Juniper SRX (Junos OS): using a firewall filter so that only specific IPs can manage the device


A Juniper SRX firewall can normally be managed remotely in four ways: ssh (encrypted CLI), telnet (plaintext CLI), http (plaintext web) and https (encrypted web). Telnet and http send their data in cleartext and are therefore less secure, so the usual advice is to disable both services; we strongly recommend using only ssh and https, which encrypt the data in transit.
The purpose of this article is to use a firewall filter so that only a small number of people, coming from specific IPs or subnets, can manage the Juniper SRX. This raises the firewall's security and keeps attackers from reaching the firewall over the network and using it as a way into your company network.
In this example only the specific IPs or subnets in the prefix-list mgmt-nets (named manager-ip in the configuration below) may manage the SRX, and only through the ssh or https services; traffic from any IP not in that prefix-list toward the device's telnet, http, ssh or https service ports is rejected.
This raises a question: if we only permit ssh and https, why open http at all? Because if http is not permitted, part of the https J-Web interface stops working and shows error messages, so http is opened toward the routing engine; the same effect can instead be achieved by deleting the telnet and http services under system services.

Below is a sample firewall filter configuration. To illustrate how firewall filters are used and what they do, we designed three firewall filters with the same function, shown here:

policy-options {
    prefix-list manager-ip {
        192.168.1.0/28;
        192.168.1.150/32;
        192.168.1.200/32;
        192.168.5.150/32;
        192.168.5.200/32;
        192.168.6.0/28;
        192.168.6.150/32;
        192.168.6.200/32;
        192.168.7.150/32;
        192.168.7.200/32;
    }
}
firewall {
    family inet {
        filter management-acl-1 {
            term management_access {
                from {
                    source-address {
                        192.168.1.0/28;
                        192.168.6.0/28;
                        192.168.1.150/32;
                        192.168.5.150/32;
                        192.168.6.150/32;
                        192.168.7.150/32;
                        192.168.1.200/32;
                        192.168.5.200/32;
                        192.168.6.200/32;
                        192.168.7.200/32;
                    }
                    protocol tcp;
                    port [ ssh http https ];
                }
                then accept;
            }
            term management_access_denied {
                from {
                    protocol tcp;
                    port [ ssh telnet http https ];
                }
                then {
                    log;
                    reject;
                }
            }
            term default-term {
                then accept;
            }
        }
    }
    filter management-acl-2 {
        term allow-manager-networks {
            from {
                source-prefix-list {
                    manager-ip;
                }
            }
            then accept;
        }
        term deny-mgmt {
            from {
                destination-port [ ssh telnet http https ];
            }
            then {
                log;
                discard;
            }
        }
        term accept-all {
            then accept;
        }
    }
    filter management-acl-3 {
        term 1 {
            from {
                source-address {
                    192.168.1.0/28 except;
                    192.168.6.0/28 except;
                    192.168.1.200/32 except;
                    192.168.5.200/32 except;
                    192.168.6.200/32 except;
                    192.168.7.200/32 except;
                    192.168.1.150/32 except;
                    192.168.5.150/32 except;
                    192.168.6.150/32 except;
                    192.168.7.150/32 except;
                    0.0.0.0/0;
                }
                destination-port [ ssh telnet http https ];
            }
            then {
                log;
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input management-acl-2;
                }
                address 127.0.0.1/32;
            }
        }
    }
}

Below are the same filters as CLI set commands: three firewall filters with the same function, each configured a different way:
## firewall filter management-acl-1
## This section is adapted from the vendor's own example. It specifies family inet (IPv4) and the match condition protocol tcp, which makes the match scope explicit; it is the standard, canonical form.
## term management_access logic: any traffic matching all of (source address in the list + listed ports + protocol tcp) is accepted. Note that port, unlike destination-port, matches either the source or the destination port.
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.1.0/28
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.6.0/28
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.1.150/32
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.5.150/32
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.6.150/32
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.7.150/32
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.1.200/32
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.5.200/32
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.6.200/32
set firewall family inet filter management-acl-1 term management_access from source-address 192.168.7.200/32
set firewall family inet filter management-acl-1 term management_access from protocol tcp
set firewall family inet filter management-acl-1 term management_access from port ssh
set firewall family inet filter management-acl-1 term management_access from port http
set firewall family inet filter management-acl-1 term management_access from port https
set firewall family inet filter management-acl-1 term management_access then accept
## term management_access_denied logic: any traffic matching (protocol tcp + a listed port) is rejected and written to the system log.
set firewall family inet filter management-acl-1 term management_access_denied from protocol tcp
set firewall family inet filter management-acl-1 term management_access_denied from port ssh
set firewall family inet filter management-acl-1 term management_access_denied from port telnet
set firewall family inet filter management-acl-1 term management_access_denied from port http
set firewall family inet filter management-acl-1 term management_access_denied from port https
set firewall family inet filter management-acl-1 term management_access_denied then log
set firewall family inet filter management-acl-1 term management_access_denied then reject
## term default-term logic: any traffic not matching the terms above is accepted.
set firewall family inet filter management-acl-1 term default-term then accept


## firewall filter management-acl-2
## This section moves the source addresses into a separate prefix-list, which makes them easy to add to and modify, and simplifies the match logic: fewer match conditions, the same function, and less load on the device. This is the experienced engineer's approach.
set policy-options prefix-list manager-ip 192.168.1.0/28
set policy-options prefix-list manager-ip 192.168.1.150/32
set policy-options prefix-list manager-ip 192.168.1.200/32
set policy-options prefix-list manager-ip 192.168.5.150/32
set policy-options prefix-list manager-ip 192.168.5.200/32
set policy-options prefix-list manager-ip 192.168.6.0/28
set policy-options prefix-list manager-ip 192.168.6.150/32
set policy-options prefix-list manager-ip 192.168.6.200/32
set policy-options prefix-list manager-ip 192.168.7.150/32
set policy-options prefix-list manager-ip 192.168.7.200/32
## term allow-manager-networks logic: any traffic whose source address is in the list is accepted.
set firewall filter management-acl-2 term allow-manager-networks from source-prefix-list manager-ip
set firewall filter management-acl-2 term allow-manager-networks then accept
## term deny-mgmt logic: any traffic to a listed destination port is discarded and written to the system log.
set firewall filter management-acl-2 term deny-mgmt from destination-port ssh
set firewall filter management-acl-2 term deny-mgmt from destination-port telnet
set firewall filter management-acl-2 term deny-mgmt from destination-port http
set firewall filter management-acl-2 term deny-mgmt from destination-port https
set firewall filter management-acl-2 term deny-mgmt then log
set firewall filter management-acl-2 term deny-mgmt then discard
## term accept-all logic: any traffic not matching the terms above is accepted.
set firewall filter management-acl-2 term accept-all then accept


## firewall filter management-acl-3
## This section adds the except (exclude) option to the source addresses, shortening the filter to two terms.
## term 1 logic: any traffic whose source address matches the list (the excepted addresses are not included) and whose destination port is listed is discarded and written to the system log.
set firewall filter management-acl-3 term 1 from source-address 192.168.1.0/28 except
set firewall filter management-acl-3 term 1 from source-address 192.168.6.0/28 except
set firewall filter management-acl-3 term 1 from source-address 192.168.1.200/32 except
set firewall filter management-acl-3 term 1 from source-address 192.168.5.200/32 except
set firewall filter management-acl-3 term 1 from source-address 192.168.6.200/32 except
set firewall filter management-acl-3 term 1 from source-address 192.168.7.200/32 except
set firewall filter management-acl-3 term 1 from source-address 192.168.1.150/32 except
set firewall filter management-acl-3 term 1 from source-address 192.168.5.150/32 except
set firewall filter management-acl-3 term 1 from source-address 192.168.6.150/32 except
set firewall filter management-acl-3 term 1 from source-address 192.168.7.150/32 except
set firewall filter management-acl-3 term 1 from source-address 0.0.0.0/0
set firewall filter management-acl-3 term 1 from destination-port ssh
set firewall filter management-acl-3 term 1 from destination-port telnet
set firewall filter management-acl-3 term 1 from destination-port http
set firewall filter management-acl-3 term 1 from destination-port https
set firewall filter management-acl-3 term 1 then log
set firewall filter management-acl-3 term 1 then discard
## term 2 logic: any traffic not matching the term above is accepted. If further terms follow, or the filter is a deny filter, this pattern is not suitable; instead, as in management-acl-1, state the conditions to allow or deny explicitly.
set firewall filter management-acl-3 term 2 then accept

## Here we apply firewall filter management-acl-2 to the loopback interface lo0.0.
## You can apply management-acl-1 or management-acl-3 to lo0.0 instead; all three achieve the same function.
## Why apply the firewall filter to loopback interface lo0.0? Because lo0.0 represents the device itself: applying the filter once on lo0.0 is enough, without applying it separately to every interface. The goal of this firewall filter configuration is that whichever interface a user comes in through to manage the SRX, the filter rules apply, which is why the filter is applied directly to loopback interface lo0.0.
set interfaces lo0 unit 0 family inet filter input management-acl-2
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
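To make the first-match semantics of the three filters concrete, here is an added Python model (not from the original post or from Juniper) that evaluates constructed packets toward the routing engine against each filter; it covers only the match keys the post uses and assumes that the most specific listed prefix decides an except entry. It also shows where the three filters diverge: telnet from a listed manager address, UDP to a management port, and packets whose source port is a management port, because management-acl-1 uses port (either direction) while the other two use destination-port.

```python
"""Offline model of first-match evaluation for the three filters above (added
example, not from the post or from Juniper). Only the match keys the post uses
are modelled; the 'except' rule assumes the most specific listed prefix decides."""
import ipaddress

# Constructed copy of prefix-list manager-ip from the post
MANAGER = ["192.168.1.0/28", "192.168.6.0/28", "192.168.1.150/32", "192.168.5.150/32",
           "192.168.6.150/32", "192.168.7.150/32", "192.168.1.200/32", "192.168.5.200/32",
           "192.168.6.200/32", "192.168.7.200/32"]
MGMT_PORTS = {22, 23, 80, 443}               # ssh telnet http https

def source_match(ip, entries):
    """Junos 'source-address' list with optional 'except' (assumed semantics):
    the most specific listed prefix containing the address decides; except -> no match."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p).prefixlen, exc) for p, exc in entries
            if addr in ipaddress.ip_network(p)]
    return bool(hits) and not max(hits)[1]

# management-acl-1: 'port' matches source OR destination port; deny uses reject
def acl1(src, proto, sport, dport):
    if proto == "tcp" and source_match(src, [(p, False) for p in MANAGER]) \
            and {sport, dport} & {22, 80, 443}:
        return "accept"                      # term management_access
    if proto == "tcp" and {sport, dport} & MGMT_PORTS:
        return "reject"                      # term management_access_denied
    return "accept"                          # term default-term

# management-acl-2: prefix-list first, then destination-port (no protocol match), then accept-all
def acl2(src, proto, sport, dport):
    if source_match(src, [(p, False) for p in MANAGER]):
        return "accept"                      # term allow-manager-networks
    if dport in MGMT_PORTS:
        return "discard"                     # term deny-mgmt (TCP or UDP)
    return "accept"                          # term accept-all

# management-acl-3: 0.0.0.0/0 with every manager prefix marked 'except'
def acl3(src, proto, sport, dport):
    entries = [(p, True) for p in MANAGER] + [("0.0.0.0/0", False)]
    if source_match(src, entries) and dport in MGMT_PORTS:
        return "discard"                     # term 1
    return "accept"                          # term 2

def evaluate(src, proto="tcp", sport=40000, dport=22):
    """Action each filter takes on one constructed packet destined to the device."""
    return {f.__name__: f(src, proto, sport, dport) for f in (acl1, acl2, acl3)}
```

Running evaluate("192.168.1.150", dport=23) shows that management-acl-1 rejects telnet even from a manager address while the other two accept it, so the three filters are equivalent only for the ssh/https case the post targets.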


set firewall family inet filter management-acl-2 term deny-all from destination-port [ ssh telnet http https 11443 ]
The single line above has the same effect as the five lines below.
set firewall family inet filter management-acl-2 term deny-all from destination-port ssh
set firewall family inet filter management-acl-2 term deny-all from destination-port telnet
set firewall family inet filter management-acl-2 term deny-all from destination-port http
set firewall family inet filter management-acl-2 term deny-all from destination-port https
set firewall family inet filter management-acl-2 term deny-all from destination-port 11443


The following command shows the list of match conditions that can be used after from in firewall filter term allow-manager-networks:
root@srx210# set firewall filter manager-ip-filter term allow-manager-networks from ?
Possible completions:
> address              Match IP source or destination address
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
+ destination-port     Match TCP/UDP destination port
+ destination-port-except  Do not match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dscp                 Match Differentiated Services (DiffServ) code point
+ dscp-except          Do not match Differentiated Services (DiffServ) code point
+ esp-spi              Match IPSec ESP SPI value
+ esp-spi-except       Do not match IPSec ESP SPI value
  first-fragment       Match if packet is the first fragment
+ forwarding-class     Match forwarding class
+ forwarding-class-except  Do not match forwarding class
  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ fragment-offset      Match fragment offset
+ fragment-offset-except  Do not match fragment offset
+ icmp-code            Match ICMP message code
+ icmp-code-except     Do not match ICMP message code
+ icmp-type            Match ICMP message type
+ icmp-type-except     Do not match ICMP message type
> interface            Match interface name
+ interface-group      Match interface group
+ interface-group-except  Do not match interface group
> interface-set        Match interface in set
+ ip-options           Match IP options
+ ip-options-except    Do not match IP options
  is-fragment          Match if packet is a fragment
+ packet-length        Match packet length
+ packet-length-except  Do not match packet length
+ port                 Match TCP/UDP source or destination port
+ port-except          Do not match TCP/UDP source or destination port
+ precedence           Match IP precedence value
+ precedence-except    Do not match IP precedence value
> prefix-list          Match IP source or destination prefixes in named list
+ protocol             Match IP protocol type
+ protocol-except      Do not match IP protocol type
  service-filter-hit   Match if service-filter-hit is set
> source-address       Match IP source address
+ source-port          Match TCP/UDP source port
+ source-port-except   Do not match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
  tcp-established      Match packet of an established TCP connection
  tcp-flags            Match TCP flags (in symbolic or hex formats)
  tcp-initial          Match initial packet of a TCP connection
[edit]
root@srx210#



Use Security Policy
Note: when using a security policy, remember that the policy also applies to traffic destined to the device itself, including protocols such as OSPF, BGP and RIP; add the addresses those need to the manager-ip list (defined as address-set manager-ip in the zone address book below).
[edit security policies]
from-zone mgmt to-zone junos-host {
    policy allow-manager-ip {
        match {
            source-address manager-ip;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
default-policy {
    deny-all;
}
[edit security zones]
security-zone mgmt {
    address-book {
        address 10.0.0.0/8 10.0.0.0/8;
        address 192.168.0.0/16 192.168.0.0/16;
        address 172.16.0.0/12 172.16.0.0/12;
        address-set manager-ip {
            address 10.0.0.0/8;
            address 192.168.0.0/16;
            address 172.16.0.0/12;
        }
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        lo0.0;
    }
}

