[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Secure Context Configuration Settings

The following factory configuration settings are defined for secure context:

The built-in Gigabit Ethernet interface ge-0/0/0 is bound to a preconfigured zone called “trust.” All other interfaces are bound to a preconfigured zone named “untrust.”
The ge-0/0/0 interface is configured to allow management access with SSH and HTTP services enabled. The following host-inbound services are configured for the ge-0/0/0 interface in the trust zone:
- HTTP
- HTTPS
- SSH
- DHCP
For the trust zone, TCP reset is enabled. The default policy for the trust zone allows transmission of traffic from the trust zone to the untrust zone. All traffic within the trust zone is allowed.
A screen is applied to a zone to protect against attacks launched from within the zone. The following screens are enabled for the untrust zone:
- ICMP ping-of-death
- IP source route options
- IP teardrop
- TCP land attack
- TCP SYN flood with the following settings:
  - Alarm threshold of 1024 half-complete proxy connections per second
  - Attack threshold of 200 SYN packets per second
  - Source threshold of 1024 SYN segments the router can receive per second
  - Destination threshold of 2048 SYN segments received per second
  - Queue size of 2000 proxy connection requests
  - Timeout of 20 seconds
The default policy for the untrust zone is to deny all traffic.

Secure context configuration values are defined as follows:



system {


autoinstallation {
delete-upon-commit;


traceoptions { 
level verbose;


flag { 
all;
}


}


}




services { 
ssh;


web-management { 


http { 
interface [ ge-0/0/0.0 ]; 
}


}


}




syslog { 


user * {
any emergency;
}




file messages {
any any;
authorization info;
}




file interactive-commands {
interactive-commands any;
}


}


}
interfaces { 


ge-0/0/0 { 
unit 0;
}


}
security { 


screen { 


ids-option untrust-screen {


icmp { 
ping-death; 
}




ip {
source-route-option; 
tear-drop; 
}




tcp { 


syn-flood { 
alarm-threshold 1024; 
attack-threshold 200; 
source-threshold 1024; 
destination-threshold 2048; 
queue-size 2000; 
timeout 20;
}


land;
}


}


}




zones { 


security-zone trust { 
tcp-rst; 


interfaces { 


ge-0/0/0.0 { 


host-inbound-traffic { 


system-services { 
http; 
https; 
ssh; 
dhcp; 
}


}


}


}


}




security-zone untrust { 
screen untrust-screen;
}


}




policies { 


from-zone trust to-zone trust { 


policy default-permit { 


match { 
source-address any;
destination-address any; 
application any; 
}




then { 
permit;
}


}




}




from-zone trust to-zone untrust { 


policy default-permit { 


match { 
source-address any;
destination-address any; 
application any; 
}




then { 
permit;
}


}


}




from-zone untrust to-zone trust { 


policy default-deny { 


match { 
source-address any;
destination-address any; 
application any; 
}




then { 
deny;
}


}


}


}

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]