Understanding the control plane protection using firewall-filters on Juniper SRX


This article explains control-plane protection on Juniper SRX firewalls and what it requires, and closes with a configuration example.

The control plane runs most of the system services on the SRX. Connections destined to the SRX itself, for services such as SSH, Telnet, NTP, SNMP, HTTPS, TACACS+ and RADIUS, can arrive either through fxp0, the dedicated out-of-band management interface, or through any data-plane interface such as ge-0/0/0 or ge-0/0/1. Because every one of these connections is processed by the control plane (the Routing Engine), it is important to protect the control plane against unauthorized access and against brute-force or flooding attempts that could exhaust it.

Stateless firewall filters are used to protect the control plane. A stateless firewall filter is a traditional access control list (ACL) and can be applied to the fxp0 interface, to any data-plane interface such as ge-0/0/0 or ge-0/0/1, or to the loopback interface (lo0). The access restriction a stateless filter provides depends on the interface to which it is applied, as summarised below.

  • Filter applied only to the fxp0 interface: protects only connections arriving through fxp0.
  • Filter applied only to a data-plane interface: protects only connections arriving through that interface.
  • Filter applied to the loopback interface (lo0): protects connections to the control plane arriving through any interface, fxp0 as well as data-plane interfaces such as ge-0/0/0 and ge-0/0/1, because traffic destined to the Routing Engine is evaluated against the lo0 input filter regardless of the ingress interface.
Differences between firewall filters and security policies.
  • Firewall filters can be applied to interfaces on either the control plane (fxp0, lo0) or the data plane, whereas security policies apply to data-plane (flow) traffic only.
  • Firewall filters are stateless while security policies are stateful.
  • A stateless filter and stateful security policies can coexist on the same data-plane interface; the input filter is evaluated first, before the packet enters flow processing, so a packet discarded by the filter never reaches a security policy.
Configuration example

Configure the firewall filter

user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from source-address 10.10.10.10
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from protocol tcp
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from destination-port 22
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound then log
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound then accept
user@host# set firewall family inet filter FF-CP-PROTECT term ICMP-Any from protocol icmp
user@host# set firewall family inet filter FF-CP-PROTECT term ICMP-Any then accept
user@host# set firewall family inet filter FF-CP-PROTECT term Deny-Else then reject

Apply the firewall filter

user@host# set interfaces lo0 unit 0 family inet filter input FF-CP-PROTECT
NOTE:
The same filter could instead be applied to fxp0 or to a single data-plane interface such as ge-0/0/0.0 if management traffic should be restricted on only that interface rather than on all of them. Two cautions before committing a lo0 filter: first, the Deny-Else term also drops replies to sessions the SRX itself initiates (NTP, DNS, RADIUS, TACACS+) as well as any routing-protocol, IKE or DHCP traffic, so those need accept terms of their own placed before Deny-Else; second, apply the filter with "commit confirmed" from a session that matches an accept term, so that a mistake rolls back automatically instead of locking you out. Using discard rather than reject in the final term also avoids answering unwanted probes with ICMP unreachables or TCP resets, which only help an attacker map the device.
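As an added example (not configuration from the original article), the same lo0 filter extended the way it would normally be deployed in production: management access is matched against a prefix list instead of a single host, return traffic for the infrastructure services the SRX itself talks to (NTP, DNS, RADIUS, TACACS+) is explicitly allowed, ICMP is rate-limited with a policer instead of being accepted unconditionally, and the catch-all term counts, logs and silently discards. The prefix lists MGMT-HOSTS (10.10.10.0/24) and INFRA-SERVERS (10.20.20.10 and 10.20.20.11), the policer name and rates, and the term names are assumptions for illustration; if the device also runs OSPF, BGP, IKE (UDP 500/4500), DHCP or VRRP, add accept terms for those before Deny-Else, because this filter does not cover them.

```junos
set policy-options prefix-list MGMT-HOSTS 10.10.10.0/24
set policy-options prefix-list INFRA-SERVERS 10.20.20.10/32
set policy-options prefix-list INFRA-SERVERS 10.20.20.11/32

set firewall policer ICMP-POLICER if-exceeding bandwidth-limit 1m
set firewall policer ICMP-POLICER if-exceeding burst-size-limit 15k
set firewall policer ICMP-POLICER then discard

set firewall family inet filter FF-CP-PROTECT term MGMT-Inbound from source-prefix-list MGMT-HOSTS
set firewall family inet filter FF-CP-PROTECT term MGMT-Inbound from protocol tcp
set firewall family inet filter FF-CP-PROTECT term MGMT-Inbound from destination-port [ ssh https ]
set firewall family inet filter FF-CP-PROTECT term MGMT-Inbound then log
set firewall family inet filter FF-CP-PROTECT term MGMT-Inbound then accept

set firewall family inet filter FF-CP-PROTECT term Return-UDP from source-prefix-list INFRA-SERVERS
set firewall family inet filter FF-CP-PROTECT term Return-UDP from protocol udp
set firewall family inet filter FF-CP-PROTECT term Return-UDP from source-port [ ntp domain 1812 1813 ]
set firewall family inet filter FF-CP-PROTECT term Return-UDP then accept

set firewall family inet filter FF-CP-PROTECT term Return-TACACS from source-prefix-list INFRA-SERVERS
set firewall family inet filter FF-CP-PROTECT term Return-TACACS from protocol tcp
set firewall family inet filter FF-CP-PROTECT term Return-TACACS from source-port 49
set firewall family inet filter FF-CP-PROTECT term Return-TACACS from tcp-established
set firewall family inet filter FF-CP-PROTECT term Return-TACACS then accept

set firewall family inet filter FF-CP-PROTECT term ICMP-Limited from protocol icmp
set firewall family inet filter FF-CP-PROTECT term ICMP-Limited from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter FF-CP-PROTECT term ICMP-Limited then policer ICMP-POLICER
set firewall family inet filter FF-CP-PROTECT term ICMP-Limited then accept

set firewall family inet filter FF-CP-PROTECT term Deny-Else then count CP-DENIED
set firewall family inet filter FF-CP-PROTECT term Deny-Else then log
set firewall family inet filter FF-CP-PROTECT term Deny-Else then discard

set interfaces lo0 unit 0 family inet filter input FF-CP-PROTECT
commit confirmed 5
```

Term order matters because the filter stops at the first matching term: the narrow accept terms come first and the catch-all last. The Return-UDP and Return-TACACS terms exist because a stateless filter has no session table; without them the SRX would send NTP, DNS, RADIUS and TACACS+ requests and then discard the answers, which shows up as failed logins and clock drift rather than an obvious error. The tcp-established match on the TACACS+ term only accepts segments with ACK or RST set, so an attacker cannot open a new connection to the box merely by sourcing from port 49. After the commit, check that your own session is still alive and run "commit" again within five minutes to confirm; "show firewall filter FF-CP-PROTECT" shows the CP-DENIED counter climbing for anything the filter is dropping, and "show firewall log" lists the logged packets so you can spot a legitimate service you forgot to allow.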

I hope you enjoyed reading this article. Feel free to leave any comments or feedback.

*Image source: Juniper SRX series book 


Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect.
