
Junos for Security Platforms

Chapter 3: Zones

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives

After successfully completing this chapter, you will be able to:
• Describe a zone and its purpose
• Define types of zones
• Explain the application of zones
• Configure zones
• Monitor zones

Agenda: Zones

• The Definition of Zones
• Zone Configuration
• Monitoring Security Zones

What Is a Zone?

• A zone is a collection of one or more network segments sharing identical security requirements
• Security policies control transit traffic between zones
  • Null zone:
    • Default zone
    • Drops all traffic
  • Interfaces can pass and accept traffic only if assigned to non-Null zones
    • Exception for special interfaces like fxp0

Review: Packet Flow

(Figure: packet-flow diagram; the Zones stage is the focus of this chapter. An ingress packet passes the packet-based stages (per-packet filters, per-packet policer, per-packet shaper) and enters the Flow Module. Session match? No: first path (SCREEN options, D-NAT, Route, Zones, Policy, S-NAT, Services/ALG, Session). Yes: fast path (SCREEN options, TCP, NAT, Services/ALG). The packet then goes to Forwarding and leaves as the egress packet.)
Hierarchical Dependencies (1 of 2)

• A strict hierarchical linkage exists between zones and interfaces
  • You assign logical interfaces to a zone
  • You cannot assign a logical interface to multiple zones
  • You can also assign logical interfaces to a routing instance
  • You cannot assign a logical interface to multiple routing instances
  • All zone logical interfaces must belong to the same routing instance
    • Exception when the ‘interfaces all’ statement is configured

Hierarchical Dependencies (2 of 2)

• Relationship between interfaces, zones, and routing instances

(Figure: Juniper Networks device. Interfaces are grouped into Zone A, Zone B, Zone C and Zone D; each zone belongs to one routing instance (Routing Instance 1 or Routing Instance 2), and each routing instance has its own forwarding table (F.T.).)

Zone Types

• User-defined (can be configured):
  • Security
  • Functional
• System-defined (cannot be configured):
  • Null

Security Zones

• Security zones:
  • A collection of one or more network segments requiring the regulation of inbound and outbound traffic through the use of policies
  • Used by traffic destined for the device itself
  • Used by transit traffic
    • Intrazone and interzone transit traffic flows require security policies
  • No defined default security zones
  • Cannot be shared between routing instances

(Zone-type tree: Security is a user-defined zone type and can be configured.)

Functional Zones

• Functional zones are special-purpose zones
  • Only one purpose for now—Management Zone
    • Used for out-of-band device management
  • Cannot be specified in policies
  • The Management Zone does not pass traffic
  • Can define only one Management Zone

(Zone-type tree: Functional is a user-defined zone type and can be configured.)

System-Defined Zones

• Null Zone
  • Unconfigurable
  • Every interface belongs to the Null Zone by default
  • When you delete an interface from a zone, it goes into the Null zone pool
  • The Junos OS rejects all traffic to and from an interface belonging to the Null Zone

(Zone-type tree: Null is the system-defined zone type and cannot be configured.)

Factory-Default Zones

• Applicable only to branch security platforms
• Configuration template defines two security zones:
  • trust, with interface vlan.0 belonging to it
  • untrust

(Figure: factory-default zones Trust, containing vlan.0, and Untrust; both are configurable.)

Agenda: Zones

• The Definition of Zones
• Zone Configuration
• Monitoring Security Zones

Zone Configuration Procedure

• Steps:
  • Define a security or a functional zone
  • Add logical interfaces to the zone
  • Optionally, add services and protocols needing permission into the device through the interfaces belonging to the zone
    • If you omit this step, the SRX Series device permits no traffic destined for itself

Defining a Zone

• Enter configuration mode:

    user@host> configure
    Entering configuration mode

    [edit]
    user@host#

• Define a security zone or a functional zone:

    [edit]
    user@host# set security zones security-zone zone-name

  or

    [edit]
    user@host# set security zones functional-zone management

• Functional zone specifics:
  • You can define one type—management
  • It does not have a user-defined name

Adding Logical Interfaces to the Zone

• Add logical interfaces to a zone:
  • Security zone:

    [edit]
    user@host# edit security zones

    [edit security zones]
    user@host# set security-zone HR interfaces ge-0/0/1.0

  • Functional zone:

    [edit]
    user@host# edit security zones

    [edit security zones]
    user@host# set functional-zone management interfaces ge-0/0/1.100

Local Host Traffic (1 of 3)

• A Junos security device does not allow traffic destined to itself by default
  • Use the host-inbound-traffic statement to allow specific traffic destined to the device coming from a particular zone or interface
  • A Junos security device always allows all outbound traffic sourced from itself

(Figure: SRX Series device receiving SSH, Telnet and ping traffic destined to the device itself.)

Local Host Traffic (2 of 3)

• host-inbound-traffic statement choices:
  • system-services: Specifies allowed services into the device through the interfaces belonging to a zone:
    • Telnet, SSH, DNS, ping, SNMP, and others
    • Specify the all option to allow all services on their respective ports
    • Specify the any-service option to allow all services and open all ports
  • protocols: Specifies allowed protocols into the device through the interfaces belonging to a zone:
    • BFD, BGP, LDP, OSPF, RIP, PIM, and others
    • Specify the all option to allow all protocols defined in the Junos OS
  • Can use the except keyword to isolate exceptions

Local Host Traffic (3 of 3)

• Configuration hierarchy
  • Can configure the statement under the entire zone stanza:

    [edit security zones]
    user@host# set security-zone HR host-inbound-traffic system-services all

  • Can configure the statement under an interface stanza within a zone:

    [edit security zones]
    user@host# set security-zone HR interfaces ge-0/0/1 host-inbound-traffic system-services http

  • Interface-level configuration overrides the zone-level configuration
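The override rule above (interface-level host-inbound-traffic replaces the zone-level block) together with the all/except expansion, worked through as an added Python illustration; this is not Juniper code, and the service list and the sample stanza are constructed for the example.

```python
# Added example (not Juniper code): compute the effective host-inbound
# system-services per interface of a Junos-style security-zone stanza. Rule
# from the chapter: an interface-level host-inbound-traffic block overrides
# the zone-level one; "all" is every service minus any "except" names.
import re
SERVICES = {"ssh", "telnet", "ftp", "http", "https", "ping", "snmp", "dns"}  # constructed subset

def parse(text):
    """Parse Junos curly-brace syntax into nested dicts; a leaf maps to {}."""
    root = {}
    stack, cur, words = [], root, []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                      # open a stanza named by the words so far
            stack.append(cur)
            cur = cur.setdefault(" ".join(words), {})
            words = []
        elif tok == ";":                    # terminal statement
            cur[" ".join(words)] = {}
            words = []
        elif tok == "}":                    # close the current stanza
            cur = stack.pop()
        else:
            words.append(tok)
    return root

def expand(services):
    """Services permitted by one system-services block ('all' minus 'except')."""
    allowed = set(SERVICES) if "all" in services else set()
    for name, body in services.items():
        if name != "all":
            (allowed.discard if "except" in body else allowed.add)(name)
    return allowed

def effective_services(zone):
    """Map each interface of a security-zone dict to its permitted services."""
    zone_svc = zone.get("host-inbound-traffic", {}).get("system-services", {})
    out = {}
    for ifname, body in zone.get("interfaces", {}).items():
        own = body.get("host-inbound-traffic", {}).get("system-services")
        out[ifname] = expand(zone_svc if own is None else own)   # interface overrides zone
    return out

def zone_services(text, zone_name):
    zone = parse(text)["security"]["zones"]["security-zone " + zone_name]
    return effective_services(zone)

# Constructed sample, adapted from the chapter's third knowledge check.
SAMPLE = """security { zones { security-zone zone1 {
  host-inbound-traffic { system-services { all; telnet { except; } } }
  interfaces { ge-0/0/0.0; ge-0/0/1.0 { host-inbound-traffic {
    system-services { all; http { except; } ftp { except; } } } } } } } }"""
```

Running zone_services(SAMPLE, "zone1") shows that ge-0/0/0.0 inherits the zone block (everything but telnet) while ge-0/0/1.0 uses only its own block, so telnet is permitted there and http and ftp are not.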

Check Your Knowledge (1 of 3)

• What does the following configuration do?

    security {
        zones {
            security-zone HR {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ftp;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0;
                }
            }
        }
    }

Check Your Knowledge (2 of 3)

• What does the following configuration do?

    security {
        zones {
            security-zone HR {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ftp;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                snmp;
                            }
                        }
                    }
                }
            }
        }
    }

Check Your Knowledge (3 of 3)

• What services can enter the device through interfaces ge-0/0/0.0 and ge-0/0/1.0?

    security {
        zones {
            security-zone zone1 {
                host-inbound-traffic {
                    system-services {
                        all;
                        telnet {
                            except;
                        }
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                http {
                                    except;
                                }
                                ftp {
                                    except;
                                }
                            }
                        }
                    }
    . . .

Agenda: Zones

• The Definition of Zones
• Zone Configuration and Applicability
• Monitoring Security Zones

Monitoring Zones

• The show security zones command provides information about:
  • Zone types
  • Zone names
  • Number of interfaces bound to corresponding zones
  • Interface names bound to corresponding zones

    user@host> show security zones
    Functional zone: management
      Policy configurable: No
      Interfaces bound: 1
      Interfaces:
        ge-0/0/0.0

    user@host> show security zones
    Security zone: HR
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes
      Interfaces bound: 1
      Interfaces:
        ge-0/0/1.0

Functional management zone with one interface—ge-0/0/0.0
Security zone HR with one interface—ge-0/0/1.0

Monitoring Traffic Permitted into Interfaces (1 of 2)

• Additional interface-specific zone information is available by using the show interfaces interface-name extensive command:

    user@host> show interfaces ge-0/0/3.200 extensive
    Logical interface ge-0/0/3.200 (Index 69) (SNMP ifIndex 47) (Generation 136)
      Flags: SNMP-Traps VLAN-Tag [ 0x8100.200 ] Encapsulation: ENET2
      Traffic statistics:
      Security: Zone: trust
      Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp
      nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
      ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh
      telnet traceroute xnm-clear-text xnm-ssl lsping
      Flow Statistics :
      Flow Input statistics :
        Self packets :                     0
        ICMP packets :                     0
        VPN packets :                      0
        Bytes permitted by policy :        4788966
        Connections established :          2

(Slide callouts: "Basic zone configuration details" points at the Security: Zone and Allowed host-inbound traffic lines; "Flow input statistics" points at the Flow Input statistics block.)

Monitoring Traffic Permitted into Interfaces (2 of 2)

      Flow Output statistics:
        Multicast packets :                0
        Bytes permitted by policy :        0
      Flow error statistics (Packets dropped due to):
        Address spoofing:                  0
        Authentication failed:             0
        Incoming NAT errors:               0
        Invalid zone received packet:      0
        Multiple user authentications:     0
        Multiple incoming NAT:             0
        No parent for a gate:              0
        No one interested in self packets: 0
        No minor session:                  0
        No more sessions:                  0
        No NAT gate:                       0
        No route present:                  0
        No SA for incoming SPI:            0
        No tunnel found:                   0
        No session for a gate:             0
        No zone or NULL zone binding       0
        Policy denied:                     0
        Security association not active:   0
        TCP sequence number out of window: 0
        Syn-attack protection:             0
        User authentication errors:        0

(Slide callouts: "Flow output statistics" points at the Flow Output statistics block; "Flow error statistics" points at the Flow error statistics block.)

Summary

• In this chapter, we:
  • Described zones and their purpose
  • Defined types of zones
  • Explained the application of zones
  • Described zone configuration
  • Described zone monitoring

Review Questions

1. What is the purpose of a zone?
2. What zone types exist in Junos security devices? Describe the applicability of each zone type.
3. What steps are necessary to configure a zone?
4. How can you specify the types of traffic to be allowed into a Junos security device?

Lab 1: Configuring and Monitoring Zones

• Perform initial setup and tasks normally associated with zone configuration and monitoring.
