{"id":248,"date":"2017-08-13T16:57:40","date_gmt":"2017-08-13T20:57:40","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=248"},"modified":"2017-08-13T16:57:40","modified_gmt":"2017-08-13T20:57:40","slug":"junos-securing-oob-management-traffic","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/junos\/junos-securing-oob-management-traffic\/","title":{"rendered":"JUNOS Securing OOB Management Traffic"},"content":{"rendered":"

Purpose<\/strong>
\nMost JUNOS based equipment provides a dedicated management ethernet port to create a separate management network.\u00a0 This allows connection and management of the devices independent on the operation and access of the production network.\u00a0 This access does not prevent the remote access and management of the devices from the production network only provide the dedicated management network for access.\u00a0 This technique uses a firewall filter (stateless packet filters) to secure the device against access from the production network so that only management network access is permitted.<\/p>\n

Solution<\/strong>
\nJUNOS provides firewall filters to restrict access to interfaces.\u00a0 These are stateless packet filters and not flow based firewall rules.\u00a0 Once a filter is created and applied there is a default deny all rule as the final action for the filter.\u00a0 So all permitted options must be specified or the final rule in the filter must be an allow all rule.<\/p>\n

For the security of the device we need to create rules that allow only the management traffic from the management network and further rules that allow necessary routing information protocols from the production sources.\u00a0 To secure the routing engine firewall filters are applied to the loopback address.<\/p>\n

In this example the loopback address is 192.168.0.254 and the management network is 192.168.0.0\/24.<\/p>\n

Firewall Filter Process<\/em><\/strong>
\nUsing firewall filters is a two step process.\u00a0 The filter is created for general use in the firewall hierarchy.\u00a0 Then the filter is applied to the loopback interface at the interface hierarchy.<\/p>\n

This filter will block ssh and telnet from anywhere except the management network.\u00a0 But allow all other traffic to the routing engine.<\/p>\n

[edit firewall family inet]
\ndev@lab01# show
\nfilter mgmt-filter {
\nterm allow-mgmt{
\nfrom\u00a0 {
\nsource-address {
\n192.168.0.0\/24;
\n}
\n}
\nthen {
\naccept;
\n}
\n}
\nterm block-mgmt {
\nfrom\u00a0 {
\nprotocol\u00a0 tcp{
\ndestination-port [ ssh telent ];
\n}
\n}
\nthen {
\nreject;
\n}
\n}
\nterm accept-traffic {
\nthen accept;
\n}
\n}<\/p>\n

Term \u201caccept-traffic\u201d options for routing engine traffic<\/strong><\/em>
\nThe alternative to accepting all traffic is to specify in detail what protocols are actually used by this routing engine then only accepting this type of traffic.\u00a0 The default deny rule will then drop everything else.\u00a0 These are the items to add to the \u201caccept-traffic\u201d term stanza for specific protocols.\u00a0 Remember to only add those protocols needed from production.\u00a0 The first term already allows everything connecting from the management network.<\/p>\n

For this application add a from stanza to accept-traffic term and include all the protocols needed from the production side networks.<\/p>\n

Term accept-traffic {
\nfrom {
\nadd protocol list from table below
\n}
\nthen {
\naccept;
\n}<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Term to add in filter<\/td>\nProtocol allowed<\/td>\n<\/tr>\n
protocol icmp;
\nicmp-type [ echo-request echo-reply time-exceeded unreachable ];<\/td>\n		Ping<\/td>\n<\/tr>\n
protocol udp;
\nttl 1;<\/td>\n		Traceroute<\/td>\n<\/tr>\n
\nprotocol udp;
\nsource-port 53;<\/td>\n		DNS<\/td>\n<\/tr>\n
protocol tcp;
\nsource-port bgp;<\/td>\n		BGP<\/td>\n<\/tr>\n
protocol ospf;<\/td>\nOSPF<\/td>\n<\/tr>\n
protocol vrrp;<\/td>\nVRRP<\/td>\n<\/tr>\n
protocol udp:
\nsource-port ntp;<\/td>\n		NTP<\/td>\n<\/tr>\n
\nprotocol udp;
\nsource-port [ snmp snmptrap ];<\/td>\n		SNMP<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Apply Firewall Filter to Loopback address<\/strong>
\nThe firewall filter is applied to the input of the loopback address.
\ninterfaces {
\nlo0 {
\nunit 0 {
\nfamily inet {
\nfilter {
\ninput mgmt-filter;
\n}
\naddress 192.168.0.254\/24;
\n}
\n}
\n}
\n}<\/p>\n

References<\/strong><\/p>\n

JUNOS Documentation<\/strong><\/em>
\nConfiguring the Junos OS the First Time on a Router with a Single Routing Engine
\nConfigure Router<\/a><\/p>\n

Connecting and Configuring an EX Series Switch (CLI Procedure)
\nConfigure EX Switch<\/a><\/p>\n

Configuring SSH Service for Remote Access to the Router or Switch
\nConfigure SSH<\/a><\/p>\n

Loopback Interface Landing page
\nLoopback Page<\/a><\/p>\n

JUNOS as a second language course<\/strong><\/em>
\nChapter 9: Firewall Filters
\nJUNOS as a Second Language<\/a><\/p>\n

\u00a0Knowledge Base Articles<\/strong><\/em><\/p>\n

JUNOS: Securing routing engine for out-of-band management<\/p>\n

KB10880<\/a><\/p>\n

Firewall Filter on loopback interface
\nKB12791<\/a><\/p>\n

Originally Posted December 05, 2010
\nLast Revised on May 28, 2011<\/p>\n","protected":false},"excerpt":{"rendered":"

Purpose Most JUNOS based equipment provides a dedicated management ethernet port to create a separate management network.\u00a0 This allows connection and management of the devices independent on the operation and access of the production network.\u00a0 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-248","post","type-post","status-publish","format-standard","hentry","category-junos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=248"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/248\/revisions"}],"predecessor-version":[{"id":249,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/248\/revisions\/249"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}