Understanding the control plane protection using firewall-filters on Juniper SRX

This article explains the control plane protections on Juniper SRX firewalls and the requirements for it. It also shows the configuration example at the end of the article.

As we know, The control plane is responsible for operating most of the system services on the SRX. Connections destined to the SRX for services such as SSH, Telnet, NTP, SNMP, HTTPS, TACACS, RADIUS etc. can come through either fxp0 interface, which is the dedicated interface on the SRX for the out-of-band management or through any data-plane interfaces such as ge-0/0/0, ge-0/0/1 etc.. These connections destined to the SRX are being processed by the control plane of the device so it is very important to protect the control plane of the device against any kind of brute-force attack.

To protect the control plane of the device, stateless firewall filters are used. Stateless firewall filter is a traditional access control list (ACL) and can be applied to fxp0 interface or to any data-plane interfaces such as ge-0/0/0, ge-0/0/1 etc. or to any loopback interface. The access restrictions offered by stateless filters differs based on the interface to which they are applied. The table below explains the access restriction on a per-interface basis.

Differences between firewall filters and security policies.

• Firewall filters can be applied to either the control plane or the data plane, where security policies are applied to the data plane only.
• Firewall filters are stateless while security policies are stateful.
• Both stateless and stateful security policies can coexist on the data plane, where stateless policies are processed first.

Configuration example

Configure the firewall filter

user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from source-address 10.10.10.10
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from destination-port 22
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from protocol tcp
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound then accept log
user@host# set firewall family inet filter FF-CP-PROTECT term ICMP-Any from protocol icmp
user@host# set firewall family inet filter FF-CP-PROTECT term ICMP-Any then accept
user@host# set firewall family inet filter FF-CP-PROTECT term Deny-Else then reject

Apply the firewall filter

user@host# set interfaces lo0 unit 0 family inet filter input FF-CP-PROTECT

I hope you enjoyed reading this article. Feel free to leave any comments or feedback.

*Image source: Juniper SRX series book 

Bài liên quan

Understanding VLAN Trunking Protocol (VTP) in Cisco Switch

Redistribute BGP Route into OSPF in Cisco IOS Router

Cấu hình Access-list (ACLs) trên thiết bị Cisco

Configure HSRP in Cisco IOS Router

Configure Route-based site2site VPN on Juniper SRX

LINK AGGREGATION – PART 1 (LINK AGGREGATION CONTROL PROTOCOL, LACP)

Configure LACP EtherChannel in Cisco IOS Switch

Backup startup-config và iOS trên thiết bị Cisco

Configure Dynamic (Remote Access) VPN in Juniper SRX

Install JunOS From Loader

Run a packet capture on a Juniper SRX

LINK AGGREGATION – PART 4 (LAG CONFIGURATION ON ALCATEL-LUCENT DEVICES)

Configure Reth Interface in Junos (SRX)

Juniper SRX IPsec LAN-to-LAN VPN Part 2

Configure VRF in Cisco IOS Router

Understanding VLANs in Switching World

Configure Private VLANs in Juniper Switch

Configure IPSec VPN With Dynamic IP in Cisco IOS Router

Configure DHCP Server for Multiple VLANs in JunOS

Configuration of Link Aggregation Control Protocol (LACP) with Vmware ESXi/ESX and Dell Switches

Kết nối EX8208 tới External Routing Engines XRE200

Configure PAgP EtherChannel in Cisco IOS Switch

Configure Load Balancing on Cisco EIGRP

Configure Static NAT in Cisco IOS Router

Secure Spanning-tree on Cisco IOS switches

prev next