You cannot manage the SRX Services Gateway as you would a router: the SRX is a locked-down device. Initially you can't even ping an interface on the SRX, even if it has a valid IP address. The SRX uses the concept of nested security zones, and zones are a critical concept in SRX configuration. No traffic goes in or out unless the security zones are configured properly on the SRX interfaces.
To configure a security zone, you associate the interface with a security zone, and then the security zones need to be bound to a routing instance (if there are multiple routing instances).
It sounds complicated, but it's not. First you configure the zones, and then you associate the interfaces with the zones. Here, we're assuming that you're using only one routing instance. You can configure a zone with more than one interface; however, each interface can belong to only one zone.
Now, establish two security zones for a simple SRX configuration. One zone is for a local LAN called admins (administration) on interface ge-0/0/0.0, and the other zone is for two links to the Internet, called untrust, with interfaces ge-0/0/1.0 and ge-0/0/2.0:
root# edit security zones
[edit security zones]
root# set security-zone admins
root# set security-zone untrust
root# set security-zone admins interfaces ge-0/0/0.0
root# set security-zone untrust interfaces ge-0/0/1.0
root# set security-zone untrust interfaces ge-0/0/2.0
Always configure zones from the perspective of the SRX you are configuring. Many other zones may exist on the LAN (trust, accounting, and so on), but this SRX only links to admins and untrust.
Now you can add services to the zones you just configured. Assume that inbound ssh, ftp, and ping traffic is permitted from the untrust zone.
This is just an example. Before you enable any services at all on your SRX, make sure you truly need them. FTP in particular is often considered risky: FTP has no real security (credentials and data travel in cleartext), and enabling it punches a big hole in your security zone.
[edit security zones]
root# set security-zone untrust host-inbound-traffic system-services ssh
root# set security-zone untrust host-inbound-traffic system-services ftp
root# set security-zone untrust host-inbound-traffic system-services ping
Your configuration now looks like this:
[edit security]
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ssh;
                ftp;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
            ge-0/0/2.0;
        }
    }
    security-zone admins {
        interfaces {
            ge-0/0/0.0;
        }
    }
}
If you haven't yet configured routing and applied licensing to your SRX, you will get a fetch error message when you try to commit the security configuration. This error goes away once the configuration is complete.