This paper explains how to restrict management access to the Juniper SRX firewall. Instead of using firewall filters bound to an interface, I show how to use policy rules and address book objects.
Overview
In order to protect the SRX firewall beyond the default settings we need to control which IP addresses are permitted access to the management ports.
In particular, if you really need to manage the SRX via its external or Internet interface, then you will need to configure the addresses that are allowed and block all others.
At my place of work, we have a number of client SRX firewalls that we normally manage in-band via a site-to-site IPSec VPN. The trouble is that if the VPN goes down, or we need to change the way it works, then we need to manage the client SRX in a way that is out of band from the normal VPN access. In order to do that, we enable management on the external interface of the remote SRX and carefully restrict the IP addresses that can connect to it.
Requirements
The requirements are fairly straightforward:
- Permit SRX management access only from the specified IP addresses
- Deny SRX management from any other addresses
How to Configure the SRX
The old way of doing this was to use firewall filters: ACLs bound to an interface that filter incoming packets at a low level. If you have been using Google to search for a solution to this problem, then a lot of the hits will use this method.
A better way is to use the security policy rules. With this method, instead of the usual destination zone of dmz or trust, we use the junos-host zone, which means the destination is the SRX device itself.
First of all, configure the IP address from which you want to manage the device. This can be either a single CIDR address or a group. Here’s the definition for a simple group:
    [edit security zones security-zone untrust address-book]
    root@SRX# show
    address mgmt_address-1 192.168.98.0/24;
    address mgmt_address-2 192.168.65.10/32;
    address-set mgmt_addresses {
        address mgmt_address-1;
        address mgmt_address-2;
    }
Here’s the policy code:
    [edit security policies]
    root@SRX# show
    [...]
    from-zone untrust to-zone junos-host {
        policy permit-mgmt {
            match {
                source-address mgmt_addresses;
                destination-address any;
                application [ junos-ssh junos-https ];
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
        policy deny-mgmt {
            match {
                source-address any;
                destination-address any;
                application [ junos-ssh junos-https ];
            }
            then {
                deny;
            }
        }
        policy permit-all-others {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    [...]
A few points are worth noting here.
Firstly, note that I allow https and ssh from the addresses in the address book, and then block all others to those ports. If I need to, I could add logging to the blocking rule.
Note that I also allow all other traffic through in the last rule – this isn’t a typo. By doing this, the SRX falls back to the services allowed on the interface or on the zone that the interface belongs to. If I did the usual firewall-like thing of blocking everything at the end, then other things like pings and IKE for VPNs would stop working. Probably not what you want.
The same sort of policy could also be used to restrict other system services and protocols from reaching the SRX – services such as IKE, BGP, and so on.
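To see how the first-match ordering of the three policies plays out, here is an added Python model (not code from the original post or from Juniper) that evaluates the rule set against sample source addresses and flags a mis-ordered set. The address-book contents are the page's; the rule representation and the sample addresses are my own constructions.

```python
import ipaddress

# Address book entry, constructed to mirror the page's mgmt_addresses set.
ADDRESS_BOOK = {
    "mgmt_addresses": ["192.168.98.0/24", "192.168.65.10/32"],
}
MGMT_APPS = {"junos-ssh", "junos-https"}

# Ordered rule list, in the same order as the untrust -> junos-host policy above.
POLICIES = [
    {"name": "permit-mgmt", "src": "mgmt_addresses", "apps": MGMT_APPS, "action": "permit"},
    {"name": "deny-mgmt", "src": "any", "apps": MGMT_APPS, "action": "deny"},
    {"name": "permit-all-others", "src": "any", "apps": {"any"}, "action": "permit"},
]

def source_matches(src_ip, src_name):
    """True if the rule source is 'any' or src_ip is inside the named address-book object."""
    if src_name == "any":
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in ADDRESS_BOOK[src_name])

def evaluate(src_ip, app, policies=POLICIES):
    """First-match lookup, as the SRX does; returns (policy name, action).
    A permit from permit-all-others only hands the packet on to the zone's
    host-inbound-traffic settings, which this model does not reproduce.
    No match at all means the SRX default deny.
    """
    for pol in policies:
        if source_matches(src_ip, pol["src"]) and (pol["apps"] == {"any"} or app in pol["apps"]):
            return pol["name"], pol["action"]
    return None, "deny"

def audit(policies=POLICIES):
    """Report orderings that would let junos-ssh/junos-https in from an unlisted source."""
    findings, seen_deny = [], False
    for pol in policies:
        touches_mgmt = pol["apps"] == {"any"} or bool(pol["apps"] & MGMT_APPS)
        covers_mgmt = pol["apps"] == {"any"} or MGMT_APPS <= pol["apps"]
        if pol["action"] == "deny" and pol["src"] == "any" and covers_mgmt:
            seen_deny = True
        elif pol["action"] == "permit" and pol["src"] == "any" and touches_mgmt and not seen_deny:
            findings.append(f"{pol['name']} permits management apps from any before the deny")
    if not seen_deny:
        findings.append("no deny of junos-ssh/junos-https from any source")
    return findings

if __name__ == "__main__":
    print(evaluate("203.0.113.5", "junos-ssh"), evaluate("203.0.113.5", "junos-ping"))
    print("audit:", audit() or "ok")
```

Swapping deny-mgmt and permit-all-others in POLICIES makes audit() report the hole, which is the ordering mistake the verification step below is meant to catch.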
Verification
Verify that the policy change has been configured properly:
    root@SRX> show security policies from-zone untrust to-zone junos-host
    From zone: untrust, To zone: junos-host
      Policy: permit-mgmt, State: enabled, Index: 32, Scope Policy: 0, Sequence number: 1
        Source addresses: mgmt_addresses
        Destination addresses: any
        Applications: junos-ssh, junos-https
        Action: permit, log
      Policy: deny-mgmt, State: enabled, Index: 33, Scope Policy: 0, Sequence number: 2
        Source addresses: any
        Destination addresses: any
        Applications: junos-ssh, junos-https
        Action: deny
      Policy: permit-all-others, State: enabled, Index: 34, Scope Policy: 0, Sequence number: 3
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
    root@SRX>
The command show security policies from-zone untrust to-zone junos-host detail will show you more information about the policy.
Testing
Testing is fairly easy:
- Test ssh and https access from an allowed client IP; the connections should be permitted
- Test ssh and https access from a client that is not allowed; the connections should be denied
Also check that your logging options are logging the access.