How to: junos-host zone Alan Gravett

Starting with Junos OS 11.4 Juniper introduced junos-host zone. So long awaited functionality that helps fine tune the security parameters for host inbound traffic. But how is it working?

As we knew it: host-inbound-traffic

Host-inbound-traffic configuration statement was available under security zone, where you could use it globally for whole zone (=for all interfaces configured under zone), or more specifically under specific interface in this zone. The result was, that everything coming from the interface(s) was allowed according to the host-inbound-traffic configuration.
Now, what if I wanted to allow the traffic for a specific source-address, hanging on one of the interface(s), only. There was no such an option at the security policies level. You could use the firewall filters applied to lo0 interface.

Option we have today: junos-host zone

By introducing the junos-host zone, which represents the device itself, this task become as simple as possible. You just specify your source address and create policy that allows the traffic.
Think about it as a public office building. Till now we had to open the door for everyone. Now we can put a guard in front of the door and check the IDs of incomers.

As usually, there are always some buts, so lets begin with the first one:

1. Host-inbound-traffic must be still configured
The building must be still opened. This is the first step you have to do. Tell the system, from where you expect the traffic to come. As in the old times, you can do it per interface or per zone.

2. From anywhere to junos-host = implicit allow
By configuring security policy that specifies traffic to your junos-host zone, you only specified who can enter. But you are not blocking anyone. Makes no sense, right? Well…
By configuring host-inbound-traffic you opened the door for every one. It is like allow all coming to the device itself. To block it, you have to do the oposite – explicit deny all by creating a policy that blocks everyone else coming to the junos-host zone.

Examples

1. Configure host-inbound-traffic

security-zone Juniper-SV {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/4.101;
    }
}

This will allow to accept pings to your SRX device on ge-0/0/4.101 interface from anyone coming through that cable.

2. Configure security policy to junos-host

from-zone Juniper-SV to-zone junos-host {
    policy allow_icmp {
        match {
            source-address 112.223.112.223;
            destination-address any;
            application junos-icmp-ping;
        }
        then {
            permit;
        }                               
    }                                   
}

Looks simple, right? But you only told the system to accept the pings from 112.223.112.223. Because of the implicit allow, this configuration will not alter the behavior.

3. Configure explicit deny all

from-zone Juniper-SV to-zone junos-host {
    policy allow_icmp {
        match {
            source-address 112.223.112.223;
            destination-address any;
            application junos-icmp-ping;
        }
        then {
            permit;
        }                               
    }                                   
    policy deny_all {         
        match {                         
            source-address any;         
            destination-address any;    
            application any;            
        }                               
        then {                          
            deny;                       
        }                               
    }                                   
}

Finally, this is the right configuration. This will allow icmp-ping only from the user with source address 112.223.112.223 and nobody else. Make sure the deny_all policy is always at the end, so more specific matching patterns are hit first.

Hint at the end

By applying the explicit deny in the third example you blocked all other services and protocols destined to the device from the particular security zone. In case you expect some other services or protocols to reach your srx, you should add them to your security policy, or alter the deny_all policy to match icmp-ping only = all other services/protocols will be allowed.

Feel free to comment under this article.

Written by Alan Gravett on

Leave a comment