Configuring Firewall Policies and Services for Enterprise Manager Portal
The SRC software represents a JUNOS firewall as two types of SRC services:
- Basic firewall service—Defines the action that the firewall takes and specifies the types of traffic that the firewall affects.
- Services to provide firewall exceptions—Defines exception rules to block traffic that otherwise would be permitted to traverse the firewall, or to admit traffic that would otherwise be blocked. Exceptions specify criteria against which packets and application flows are inspected.
For example, to configure access that accepts e-mail only from a specific IP address, you can use a basic firewall service that blocks all incoming and outgoing traffic, and then a firewall exception that allows incoming e-mail traffic from that IP address.
The SRC software supports the following types of firewalls on JUNOS routing platforms:
- Stateless firewalls—Inspect each packet in isolation; do not evaluate the traffic flow.
- Stateful firewalls—Track traffic flows and conversations between applications, and evaluate this information when applying exception rules to the traffic.
An application is typically associated with a stateful firewall rule. After a flow or conversation meets the firewall criteria, packets in that flow can pass through the firewall. For example, when an FTP control connection requests a file download, the stateful firewall expects, and allows, the corresponding TCP data connection to start.
The same criteria are not necessarily applied to every packet. For example, for a TCP application, the criteria change when a new TCP session is initiated, so that subsequent packets in the flow are allowed.
You can make either stateless firewalls or stateful firewalls available from Enterprise Manager Portal.
Overview of Basic Firewall Services and Policies
You can create as many basic firewall services in the directory as you want. Table 24 shows the names of the services and policies associated with the basic firewall services in the sample data; the two sample services are described there as follows:
- Blocks all incoming traffic and allows only outgoing e-mail and HTTP traffic
- Blocks all incoming traffic and allows outgoing e-mail, HTTP, FTP, telnet, and Real-Time Streaming Protocol (RTSP) traffic
The services are located under l=entJunos, o=Scopes, o=umc in the sample data.
The policies are located under ou=entJunos, o=Policies, o=umc in the sample data.
You can use these services and their associated policies as a starting point for developing your own basic firewall services.
Tasks to Configure Firewall Policies and Services
The tasks to configure policies and services for firewalls are:
- Configuring Basic Firewall Policies
- Configuring Basic Firewall Services
- For stateful firewalls:
  - Reviewing the fwrule Policy Group for Exceptions to Stateful Firewalls
  - Reviewing the Firewall Rule Service for Exceptions to Stateful Firewalls
- Reviewing Services for Exceptions to Stateless Firewalls
- Parameter Values Used by Services for Exceptions to Stateless Firewalls
- Planning Services for Custom Firewall Exceptions
- Configuring Policies for Custom Firewall Exceptions
- Configuring Services for Custom Firewall Exceptions
Configuring Basic Firewall Policies
You can create policies from Policy Editor. For information about creating firewall policies, including prerequisites on the JUNOS routing platform, see SRC-PE Services and Policies Guide, Chapter 10, Configuring and Managing Policies with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 7, Using Policy Editor.
To create a basic firewall policy:
- Create a policy group and associated policy rules in ou=entjunos, o=Policies, o=umc.
- Specify a precedence for the policy rules.
  All basic firewall services should use similar precedence values, and those values must be higher than the range of precedences you configure for firewall exceptions. In the sample data, we use precedences of 600 and 601 for basic firewall policies.
  Ensure that the precedence for basic firewall policies integrates with other policies that affect the same traffic. See Configuring Priorities for Stateless or Stateful Firewall Services.
For a sample basic firewall policy, see policyGroupName=brickwall, ou=entjunos, o=Policies, o=umc in the sample data.
Configuring Basic Firewall Services
You can create services from SDX Admin. For information about creating services in SDX Admin, see SRC-PE Services and Policies Guide, Chapter 10, Configuring and Managing Policies with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 7, Using Policy Editor.
To create a basic firewall service, specify the following values for the service:
- Category—Text string basicFirewall (the service's LDAP attribute sspCategory)
- Description—Summary of what the firewall service does (the service's LDAP attribute description)
  This description appears on the portal, and subscribers use it to select a firewall service. Although there is no upper limit on the length of this attribute, the portal displays the text as a single paragraph.
For a sample firewall service, see serviceName=BrickWall, l=entJunos, o=Scopes, o=umc in the sample data.
Reviewing the fwrule Policy Group for Exceptions to Stateful Firewalls
The policy group policyGroupName=fwrule, ou=entJunos, o=Policies, o=umc is predefined in the sample data. Do not modify any settings or substitutions for this policy group.
Reviewing the Firewall Rule Service for Exceptions to Stateful Firewalls
The SRC sample data provides one service for firewall exceptions, serviceName=FirewallRule, l=entJunos, o=Scopes, o=umc, that is designed to work with Enterprise Manager Portal. Do not modify the definition for this service or its associated policy.
You can modify the allowed priority ranges for the service. See Configuring Priorities for Stateless or Stateful Firewall Services.
Each subscription to this service adds a rule to the stateful firewall. The FirewallRule service and its associated policy are general and contain many parameters, such as the priority of the firewall exception and the action that the firewall should take. IT managers supply actual values for these parameters through Enterprise Manager Portal.
You can modify the priority ranges for this policy group if necessary; do not modify any other settings. The values for these parameters must be lower than the precedence settings for the policy rules in the basic firewall policy groups. This distinction allows the firewall exception to take priority over the basic firewalls. In the sample data, the FirewallRule service has priorities in the range 500-579.
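The precedence relationship described above (basic firewall policy rules at 600 and 601, exception subscriptions in the 500-579 range, lower numbers evaluated first), as an added example that is not part of the SRC documentation or its sample data. It models a set of stateless firewall rules in Python and shows why an exception must carry a lower precedence number than the basic firewall to take effect. The `Packet`, `Rule`, `evaluate` and `exceptions_take_priority` names, the rule names, and all addresses and ports are constructed for illustration; none of them are SRC or JUNOS identifiers.

```python
# Added example (not from the SRC documentation): a small model of how policy
# rules ordered by precedence combine a basic firewall service with firewall
# exceptions. Lower precedence numbers are evaluated first, so exceptions in
# the 500-579 range take effect before the basic firewall rules at 600/601.
# All rule names, addresses and ports below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the enterprise, "out" = leaving it
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int              # lower number is evaluated first
    action: str                  # "accept", "discard" or "reject"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR prefix; None matches any source
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# Constructed basic firewall service, modelled on the sample data's "blocks all
# incoming traffic, allows outgoing e-mail and HTTP" service: accept rules at
# precedence 600 and a catch-all discard at 601.
BASIC_FIREWALL = [
    Rule("basic_out_smtp", 600, "accept", direction="out", proto="tcp", dport=25),
    Rule("basic_out_http", 600, "accept", direction="out", proto="tcp", dport=80),
    Rule("basic_default_discard", 601, "discard"),
]

# Constructed firewall exceptions inside the sample data's 500-579 range: admit
# incoming e-mail from one address, and reject incoming telnet (a reject
# service returns an ICMP network-unreachable message).
EXCEPTIONS = [
    Rule("exc_in_smtp_from_partner", 550, "accept", direction="in", proto="tcp",
         src="203.0.113.10/32", dport=25),
    Rule("exc_in_telnet_reject", 560, "reject", direction="in", proto="tcp", dport=23),
]

ALL_RULES = BASIC_FIREWALL + EXCEPTIONS


def evaluate(packet: Packet, rules):
    """Return (rule name, action) of the first matching rule in precedence order."""
    for rule in sorted(rules, key=lambda r: r.precedence):   # stable sort keeps ties in order
        if rule.matches(packet):
            return rule.name, rule.action
    return "implicit_discard", "discard"


def exceptions_take_priority(basic, exceptions) -> bool:
    """True if every exception precedence is lower (evaluated earlier) than every
    basic firewall precedence, which is what the configuration guidance requires."""
    return max(r.precedence for r in exceptions) < min(r.precedence for r in basic)


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.10", "10.1.1.25", 25),   # partner SMTP: exception
        Packet("in", "tcp", "198.51.100.7", "10.1.1.25", 25),   # other SMTP: basic discard
        Packet("out", "tcp", "10.1.1.50", "192.0.2.80", 80),    # outbound HTTP: basic accept
        Packet("in", "tcp", "198.51.100.7", "10.1.1.50", 23),   # inbound telnet: reject
    ]
    for p in samples:
        print(p.direction, p.proto, p.src, "->", p.dport, evaluate(p, ALL_RULES))
    print("exceptions precede basic firewall:",
          exceptions_take_priority(BASIC_FIREWALL, EXCEPTIONS))
```

If an exception were given a precedence of 650, `exceptions_take_priority` would return False and the catch-all discard at 601 would match first, which is exactly the misconfiguration the range guidance prevents.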
Reviewing Services for Exceptions to Stateless Firewalls
Review the services that Enterprise Manager Portal requires to ensure that configuration of these services works in your environment. These services are firewall exceptions—services that define the types of traffic that a firewall admits or blocks.
Enterprise Manager Portal requires that specific services be configured to cover each of the following traffic actions:
These actions are required for each traffic direction; that is, traffic:
Table 25 lists the names of services required by Enterprise Manager Portal. The naming convention for the services specifies both action and direction; for example, for the FWR_Fwd_Out service:
Services configured to reject traffic return a "network-unreachable" ICMP message.
The services are located under l=entJunosStatelessFW, o=Scopes, o=umc in the sample data. These services and the associated policies configured in the sample data are designed for a subscriber-facing interface on a provider edge device.
In most cases you can use the services as configured. If needed—for example, for a service provider-facing interface in a customer edge device—you can customize the services listed in Table 25, but do not change the names.
To customize services for an enterprise-facing interface, change the configuration for:
You can also create services that provide custom exceptions to a firewall. Portal users can select custom exceptions under Firewall actions on the Firewall page in Enterprise Manager Portal.
Parameter Values Used by Services for Exceptions to Stateless Firewalls
Table 26 lists the parameters for which Enterprise Manager Portal provides values. The parameter names start with "fw" (service's LDAP attribute parameterSubstitution). The services listed in Before You Configure Services for Enterprise Manager Portal use these parameters.
Planning Services for Custom Firewall Exceptions
Typically, you use custom exceptions to provide bandwidth management as well as firewall exceptions. Using custom exceptions that do both simplifies the way you integrate BoD and firewall services. For example, you can create custom exceptions to police traffic or to assign a traffic class to the traffic and to specify firewall behavior.
See examples of services for custom exceptions in the sample data:
- l=Limit1Mbs, l=entJunosStatelessFW, o=Scopes, o=umc
- l=Limit2Mbs, l=entJunosStatelessFW, o=Scopes, o=umc
- l=Limit5kbs, l=entJunosStatelessFW, o=Scopes, o=umc
The sample services and the associated policies are designed for a subscriber-facing interface on a provider edge device. When you create policies, policy direction (input or output) maps to incoming or outgoing traffic depending on whether the SRC-managed interface is a subscriber-facing interface on a service provider edge device or a service provider-facing interface on the customer edge device in an enterprise. When you configure policies for services designed for use through Enterprise Manager Portal, you typically assume that:
- Source IP addresses and ports are inside an enterprise
- Destination IP addresses and ports are outside an enterprise
Configuring Policies for Custom Firewall Exceptions
You can create policies from Policy Editor. For information about creating policies in Policy Editor, see SRC-PE Services and Policies Guide, Chapter 10, Configuring and Managing Policies with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 7, Using Policy Editor. For information about managing policies, see SRC-PE Services and Policies Guide, Chapter 6, Policy Management Overview.
To configure a policy for a custom firewall exception:
- Create a stateless firewall policy group and associated policy rules.
- Specify parameters for the following properties for each policy rule:
  - IP protocol
  - TOS byte in the IP header
  - Source IP addresses
  - Source TCP/UDP ports
  - Destination IP addresses
  - Destination TCP/UDP ports
  - TCP flags
  - IP flags (fragmentation flags)
  - Fragmentation offset
  - Packet length
  - ICMP type
  - ICMP code
For a sample policy, see policyGroupName=custom_policer, ou=entjunos_statelessfw, o=Policies, o=umc in the sample data.
Configuring Services for Custom Firewall Exceptions
You can create services from SDX Admin. For information about creating services in SDX Admin, see SRC-PE Services and Policies Guide, Chapter 1, Managing Services with the SRC CLI or SRC-PE Services and Policies Guide, Chapter 5, Scheduling Services on a Solaris Platform. You can create services that take actions such as those listed in Table 25.
To configure a service for a custom firewall exception:
- Create a service for each traffic action listed in Table 25. Specify a name that provides meaningful information to a user, including information about the forwarding treatment for traffic. The name appears in the Firewall Action field on the Firewall tab in Enterprise Manager Portal.
- Specify the following values for the service:
  - Category—customFWRule (the service's LDAP attribute sspCategory)
  - Policy Group—Policy group that supports custom firewall exceptions
Configuring Priorities for Stateless or Stateful Firewall Services
If you design services to be accessed from Enterprise Manager Portal, you can configure ranges of priority values that are enterprise specific and ranges that are available to a number of enterprises. Setting the two ranges makes it possible for a service provider to specify firewall exceptions that an IT manager in an enterprise cannot override.
Configuring Priorities to Have Enterprise Services Work Together
You can configure the parameters in the following list as global parameters that apply to all subscribers, and as subscriber-specific parameters. If you configure both, the global range takes precedence over a subscriber-specific limit.
- fwMinPriority—Specifies the lower limit of the range of precedences available for subscriptions to firewall exceptions.
- fwMaxPriority—Specifies the upper limit of the range of precedences available for subscriptions to firewall exceptions.
- fwEnterpriseMinPriority—Specifies the lower limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.
- fwEnterpriseMaxPriority—Specifies the upper limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.
Configure the values so that the following relationships hold:
- fwMaxPriority is greater than or equal to fwEnterpriseMaxPriority
- fwEnterpriseMaxPriority is greater than fwEnterpriseMinPriority
- fwEnterpriseMinPriority is greater than or equal to fwMinPriority
Configuring Global Priority Ranges from Policy Editor
Before you configure the global priority range, make sure that the sample data for Enterprise Manager Portal is loaded. If the sample data is not available, you must create a parameter similar to fwEnterpriseMinPriority.
To configure priorities for firewall policy rules from Policy Editor:
- In Policy Editor, in the navigation pane, select Parameters.
- Under Parameters, select a priority parameter, such as fwEnterpriseMinPriority, and on the General tab change the value of Default Value.
Configuring Global Priority Ranges from SDX Admin
Before you configure the global priority range, make sure that the sample data for Enterprise Manager Portal is loaded. If the sample data is not available, you must create a parameter similar to fwEnterpriseMinPriority in Policy Editor.
To configure priorities for firewall services from SDX Admin:
- In SDX Admin, in the navigation pane, select Parameters.
- Under Parameters, select a priority parameter, such as fwEnterpriseMinPriority, and on the Main tab change the value of Default Value.
Configuring Priorities for Individual Scopes by Defining Them in Services
You can use parameters to limit priority ranges for services within a scope. For stateful firewall services, you set parameters to limit priority ranges in the FirewallRule service. For stateless firewall services, you set parameters to limit priority ranges in the FRW_Filter_Both service.
You can use parameters to limit priority ranges for services within a scope in addition to using global ranges. For example, you can define a global range, and then define a different range that overrides the global range for specified subscribers.
To allow priority values for services in one scope to override the priority values for services in another scope:
- In a service that resides in a service scope that has a low precedence (indicated by a higher number), define default values for the parameters that limit a priority range.
- Attach this scope to an entry at a high level in the subscriber folder; for example, to a retailer.
- Create a second scope that has a higher precedence.
- Create a service that uses parameters to limit priority ranges in the second scope.
- Attach the second scope (which has a higher precedence) to the enterprise.
The services with the higher precedence override the services with a lower precedence.
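The two procedures above, Configuring Priorities to Have Enterprise Services Work Together (the four fw*Priority parameters and the relationships between them) and Configuring Priorities for Individual Scopes by Defining Them in Services (a higher-precedence scope overriding the defaults of a lower-precedence one), as one added example that is not part of the SRC documentation or its sample data. It assumes that the global fwMinPriority/fwMaxPriority range is the outer bound and that scope-level values narrow it, which is what the listed relationships require. The `Scope`, `resolve_parameters`, `validate_priority_ranges` and `exception_priority_allowed` names, the scope names and precedences, and the scope-level parameter values are constructed for illustration; only the 500-579 global range is taken from the sample data.

```python
# Added example (not from the SRC documentation): checks the relationships
# required between the four fw*Priority parameters and resolves which scope's
# range applies to an enterprise. Assumptions: the global range is the outer
# bound and scope-level values narrow it; scope names, precedences and the
# scope-level parameter values are constructed. Nothing here is an SRC API.
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_RELATIONSHIPS = [
    # (description, check), in the order the documentation lists them
    ("fwMaxPriority >= fwEnterpriseMaxPriority",
     lambda p: p["fwMaxPriority"] >= p["fwEnterpriseMaxPriority"]),
    ("fwEnterpriseMaxPriority > fwEnterpriseMinPriority",
     lambda p: p["fwEnterpriseMaxPriority"] > p["fwEnterpriseMinPriority"]),
    ("fwEnterpriseMinPriority >= fwMinPriority",
     lambda p: p["fwEnterpriseMinPriority"] >= p["fwMinPriority"]),
]


def validate_priority_ranges(params: Dict[str, int]) -> List[str]:
    """Return the relationships that are violated; an empty list means consistent."""
    return [desc for desc, check in PRIORITY_RELATIONSHIPS if not check(params)]


@dataclass(frozen=True)
class Scope:
    name: str
    precedence: int          # lower number = higher precedence, as on the page
    params: Dict[str, int]   # fw* parameter defaults defined in this scope's service


def resolve_parameters(global_defaults: Dict[str, int],
                       attached_scopes: List[Scope]) -> Dict[str, int]:
    """Start from the global defaults, then apply attached scopes from lowest to
    highest precedence so that the highest-precedence scope's values win."""
    resolved = dict(global_defaults)
    for scope in sorted(attached_scopes, key=lambda s: s.precedence, reverse=True):
        resolved.update(scope.params)
    return resolved


def exception_priority_allowed(priority: int, params: Dict[str, int]) -> bool:
    """True if a firewall exception subscription may use this priority value."""
    return params["fwEnterpriseMinPriority"] <= priority <= params["fwEnterpriseMaxPriority"]


# Constructed values. The global range mirrors the sample data's 500-579
# FirewallRule range; the scope-level values are invented for illustration.
GLOBAL_DEFAULTS = {
    "fwMinPriority": 500, "fwMaxPriority": 579,
    "fwEnterpriseMinPriority": 500, "fwEnterpriseMaxPriority": 579,
}
# Attached high in the subscriber folder (for example to a retailer): low precedence.
RETAILER_SCOPE = Scope("retailer_defaults", 200,
                       {"fwEnterpriseMinPriority": 520, "fwEnterpriseMaxPriority": 570})
# Attached to the enterprise itself: higher precedence, overrides the retailer scope.
ENTERPRISE_SCOPE = Scope("enterprise_override", 100,
                         {"fwEnterpriseMinPriority": 540, "fwEnterpriseMaxPriority": 560})


if __name__ == "__main__":
    for scopes in ([], [RETAILER_SCOPE], [RETAILER_SCOPE, ENTERPRISE_SCOPE]):
        p = resolve_parameters(GLOBAL_DEFAULTS, scopes)
        print([s.name for s in scopes], p["fwEnterpriseMinPriority"],
              p["fwEnterpriseMaxPriority"], "violations:", validate_priority_ranges(p))
    # A scope that pushes the enterprise maximum above the global maximum is rejected.
    bad = resolve_parameters(GLOBAL_DEFAULTS,
                             [Scope("too_wide", 50, {"fwEnterpriseMaxPriority": 590})])
    print("too_wide violations:", validate_priority_ranges(bad))
```

Running `validate_priority_ranges` on the resolved parameters after every scope change is the check to keep: a scope-level override that widens the enterprise range past the global range is how an IT manager could otherwise reach priorities the service provider intended to reserve.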
Using Stateless Firewall and BoD Applications Together
In most cases, you can use the services listed in Table 25 to provide bandwidth management and firewall support. However, if you want to design special services to have firewalls work with BoD services, use the following guidelines to design your services:
After all the BoD policy rules are applied, the stateless firewall policy rules are applied. Packets are forwarded or dropped as appropriate.