Quick Intro to the Juniper SRX Series Security Services Gateway Part V

This will be the last part of our Quick Intro series.  Further posts on the Juniper SRX will be more about doing actual configurations.  Be sure to read up on Part I, Part II, Part III, and Part IV.

In this part, we will discuss a feature of the Juniper SRX that competing products such as Cisco's ASA handle differently (the ASA ranks interfaces by numeric security level rather than by named zones; Cisco's IOS zone-based firewall is closer in spirit, but it is a router feature rather than the core of the product). This feature is the concept of the Zone.

According to the documentation, "a zone is a logical construct that is applied to an interface and is used as a building block for security policies. . ."  In most devices, security policies allow traffic to go from point A to point B, such as from the local area network to the Internet, or vice versa.  Adding a Zone creates a new dimension that simplifies management: policies are written between zones rather than between individual interfaces, so multiple logical interfaces that require similar security can be grouped into one Zone and governed by a single set of rules.

Zones are where you see default names like "Trust," "Untrust," and "DMZ" scattered throughout the Juniper documentation.  In the earlier ScreenOS products those were the predefined zones.  On the SRX, "trust" and "untrust" are simply the names the factory configuration happens to use; you can name zones whatever you want and create as many as the platform supports.

As we mentioned earlier, logical interfaces are added to a zone.  We also know that each physical interface can have many logical interfaces, called Units.  With this much granularity, one physical interface can handle traffic, at the same time, for a wide variety of purposes.  You can have physical interface fe-0/0/3 carry 5 different VLANs, one unit per VLAN, with each unit belonging to a different zone.  Just remember that a logical interface can be a member of only one zone.
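Here is the arrangement just described written out as Junos configuration.  This is an added example, not configuration from the original post: one physical port, fe-0/0/3, carries three 802.1Q-tagged VLANs, each unit is placed in a different zone, and one policy is written between two of the zones so the whole chain (port, unit, zone, policy) is visible in one place.  The VLAN IDs, the zone names dmz and guest, and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses (RFC 5737 documentation ranges) are illustrative choices.  On an SRX100 the port ships as a switching port in the factory VLAN, so its existing unit 0 (family ethernet-switching) and its membership in that VLAN have to be deleted before this will commit.

```junos
interfaces {
    fe-0/0/3 {
        /* one physical port carrying three 802.1Q-tagged VLANs */
        vlan-tagging;
        unit 10 {
            /* office LAN, placed in zone trust below */
            vlan-id 10;
            family inet {
                address 192.0.2.1/24;
            }
        }
        unit 20 {
            /* servers, placed in zone dmz below */
            vlan-id 20;
            family inet {
                address 198.51.100.1/24;
            }
        }
        unit 30 {
            /* visitor network, placed in zone guest below */
            vlan-id 30;
            family inet {
                address 203.0.113.1/24;
            }
        }
    }
}
security {
    zones {
        /* each logical interface belongs to exactly one zone */
        security-zone trust {
            host-inbound-traffic {
                /* what the SRX itself answers on interfaces in this zone */
                system-services {
                    ssh;
                    https;
                    ping;
                }
            }
            interfaces {
                fe-0/0/3.10;
            }
        }
        security-zone dmz {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                fe-0/0/3.20;
            }
        }
        security-zone guest {
            /* no host-inbound-traffic: guests get nothing from the box itself */
            /* (add dhcp here if the SRX is to hand out their addresses) */
            interfaces {
                fe-0/0/3.30;
            }
        }
    }
    policies {
        /* traffic between zones is governed here, not by host-inbound-traffic */
        from-zone trust to-zone dmz {
            policy trust-to-dmz-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Anything not matched by a policy falls to the default deny, so with only the policy above the guest zone cannot reach dmz or trust at all, and trust can reach dmz only on HTTP and HTTPS.  `show security zones` lists each zone with its bound interfaces and is the quickest way to confirm a unit landed in the zone you intended.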

The following are the default zones that ship in the SRX factory configuration.  First, trust:

security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
    }
}

This is the zone called "trust" as the factory configuration creates it.  The host-inbound-traffic stanza describes what the SRX itself will accept on interfaces in this zone, and here it is wide open: the keyword "all" admits every system service (ssh, telnet, http, https, ping, dhcp and the rest) and every routing protocol.  Note that this only opens the door; a service still has to be enabled under system services before the box will actually answer on it.  The only member of the zone is the logical interface vlan.0, the Layer 3 interface of the factory VLAN.  The physical ports fe-0/0/1 through fe-0/0/7 were assigned to that VLAN as switching ports, so ports 1 through 7 on the front of the device behave like a regular network switch and pass traffic freely among themselves as long as it stays in the same VLAN; only traffic leaving the VLAN reaches vlan.0, and therefore the zone and its policies.  This raises the obvious question: what about Internet traffic?

security-zone untrust {
    interfaces {
        fe-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    tftp;
                }
            }
        }
    }
}

Notice that we have another zone called "untrust," an appropriate name given that this is where the Internet connects.  In contrast to the "trust" zone, the latitude is nowhere near as wide: on fe-0/0/0.0 the SRX itself will answer only DHCP and TFTP, and nothing else, so it will not even respond to ping from the outside, and no management service is reachable from the WAN side.  Two things are worth noticing in the syntax.  First, host-inbound-traffic can be attached to the zone as a whole (as in trust) or to an individual interface within it (as here).  Second, the member is fe-0/0/0.0, unit 0 of the physical port: a zone always holds logical interfaces, and unit 0 is simply the one logical interface the factory configuration created on that port.  DHCP is allowed, of course, in case we do not have a static IP address from our ISP.  I'm not sure why the default configuration allows tftp.  I typically remove that.  Do keep in mind that the host-inbound-traffic part of a zone concerns traffic destined for the SRX itself, not traffic passing through it from one host to the next.  Security Policies govern traffic from one host to the next, across zones.  We'll talk about those later.
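Since host-inbound-traffic is an allowlist of what the SRX itself will answer, the factory "all" on the trust zone is the setting a practitioner would want to tighten first.  The commands below are an added example, not part of the original post: typed in configuration mode, they replace "all" on trust with the few services a small LAN typically needs and take tftp off the untrust interface.  The service list is an assumption about a typical small office; if you manage the box with J-Web over plain HTTP or run a routing protocol toward the LAN, add those back before committing, or you will lock yourself out of the device.

```junos
delete security zones security-zone trust host-inbound-traffic
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
delete security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
commit confirmed 5
run show security zones
```

The first delete removes both "system-services all" and "protocols all" from trust, so after this no routing protocol is accepted from the LAN either.  `commit confirmed 5` activates the change but rolls it back automatically after five minutes unless you issue a plain `commit`; if the tightened list cut off your own SSH session, you get the old configuration back without a trip to the console.  `run show security zones` shows each zone with its interfaces so you can confirm the result before confirming the commit.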

In wrapping this up: a physical interface carries one or more logical interfaces (units), each logical interface belongs to exactly one zone, and zones are what Security Policies are written between.  Naturally, you group interfaces, whatever physical port they sit on, that have like security requirements into one particular zone.  Take a few moments to think about this arrangement and you can see how many different ways traffic can be handled.  Also, keep in mind that all of this is available even on the low-end SRX100, which costs only a few hundred dollars.  You do not have to purchase a $5000 device to obtain what we have talked about thus far.

There is much more to discuss regarding zones, but this is only a quick intro.  As time moves on and I begin configuring the device, more will be explained in greater detail.

James
