Configuring Firewall Policies and Services for Enterprise Manager Portal

The SRC software represents a JUNOS firewall as two types of SRC services: basic firewall services, which define the default treatment of traffic through the firewall, and firewall exceptions, which admit or block specific traffic.

For example, to configure an access that accepts only e-mail from a specific IP address, you can use a basic firewall service that blocks all incoming and outgoing traffic, and then a firewall exception that allows incoming e-mail traffic from that IP address.

The SRC software supports the following types of firewalls on JUNOS routing platforms: stateless firewalls and stateful firewalls.

An application is typically associated with a stateful firewall rule. After a flow or conversation meets the firewall criteria, packets in that flow can pass through the firewall. For example, when an FTP control connection requests a file download, the stateful firewall knows to expect a TCP data connection and allows it to start.

The same criteria are not necessarily applied to every packet. For example, for a TCP application, the criteria change when a new TCP session is initiated so that subsequent packets in the flow are allowed.

You can make either stateless firewalls or stateful firewalls available from Enterprise Manager Portal.

Overview of Basic Firewall Services and Policies

You can create as many basic firewall services in the directory as you want. Table 24 shows the names of the services and policies associated with the basic firewall services in the sample data.

Table 24: Basic Firewall Services and Policies

Name of Service   Name of Policy Group   Function of Firewall
BrickWall         brickwall              Blocks all incoming and outgoing traffic
EmailAndWeb       emailweb               Blocks all incoming traffic and allows only outgoing e-mail and HTTP traffic
Multiservice      multiservice           Blocks all incoming traffic and allows outgoing e-mail, HTTP, FTP, telnet, and Real-Time Streaming Protocol (RTSP) traffic

The services are located under l=entJunos, o=Scopes, o=umc in the sample data.

The policies are located under ou=entJunos, o=Policies, o=umc in the sample data.

You can use these services and their associated policies as a starting point for developing your own basic firewall services.

Tasks to Configure Firewall Policies and Services

The tasks to configure policies and services for firewalls are:

  1. Configuring Basic Firewall Policies
  2. Configuring Basic Firewall Services
  3. For stateful firewalls:
       1. Reviewing the fwrule Policy Group for Exceptions to Stateful Firewalls
       2. Reviewing the Firewall Rule Service for Exceptions to Stateful Firewalls
  4. For stateless firewalls:
       1. Reviewing Services for Exceptions to Stateless Firewalls
       2. Parameter Values Used by Services for Exceptions to Stateless Firewalls
       3. Planning Services for Custom Firewall Exceptions
       4. Configuring Policies for Custom Firewall Exceptions
       5. Configuring Services for Custom Firewall Exceptions

Configuring Basic Firewall Policies

You can create policies from Policy Editor. For information about creating firewall policies, including prerequisites on the JUNOS routing platform, see SRC-PE Services and Policies Guide, Chapter 10, Configuring and Managing Policies with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 7, Using Policy Editor.

To create a basic firewall policy:

  1. Create a policy group and associated policy rules in ou=entjunos, o=Policies, o=umc.
  2. Specify a precedence for the policy rules.

All basic firewall policies should use similar precedence values, and those values must be higher than the range of precedences you configure for firewall exceptions. In the sample data, we use precedences of 600 and 601 for basic firewall policies.

Ensure that the precedence for basic firewall policies integrates with other policies that affect the same traffic. See Configuring Priorities for Stateless or Stateful Firewall Services.

For a sample basic firewall policy, see policyGroupName=brickwall, ou=entjunos, o=Policies, o=umc in the sample data.

Configuring Basic Firewall Services

You can create services from SDX Admin. For information about creating services in SDX Admin, see SRC-PE Services and Policies Guide, Chapter 10, Configuring and Managing Policies with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 7, Using Policy Editor.

To create a basic firewall service:

  1. Create a service.
  2. Specify the following values for the service:

This description will appear on the portal, and subscribers will use the description to select a firewall service. Although there is no upper limit for the length of this attribute, the portal will display the text in one paragraph.

For a sample firewall service, see serviceName=BrickWall, l=entJunos, o=Scopes, o=umc in the sample data.

Reviewing the fwrule Policy Group for Exceptions to Stateful Firewalls

The policy group policyGroupName=fwrule, ou=entJunos, o=Policies, o=umc is predefined in the sample data. Do not modify any settings or substitutions for this policy group.

Reviewing the Firewall Rule Service for Exceptions to Stateful Firewalls

The SRC sample data provides one service for firewall exceptions, serviceName=FirewallRule, l=entJunos, o=Scopes, o=umc, that is designed to work with Enterprise Manager Portal. Do not modify the definition for this service or its associated policy.

You can modify the allowed priority ranges for the service. See Configuring Priorities for Stateless or Stateful Firewall Services.

Each subscription to this service adds a rule to the stateful firewall. The FirewallRule service and its associated policy are general and contain many parameters, such as the priority of the firewall exception and the action that the firewall should take. IT managers supply actual values for these parameters through Enterprise Manager Portal.

You can modify the priority ranges for this policy group if necessary; do not modify any other settings. The values for these parameters must be lower than the precedence settings for the policy rules in the basic firewall policy groups. This distinction allows the firewall exception to take priority over the basic firewalls. In the sample data, the FirewallRule service has priorities in the range 500-579.
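The following Python model is an added illustration, not SRC software code. It shows why an exception's priority must sit below the basic firewall precedence (sample data: basic policies at 600/601, FirewallRule exceptions in 500-579): rules are evaluated lowest number first, so an exception for inbound e-mail from one address (the example at the top of this page) wins over a block-all policy only when its number is smaller. The rule fields reuse the parameter names from Table 26; the address values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

BASIC_FIREWALL_PRECEDENCE = 600   # sample data: basic firewall policies use 600 and 601
EXCEPTION_RANGE = (500, 579)      # sample data: FirewallRule priorities

@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int               # lower number = evaluated earlier = higher priority
    action: str                   # "forward" or "filter"
    fwProtocol: str = "any"       # parameter names follow Table 26
    fwSrcIp: str = "0.0.0.0/0"    # source network, CIDR
    fwDestPort: Optional[int] = None

def check_exception_priority(rule: Rule) -> bool:
    """Reject exception priorities outside the allowed range or at/above the basic
    firewall precedence, where the exception would never override the basic policy."""
    lo, hi = EXCEPTION_RANGE
    if not lo <= rule.precedence <= hi:
        raise ValueError(f"{rule.name}: priority {rule.precedence} not in {lo}-{hi}")
    if rule.precedence >= BASIC_FIREWALL_PRECEDENCE:
        raise ValueError(f"{rule.name}: cannot take priority over the basic firewall")
    return True

def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    return (rule.fwProtocol in ("any", proto)
            and ip_address(src) in ip_network(rule.fwSrcIp)
            and (rule.fwDestPort is None or rule.fwDestPort == dport))

def decide(rules: List[Rule], proto: str, src: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule in precedence order."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if matches(rule, proto, src, dport):
            return rule.action, rule.name
    return "filter", "<no rule>"   # assumption: treat unmatched traffic as dropped

# Constructed sample: brickwall basic policy plus one exception for SMTP from a partner host.
BRICKWALL = Rule("brickwall", 600, "filter")
SMTP_FROM_PARTNER = Rule("smtp-from-partner", 550, "forward", "tcp", "198.51.100.7/32", 25)
RULES = [BRICKWALL, SMTP_FROM_PARTNER]

if __name__ == "__main__":
    check_exception_priority(SMTP_FROM_PARTNER)
    print(decide(RULES, "tcp", "198.51.100.7", 25))   # ('forward', 'smtp-from-partner')
    print(decide(RULES, "tcp", "203.0.113.9", 25))    # ('filter', 'brickwall')
```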

Reviewing Services for Exceptions to Stateless Firewalls

Review the services that Enterprise Manager Portal requires to ensure that configuration of these services works in your environment. These services are firewall exceptions—services that define the types of traffic that a firewall admits or blocks.

Enterprise Manager Portal requires that specific services be configured to cover each of the following traffic actions:

These actions are required for each traffic direction; that is, traffic:

Table 25 lists the names of services required by Enterprise Manager Portal. The naming convention for the services specifies both action and direction; for example, for the FWR_Fwd_Out service:

Services configured to reject traffic return a "network-unreachable" ICMP message.

Table 25: Stateless Firewall Services in Sample Data

Traffic Action            Traffic Entering the Enterprise   Traffic Exiting from the Enterprise   Traffic Entering and Exiting the Enterprise
Traffic Allowed           FWR_Fwd_In                        FWR_Fwd_Out                           FWR_Fwd_Both
Traffic to Be Discarded   FWR_Filter_In                     FWR_Filter_Out                        FWR_Filter_Both
Traffic Rejected          FWR_Rej_In                        FWR_Rej_Out                           FWR_Rej_Both

The services are located under l=entJunosStatelessFW, o=Scopes, o=umc in the sample data. These services and the associated policies configured in the sample data are designed for a subscriber-facing interface on a provider edge device.

In most cases you can use the services as configured. If needed—for example, for a service provider-facing interface in a customer edge device—you can customize the services listed in Table 25, but do not change the names.

To customize services for an enterprise-facing interface, change the configuration for:

You can also create services that provide custom exceptions to a firewall. Portal users can select custom exceptions under Firewall actions on the Firewall page in Enterprise Manager Portal.

Parameter Values Used by Services for Exceptions to Stateless Firewalls

Table 26 lists the parameters for which Enterprise Manager Portal provides values. The parameter names start with "fw" (service's LDAP attribute parameterSubstitution). The services listed in Before You Configure Services for Enterprise Manager Portal use these parameters.

Table 26: Parameters for Stateless Firewall Services for Enterprise Manager Portal

To Specify This Value   Use This Parameter
Protocol                fwProtocol
Source network          fwSrcIp
Source port             fwSrcPort
Destination network     fwDestIp
Destination port        fwDestPort
TOS byte                fwTosByte
TOS byte mask           fwTosByteMask
TCP flags               fwTcpFlags
TCP flags mask          fwTcpFlagsMask
IP flags                fwIpFlags
IP flags mask           fwIpFlagsMask
Fragmentation offset    fwIpFragOffset
ICMP type               fwIcmpType
ICMP code               fwIcmpCode
Packet length           fwPacketLength

Planning Services for Custom Firewall Exceptions

Typically, you use custom exceptions to provide bandwidth management as well as firewall exceptions. Using custom exceptions that do both simplifies the way you integrate BoD and firewall services. For example, you can create custom exceptions to police traffic or to assign a traffic class to the traffic and to specify firewall behavior.

See examples of services for custom exceptions in the sample data:

The sample services and the associated policies are designed for a subscriber-facing interface on a provider edge device. When you create policies, policy direction (input or output) can map to incoming or outgoing traffic depending on whether the SRC-managed interface is a subscriber-facing interface on a service provider edge device or a service provider-facing interface on the customer edge device in an enterprise. When you configure policies for services designed for use through Enterprise Manager Portal, you typically assume that:

Configuring Policies for Custom Firewall Exceptions

You can create policies from Policy Editor. For information about creating policies in Policy Editor, see SRC-PE Services and Policies Guide, Chapter 10, Configuring and Managing Policies with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 7, Using Policy Editor. For information about managing policies, see SRC-PE Services and Policies Guide, Chapter 6, Policy Management Overview.

To configure a policy for a custom firewall exception:

  1. Create a stateless firewall policy group and associated policy rules.
  2. Specify parameters for the following properties for each policy rule:

For a sample policy, see policyGroupName=custom_policer, ou=entjunos_statelessfw, o=Policies, o=umc in the sample data.

Configuring Services for Custom Firewall Exceptions

You can create services from SDX Admin. For information about creating services in SDX Admin, see SRC-PE Services and Policies Guide, Chapter 1, Managing Services with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 5, Scheduling Services on a Solaris Platform. You can create services that take actions such as those listed in Table 25.

To configure a service for a custom firewall exception:

  1. Create a service for each traffic action listed in Table 25. Specify a name that provides meaningful information to a user, including information about the forwarding treatment for traffic. The name appears in the Firewall Action field on the Firewall tab in Enterprise Manager Portal.
  2. Specify the following values for the service:
  3. Specify substitutions for the service.

Configuring Priorities for Stateless or Stateful Firewall Services

If you design services to be accessed from Enterprise Manager Portal, you can configure ranges of priority values that are enterprise specific and ranges that are available to a number of enterprises. Setting the two ranges makes it possible for a service provider to specify firewall exceptions that an IT manager in an enterprise cannot override.

Configuring Priorities to Have Enterprise Services Work Together

You can configure the parameters in the following list as global parameters that apply to all subscribers, and as subscriber-specific parameters. If you configure both, the global range takes precedence over a subscriber-specific limit.

Ensure that:

Configuring Global Priority Ranges from Policy Editor

Before you configure the global priority range, make sure that the sample data for Enterprise Manager Portal is loaded. If the sample data is not available, you must create a parameter similar to fwEnterpriseMinPriority.

To configure priorities for firewall policy rules from Policy Editor:

  1. In Policy Editor, in the navigation pane select Parameters.
  2. Under Parameters, select a priority, such as fwEnterpriseMinPriority, and on the General tab change the value for Default Value.

Configuring Global Priority Ranges from SDX Admin

Before you configure the global priority range, make sure that the sample data for Enterprise Manager Portal is loaded. If the sample data is not available, you must create a parameter similar to fwEnterpriseMinPriority in Policy Editor.

To configure priorities for firewall services from SDX Admin:

  1. In SDX Admin, in the navigation pane select Parameters.
  2. Under Parameters, select a priority, such as fwEnterpriseMinPriority, and on the Main tab change the value for Default Value.

Configuring Priorities for Individual Scopes by Defining Them in Services

You can use parameters to limit priority ranges for services within a scope. For stateful firewall services, you set parameters to limit priority ranges in the FirewallRule service. For stateless firewall services, you set parameters to limit priority ranges in the FWR_Filter_Both service.

You can use parameters to limit priority ranges for services within a scope in addition to using global ranges. For example, you can define a global range, and then define a different range that overrides the global range for specified subscribers.

To allow priority values for services in one scope to override the priority values for services in another scope:

  1. In a service that resides in a service scope that has a low precedence (indicated by a higher number), define default values for the parameters that limit a priority range.
  2. Attach this scope to an entry at a high level in the subscriber folder; for example, to a retailer.
  3. Create a second scope that has a higher precedence.
  4. Create a service that uses parameters to limit priority ranges in the second scope.
  5. Attach the second scope (which has a higher precedence) to the enterprise.

The services with the higher precedence override the services with a lower precedence.
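As an added illustration (not SRC software code) of the procedure above, the following Python resolves the effective priority-range parameters for an enterprise when one scope is attached at the retailer level and a second, higher-precedence scope (lower number) is attached to the enterprise itself. fwEnterpriseMinPriority is the parameter named on this page; fwEnterpriseMaxPriority, the scope names and the numeric values are constructed assumptions.

```python
from typing import Dict, List, Tuple

# A scope: (name, precedence, default parameter values defined by its services).
# Lower precedence number = higher precedence, as in the procedure above.
Scope = Tuple[str, int, Dict[str, int]]

# Constructed sample: the subscriber folder path from the top level down.
SUBSCRIBER_PATH: List[str] = ["retailer", "acme_enterprise"]

# Constructed sample: which scopes are attached at which entry.
ATTACHMENTS: Dict[str, List[Scope]] = {
    "retailer": [("retailer_defaults", 200,
                  {"fwEnterpriseMinPriority": 500, "fwEnterpriseMaxPriority": 579})],
    "acme_enterprise": [("acme_override", 100,
                         {"fwEnterpriseMinPriority": 520})],   # narrows the lower bound only
}

def effective_parameters(path: List[str],
                         attachments: Dict[str, List[Scope]]) -> Dict[str, int]:
    """Collect every scope attached along the subscriber path and, for each
    parameter, keep the value from the scope with the highest precedence."""
    scopes = [s for entry in path for s in attachments.get(entry, [])]
    scopes.sort(key=lambda s: s[1])            # lowest number first
    resolved: Dict[str, int] = {}
    for _, _, params in scopes:
        for key, value in params.items():
            resolved.setdefault(key, value)    # first seen = highest precedence wins
    return resolved

def priority_allowed(priority: int, params: Dict[str, int]) -> bool:
    """Check an IT manager's requested exception priority against the resolved range."""
    return params["fwEnterpriseMinPriority"] <= priority <= params["fwEnterpriseMaxPriority"]

if __name__ == "__main__":
    params = effective_parameters(SUBSCRIBER_PATH, ATTACHMENTS)
    print(params)                       # {'fwEnterpriseMinPriority': 520, 'fwEnterpriseMaxPriority': 579}
    print(priority_allowed(510, params))  # False: below the enterprise override
```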

Using Stateless Firewall and BoD Applications Together

In most cases, you can use the services listed in Table 25 to provide bandwidth management and firewall support. However, if you want to design special services to have firewalls work with BoD services, use the following guidelines to design your services:

After all the BoD policy rules are applied, the stateless firewall policy rules are applied. Packets are forwarded or dropped as appropriate.