May 6, 2013

Zoning Juniper Style

One big source of confusion among security admins, and among those moving from a non-Juniper platform to Juniper, is the zone concept. A lot of confusion develops when you mention zones in the firewall engineering community. We will discuss zones in this post and provide a brief overview of the zone concepts.

Juniper supports multiple zone concepts, but in reality there are just 2 styles of zone (security zones and functional zones).

By default, all interfaces are in a functional zone called "null". Yes, you do not have to configure anything: those interfaces are in the functional zone "null" right out of the box, until you install them into another zone. Functional zones do NOT carry traffic across the unit into another interface or zone. As a matter of fact, you can't even configure fwpolicies for these zones, nor do you need any policies. Other examples of a functional zone would be a management-only interface or a dedicated management interface.

The main zones that one would encounter are the security zones.

These zones are typically labeled trust, untrust, guest or dmz. You will need to configure fwpolicies between interfaces assigned to these security zones in order for traffic to traverse the firewall unit.

In a way, you can look at Juniper zones the same way as Cisco PIX/ASA security levels, where traffic between security levels (zones for us Juniper guys/gals) needs fwpolicies; but with Cisco you only need fwpolicies (ACLs) when going from a lower security level to a higher one.

Juniper needs fwpolicies regardless of the security zone and direction. Fortigate shares this same requirement, with the added requirement of a src/dst port in the fwpolicies.

Note: As far as direction goes, the Juniper only needs one-way fwpolicies and will open a dynamic pinhole for established traffic.

To craft zones you will need configuration access. It would be best to review your current zones via the "show security zone" cmd. Upon execution of this command, you will be presented with a list of the zones that you have enabled and their type.

A few things to consider in your zone design and concepts: you probably want to keep your zone names clear so you don't have to remember what they are.

e.g

vrs





Now one more key point: you can place an interface into only one zone. And if the zone doesn't exist, you cannot install firewall policies. Yes, I know it sounds simple, but you would not believe me if I told you how many firewall admins miss this step or do not quite understand the concept.

Okay, so let's craft some zones:


set security zones security-zone untrust
set security zones security-zone inside1
set security zones security-zone inside2
set security zones security-zone guest1
set security zones security-zone dmz1
set security zones security-zone dmz2

Okay, simple. Now let's bind interfaces into these zones:

   
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone inside1 interfaces ge-0/0/2.0
set security zones security-zone inside2 interfaces ge-0/0/3.0
   
 
Okay, simple. Up to this point, you can now craft fwpolicies for traffic between zones. Without the zones, you would not be able to do much. With zones established, you can now craft firewall policies and address objects:

 
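set security policies from-zone inside1 to-zone untrust policy permit-all match source-address any destination-address any application any
set security policies from-zone inside1 to-zone untrust policy permit-all then permit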


Another junior mistake that I've seen time after time: VPN and GRE interfaces need to be installed into a security zone also. So always ensure these interfaces are in a zone.
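
As an added example (not part of the original post), the Python script below audits a Junos configuration in "set" format for the three mistakes described above: an interface unit left out of every security zone (st0 and gr- tunnel units included), an interface listed under more than one zone, and a policy that references a zone that was never defined. The sample configuration and the function name audit_zones are constructed for illustration, and the check assumes interfaces are bound to zones by explicit unit name rather than with "interfaces all".

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the post), with deliberate mistakes.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet
set interfaces gr-0/0/0 unit 0 family inet address 10.9.9.1/30
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone inside1 interfaces ge-0/0/2.0
set security zones security-zone inside2 interfaces ge-0/0/2.0
set security policies from-zone inside1 to-zone untrust policy permit-all match application any
set security policies from-zone guest1 to-zone untrust policy guest-out match application any
"""

IFACE = re.compile(r"^set interfaces (\S+) unit (\d+)\b")
ZONE = re.compile(r"^set security zones security-zone (\S+)(?: interfaces (\S+))?")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)")

def audit_zones(config):
    """Return a list of zone-related findings for a 'set'-format config."""
    units, zones, policies = set(), set(), set()
    bindings = defaultdict(set)          # interface unit -> zones it is listed in
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE.match(line):
            units.add(f"{m[1]}.{m[2]}")  # ge-0/0/1 unit 0 -> ge-0/0/1.0
        elif m := ZONE.match(line):
            zones.add(m[1])
            if m[2]:
                bindings[m[2]].add(m[1])
        elif m := POLICY.match(line):
            policies.add((m[1], m[2], m[3]))
    findings = []
    # Configured units that no security zone claims (tunnel units included).
    for unit in sorted(units - set(bindings)):
        findings.append(f"{unit}: not bound to any security zone")
    # An interface may belong to only one zone.
    for unit, unit_zones in sorted(bindings.items()):
        if len(unit_zones) > 1:
            findings.append(f"{unit}: bound to multiple zones {sorted(unit_zones)}")
    # Policies can only be installed between zones that exist.
    for src, dst, name in sorted(policies):
        for zone in sorted({src, dst} - zones):
            findings.append(f"policy {name}: zone {zone} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_zones(SAMPLE_CONFIG)))
```

A unit that is intentionally left in a functional zone will also show up in the first finding, so review that list rather than treating every entry as an error.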

I hope you find this post helpful.

Ken Felix
Freelance Security/Network Engineer
kfelix -a-t- hyperfeed  --d-o-t--  com










