This topic describes how to configure zones to specify the kinds of traffic that can reach the device from systems that are directly connected to its interfaces.
Before You Begin: For background information, read Understanding Security Zones.
This feature allows you to protect the device against attacks launched from systems that are directly connected to any of its interfaces. It also lets you selectively configure the device so that administrators can manage it using certain applications on certain interfaces, while prohibiting other applications on the same or different interfaces of a zone. For example, you would most likely want to ensure that outsiders cannot use the Telnet application from the Internet to log in to the device, because you would not want them connecting to your system.
This topic covers:
Any host-inbound traffic that corresponds to a service listed under this option is allowed. For example, suppose a user whose system was directly connected to interface 1.3.1.4 in zone ABC wanted to telnet into interface 2.1.2.4 in zone ABC. For this action to be allowed, the telnet application must be configured as an allowed inbound service on both interfaces and a policy must permit the traffic transmission.
Table 66 lists the supported services. A value of all indicates that traffic from all of the following services is allowed inbound on the specified interfaces (of the zone, or a single specified interface).

Table 66: Supported System Services

| Supported System Services | | | |
|---|---|---|---|
| all | http | rpm | traceroute |
| bootp | https | rsh | xnm-clear-text |
| dhcp | ike | snmp | xnm-ssl |
| finger | netconf | snmp-trap | |
| ftp | ping | ssh | |
| ident-reset | rlogin | telnet | |
Note: All services listed in Table 66 (except DHCP and BOOTP) can be configured either per zone or per interface. A DHCP server is configured only per interface because the server must know the incoming interface to be able to send out DHCP replies.
To configure zones to allow use of supported application services as inbound services, use either J-Web or the CLI configuration editor.
To configure the ABC zone to allow use of all the supported application services as inbound services using the J-Web configuration editor:
To enable FTP and telnet for interfaces such as ge-0/0/1.3 and ge-0/0/1:
To enable FTP and telnet for interface ge-0/0/1.3 and only SNMP for interface ge-0/0/1.1:
To allow all configurable system services on the interface ge-0/0/1.3, except Telnet:
To configure the ABC zone to allow use of all of the supported application services as inbound services, enter the following statements in Configure mode:
In the following example, FTP and telnet are enabled for interfaces ge-0/0/1.3 and ge-0/0/1. You must configure FTP and telnet at the interface level, not the zone level. For incoming FTP and telnet requests to be recognized, the interface must be known to the server.
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services telnet
In the following example, FTP and telnet are enabled for interface ge-0/0/1.3 and only SNMP is enabled for interface ge-0/0/1.1.
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services snmp
You can use the all option to allow all configurable system services and use the except option to exclude certain services. In this example, all configurable system services are permitted on interface ge-0/0/1.3, except Telnet.
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services all
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet except
In the following example, all configurable system services are permitted on interface ge-0/0/1.1, except HTTP and FTP.
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services all
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services http except
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ftp except
In the following example, telnet and FTP are enabled for security zone ABC/interface ge-0/0/1.1, but there is an interface override that takes priority and only SNMP is allowed on interface ge-0/0/1.3.
- user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
If you are finished configuring the device, commit the configuration.
Another view of the previous configuration:
    security zones security-zone ABC {
        host-inbound-traffic {
            system-services {
                telnet;
                ftp;
            }
        }
        interfaces {
            ge-0/0/1.1;
            ge-0/0/1.3 {
                host-inbound-traffic {
                    system-services {
                        snmp;
                    }
                }
            }
        }
    }
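The following is an added example, not code from the JUNOS documentation: a small Python evaluator that reads set statements in the form used above and works out which system services each interface actually accepts, applying the all/except expansion and the rule that an interface-level list overrides the zone-level list, and flagging dhcp/bootp configured at zone level (interface-only, per the note under Table 66). The SERVICES set is taken from Table 66; the assumption that all expands to exactly that set, and the sample statements, are constructed for the example.

```python
import re

# Services from Table 66; "all" is assumed to expand to every one of these.
SERVICES = {"bootp", "dhcp", "finger", "ftp", "http", "https", "ident-reset",
            "ike", "netconf", "ping", "rlogin", "rpm", "rsh", "snmp", "snmp-trap",
            "ssh", "telnet", "traceroute", "xnm-clear-text", "xnm-ssl"}
INTERFACE_ONLY = {"dhcp", "bootp"}  # per the note under Table 66

SET_RE = re.compile(r"^set security zones security-zone (\S+)(?: interfaces (\S+))?"
                    r" host-inbound-traffic system-services (\S+)( except)?$")

# Constructed sample input: the zone-override scenario from the page's last example.
SAMPLE = """
set security zones security-zone ABC host-inbound-traffic system-services telnet
set security zones security-zone ABC host-inbound-traffic system-services ftp
set security zones security-zone ABC interfaces ge-0/0/1.1
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
""".strip().splitlines()

def parse(lines):
    """{zone: {"zone": [(svc, is_except)], "ifaces": {ifname: [(svc, is_except)]}}}"""
    cfg = {}
    for m in filter(None, (SET_RE.match(line.strip()) for line in lines)):
        zone, iface, svc, exc = m.groups()
        z = cfg.setdefault(zone, {"zone": [], "ifaces": {}})
        target = z["ifaces"].setdefault(iface, []) if iface else z["zone"]
        target.append((svc, exc is not None))
    return cfg

def expand(entries):
    """'all' adds every Table 66 service; '<svc> except' removes it again."""
    allowed, excepted = set(), set()
    for svc, exc in entries:
        if exc:
            excepted.add(svc)
        else:
            allowed |= SERVICES if svc == "all" else {svc}
    return allowed - excepted

def effective(cfg, zone, iface):
    """An interface-level system-services list overrides the zone-level list entirely."""
    z = cfg[zone]
    return expand(z["ifaces"].get(iface) or z["zone"])

def zone_level_violations(cfg):
    """dhcp/bootp must be set per interface; the server needs the ingress interface."""
    return {zone: sorted(s for s, _ in z["zone"] if s in INTERFACE_ONLY)
            for zone, z in cfg.items() if any(s in INTERFACE_ONLY for s, _ in z["zone"])}
```

Running effective(parse(SAMPLE), "ABC", ifname) for ge-0/0/1.1 yields the zone-level telnet and ftp, while ge-0/0/1.3 yields only snmp, matching the override described above.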
For more information on host-inbound traffic parameters, see the JUNOS Software CLI Reference.