Management access to a Juniper SRX series device can be via J-Web (using HTTP or HTTPS), SSH or Telnet service. To remotely manage a SRX series device, you need to enable system services and allow host inbound traffic for the zone or interface. This poses a security risk that anybody on the network can get to the J-web login page of you device or launch a brute-force attack against your SSH or telnet service. The threat is more severe if you allowed HTTP, HTTPS, SSH or Telnet host inbound traffic on untrust zone, which allows anybody on the public network launch an attack. This article shows you how to restrict management access to your SRX device by IP address. The idea is to create a firewall filter that drops all packets to ports for SSH, HTTP, HTTPS and telnet, except those packets coming from the specified IP addresses.
Step 1: Create a prefix list
The first step is to configure a prefix-list with the all IP addresses from which to allow access.
policy-options {
prefix-list MANAGEMENT_IP {
86.155.200.60/32;
192.168.2.0/24;
}
}
Run the following commands to create a prefix list like above.
# set policy-options prefix-list MANAGEMENT_IP 86.155.200.60/32 # set policy-options prefix-list MANAGEMENT_IP 192.168.2.0/24
Verify the config
# show policy-options
prefix-list MANAGEMENT_IP {
86.155.200.60/32;
192.168.2.0/24;
}
Step 2: Create a firewall filter
The next step is to create a firewall filter that accepts all TCP packets to destination port ssh, https, telnet, http and from IP addresses in the prefix list. All other packets are logged and discarded. The config must look like below:
firewall {
filter MGMT_FILTER {
term allow_management {
from {
source-prefix-list {
MANAGEMENT_IP;
}
protocol tcp;
destination-port [ ssh https telnet http ];
}
then {
count mgmt-filter-allow_mgmt;
accept;
}
}
term block_management {
from {
source-address {
0.0.0.0/0;
}
destination-address {
0.0.0.0/0;
}
protocol tcp;
}
then {
count mgmt-filter-block_mgmt;
log;
discard;
}
}
term everything_else {
then {
count mgmt-filter-else;
accept;
}
}
}
}
To create this config from command line, run
set firewall filter MGMT_FILTER term allow_management from source-prefix-list MANAGEMENT_IP set firewall filter MGMT_FILTER term allow_management from protocol tcp set firewall filter MGMT_FILTER term allow_management from destination-port ssh set firewall filter MGMT_FILTER term allow_management from destination-port http set firewall filter MGMT_FILTER term allow_management from destination-port https set firewall filter MGMT_FILTER term allow_management from destination-port telnet set firewall filter MGMT_FILTER term allow_management then count mgmt-filter-allow_mgmt accept set firewall filter MGMT_FILTER term block_management from source-address 0.0.0.0/0 set firewall filter MGMT_FILTER term block_management from destination-address 0.0.0.0/0 set firewall filter MGMT_FILTER term block_management from protocol tcp set firewall filter MGMT_FILTER term block_management then count mgmt-filter-block_mgmt log discard set firewall filter MGMT_FILTER term everything_else then count mgmt-filter-else accept
Step 3: Apply filter to lo0 interface
Finally, apply the firewall filter to loopback interface lo0
interfaces {
lo0 {
unit 0 {
family inet {
filter {
input MGMT_FILTER;
}
}
}
}
}
The command to run is:
set interfaces lo0 unit 0 family inet filter input MGMT_FILTER
Note: This is one of the solutions to restric access to Juniper SRX device management. You could also restrict access by creating a security policy for junos-host zone.
