Thursday, 18 June 2020

Sample Juniper Firewall Configuration to Protect Routing Engines


Here's sample firewall configuration in protecting the box and its services.

ICMP:
ICMP message types are essential for network administration and troubleshooting. There are quite a number of ICMP parameters, you can refer to IANA ICMP Parameters for the list or if you want to learn more details about ICMP can refer to RFC792.
Here's the 4 types I consider useful for troubleshooting and need to be allowed.


Type 0 — Echo Reply --> response from target to host
Type 8 — Echo Request--> host to target
Type 11 — Time Exceeded --> returned to host when doing traceroute
Type 3 — Destination Unreachable --> for MTU path discovery

Pre-config (create a policer)
set firewall policer limit-128k if-exceeding bandwidth-limit 128k
set firewall policer limit-128k if-exceeding burst-size-limit 15k
set firewall policer limit-128k then discard

Juniper Configuration:
set firewall family inet filter FIREWALL-RE term ICMP_PING from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-request
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-reply
set firewall family inet filter FIREWALL-RE term ICMP_PING then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_PING then count ICMP
set firewall family inet filter FIREWALL-RE term ICMP_PING then accept

set firewall family inet filter FIREWALL-RE term ICMP_TTL from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type time-exceeded
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type unreachable
set firewall family inet filter FIREWALL-RE term ICMP_TTL then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_TTL then accept

SSH:
It is recommended to use SSH for remote access for better security. Telnet is strictly discourage because of unencrypted communication for potential network sniffing.

Juniper Configuration:
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from source-prefix-list SSH-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from protocol tcp
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from port ssh
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then count REMOTE_ACCESS
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then accept

set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.101/32
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.102/32

where: 192.168.10.101 & 102 are the authorized IPs that are allowed to SSH into the device.


AAA(Tacacs):
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-prefix-list TACACS-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-port tacacs
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then count AAA
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then accept

set policy-options prefix-list TACACS-PREFIX-LIST  192.168.10.200/32

where: 192.168.10.200 is Tacacs Server


SNMP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from source-prefix-list SNMP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from destination-port snmp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then count SNMP
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then accept

set policy-options prefix-list SNMP-PREFIX-LIST  192.168.20.200/32

where: 192.168.20.200 is SNMP Polling Server


NTP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from source-prefix-list NTP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from port ntp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then policer limit-128k
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then count NTP
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then accept

set policy-options prefix-list NTP-PREFIX-LIST  192.168.30.200/32

where: 192.168.30.200 is NTP Server


IP Protocols
OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW from protocol ospf
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then count OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then accept

LDP
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from port 646
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then count LDP
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then accept
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then accept

RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW from protocol rsvp
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then count RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then accept

PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW from protocol pim
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then count PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then accept

IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW from protocol igmp
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then count IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then accept

MSDP
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from port msdp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW then count MSDP

BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from source-prefix-list BGP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from port bgp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then count BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then accept

set policy-options prefix-list BGP-PREFIX-LIST  192.168.40.0/24

Others
BFD
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from source-port 49152-65535
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from destination-port 3784
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then count BFD
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then accept

Traceroute
set firewall family inet filter FIREWALL-RE term TRACEROUTE from protocol udp
set firewall family inet filter FIREWALL-RE term TRACEROUTE from destination-port 33434-33678
set firewall family inet filter FIREWALL-RE term TRACEROUTE then policer limit-128k
set firewall family inet filter FIREWALL-RE term TRACEROUTE then count TRACEROUTE
set firewall family inet filter FIREWALL-RE term TRACEROUTE then accept

FINALLY.... need to put this "discard" statement at the end.

set firewall family inet filter FIREWALL-RE term REJECT_ALL then count REJECT_ALL
set firewall family inet filter FIREWALL-RE term REJECT_ALL then discard


Apply:
set interfaces lo0 unit 0 family inet filter input FIREWALL-RE


How does it looks like?

Policer:
lab@vMX-1> show configuration firewall policer limit-128k 
if-exceeding {
    bandwidth-limit 128k;
    burst-size-limit 15k;
}
then discard;

Firewall:
lab@vMX-1> show configuration firewall 
family inet {
    filter FIREWALL-RE {
        term ICMP_PING {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply ];
            }
            then {
                policer limit-128k;
                count ICMP;
                accept;
            }
        }
        term ICMP_TTL {
            from {
                protocol icmp;
                icmp-type [ time-exceeded unreachable ];
            }
            then {
                policer limit-128k;
                accept;
            }
        }
        term REMOTE_ACCESS {            
            from {
                source-prefix-list {
                    SSH-PREFIX-LIST;
                }
                protocol tcp;
                port ssh;
            }
            then {
                count REMOTE_ACCESS;
                accept;
            }
        }
        term AAA_ALLOW {
            from {
                source-prefix-list {
                    TACACS-PREFIX-LIST;
                }
                protocol tcp;
            }
        }
        term SNMP_ALLOW {
            from {
                source-prefix-list {    
                    SNMP-PREFIX-LIST;
                }
                protocol udp;
                destination-port snmp;
            }
            then {
                count SNMP;
                accept;
            }
        }
        term NTP_ALLOW {
            from {
                source-prefix-list {
                    NTP-PREFIX-LIST;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer limit-128k;
                count NTP;
                accept;
            }                           
        }
        term OSPF_ALLOW {
            from {

Prefix-sets

lab@vMX-1> show configuration policy-options 
prefix-list SSH-PREFIX-LIST {
    192.168.10.101/32;
    192.168.10.102/32;
}
prefix-list TACACS-PREFIX-LIST {
    192.168.10.200/32;
}
prefix-list SNMP-PREFIX-LIST {
    192.168.20.200/32;
}
prefix-list NTP-PREFIX-LIST {
    192.168.30.200/32;
}
prefix-list BGP-PREFIX-LIST {
    192.168.40.0/24;
}


                protocol ospf;
            }
            then {
                count OSPF;
                accept;
            }
        }
        term LDP_ALLOW {
            from {
                protocol [ tcp udp ];
                port 646;
            }
            then {
                count LDP;
                accept;
            }
        }
        term RSVP_ALLOW {
            from {
                protocol rsvp;          
            }
            then {
                count RSVP;
                accept;
            }
        }
        term PIM_ALLOW {
            from {
                protocol pim;
            }
            then {
                count PIM;
                accept;
            }
        }
        term IGMP_ALLOW {
            from {
                protocol igmp;
            }
            then {
                count IGMP;
                accept;
            }                           
        }
        term MSDP_ALLOW {
            from {
                protocol [ tcp udp ];
                port msdp;
            }
            then count MSDP;
        }
        term BGP_ALLOW {
            from {
                source-prefix-list {
                    BGP-PREFIX-LIST;
                }
                protocol tcp;
                port bgp;
            }
            then {
                count BGP;
                accept;
            }
        }
        term BFD_ALLOW {
            from {                      
                protocol udp;
                source-port 49152-65535;
                destination-port 3784;
            }
            then {
                count BFD;
                accept;
            }
        }
        term TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33678;
            }
            then {
                policer limit-128k;
                count TRACEROUTE;
                accept;
            }
        }
        term REJECT_ALL {
            then {
                count REJECT_ALL;       
                discard;
            }
        }
    }
}
policer limit-128k {
    if-exceeding {
        bandwidth-limit 128k;
        burst-size-limit 15k;
    }
    then discard;
}

Apply in interface loopback

lab@vMX-1> show configuration interfaces lo0 
unit 0 {
    family inet {
        filter {
            input FIREWALL-RE;
        }
    }
}

No comments:

Post a Comment