Restricting Management Access on Juniper SRX

Posted on 05th September 2019

Management access to a Juniper SRX series device can be via J-Web (using HTTP or HTTPS), SSH or Telnet. To remotely manage an SRX series device, you need to enable the system services and allow host inbound traffic for the zone or interface. This poses a security risk: anybody on the network can get to the J-Web login page of your device or launch a brute-force attack against your SSH or Telnet service. The threat is more severe if you allowed HTTP, HTTPS, SSH or Telnet host inbound traffic on the untrust zone, which lets anybody on the public network launch an attack. This article shows you how to restrict management access to your SRX device by source IP address. The idea is to create a firewall filter that drops all packets to the SSH, HTTP, HTTPS and Telnet ports, except those coming from the specified IP addresses.

Step 1: Create a prefix list

The first step is to configure a prefix-list with all the IP addresses from which to allow access.

policy-options {
    prefix-list MANAGEMENT_IP {
        86.155.200.60/32;
        192.168.2.0/24;
    }
}

Run the following commands to create a prefix list like above.

# set policy-options prefix-list MANAGEMENT_IP 86.155.200.60/32
# set policy-options prefix-list MANAGEMENT_IP 192.168.2.0/24

Verify the config:

# show policy-options
prefix-list MANAGEMENT_IP {
    86.155.200.60/32;
    192.168.2.0/24;
}

Step 2: Create a firewall filter

The next step is to create a firewall filter that accepts TCP packets to destination port ssh, https, telnet or http from the IP addresses in the prefix list. All other TCP packets to the device are counted, logged and discarded, and the final term accepts everything that is not TCP. Note that the block_management term matches every other TCP packet destined to the device, not only the management ports, so any other TCP service the SRX itself terminates needs its own accept term placed before it. The config must look like below:

firewall {
    filter MGMT_FILTER {
        term allow_management {
            from {
                source-prefix-list {
                    MANAGEMENT_IP;
                }
                protocol tcp;
                destination-port [ ssh https telnet http ];
            }
            then {
                count mgmt-filter-allow_mgmt;
                accept;
            }
        }
        term block_management {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    0.0.0.0/0;
                }
                protocol tcp;
            }
            then {
                count mgmt-filter-block_mgmt;
                log;
                discard;
            }
        }
        term everything_else {
            then {
                count mgmt-filter-else;
                accept;
            }
        }
    }
}

To create this config from the command line, run:

set firewall filter MGMT_FILTER term allow_management from source-prefix-list MANAGEMENT_IP
set firewall filter MGMT_FILTER term allow_management from protocol tcp
set firewall filter MGMT_FILTER term allow_management from destination-port ssh
set firewall filter MGMT_FILTER term allow_management from destination-port http
set firewall filter MGMT_FILTER term allow_management from destination-port https
set firewall filter MGMT_FILTER term allow_management from destination-port telnet
set firewall filter MGMT_FILTER term allow_management then count mgmt-filter-allow_mgmt accept

set firewall filter MGMT_FILTER term block_management from source-address 0.0.0.0/0
set firewall filter MGMT_FILTER term block_management from destination-address 0.0.0.0/0
set firewall filter MGMT_FILTER term block_management from protocol tcp
set firewall filter MGMT_FILTER term block_management then count mgmt-filter-block_mgmt log discard

set firewall filter MGMT_FILTER term everything_else then count mgmt-filter-else accept

Step 3: Apply filter to lo0 interface

Finally, apply the firewall filter as an input filter on loopback interface lo0, so it is evaluated for all traffic destined to the device itself:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input MGMT_FILTER;
                }
            }
        }
    }
}

The command to run is:

set interfaces lo0 unit 0 family inet filter input MGMT_FILTER
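Before committing a filter on a production device it helps to check which traffic each term will catch. The following is an added Python model of MGMT_FILTER (not Junos code and not from the original post): it reproduces the top-to-bottom, first-match evaluation of a Junos firewall filter over the prefix list and terms configured in Steps 1 and 2, using the article's prefixes and ports together with a few constructed sample packets. The port numbers are the standard values Junos resolves the names ssh, http, https and telnet to.

```python
"""Model of the MGMT_FILTER firewall filter from the article.

Added illustration, not Junos code: it mirrors first-match term
evaluation so you can see which packets the filter accepts or discards.
Prefixes and ports are the article's values; sample packets are
constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Step 1: the prefix-list MANAGEMENT_IP from the article.
MANAGEMENT_IP = [ip_network("86.155.200.60/32"), ip_network("192.168.2.0/24")]

# Junos resolves the port names used in the filter to these well-known numbers.
PORT_NUMBERS = {"ssh": 22, "http": 80, "https": 443, "telnet": 23}
MGMT_PORTS = set(PORT_NUMBERS.values())


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None     # only meaningful for tcp/udp


@dataclass
class Term:
    name: str
    match: Callable[[Packet], bool]    # a term with no 'from' clause matches all
    action: str                        # "accept" or "discard"
    log: bool = False


def in_prefix_list(src: str, prefixes) -> bool:
    """True if the source address falls inside any prefix of the list."""
    addr = ip_address(src)
    return any(addr in net for net in prefixes)


# Step 2: the three terms of MGMT_FILTER, in the order they are configured.
MGMT_FILTER = [
    Term("allow_management",
         lambda p: p.protocol == "tcp" and p.dst_port in MGMT_PORTS
         and in_prefix_list(p.src, MANAGEMENT_IP),
         "accept"),
    # source/destination 0.0.0.0/0 match any address, so this term is
    # effectively "any other TCP packet to the device".
    Term("block_management", lambda p: p.protocol == "tcp", "discard", log=True),
    Term("everything_else", lambda p: True, "accept"),
]


def evaluate(packet: Packet, terms=MGMT_FILTER):
    """Return (term name, action) for the first matching term, as Junos does."""
    for term in terms:
        if term.match(packet):
            return term.name, term.action
    # Junos applies an implicit discard when no term matches; unreachable with
    # MGMT_FILTER because everything_else has no 'from' clause.
    return "implicit", "discard"


def run_samples():
    """Evaluate constructed sample packets; 203.0.113.0/24 is documentation space."""
    samples = {
        "ssh_from_mgmt_subnet": Packet("192.168.2.10", "tcp", 22),
        "ssh_from_internet": Packet("203.0.113.7", "tcp", 22),
        "https_from_mgmt_host": Packet("86.155.200.60", "tcp", 443),
        "tcp179_from_mgmt_subnet": Packet("192.168.2.10", "tcp", 179),
        "udp161_from_anywhere": Packet("203.0.113.7", "udp", 161),
        "icmp_from_anywhere": Packet("203.0.113.7", "icmp"),
    }
    return {name: evaluate(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (term, action) in run_samples().items():
        print(f"{name:26s} -> {term:18s} {action}")
```

The tcp179_from_mgmt_subnet sample is the case worth noticing: even from an allowed management address, a TCP connection to a non-management port is caught by block_management, because allow_management only lists the four management ports. Non-TCP traffic such as the UDP and ICMP samples falls through to everything_else and is accepted, so the filter does not interfere with protocols that are not TCP.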

Note: This is one of the solutions to restrict access to Juniper SRX device management. You could also restrict access by creating a security policy for the junos-host zone.
