안녕하세요.

 

오늘은 [2024][Juniper SRX #12] application and application-set입니다. 

 

Juniper 방화벽 정책을 설정 시 Source port 또는 Destination port에 TCP/UDP, 또는 port number를 지정할 때 사용 합니다. 

자세한 내용은 Juniper SRX 공식 홈페이지를 참조 바랍니다.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/policy-application-sets-configuration.html

 

Security Policy Applications and Application Sets | Junos OS | Juniper Networks

When you create a policy, you must specify an application, or service, for it to indicate that the policy applies to traffic of that type. Sometimes the same applications or a subset of them can be present in multiple policies, making it difficult to manag

www.juniper.net

 

Applications은 두 가지로 분류됩니다.

1. standard

2. custom applications

 

standard way는 이미 Juniper SRX에서 정의된 포트를 말합니다. 주로 well-known port를 의미합니다. 

set applications application standard-way application-protocol http

root# set applications application KK application-protocol ?
Possible completions:
  dns                  Domain Name Service
  ftp                  File Transfer Protocol
  ftp-data             File Transfer Protocol Data Session
  gprs-gtp-c           GPRS Tunneling Control Plane
  gprs-gtp-u           GPRS Tunneling User Plane
  gprs-gtp-v0          GPRS Tunneling Version 0
  gprs-sctp            GPRS Stream Control Protocol
  http                 Hypertext Transfer Protocol
  https                Hypertext Transfer Protocol
  ignore               Ignore application type
  ike-esp-nat          IKE/ESP with NAT
  imap                 Internet Mail Access Protocol
  imaps                Internet Mail Access Protocol Over TLS
  mgcp-ca              MGCP-CA
  mgcp-ua              MGCP-UA
  ms-rpc               Microsoft RPC
  none                 None
  pop3                 Post Office Protocol 3 Protocol
  pop3s                Post Office Protocol 3 Protocol Over TLS
  pptp                 Point-to-Point Tunneling Protocol
  q931                 Q.931
  ras                  RAS
  realaudio            RealAudio        
  rsh                  Remote Shell
  rtsp                 Real Time Streaming Protocol
  sccp                 Skinny Client Control Protocol
  sip                  Session Initiation Protocol
  smtp                 Simple Mail Transfer Protocol
  smtps                Simple Mail Transfer Protocol Over TLS
  sqlnet-v2            Oracle SQL*Net Version 2
  ssh                  Secure Shell Protocol
  sun-rpc              Sun Microsystems RPC
  talk                 Talk Program
  telnet               Telnet Protocol
  tftp                 Trivial File Transfer Protocol
  twamp                Two Way Active Meaurement Protocol
[edit]

 

이번에는 custom 방식에 대해서 알아보겠습니다.

Protocol -> tcp

Source-port - 0-65535 -> source port는 랜덤으로 선택됩니다. 특정 Application은 source-port가 특정 포트로 동작하는 APP도 있습니다

Destination-port - 23

inactivity-timeout - 20초

set applications application telnet-1 protocol tcp 
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20

 

방화벽 정책 설정 시 application를 아래처럼 불러와서 사용 가능 합니다.

set security policies from-zone trust to-zone untrust policy p1 match application telnet-1

 

만약에 하나에 방화벽 정책에 여러 개 application를 사용하고 싶으면 아래와 같이 설정 가능 합니다

set applications application http-1 protocol tcp 
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20

아래처럼 application 정책을 계속 추가해야 합니다. 

set security policies from-zone trust to-zone untrust policy p1 match application telnet-1
set security policies from-zone trust to-zone untrust policy p1 match application http-1

 

하지만 application-set을 이용하면 하나에 정책에 많은 application 추가해서 사용할 수 있습니다. 

 

application-set에 http-1이랑 telnet-1을 할당합니다.

set applications application-set app-group application http-1
set applications application-set app-group application telnet-1

 

그리고 방화벽 정책에 application-set를 설정합니다.

set security policies from-zone trust to-zone untrust policy p1 match application-set app-group

 

application 설정값 확인 하는 명령어

root> show configuration applications | display set 
set applications application standard-way application-protocol http
set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20
set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20
set applications application-set app-group application http-1
set applications application-set app-group application telnet-1

root> 

 

지금까지 [2024][Juniper SRX #12] application and application-set 글을 읽어주셔서 감사합니다. 

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #14] firewall policy 순서 변경  (0) 2024.07.26
[2024][Juniper SRX #13] firewall policy  (0) 2024.07.25
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT  (0) 2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기  (0) 2024.07.21
[2024][Juniper SRX #8] Zone configuration  (1) 2024.07.20

안녕하세요.

 

오늘은 [2024][Juniper SRX #11] address book and address set에 대해서 알아보겠습니다.

 

Juniper SRX방화벽은 정책을 만들 때 곧바로 IP주소를 입력할 수 없고 Address book를 만들어서 IP주소를 정의해야 합니다.

그래야지 방화벽 정책에서 address book 이름을 불러올 수 있습니다.

 

자세한 내용은 Juniper 공식 address book이랑 address set에 대한 내용은 확인 부탁드립니다.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-address-books-sets.html

 

Address Books and Address Sets | Junos OS | Juniper Networks

In this example, you create source and destination address books, SOUR-ADDR and DES-ADDR, and add source and destination addresses to it. You create source and destination address sets, as1 and as2, and group source and destination addresses to them. Then

www.juniper.net

 

Address-book은 크게 두 가지로 나누어집니다.

1. global(default) - 모든 zone에서 address book를 불러올 수 있습니다

2. custorm(Must be binded to a zone) - address-book이 특정 Zone에서만 사용할 수 있습니다. 

 

address-book를 정의할 때는 아래와 같이 5가지 사용 가능 합니다.

1. Prefix - EX) 192.168.10.0/24

2. address-range - EX) 192.168.11.10 to 192.168.11.199

3. wildcard_address - EX) 10.0.10.0/255.7.255.0 -

4. DNS_name - EX) cisco.com

5. Any - 모든 트래픽

 

그럼 Juniper SRX에서 address-book를 설정해 보겠습니다.

1. Prefix를 이용하는 방법

 

global - global address book 정의 

N-192.168.1.0/24 - address book이름

192.168.1.0/24 - Prefix Target IP 정의

set security address-book global address N-192.168.1.0/24 192.168.1.0/24

 

2. address-range 이용하는 방법

global - global address book 정의 

H-192.168.1.0-to-10 - adress book 이름 정의

192.168.1.0 to 192.168.1.10 - 실제 Target IP정의

set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10

 

3. Wildcard_address 이용하는 방법

global - global address book 정의 

wildcard - adress book 이름 정의

192.168.0.11/255.255.0.255 - 192.168.*. 11을 의미 - 즉 192.168.1.11 , 192.168.3.11 - 3번째 octoc은 아무 숫자나 허

set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255

 

4. dns_name를 이용하는 방법

global - global address book 정의 

dns_filter - adress book 이름 정의

cisco.com - dns name이 cisco.com를 정의함. 

set security address-book global address dns_filter dns-name cisco.com

 

이번에는 address-set에 대해서 정의해 보겠습니다. 

만약에 위에 모든 정책을 destination IP에 정의를 한다고 하면 똑같은 설정을 4번을 해야 합니다. 

 

방화벽 정책 설정은 추후 강일에서 진행하겠습니다. 아래 설정값은 이해하는 용도로 사용됩니다. 

set security policies from-zone trust to-zone untrust policy p1 match destination-address N-192.168.1.0/24 
set security policies from-zone trust to-zone untrust policy p1 match destination-address H-192.168.1.0-to-10  
set security policies from-zone trust to-zone untrust policy p1 match destination-address wildcard  
set security policies from-zone trust to-zone untrust policy p1 match destination-address dns_filter

 

방화벽 정책 숫자가 적고 source address book과 destination address book이 조금 이면 이렇게 설정해도 상관없지만, adress book수가 많으면, 추후에 정책 설정값을 보거나 show 커맨드로 사용해서 특정값을 출력할 때도 너무 많은 정도들이 올라와서 불편합니다. 

 

address-set를 하나 만들고 여기에 address-book를 포함하면 위에 설정값이 한 줄로 줄어듭니다. 

 

global - global address book 정의 

destination-group - adress-set 이름 정의

address N-192.168.1.0/24, H-192.168.1.0-to-10, wildcard 그리고 dns_filter를 address-set destination-group에 포함시킵니다.

set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter

 

그리고 방화벽 정책에서 destination를 정의할 때 한 줄로 사용 가능 합니다.

destination-address에서 destination-group를 불러오면 위에 정의한 address-book 4개를 정의할 수 있습니다. 

set security policies from-zone trust to-zone untrust policy p1 match destination-address destination-group

 

여기까지 Global Address-book에 대해서 설명했습니다. Global address-book은 아무 zone에서 address-book를 불러올 수 있습니다.

 

trust_zone - global address book이 아닌 name를 정의합니다. 

N-10.1.1.0/8 - address book이름 정의

10.1.1.0/8 - 실제 IP대역 target ip address

그리고 trust_zone를 trust zone에게 attach 하면 이 address-book은 turst zone만 사용 가능 하게 됩니다. 

set security address-book trust_zone address N-10.1.1.0/8 10.1.1.0/8
set security address-book trust_zone attach zone trust    

 

지금까지 설정한 address-book 출력하기

주의 사항: root> 여기에서는 show security address-book 커맨드가 없기 때문에 확인 불가능 합니다. 

꼭 configuration mode에서 확인하시길 바랍니다. 

root# show security address-book | display set | no-more 
set security address-book global address N-192.168.1.0/24 192.168.1.0/24
set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10
set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255
set security address-book global address dns_filter dns-name cisco.com
set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter
set security address-book trust_zone address N-10.1.1.0/8 10.1.1.0/8

또는 

root> show configuration security address-book | display set 
set security address-book global address N-192.168.1.0/24 192.168.1.0/24
set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10
set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255
set security address-book global address dns_filter dns-name cisco.com
set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter

root> 

 

지금까지 [2024][Juniper SRX #11] address book and address set 글을 읽어주셔서 감사합니다. 

저작자표시

안녕하세요.

 

[2024][Juniper SRX #10] Administrator access restriction settings for MGMT입니다. 

 

Juniper SRX에 SSH 또는 Telnet 또는 J-web를 설정하여 Juniper SRX 관리할 수 있지만 보안 설정을 안 하면 모든 IP대역이 Juniper SRX를 SSH 또는 Telent 또는 J-web를 접속하여 로그인할 수 있습니다.

 

회사에서 보안상 특정 IP대역만 Juniper SRX MGMT IP를 통하여 주니퍼 방화벽을 관리해야 하는 경우에는 아래와 같이 설정 가능 합니다.

 

토폴로지 

 

 

Juniper SRX 기본 설정은 아래와 같습니다. 

root> show configuration | display set | no-more 
set version 21.3R1.9
set system root-authentication encrypted-password "$6$Ea7ce5UJ$33Cef6CXrDrf7O1iHX0Skwii8sjgCAeFvM5CXzEbX3/5QyNQxTMpRtregTUO/84DdvZhnEXel5WPvXKOu0hyx1"
set system login user juniper uid 2000
set system login user juniper class super-user
set system login user juniper authentication encrypted-password "$6$.zIMNUej$r05Ie68YwDsLLShNbIIYdL.TjI9p/ndcvxF0YOuOAbD.OlQWmgaABWskuOtmcU9ZRhp.VqM/tVcA2.tZMwc.W/"
set system services ssh root-login allow
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set interfaces fxp0 unit 0 family inet address 192.168.10.220/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

 

Cisco 스위치 기본 설정입니다.

Switch#conf t
Switch(config)#hostname SW1
SW1(config)#int g0/0
SW1(config-if)#no sw
SW1(config-if)#ip add dhcp
SW1(config-if)#no sh

 

Juniper Interface를 상태를 확인합니다.

root> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet    
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root> 

 

Cisco Interface를 확인합니다.

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up      
GigabitEthernet0/2     unassigned      YES unset  up                    up      
GigabitEthernet0/3     unassigned      YES unset  up                    up      
GigabitEthernet0/0     192.168.10.104  YES DHCP   up                    up      
GigabitEthernet1/0     unassigned      YES unset  up                    up      
GigabitEthernet1/1     unassigned      YES unset  up                    up      
GigabitEthernet1/2     unassigned      YES unset  up                    up      
GigabitEthernet1/3     unassigned      YES unset  up                    up      
SW1#  

 

Juniper SRX fxp0 IP: 192.168.10.220

Cisco Gi0/0 IP: 192.168.10.104

 

Cisco에서 Juniper fxp0로 Ping를 시도합니다

SW1#ping 192.168.10.220
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.220, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW1#

 

Telnet Test - 정상적으로 동작합니다.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Thu Jun 20 09:49:37 from 172.16.10.15

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper> 

 

SSH Test - 정상적으로 동작합니다.

SW1#ssh -l root 192.168.10.220
Password:
Last login: Sat Jun 22 06:12:39 2024
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # 

 

현재 Cisco IP주소는 192.168.10.104인데, 보안 설정을 192.168.10.105만 Juniper SRX로 접속 가능 하게 설정해 보겠습니다.

 

1. IP 대상을 입력합니다. 여러 IP를 허용하면 여러 개를 입력합니다. 

set policy-options prefix-list manager-ip 192.168.10.105/32

 

2. IP를 이용해서 Filter 정책을 만듭니다. 

IP: 192.168.10.105 

Protocol: tcp

Destination port: telnet https ssh

만 허용합니다. 그리고 나머지는 차단합니다. 

set firewall filter manager-ip term accept_manager from prefix-list manager-ip
set firewall filter manager-ip term accept_manager from protocol tcp
set firewall filter manager-ip term accept_manager from destination-port telnet
set firewall filter manager-ip term accept_manager from destination-port https
set firewall filter manager-ip term accept_manager from destination-port ssh
set firewall filter manager-ip term accept_manager then accept
set firewall filter manager-ip term block_non_manager then discard

 

3. MGMT interface fxp0에 filter를 적용합니다.

set interfaces fxp0 unit 0 family inet filter input manager-ip

commit

 

그리고 설정을 적용합니다. 

 

Cisco Side

Telent를 시도합니다. Juniper Filter정책 때문에 Telnet 접속이 실패합니다. 

SW1#telnet 192.168.10.220     
Trying 192.168.10.220 ... 
% Connection timed out; remote host not responding

SW1#

 

SSH를 시도합니다. Juniper Filter정책 때문에 SSH 접속이 실패합니다. 

SW1#ssh -l root 192.168.10.220
SW1#

 

Cisco Switch에서 IP주소를 192.168.10.105로 변경 후 Telnet과 SSH를 시도해 보겠습니다.

SW1(config)#int g0/0
SW1(config-if)#ip add 192.168.10.105 255.255.255.0
SW1(config-if)#no sh

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up      
GigabitEthernet0/2     unassigned      YES unset  up                    up      
GigabitEthernet0/3     unassigned      YES unset  up                    up      
GigabitEthernet0/0     192.168.10.105  YES manual up                    up      
GigabitEthernet1/0     unassigned      YES unset  up                    up      
GigabitEthernet1/1     unassigned      YES unset  up                    up      
GigabitEthernet1/2     unassigned      YES unset  up                    up      
GigabitEthernet1/3     unassigned      YES unset  up                    up      
SW1#

 

Telnet 시도 - 허용된 IP이기 때문에 telnet이 성공합니다.

SW1#telnet 192.168.10.220     
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Sat Jun 22 06:19:21 from 192.168.10.104

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper> 

 

SSH 시도 - 허용된 IP이기 때문에 ssh가 성공합니다.

SW1#ssh -l root 192.168.10.220
Password:

Last login: Sat Jun 22 06:20:40 2024 from 192.168.10.104
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # 

 

지금까지 [2024][Juniper SRX #10] Administrator access restriction settings for MGMT글을 읽어주셔서 감사합니다. 

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #13] firewall policy  (0) 2024.07.25
[2024][Juniper SRX #12] application and application-set  (2) 2024.07.24
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기  (0) 2024.07.21
[2024][Juniper SRX #8] Zone configuration  (1) 2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic  (0) 2024.07.19

안녕하세요. 

 

[2024][Juniper SRX #9] SSH and Telnet 설정하기입니다. 

 

Juniper SRX은 fxp0이 MGMT interface입니다. 여기에 IP주소를 설정하고 외부에서 SSH나 Telent를 통해서 접속해 보겠습니다. 

 

토폴로지는 아래와 같습니다.

기본적으로 설정값들을 지웁니다. 

root# delete 
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes 

root# set system root-authentication plain-text-password 
New password:
Retype new password:

root# commit 
commit complete

[edit]
root# commit 
commit complete

 

fxp0에 IP주소를 할당합니다. 

DHCP기능이 동작하면 자동으로 IP주소를 받을 수 있고 또는 수동으로 설정 가능 합니다.

 

DHCP로 IP주소 받기

root# set interfaces fxp0 unit 0 family inet dhcp            

[edit]
root# commit 

 

Interface에 IP 확인하기

root> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet    
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root> 

 

수동으로 IP주소 설정하기

delete interfaces fxp0 unit 0 family inet dhcp
commit

root# set interfaces fxp0 unit 0 family inet address 192.168.10.104/24            
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

[edit]
root# commit 

root> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet    
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root> 

 

Juniper SRX에 SSH 설정합니다. 

root# set system services ssh root-login allow 

[edit]
root# commit 
commit complete

 

노트북에서 putty 또는 CRT를 이용해서 접속을 테스트합니다.

 

정상적으로 동작합니다.

 

이번에는 Telent를 설정합니다.

root# set system services telnet 

[edit]
root# commit 
commit complete

 

 

telnet은 기본적으로 root를 허용하지 않습니다. root계정으로 로그인을 시도해도 실패합니다. 

 

만약에 telnet를 사용해야 하는 경우에는 user를 따로 생성합니다.

root# set system login user juniper class super-user 

[edit]
root# set system login user juniper authentication plain-text-password    
New password:
Retype new password:

[edit]
root# commit 
commit complete

 

juniper 계정을 새로 생성하였고 로그인을 시도합니다.

 

성공적으로 로그인됩니다. 

 

Juniper SRX는 Web 기반에 방화벽에 설정을 지원합니다. 이번에는 j-web를 설정해 보겠습니다.

set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

 

테스트를 위해서 fxp0 ip를 입력합니다. 

 

지금까지 [2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #12] application and application-set  (2) 2024.07.24
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT  (0) 2024.07.22
[2024][Juniper SRX #8] Zone configuration  (1) 2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic  (0) 2024.07.19
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode  (0) 2024.07.17

안녕하세요.

 

오늘은 [2024][Juniper SRX #8] Zone에 대해서 알아보겠습니다. 

 

Juniper SRX는 Zone base Firewall입니다. Interface가 독자적으로 동작하지 못하고 interface는 하나에 Zone에 포함되어야 하고 방화벽 정책은 Zone를 기반으로 허용 또는 차단이 가능합니다. 

 

이 부분은 추후에 방화벽 정책을 테스트할 때 좀 더 자세히 진행하겠습니다. 

 

테스트 토폴로지는 아래와 같습니다.

1.vIOS Switch 

2.vSRX를 사용 하였습니다. 

 

IP정보는 아래와 같습니다

SRX: 

ge-0/0/0 - 10.1.1.1/24 untrust zone

ge-0/0/1 - 172.16.1.1/24 dmz zone

ge-0/0/2 - 192.168.1.1/24 trust zone

fxp0 - dhcp - management zone

SW1

gi0/0 - 10.1.1.2/24

SW2

gi0/0 - 172.16.1.2/24

SW3

gi0/0 - 192.168.1.2/24

Juniper SRX Zone Types 

1. fuctional zone (management Zone) - dedicate an interface just for the purpose of management 

    일반적으로 fxp0이 management 인터페이스인데, data interface를 MGMT로 사용할 때 이 명령어를 사용하여 

    MGMT역활한 할 수 있게 설정할 수 있습니다. 

2. Security zone - to control traffic between different security zone 

3. junos-host - control traffic between security zone and juniper device itself

4. null - discard traffic 

 

현재 생성된 zone 리스트를 출력 하는 명령어

show security zones terse

root> show security zones terse  
Zone                        Type
junos-host                  Security

 

아래 interface를 보면 fxp0이 SRX management interface입니다. 

root> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet    
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

 

fxp0 인터페이스에 IP주소를 DHCP 통해서 할당 받겠습니다.

간단하게 제 테스트랩을 설명하겠습니다

 

1. 제 노트북에서 Global Protect(VPN agent)로 팔로알토에 접속합니다. 

2. EVE-NG는 VMware ESXi안에 설치되어 있스비다. 

3. 팔로알토가 DHCP기능을 수행합니다. 

그래서 fxp0 인터페이스는 자동으로 팔로알토로부터 IP를 받을 수 있습니다. 

 

아니면 수동으로 설정하셔도 됩니다.

root# set interfaces fxp0 unit 0 family inet dhcp      

[edit]
root# commit 
commit complete

 

그리고 Interface에 IP주소를 확인합니다. 

root> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet    
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0

 

제 PC에서 SRX fxp0 192.168.10.104 ping 테스트입니다.

핑이 성공합니다. 

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=4ms TTL=63
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=7ms TTL=63
Reply from 192.168.10.104: bytes=32 time=14ms TTL=63

Ping statistics for 192.168.10.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 14ms, Average = 7ms

C:\Users\admin>

 

fxp0를 수동으로 IP주소를 설정하기. 

set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

 

PC에서 PIng테스트

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=13ms TTL=63

Ping statistics for 192.168.10.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 13ms, Average = 7ms

 

어떤 Interface가 어떤 Zone에 할당되었는지 확인하는 명령어입니다. 

show interfaces zone terse

root> show interfaces zone terse 
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24     
                                                                                        Null
sp-0/0/0.0              up    up   inet    
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0                  
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0                  
                                            10.0.0.16           --> 0/0                  
                                            128.0.0.1           --> 0/0                  
                                            128.0.0.4           --> 0/0                  
                                            128.0.1.16          --> 0/0                  
                                                                                        Null
lo0.32768               up    up                                                        Null

 

fxp0는 기본적으로 null zone에 할당되어 있습니다. 

 

일반적은 data용 interface를 MGMT interface로 사용할 때 사용 됩니다.

테스트를 위해서 ge-0/0/0를 MGMT interface로 만들어 보겠습니다.

root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 

[edit]
root# set security zones functional-zone management interfaces ge-0/0/0 

[edit]
root# commit 
commit complete

root> show security zones terse 
Zone                        Type
management                  Functional
junos-host                  Security

root> 

 

Zone를 확인하고 Interface 할당된 Zone도 확인합니다.

root> show security zones terse 
Zone                        Type
management                  Functional
junos-host                  Security

root> 

root> show interfaces zone terse    
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24     
                                                                                        Management
sp-0/0/0.0              up    up   inet    
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0                  
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0                  
                                            10.0.0.16           --> 0/0                  
                                            128.0.0.1           --> 0/0                  
                                            128.0.0.4           --> 0/0                  
                                            128.0.1.16          --> 0/0                  
                                                                                        Null
lo0.32768               up    up                                                        Null

root> 

 

테스트를 위해서 기존에 Ge-0/0/0 zone를 삭제합니다.

delete security zones functional-zone management interfaces ge-0/0/0.0
commit


root> show interfaces zone terse 
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24     
                                                                                        Null
sp-0/0/0.0              up    up   inet    
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0                  
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0                  
                                            10.0.0.16           --> 0/0                  
                                            128.0.0.1           --> 0/0                  
                                            128.0.0.4           --> 0/0                  
                                            128.0.1.16          --> 0/0                  
                                                                                        Null
lo0.32768               up    up                                                        Null

root> 

 

2

 

2. Security zone - to control traffic between different security zone 

 

테스트를 위해서 IP를 설정합니다.

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24

commit

 

인터페이스를 확인합니다.


root> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24     
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet    
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     172.16.1.1/24   
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.1.1/24  
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up        
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root> 

 

Zone를 생성합니다.

set security zones security-zone trust
set security zones security-zone untrust
set security zones security-zone dmz

commit

 

Zone를 생성을 확인합니다.

root> show security zones terse 
Zone                        Type
management                  Functional
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> 

 

Interface를 Zone에 할당합니다.

set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0

commit

 

Zone에 할당된 interface를 확인합니다.

root> show interfaces zone terse | match ge-   
ge-0/0/0.0              up    up   inet     10.1.1.1/24     
ge-0/0/1.0              up    up   inet     172.16.1.1/24   
ge-0/0/2.0              up    up   inet     192.168.1.1/24  

root> 

 

Ping 테스트를 위해서 각 Zone에 PING를 허용합니다.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

 

SW1 gi0/0 IP를 설정하고 SRX ge-0/0/0 10.1.1.1로 PIng를 시도합니다.

Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 10.1.1.2 255.255.255.0
Switch(config-if)#no sh

Switch(config-if)#end
Switch# ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/146/579 ms
Switch#

 

SW2 gi0/0 IP를 설정하고 SRX ge-0/0/0 172.16.1.1로 PIng를 시도합니다.

Switch(config)#int g0/0
Switch(config-if)#no sw 
Switch(config-if)#ip add 172.16.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#
Switch#ping 172.16.1.1
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/3/4 ms
Switch#

 

SW3 gi0/0 IP를 설정하고 SRX ge-0/0/0 192.168.1.1로 PIng를 시도합니다.

Switch#conf t
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 192.168.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

*Jun 20 08:56:02.421: %SYS-5-CONFIG_I: Configured from console by console
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#

 

서로 다른 Zone끼리 방화벽 정책이 없기 때문에 서로 간에 통신은 불가능합니다. 

지금까지 [2024][Juniper SRX #8] Zone configuration 글을 읽어주셔서 감사합니다. 

다음 강좌를 address-book에 대해서 알아보도록 하겠습니다. 

 

감사합니다. 

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #10] Administrator access restriction settings for MGMT  (0) 2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기  (0) 2024.07.21
[2024][Juniper SRX #7] host-inbound-traffic  (0) 2024.07.19
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode  (0) 2024.07.17
[2024][Juniper SRX #5] Interface 설정 - RVI - access mode  (0) 2024.07.16

+ Recent posts

티스토리툴바