This article explains the control plane protections on Juniper SRX firewalls and the requirements for it. It also shows the configuration example at the end of the article.
As we know, The control plane is responsible for operating most of the system services on the SRX. Connections destined to the SRX for services such as SSH, Telnet, NTP, SNMP, HTTPS, TACACS, RADIUS etc. can come through either fxp0 interface, which is the dedicated interface on the SRX for the out-of-band management or through any data-plane interfaces such as ge-0/0/0, ge-0/0/1 etc.. These connections destined to the SRX are being processed by the control plane of the device so it is very important to protect the control plane of the device against any kind of brute-force attack.
To protect the control plane of the device, stateless firewall filters are used. Stateless firewall filter is a traditional access control list (ACL) and can be applied to fxp0 interface or to any data-plane interfaces such as ge-0/0/0, ge-0/0/1 etc. or to any loopback interface. The access restrictions offered by stateless filters differs based on the interface to which they are applied. The table below explains the access restriction on a per-interface basis.
Filter applied only to the fxp0 interface | Filter applied only to any of the data-plane interface | Filter applied to the loopback interface |
---|---|---|
will protect connections coming through that interface only | will protect connections coming through that interface only | will protect connections coming from fxp interface or data plane interface such as ge-0/0/0, ge-0/0/1 etc. |
Differences between firewall filters and security policies.
- Firewall filters can be applied to either the control plane or the data plane, where security policies are applied to the data plane only.
- Firewall filters are stateless while security policies are stateful.
- Both stateless and stateful security policies can coexist on the data plane, where stateless policies are processed first.
Configuration example
Configure the firewall filter
user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from source-address 10.10.10.10 user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from destination-port 22 user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound from protocol tcp user@host# set firewall family inet filter FF-CP-PROTECT term SSH-Inbound then accept log user@host# set firewall family inet filter FF-CP-PROTECT term ICMP-Any from protocol icmp user@host# set firewall family inet filter FF-CP-PROTECT term ICMP-Any then accept user@host# set firewall family inet filter FF-CP-PROTECT term Deny-Else then reject
Apply the firewall filter
user@host# set interfaces lo0 unit 0 family inet filter input FF-CP-PROTECT
we could have also placed this on a fxp0 interface or on a data plane interface such as ge-0/0/0.0, if we wanted to restrict management traffic on only a single interface rather than on all |
I hope you enjoyed reading this article. Feel free to leave any comments or feedback.
*Image source: Juniper SRX series book