Thursday, 15 November 2012

Security Zones

[I wanted to publish this post before the post on 'Security Policy Overview', however the post was not scheduled properly. Better late than never, here it is...]

Security Zones are another topic listed on the JNCIE-SEC exam blueprint. Security zones are used to group logical interfaces that have the same or similar security requirements. This post will provide a framework for overall security configuration.

A security zone can has the following configurable properties;

Logical Interfaces: Logical interfaces are configured under a zone. Logical interfaces can only be a member of a single zone.

Host-Inbound-Traffic: Host inbound traffic is used to allow services to the SRX device itself. These can be configured for the entire zone, or under the logical interfaces in the zone. Configuration under the interface takes precedence over configuration under the zone. The screen capture below outlines all of the available host-inbound-services that can be configured. Note that they are under two categories, protocols and system services. It is also important to keep in mind that security policies are NOT used when traffic is destine to the SRX device, only host-inbound-traffic is used to allow/deny the traffic.

Address Book Objects: Address book objects can be host ( or network ( objects consisting of an IP address/Mask and a name. They can be referenced in security policies.

Screens: Screens are configurable protection mechanism that can be used to detect and potentially block traffic. We will review screens as a topic later on.

TC-RST: This parameter allows you to to send a TCP reset packet if the traffic does not match a policy. By default if the connection  is dropped no TCP reset (reply) is sent to the host. Keep in mind that this specifies an action for the zone. You can also specify this type of action within a specific security policy.

Below is a basic configuration example where a new zones 'INTERNET' and 'TRUST' are created and some host-inbound services are configured.

The output below outlines the configuration of the 'INTERNET' zone. The host-inbound-traffic 'ping' is allowed.

The output below outlines the configuration of the 'TRUST' zone. The host-inbound-traffic ping, ssh and https are allowed.


The command 'show security zones' can be used to display the list of configured zones.

The next post will focus on Advanced Security Policy Options and will pick up from the previous post.Security Policy Overview.

No comments:

Post a Comment