Friday, 2 November 2012

System Services - Telnet, SSH and J-Web

Telnet, SSH (Secure Shell) and J-Web are all methods that can be used to manage the SRX device. This post will outline the protocols with configuration examples.


Telnet
Telnet is a legacy protocol used for terminal emulation. Telnet can be used to remotely access the CLI of the Juniper SRX device. Using Telnet is not recommended because all information, including passwords, is passed over the wire in clear text. SSH is a good alternative.

The output below displays the configuration for Telnet. Aside from enabling the protocol, some extra parameters can be applied, such as limits on the number of connections and on the number of connections per minute. The Telnet protocol also needs to be specified under host-inbound-traffic, as Telnet sessions are made to the device itself.



SSH
SSH (Secure Shell) is also a protocol used for accessing the CLI of a Juniper SRX device. Unlike Telnet, SSH encrypts communication between the client and the device.

The output below displays the configuration for SSH. SSH version 2 should be used because it fixes some weaknesses that existed in the original SSH protocol. Limits on concurrent sessions and connections per minute are applied. The root user has complete access to the system; for this reason you can allow or deny root logins over SSH. The SSH protocol also needs to be specified under host-inbound-traffic, as SSH sessions are made to the device itself.



J-Web
J-Web is the name of the Graphical User Interface. It is accessed via a web browser.

The output below displays the configuration for J-Web. HTTPS should always be used over HTTP for security reasons. In this example I used a self-signed certificate; in enterprise networks PKI should be leveraged to use a trusted certificate. The idle-timeout will automatically log out users if they have been idle for the specified time. The session-limit will allow a maximum of two users to be logged in at the same time. The HTTPS protocol also needs to be specified under host-inbound-traffic, as HTTPS sessions are made to the device itself.
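
The settings described in the three sections above, written out as Junos set commands with the clear-text options beside their replacements. This is an added example, not the author's original output; the zone name trust, the interface ge-0/0/0.0, and the limit and timeout values of 5 and 10 are assumptions.

```junos
# Added example. Zone "trust", interface ge-0/0/0.0 and the numeric
# limits (5 and 10) are assumed values, not taken from the original post.

# --- Telnet as described in the post (clear text, shown for comparison) ---
set system services telnet connection-limit 5
set system services telnet rate-limit 5
set security zones security-zone trust host-inbound-traffic system-services telnet

# --- Preferred: remove Telnet and stop accepting it on the zone ---
delete system services telnet
delete security zones security-zone trust host-inbound-traffic system-services telnet

# --- SSH: version 2 only, session and rate limits, no direct root login ---
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system services ssh root-login deny
set security zones security-zone trust host-inbound-traffic system-services ssh

# --- J-Web: HTTPS only, self-signed (system-generated) certificate ---
delete system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
# Log out idle users after 10 minutes; allow at most two concurrent users
set system services web-management session idle-timeout 10
set system services web-management session session-limit 2
set security zones security-zone trust host-inbound-traffic system-services https
```

Because these statements change how the device itself is reached, review them with `show | compare` and apply them with `commit confirmed`, so the change rolls back automatically if the management session is lost.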

