Juniper supports several zone concepts, but in reality there are just two styles of zone: security zones and functional zones.
By default every interface sits in a built-in zone called "Null". You do not have to configure anything; interfaces are in the Null zone right out of the box, until you place them into another zone. Functional zones (and Null) do NOT carry transit traffic across the unit to another interface or zone; they exist only so the device itself can be reached. As a matter of fact you cannot configure security policies that reference these zones, nor do you need any. The typical functional zone is the management zone, used for a dedicated or management-only interface.
The main zones you will encounter are the security zones.
These zones are typically labelled trust, untrust, guest or dmz. You will need to configure security policies between the zones that interfaces are assigned to in order for traffic to traverse the firewall unit.
In a way you can look at Juniper zones the same way as Cisco PIX/ASA security levels, where traffic between security levels (zones for us Juniper guys/gals) needs policies. The difference is that on Cisco you only need an ACL when going from a lower security level to a higher one; higher-to-lower is permitted by default.
Juniper needs a policy regardless of the security zone and direction, including traffic between two interfaces in the same zone (a from-zone X to-zone X policy). The default is deny-all. FortiGate shares this same requirement, with the added requirement that each policy also names a source and destination interface.
note: As far as direction goes, the Juniper only needs a policy for the initiating direction. The SRX is stateful: the first permitted packet creates a session entry, and the return traffic is matched against that session rather than against a second policy.
To craft zones you will need configuration access. It is best to review your current zones first via the "show security zones" operational command (or "show configuration security zones" for the config itself). Upon execution of this command you will be presented with a list of the zones you have defined, their type (security or functional), and the interfaces bound to each.
A few things to consider in your zone design and concepts. You probably want to keep your zone names clear and descriptive so you do not have to remember what each one is for.
e.g
vrs
Now one more key point: you can place an interface (more precisely, a logical unit such as ge-0/0/2.0) into only one zone. And if a zone does not exist, you cannot install security policies that reference it; the commit will fail. Yes, I know it sounds simple, but you would not believe me if I told you how many firewall admins miss this step or do not quite understand the concept.
Okay so let's craft some zones:
set security zones security-zone untrust
set security zones security-zone inside1
set security zones security-zone inside2
set security zones security-zone guest1
set security zones security-zone dmz1
set security zones security-zone dmz2
Okay, simple. Now let's bind interfaces into these zones (note that it is the logical unit, .0, that goes into the zone, not the physical port):
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone inside1 interfaces ge-0/0/2.0
set security zones security-zone inside2 interfaces ge-0/0/3.0
And finally a policy so inside1 can reach untrust. A policy is not complete without a source address, destination address, application and an action; the original post showed only the application match, which will not commit on its own:
set security policies from-zone inside1 to-zone untrust policy permit-all match source-address any
set security policies from-zone inside1 to-zone untrust policy permit-all match destination-address any
set security policies from-zone inside1 to-zone untrust policy permit-all match application any
set security policies from-zone inside1 to-zone untrust policy permit-all then permit
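To pull the whole procedure together (functional zone for management, security zones, interface binding, the one-way policy, the often-forgotten same-zone policy, and the tunnel interface), here is a complete zone layout as an added example. This is not configuration from the original post or from any particular device; the interface names ge-0/0/0 through ge-0/0/5 and st0.0, the zone names vpn and the address-book entries inside1-net and dmz1-web with their subnets are assumptions chosen for illustration.

```junos
# Added example, not from the original post. Interface names, the "vpn" zone,
# and the address-book entries/subnets below are assumptions for illustration.

# Security zones: only logical units (ge-x/y/z.N, st0.N) are bound to a zone,
# and each unit can live in exactly one zone.
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone inside1 interfaces ge-0/0/2.0
set security zones security-zone inside1 interfaces ge-0/0/4.0
set security zones security-zone inside2 interfaces ge-0/0/3.0
set security zones security-zone dmz1 interfaces ge-0/0/5.0
# Route-based IPsec tunnel interface: it needs a zone like any other unit.
set security zones security-zone vpn interfaces st0.0

# Let the box itself be pinged and managed from inside1, and only accept IKE
# from untrust; everything else to the device is dropped per zone.
set security zones security-zone inside1 host-inbound-traffic system-services ping
set security zones security-zone inside1 host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike

# Dedicated management interface in the functional zone: no transit traffic,
# and no security policy can or needs to reference it.
set security zones functional-zone management interfaces ge-0/0/0.0
set security zones functional-zone management host-inbound-traffic system-services ssh

# Address-book objects referenced by the policies (assumed subnets).
set security address-book global address inside1-net 10.1.0.0/16
set security address-book global address dmz1-web 172.16.1.10/32

# Policies. Each one needs source, destination, application and an action.
# Only the initiating direction is written; return traffic rides the session.
set security policies from-zone inside1 to-zone untrust policy inside1-out match source-address inside1-net
set security policies from-zone inside1 to-zone untrust policy inside1-out match destination-address any
set security policies from-zone inside1 to-zone untrust policy inside1-out match application any
set security policies from-zone inside1 to-zone untrust policy inside1-out then permit
set security policies from-zone inside1 to-zone untrust policy inside1-out then log session-close

# Inbound from the Internet to a DMZ web server: pinned to one host, one app.
set security policies from-zone untrust to-zone dmz1 policy web-in match source-address any
set security policies from-zone untrust to-zone dmz1 policy web-in match destination-address dmz1-web
set security policies from-zone untrust to-zone dmz1 policy web-in match application junos-https
set security policies from-zone untrust to-zone dmz1 policy web-in then permit

# Same-zone traffic is NOT implicitly allowed on the SRX: hosts behind
# ge-0/0/2.0 and ge-0/0/4.0 cannot talk to each other without this.
set security policies from-zone inside1 to-zone inside1 policy intra-inside1 match source-address any
set security policies from-zone inside1 to-zone inside1 policy intra-inside1 match destination-address any
set security policies from-zone inside1 to-zone inside1 policy intra-inside1 match application any
set security policies from-zone inside1 to-zone inside1 policy intra-inside1 then permit

# deny-all is already the implicit default; stating it keeps it visible so
# nobody "fixes" it to permit-all later.
set security policies default-policy deny-all

# Validate, then verify zone types, bindings, policies and live sessions.
commit check
run show security zones
run show security policies from-zone inside1 to-zone untrust detail
run show security flow session
```

The "#" lines are comments for the reader. Note that inside2, guest1 and dmz2 from the earlier list are defined but have no policies here, so traffic to or from them is dropped by the default deny until you write one; that is the safe starting point. "show security zones" will report the management zone as "Policy configurable: No", which is the quick way to tell a functional zone from a security zone on a box you did not build.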
Another junior mistake that I've seen time and time again: VPN and GRE interfaces need to be installed into a security zone too. So always ensure these interfaces (st0.x for route-based IPsec, gr-x/y/z.n for GRE) are in a zone, or nothing will pass through the tunnel.
I hope you find this post helpful.
Ken Felix
Freelance Security/Network Engineer
kfelix -a-t- hyperfeed --d-o-t-- com