Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron

Case Study 4-1

Objective: Set up basic firewall policy for the company’s network, including web and email access for the users, and inbound as well as outbound access for the servers.

Our strategies to achieve that objective are as follows:

  • Create a security policy that allows access to the web server DMZ from anywhere on the Internet.

  • Allow access to the mail servers on the mail server DMZ from the internal user networks 10.1.0.0/24 and 10.1.2.0/24, and inbound/outbound mail access to the mail server from the Internet.

  • Create a custom application with a 60-minute timeout for TCP port 6667 and apply that custom application on the web server DMZ to the Internet.

  • Create a policy that requires users on the trust network 10.1.0.0/24 to authenticate for web browsing during business hours to comply with the company’s Internet access policy.

Figure 4-8 shows our topology for Case Study 4-1.

Figure 4-8. Case Study 4-1’s objective

First, we need to write a policy for access to the web server DMZ from the Internet. This is a basic permit policy with any source. Since it is a web server facing the public Internet, logging will be enabled. The address-book entry is created first, and the policy's destination-address must reference it by exactly the name given here (web_server); a policy that names an address-book entry that does not exist in that zone will fail the commit. Let's start with the following:

[edit]
juniper@SRX5800# set security zones security-zone web-dmz address-book address
web_server 172.31.100.60/32
[edit]
juniper@SRX5800# edit security policies from-zone internet to-zone web-dmz
[edit security policies from-zone internet to-zone web-dmz]
juniper@SRX5800# set policy "allow_http_from_web" match source-address any
destination-address web_server application junos-http
[edit security policies from-zone internet to-zone web-dmz]
juniper@SRX5800# set policy "allow_http_from_web" then permit
[edit security policies from-zone internet to-zone web-dmz]
juniper@SRX5800# set policy "allow_http_from_web" then log session-close
session-init

Next, we need to write a couple of policies that make the mail server work. To do this, we’ll create one policy that allows the user segments to access the mail server and another policy to allow both inbound and outbound mail access from the mail server itself.

First we need to create the address-books. An address-set will combine both user segments into a single address-set:

[edit security policies from-zone internet to-zone web-dmz]
juniper@SRX5800# top
[edit]
juniper@SRX5800# edit security zones security-zone dept-a address-book
[edit security zones security-zone dept-a address-book]
juniper@SRX5800# set address users1 10.1.0.0/24
[edit security zones security-zone dept-a address-book]
juniper@SRX5800# set address users2 10.1.2.0/24
[edit security zones security-zone dept-a address-book]
juniper@SRX5800# set address-set users_segments address users1
[edit security zones security-zone dept-a address-book]
juniper@SRX5800# set address-set users_segments address users2

Now, we need to create the mail server DMZ and configure an address-book for that server:

[edit security zones security-zone dept-a address-book]
juniper@SRX5800# top
[edit]
juniper@SRX5800# set security zones security-zone mail-dmz
[edit]
juniper@SRX5800# set security zones security-zone mail-dmz address-book
address mail_server 172.31.100.70/32

We need to configure an application-set to allow the various mail services:

[edit]
juniper@SRX5800# edit applications application-set
[edit applications application-set]
juniper@SRX5800# set mail_services application junos-imap
[edit applications application-set]
juniper@SRX5800# set mail_services application junos-smtp
[edit applications application-set]
juniper@SRX5800# set mail_services application junos-pop3

Once that is complete, we can configure the first policy that allows users to access the mail server:

[edit applications application-set]
juniper@SRX5800# top
[edit]
juniper@SRX5800# edit security policies from-zone dept-a to-zone mail-dmz
[edit security policies from-zone dept-a to-zone mail-dmz]
juniper@SRX5800# set policy "allow_users_to_mail" match source-address
users_segments destination-address mail_server application mail_services
[edit security policies from-zone dept-a to-zone mail-dmz]
juniper@SRX5800# set policy "allow_users_to_mail" then permit

Now that users are allowed to access the mail server, the mail server needs to send email out to the Internet and receive mail from it. Note that mail_services bundles IMAP and POP3 together with SMTP: server-to-server mail relay uses only SMTP, so if this server does not serve mailbox users on the Internet, a tighter application-set containing just junos-smtp would do for both Internet-facing policies. The policies below keep the broader set for simplicity.

Here is the code to send email from mail-dmz to the Internet:

[edit security policies from-zone dept-a to-zone mail-dmz]
juniper@SRX5800# top
[edit]
juniper@SRX5800# edit security policies from-zone mail-dmz to-zone internet
[edit security policies from-zone mail-dmz to-zone internet]
juniper@SRX5800# set policy "permit_outbound_mail" match source-address mail_server
destination-address any application mail_services
[edit security policies from-zone mail-dmz to-zone internet]
juniper@SRX5800# set policy "permit_outbound_mail" then permit

And here is the policy for the inbound direction, mail arriving from the Internet:

juniper@SRX5800# top
[edit]
juniper@SRX5800# edit security policies from-zone internet to-zone mail-dmz
[edit security policies from-zone internet to-zone mail-dmz]
juniper@SRX5800# set policy "permit_inbound_mail" match source-address any
destination-address mail_server application mail_services
[edit security policies from-zone internet to-zone mail-dmz]
juniper@SRX5800# set policy "permit_inbound_mail" then permit
[edit security policies from-zone internet to-zone mail-dmz]
juniper@SRX5800# set policy "permit_inbound_mail" then log session-init
session-close

You might have noticed that logging was enabled on both policies that face the Internet. It is a best practice to log, at a minimum, every session initiated from the Internet; here the inbound web and inbound mail policies both log session-init and session-close, so you get a record of the connection attempt as well as its duration and byte counts when it ends.

Another service that needs to be permitted is TCP port 6667 (IRC) with an inactivity timeout of 60 minutes, and the web server needs to reach any destination on the Internet on that port. The custom application matches on the destination port only: the client end of the connection uses an ephemeral source port, so source-port is left at its Junos default of any. Timeouts are configured in seconds, so the 60-minute timeout becomes 3,600 seconds:

juniper@SRX5800# top
[edit]
juniper@SRX5800# set applications application tcp_6667 protocol tcp
destination-port 6667 inactivity-timeout 3600
[edit]
juniper@SRX5800# edit security policies from-zone web-dmz to-zone internet
[edit security policies from-zone web-dmz to-zone internet]
juniper@SRX5800# set policy "permit_irc" match source-address web_server
destination-address any application tcp_6667
[edit security policies from-zone web-dmz to-zone internet]
juniper@SRX5800# set policy "permit_irc" then permit

A DMZ web server that can open connections to any host on the Internet is a wide outbound opening. If the IRC server it needs to talk to is known, replace destination-address any with an address-book entry for that host, and consider logging this policy as well.

The last configuration we need to make is a policy that forces users on the Dept-A segments to authenticate for HTTP access during business hours. We do this by creating a scheduler and then configuring pass-through authentication for HTTP.

First we set a scheduler for the normal business hours of 8:00 a.m. to 5:00 p.m., excluding weekends. Keep in mind what a scheduler does to a policy: outside the scheduled window the policy is simply inactive, so unless a later policy in the same zone pair permits the traffic, HTTP from these segments falls through to the default deny when the office is closed.

juniper@SRX5800# top
[edit]
juniper@SRX5800# edit schedulers scheduler
[edit schedulers scheduler]
juniper@SRX5800# set "http-business-hours" daily start-time 08:00:00
stop-time 17:00:00
[edit schedulers scheduler]
juniper@SRX5800# set "http-business-hours" sunday exclude
[edit schedulers scheduler]
juniper@SRX5800# set  "http-business-hours" saturday exclude

Now we can set up the RADIUS access profile and the pass-through authentication settings. The shared secret is typed in the clear here; Junos stores it in the configuration in $9$ format, which is reversible obfuscation rather than a hash, so anyone who can read the configuration can recover it:

juniper@SRX5800# top
[edit]
juniper@SRX5800# set access profile web-allow-group radius-server 10.3.4.100
secret radius_secret_key retry 2
[edit]
juniper@SRX5800# set access firewall-authentication pass-through
default-profile web-allow-group http banner login
"PLEASE ENTER IN YOUR ACCOUNT INFO. FOR SUPPORT PLEASE CALL THE NOC AT
1-800-555-1212"

OK, now we need to write our policy to reference both the scheduler and the pass-through access profile. The pass-through settings above are for HTTP, so the policy matches junos-http; the SRX inserts its login prompt into the cleartext HTTP exchange, which it cannot do inside an HTTPS session:

[edit]
juniper@SRX5800# edit security policies from-zone dept-a to-zone internet
[edit security policies from-zone dept-a to-zone internet]
juniper@SRX5800# set policy "http_auth" match source-address users_segments
destination-address any application junos-http
[edit security policies from-zone dept-a to-zone internet]
juniper@SRX5800# set policy "http_auth" scheduler-name http-business-hours
[edit security policies from-zone dept-a to-zone internet]
juniper@SRX5800# set policy "http_auth" then permit firewall-authentication
pass-through access-profile web-allow-group
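To check that the policy set built through this case study behaves the way the objective describes, here is an added example (not from the book) that models the SRX policy lookup offline: pick the zone pair, walk its policies in order, match source, destination and application (protocol plus port ranges), and skip a policy whose scheduler makes it inactive. Anything unmatched falls to the default deny. The addresses, applications and policies are transcribed from the configuration above; the sample flows, the timestamps and the contrasting "as written" 6667 definition (matching on source port, to show why the custom application must match on destination port) are constructed here. The authentication state of http_auth is not modelled.

```python
"""Miniature first-match policy evaluator for the Case Study 4-1 policy set.

Added example, not the book's own code.  Transcribes the case study's
address book, applications and policies; flows and timestamps are constructed.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Address-book entries and sets from the case study.
ADDRESSES = {
    "web_server": ip_network("172.31.100.60/32"),
    "mail_server": ip_network("172.31.100.70/32"),
    "users1": ip_network("10.1.0.0/24"),
    "users2": ip_network("10.1.2.0/24"),
}
ADDRESS_SETS = {"users_segments": ["users1", "users2"]}

# Applications: (protocol, source-port range, destination-port range).
# A port that is not specified in Junos defaults to the whole range.
ANY = (0, 65535)
APPS = {
    "junos-http": ("tcp", ANY, (80, 80)),
    "junos-smtp": ("tcp", ANY, (25, 25)),
    "junos-imap": ("tcp", ANY, (143, 143)),
    "junos-pop3": ("tcp", ANY, (110, 110)),
    # Custom application matching on destination port 6667 (IRC).
    "tcp_6667": ("tcp", ANY, (6667, 6667)),
    # Constructed for contrast: "source-port 6667 destination-port 1-65000"
    # matches on the SOURCE port and so misses a real IRC client, while
    # matching almost anything that happens to be sourced from port 6667.
    "tcp_6667_as_written": ("tcp", (6667, 6667), (1, 65000)),
}
APP_SETS = {"mail_services": ["junos-imap", "junos-smtp", "junos-pop3"]}


def business_hours(ts: datetime) -> bool:
    """Scheduler http-business-hours: daily 08:00-17:00, weekends excluded."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return False
    return time(8, 0) <= ts.time() < time(17, 0)


# Ordered policies per (from-zone, to-zone):
# (name, source-address, destination-address, application, scheduler).
POLICIES = {
    ("internet", "web-dmz"): [
        ("allow_http_from_web", "any", "web_server", "junos-http", None)],
    ("dept-a", "mail-dmz"): [
        ("allow_users_to_mail", "users_segments", "mail_server", "mail_services", None)],
    ("mail-dmz", "internet"): [
        ("permit_outbound_mail", "mail_server", "any", "mail_services", None)],
    ("internet", "mail-dmz"): [
        ("permit_inbound_mail", "any", "mail_server", "mail_services", None)],
    ("web-dmz", "internet"): [
        ("permit_irc", "web_server", "any", "tcp_6667", None)],
    ("dept-a", "internet"): [
        ("http_auth", "users_segments", "any", "junos-http", business_hours)],
}


def address_matches(name: str, ip: str) -> bool:
    """'any', an address-set name, or a single address-book entry."""
    if name == "any":
        return True
    return any(ip_address(ip) in ADDRESSES[n] for n in ADDRESS_SETS.get(name, [name]))


def app_matches(name: str, proto: str, sport: int, dport: int) -> bool:
    """An application-set matches if any member application matches."""
    for app in APP_SETS.get(name, [name]):
        p, (s_lo, s_hi), (d_lo, d_hi) = APPS[app]
        if p == proto and s_lo <= sport <= s_hi and d_lo <= dport <= d_hi:
            return True
    return False


def first_match(from_zone, to_zone, src, dst, proto, sport, dport, when=None):
    """Name of the first active policy that matches the flow, else 'default-deny'."""
    when = when or datetime.now()
    for name, s, d, app, sched in POLICIES.get((from_zone, to_zone), []):
        if sched is not None and not sched(when):
            continue  # outside its schedule the policy is inactive, not a deny
        if (address_matches(s, src) and address_matches(d, dst)
                and app_matches(app, proto, sport, dport)):
            return name
    return "default-deny"


if __name__ == "__main__":
    tue = datetime(2024, 3, 5, 10, 0)   # a Tuesday at 10:00 (constructed)
    sat = datetime(2024, 3, 9, 10, 0)   # the following Saturday
    print(first_match("internet", "web-dmz", "203.0.113.5", "172.31.100.60", "tcp", 51234, 80))
    print(first_match("dept-a", "internet", "10.1.0.5", "198.51.100.9", "tcp", 51234, 80, tue))
    print(first_match("dept-a", "internet", "10.1.0.5", "198.51.100.9", "tcp", 51234, 80, sat))
```

Two of the checks are worth running before you commit on a real box: a flow from an address outside users_segments (say 10.1.1.0/24) never reaches the mail server even though it sits between the two permitted networks, and a Saturday HTTP request from Dept-A lands on the default deny rather than on a "permit without authentication" path. The contrasting tcp_6667_as_written entry shows what a source-port definition would do: a client connecting to an IRC server on 6667 from an ephemeral port does not match it, while any connection sourced from port 6667 to nearly any destination port does.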

Finally, let’s take a look at the entire configuration and ensure that everything commits correctly:

juniper@SRX5800# show | compare
[edit security zones security-zone web-dmz address-book]
       address web2 { ... }
+      address web_server 172.31.100.60/32;
[edit security zones]
     security-zone CDN { ... }
+    security-zone internet;
+    security-zone dept-a {
+        address-book {
+            address users1 10.1.0.0/24;
+            address users2 10.1.2.0/24;
+            address-set users_segments {
+                address users1;
+                address users2;
+            }
+        }
+    }
+    security-zone mail-dmz {
+        address-book {
+            address mail_server 172.31.100.70/32;
+        }
+    }
[edit security]
+   policies {
+       from-zone internet to-zone web-dmz {
+           policy allow_http_from_web {
+               match {
+                   source-address any;
+                   destination-address web_server;
+                   application junos-http;
+               }
+               then {
+                   permit;
+                   log {
+                       session-init;
+                       session-close;
+                   }
+               }
+           }
+       }
+       from-zone dept-a to-zone mail-dmz {
+           policy allow_users_to_mail {
+               match {
+                   source-address users_segments;
+                   destination-address mail_server;
+                   application mail_services;
+               }
+               then {
+                   permit;
+               }
+           }
+       }
+       from-zone mail-dmz to-zone internet {
+           policy permit_outbound_mail {
+               match {
+                   source-address mail_server;
+                   destination-address any;
+                   application mail_services;
+               }
+               then {
+                   permit;
+               }
+           }
+       }
+       from-zone internet to-zone mail-dmz {
+           policy permit_inbound_mail {
+               match {
+                   source-address any;
+                   destination-address mail_server;
+                   application mail_services;
+               }
+               then {
+                   permit;
+                   log {
+                       session-init;
+                       session-close;
+                   }
+               }
+           }
+       }
+       from-zone web-dmz to-zone internet {
+           policy permit_irc {
+               match {
+                   source-address web_server;
+                   destination-address any;
+                   application tcp_6667;
+               }
+               then {
+                   permit;
+               }
+           }
+       }
+       from-zone dept-a to-zone internet {
+           policy http_auth {
+               match {
+                   source-address users_segments;
+                   destination-address any;
+                   application junos-http;
+               }
+               then {
+                   permit {
+                       firewall-authentication {
+                           pass-through {
+                               access-profile web-allow-group;
+                           }
+                       }
+                   }
+               }
+               scheduler-name http-business-hours;
+           }
+       }
+   }
[edit]
+  access {
+      profile web-allow-group {
+          radius-server {
+              10.3.4.100 {
+                  secret "$9$VZsoGDjq5T3gonCu0cSjikPz6pu1hclp0Eyrex7F36Au1SyKMX-"; ## SECRET-DATA
+                  retry 2;
+              }
+          }
+      }
+      firewall-authentication {
+          pass-through {
+              default-profile web-allow-group;
+              http {
+                  banner {
+                      login "PLEASE ENTER IN YOUR ACCOUNT INFO. FOR SUPPORT PLEASE CALL THE NOC AT 1-800-555-1212";
+                  }
+              }
+          }
+      }
+  }
[edit applications]
    application windows_rdp { ... }
+   application tcp_6667 {
+       protocol tcp;
+       destination-port 6667;
+       inactivity-timeout 3600;
+   }
[edit applications]
    application-set web_mgt { ... }
+   application-set mail_services {
+       application junos-imap;
+       application junos-smtp;
+       application junos-pop3;
+   }
[edit]
+  schedulers {
+      scheduler http-business-hours {
+          daily {
+              start-time 08:00:00 stop-time 17:00:00;
+          }
+          sunday exclude;
+          saturday exclude;
+      }
+  }
[edit]
juniper@SRX5800# commit check
configuration check succeeds

After reviewing the changes and performing a commit check, everything looks good. Remember that commit check only validates the candidate configuration; nothing takes effect until you run commit (or commit confirmed, which rolls the change back automatically if you lose access to the device and do not confirm it). Once committed, our SRX is set up for the company when users come into the office.
