Tuesday, December 10, 2019

Zone firewall rules (Juniper, Palo Alto)

A very common misconception with security zones is that all interfaces in a zone are allowed by a policy rule whenever that zone is named as the from-zone or to-zone of the rule.

A rule with the proper source/destination zones and source/destination addresses for a traffic pairing allows only the flows that match the listed addresses (and applications). The zone pair only selects which policy context gets evaluated; it does not by itself permit anything.

So take a zone called "trust" with 10 interfaces. Those 10 interfaces and the network(s) behind them will NOT be automatically allowed by a rule unless you wrote it poorly by using "all" or "any" as the source address.

( here's an example of a zone named trust with 5 interfaces )



show security zones trust 

Security zone: trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 5
  Interfaces:
    ge-0/0/1.0
    ge-0/0/2.0
    ge-0/0/3.0
    ge-0/0/4.0
    ge-0/0/5.0


( networks 192.168.{1..5}.0/24 )

So a rule written with source-address "any" will cover all 5 networks. That would be a very bad rule unless that is really what you wanted.


A proper rule lists the specific subnets or hosts, as address-book entries, in the source-address match. Here INSIDE_HOST01 is such an entry:



set security policies from-zone trust to-zone untrust policy ALLOWDNS match source-address INSIDE_HOST01
set security policies from-zone trust to-zone untrust policy ALLOWDNS match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-tcp

set security policies from-zone trust to-zone untrust policy ALLOWDNS then permit


versus


set security policies from-zone trust to-zone untrust policy ALLOWDNS match source-address any
set security policies from-zone trust to-zone untrust policy ALLOWDNS match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy ALLOWDNS match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy ALLOWDNS then permit

Proper rule authoring is a must if you want a tight security policy. Every use of "any" should be scrutinized closely to make sure it is really intended and follows proper security practice.

This holds true regardless of the firewall model type or vendor.
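The following is an added worked example, not part of the original post and not Junos code. It is a toy first-match policy evaluator that mirrors SRX semantics (from-zone from the ingress interface, to-zone from a route lookup, first matching policy wins, default deny) and runs the post's two ALLOWDNS rules against hosts behind different trust interfaces. The interface and zone bindings follow the show security zones output above; the uplink ge-0/0/0.0, the 192.168.{1..5}.0/24 subnets, the address 192.168.1.10 behind INSIDE_HOST01 and the 203.0.113.53 resolver (a TEST-NET-3 documentation address) are assumptions.

```python
"""Toy first-match zone-policy evaluator that mirrors Junos SRX semantics.

Constructed example for this post; not the author's code and not Junos code.
Interface/zone bindings follow 'show security zones trust' above; the uplink,
the subnets, INSIDE_HOST01's address and the resolver IP are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Interface -> zone, as reported by 'show security zones'.
INTERFACE_ZONE = {f"ge-0/0/{i}.0": "trust" for i in range(1, 6)}
INTERFACE_ZONE["ge-0/0/0.0"] = "untrust"          # assumed uplink interface

# Routing table: prefix -> egress interface. The to-zone of a flow is the
# zone of the egress interface, found by longest-prefix match.
ROUTES = {f"192.168.{i}.0/24": f"ge-0/0/{i}.0" for i in range(1, 6)}
ROUTES["0.0.0.0/0"] = "ge-0/0/0.0"

# Address book. A policy's source/destination-address names an entry here;
# the address behind INSIDE_HOST01 is an assumption.
ADDRESS_BOOK = {
    "INSIDE_HOST01": ["192.168.1.10/32"],
    "any": ["0.0.0.0/0"],
}

# The two predefined applications used in the post.
APPLICATIONS = {"junos-dns-udp": ("udp", 53), "junos-dns-tcp": ("tcp", 53)}


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source_address: str
    destination_address: str
    applications: tuple
    action: str            # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    ingress_interface: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def egress_interface(dst_ip: str) -> str:
    """Longest-prefix route lookup."""
    addr = ipaddress.ip_address(dst_ip)
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def address_matches(entry: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_BOOK[entry])


def evaluate(policies: list, flow: Flow) -> tuple:
    """Return (policy name, action) of the first matching policy in the
    from-zone/to-zone context, or ('default-deny', 'deny') when nothing
    matches, which is the SRX default-policy."""
    from_zone = INTERFACE_ZONE[flow.ingress_interface]
    to_zone = INTERFACE_ZONE[egress_interface(flow.dst_ip)]
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue                   # the zone pair only selects the context
        if not address_matches(p.source_address, flow.src_ip):
            continue                   # being in from_zone is not enough
        if not address_matches(p.destination_address, flow.dst_ip):
            continue
        if (flow.protocol, flow.dst_port) not in [APPLICATIONS[a] for a in p.applications]:
            continue
        return p.name, p.action
    return "default-deny", "deny"


DNS_APPS = ("junos-dns-udp", "junos-dns-tcp")
# The tight rule from the post: one listed host may resolve DNS outbound.
TIGHT = [Policy("ALLOWDNS", "trust", "untrust", "INSIDE_HOST01", "any", DNS_APPS, "permit")]
# The loose rule: every network behind every trust interface may.
LOOSE = [Policy("ALLOWDNS", "trust", "untrust", "any", "any", DNS_APPS, "permit")]

# Constructed flows.
HOST01_DNS = Flow("ge-0/0/1.0", "192.168.1.10", "203.0.113.53", "udp", 53)
OTHER_DNS = Flow("ge-0/0/3.0", "192.168.3.7", "203.0.113.53", "udp", 53)  # in trust, not listed
HOST01_HTTPS = Flow("ge-0/0/1.0", "192.168.1.10", "203.0.113.53", "tcp", 443)
INTRAZONE = Flow("ge-0/0/1.0", "192.168.1.10", "192.168.2.5", "udp", 53)  # trust -> trust

if __name__ == "__main__":
    for label, policies in (("tight", TIGHT), ("loose", LOOSE)):
        for flow in (HOST01_DNS, OTHER_DNS, HOST01_HTTPS, INTRAZONE):
            print(label, flow.src_ip, "->", flow.dst_ip, evaluate(policies, flow))
```

Under the tight rule only 192.168.1.10 gets DNS out; 192.168.3.7 sits in the same trust zone and still lands on default-deny. Under the loose rule every host behind all five interfaces is permitted, and the trust-to-trust flow is denied by both sets because no policy exists in that zone context. On a real SRX the equivalent check is show security match-policies from-zone trust to-zone untrust source-ip 192.168.3.7 destination-ip 203.0.113.53 source-port 1025 destination-port 53 protocol udp, which reports the policy that flow would hit.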








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


