Posts Tagged ‘firewall’

Here are two handy firewall filters to apply to any internet facing interface on your JUNOS network device.

BOGON List
- Apply as input on Internet facing interface
- You should also add any Public Address space that you have inside your network

[plain]
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 10.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 127.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 169.254.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 172.16.0.0/12
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.0.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.2.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.168.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.18.0.0/15
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.51.100.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 203.0.113.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 224.0.0.0/3
set firewall family inet filter BOGON-DENY term discard-bogon-net then count BOGONS
set firewall family inet filter BOGON-DENY term discard-bogon-net then discard
set firewall family inet filter BOGON-DENY term allow-everything-else then accept
[/plain]

Private Address Reject
- Apply as output on Internet facing interface

[plain]
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 10.0.0.0/8
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 172.16.0.0/12
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 192.168.0.0/16
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then count RFC-1918
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then reject
set firewall family inet filter PRIVATE-REJECT term allow-everything-else then accept
[/plain]

So application identification / firewall / secure has made it way to the branch. This is awesome news. So I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With ym simple rule base I have seen 1ms increase in my latency!!

After adding the license you can now perform the following:

Install Application identification

request services application-identification download

Check the status:

  • request services application-identification download status
    Application package 1980 is installed successfully.

Create a Application Ruleset

All that is ahppening here is youtube is BLOCKED, everything else is allowed.

[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]

Add to a security policy:

There is now the 'application-firewall' settings to apply to policies ...

cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall  Application firewall services
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
gprs-gtp-profile     Specify GPRS Tunneling Protocol profile name
gprs-sctp-profile    Specify GPRS stream control protocol profile name
idp                  Intrusion detection and prevention
redirect-wx          Set WX redirection
reverse-redirect-wx  Set WX reverse redirection
> uac-policy           Enable unified access control enforcement of policy
utm-policy           Specify utm policy name

Example Policy:

[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]

TODO: Play with 'application-tracking'. Will update blog post once I have.

So it's that simple ... Application firewalling is now accross the whole SRX range ... win.

So a co-worker and I spent some time playing around with JunOS 11's (I believe it came in with 11 - correct me if wrong) reth's ability to now be LACP interfaces, as well as just plain redundant. It was not immediately clear how the switch was required to be set up in order to facilitate this new, awesome feature.

- This was used with a ex4200 virtual chassis cluster and SRX Chassis Cluster -

Here is how we got it happily working (assuming you have a chassis cluster up and running):

SRX Config:

set interfaces ge-2/0/0 gigether-options redundant-parent reth1
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces ge-2/0/2 gigether-options redundant-parent reth1
set interfaces ge-2/0/3 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth1
set interfaces ge-11/0/1 gigether-options redundant-parent reth1
set interfaces ge-11/0/2 gigether-options redundant-parent reth1
set interfaces ge-11/0/3 gigether-options redundant-parent reth1

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive

EX Config:

set interfaces ge-0/0/0 ether-options 802.3ad ae1
set interfaces ge-0/0/1 ether-options 802.3ad ae2
set interfaces ge-0/0/2 ether-options 802.3ad ae1
set interfaces ge-0/0/3 ether-options 802.3ad ae2

set interfaces ge-1/0/0 ether-options 802.3ad ae2
set interfaces ge-1/0/1 ether-options 802.3ad ae1
set interfaces ge-1/0/2 ether-options 802.3ad ae2
set interfaces ge-1/0/3 ether-options 802.3ad ae1

set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp active

Now we have LACP bandwidth and redundancy - Either the switch or SRX can die, in theory.

* Have not tested the failover yet - But will before this set up goes to production - Will update the post *