Thursday, August 22, 2013

Secure the Juniper router

Protect the Junos management plane


Firewall filters are a staple of every network engineer's command reference. The way to think about them on Junos is to treat the loopback interface (lo0), or the out-of-band management interface fxp0, as the checkpoint for traffic to the device itself: a filter applied there decides what is allowed to reach the routing engine.


A filter on interface lo0 unit 0 is evaluated against every packet addressed to the routing engine of the Junos device, whichever physical interface the packet came in on, before the packet reaches the control plane (an output filter on lo0 likewise sees what the routing engine sends). Transit traffic never touches the lo0 filter; it is forwarded by the packet forwarding engine (ASIC hardware) and is only affected by filters applied to the ingress or egress interfaces.

So let's get on to it. First we should create a firewall policy.

[edit]
root@JunOS01# edit firewall family inet filter secure_RE

Then we define the terms. I used the 192.168.1.0/24 network, with a VirtualBox PC attached to it, as the management network for testing the Junos device.

[edit firewall family inet filter secure_RE]
root@JunOS01# set term term_access from address 192.168.1.0/24
root@JunOS01# set term term_access from protocol tcp
root@JunOS01# set term term_access from port ssh
root@JunOS01# set term term_access from port telnet
root@JunOS01# set term term_access then accept

The term term_access accepts TCP traffic to the ssh and telnet ports from the 192.168.1.0/24 network. Be aware that `from address` matches either the source or the destination address and `from port` matches either the source or the destination port; if you only want to admit sessions initiated from the management network, `source-address` and `destination-port` are the precise matches. If there are other firewall filters on the ingress interface, they are evaluated before the lo0 filter.

[edit firewall family inet filter secure_RE]
root@JunOS01# set term denied_term from protocol tcp
root@JunOS01# set term denied_term from port ssh
root@JunOS01# set term denied_term from port telnet
root@JunOS01# set term denied_term then reject
root@JunOS01# set term DEFAULT then accept

The second term, denied_term, catches ssh and telnet traffic from every other source address and rejects it. Like Cisco ACLs, Junos filters end in an implicit discard, so we need the explicit DEFAULT term to accept all other traffic to the routing engine. Without it, routing protocols such as BGP, OSPF, IS-IS and RIP would be dropped as well, which could cause a serious outage in a production network.

We now apply the filter to the loopback interface for it to take effect. Because a mistake here can lock you out of the box, commit it with `commit confirmed` so the router rolls the change back by itself if you lose your session.

[edit]
root@JunOS01# set interfaces lo0 unit 0 family inet filter input secure_RE
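The same filter tightened the way I would actually deploy it, as an added example that is not the configuration from the original post: it matches on source-address and destination-port instead of the bidirectional address and port, counts and logs what it rejects, and answers rejected TCP connections with a reset. The management subnet 192.168.1.0/24 is the one used in the post; the counter names mgmt_accepted and mgmt_rejected are my own choice.

```junos
/* Added example, not the original post's configuration.
   Assumes the management hosts live in 192.168.1.0/24, as in the post;
   the counter names mgmt_accepted and mgmt_rejected are arbitrary. */
firewall {
    family inet {
        filter secure_RE {
            /* "address" and "port" would match either direction of the packet;
               source-address and destination-port say exactly what we mean:
               sessions initiated from the management network to our ssh/telnet. */
            term term_access {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count mgmt_accepted;
                    accept;
                }
            }
            /* Any other source aimed at the management ports: count it,
               write it to syslog, and send a TCP reset instead of an ICMP message. */
            term denied_term {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count mgmt_rejected;
                    syslog;
                    reject tcp-reset;
                }
            }
            /* Explicit final accept: the filter's implicit discard would otherwise
               also drop BGP, OSPF, IS-IS, ICMP and everything else host-bound. */
            term DEFAULT {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input secure_RE;
                }
            }
        }
    }
}
```

Load it with `load merge terminal` (or type the equivalent set commands), then `commit confirmed 5` so the router reverts the change on its own if the filter locks you out, and `commit` again once an ssh session from the management network still works. `show firewall filter secure_RE` then shows the per-term counters, and the syslog action records each rejected connection attempt so you can see who is knocking on the management ports.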

I attached a VirtualBox PC to the simulation to test remote management after the final configuration was applied. The relevant configuration in the small GNS3 scenario looks like this.


interfaces {
    em0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input secure_RE;
                }
                address 10.0.0.1/32;
            }
        }
    }
}
firewall {
    family inet {
        filter secure_RE {
            term term_access {
                from {
                    address {
                        192.168.1.0/24;
                    }
                    protocol tcp;
                    port [ ssh telnet ];
                }
                then accept;
            }
            term denied_term {
                from {
                    protocol tcp;
                    port [ ssh telnet ];
                }
                then {
                    reject;
                }
            }
            term DEFAULT {
                then accept;
            }
        }
    }
}

After testing ping and telnet we see that we can log on to the router and that ping traffic passes correctly from our desired subnet.

(screenshot: ping from 192.168.1.0/24)

(screenshot: telnet from 192.168.1.0/24)

To test the firewall filter I then reconfigured the management interface of the JunOS01 router with an address in a different subnet, 172.16.1.1/24, and moved the test PC with it.

(screenshot: ping after the address change)

(screenshot: telnet after the address change)

Finally we can see the desired security effect. Normal traffic such as ICMP destined to the routing engine still passes, because it falls through to the DEFAULT term, while telnet from the 172.16.1.0/24 network is caught by denied_term and rejected: the router drops the SYN and, with a plain `reject`, answers with an ICMP administratively-prohibited message (`reject tcp-reset` would send a TCP RST instead), so the client gets an immediate refusal rather than a timeout.

This is one of the basic methods one can protect a JunOS router. 
Several others follow.

Thanks.
