Security Policies for Logical Systems
Security policies control which traffic is permitted to pass through the firewall and how that traffic is handled, both within the company's LAN and in its interactions with external networks such as the Internet. Junos OS provides network security through its stateful firewall, application firewall, and user identity firewall; all three are enforced through security policies. For more information, see the following topics:
Understanding Logical Systems Security Policies
Security Policies in Logical Systems
Security policies enforce rules for what traffic can pass through the firewall and actions that need to take place on the traffic as it passes through the firewall. From the perspective of security policies, traffic enters one security zone and exits another security zone.
By default, a logical system denies all traffic in all directions, including intra-zone and inter-zone directions. Through the creation of security policies, the logical system administrator can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations.
Security policies can be configured in the primary logical system and in user logical systems. Configuring a security policy in a logical system is the same as configuring a security policy on a device that is not configured for logical systems. Any security policies, policy rules, address books, applications and application sets, and schedulers created within a logical system are only applicable to that logical system. Only predefined applications and application sets, such as junos-ftp, can be shared between logical systems.
In a logical system, you cannot specify global as either the from-zone or the to-zone in a security policy.
The user logical system administrator can configure and view all attributes for security policies in a user logical system. All attributes of a security policy in a user logical system are also visible to the primary administrator.
Starting in Junos OS Release 18.4R1, the user can create dynamic addresses within a logical system. A dynamic address entry contains IP addresses and prefixes extracted from external sources. A security policy can reference a dynamic address in its source-address or destination-address field.
A dynamic address entry (DAE) is a group of IP addresses that can be entered manually or imported from external sources within a logical system. The DAE feature allows feed-based IP objects to be used in security policies to either deny or allow traffic based on source or destination IP criteria.
The maximum number of DAEs depends on the dynamic-addresses assigned to the logical system. Starting in Junos OS Release 18.4R1, the set security dynamic-address feed-server command can be configured under the logical systems.
Application Timeouts
The application timeout value set for an application determines the session timeout. Application timeout behavior is the same in a logical system as at the root level. However, user logical system administrators can use predefined applications in security policies but cannot modify the timeout value of predefined applications. This is because the predefined applications are shared by the primary logical system and all user logical systems, so the user logical system administrator is not allowed to change their behavior. Application timeout values are stored in the application entry database and in the corresponding logical system TCP and UDP port-based timeout tables.
If the application that is matched for the traffic has a timeout value, that timeout value is used. Otherwise, the lookup proceeds in the following order until an application timeout value is found:
The logical system TCP and UDP port-based timeout table is searched for a timeout value.
The root TCP and UDP port-based timeout table is searched for a timeout value.
The protocol-based default timeout table is searched for a timeout value.
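The following configuration is an added example and is not part of the original topic. It is entered by the user logical system administrator of ls-product-design and reuses the zone and address names from the example later in this topic; the application names, ports, and timeout value are assumed. The application product-db carries an explicit inactivity-timeout, so that value becomes the session timeout for traffic matching policy db-access. The application product-api has no inactivity-timeout, so the session timeout for traffic matching policy api-access is resolved by the lookup order above: the logical system port-based table, then the root port-based table, then the protocol-based default.

```junos
# Entered as the user logical system administrator at the [edit] level of
# ls-product-design. Application names, ports and timeout are assumed.

# Custom application with its own inactivity timeout: sessions matching a
# policy that uses product-db time out after 3600 seconds of inactivity.
set applications application product-db protocol tcp destination-port 5432 inactivity-timeout 3600

# Custom application without an inactivity timeout: the session timeout is
# taken from the logical system TCP port table, then the root TCP port
# table, then the protocol-based default for TCP.
set applications application product-api protocol tcp destination-port 8443

set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy db-access match source-address product-designers
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy db-access match destination-address otherlsys
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy db-access match application product-db
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy db-access then permit

set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy api-access match source-address product-designers
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy api-access match destination-address otherlsys
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy api-access match application product-api
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy api-access then permit

# Policies in a zone pair are evaluated in order. If the broad
# permit-all-to-otherlsys policy (application any) from the example in this
# topic already exists, it would match first and shadow these policies, so
# move them ahead of it. Omit these two lines if that policy is not present.
insert security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy db-access before policy permit-all-to-otherlsys
insert security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy api-access before policy permit-all-to-otherlsys
```

The lines beginning with # are explanatory comments; remove them before pasting into the CLI. A predefined application such as junos-ftp can be referenced in the same way, but its timeout cannot be changed from a user logical system. The timeout applied to a live session can be read from the show security flow session command in operational mode.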
Security Policy Allocation
The primary administrator configures the maximum and reserved numbers of security policies for each user logical system. The user logical system administrator can then create security policies in the user logical system. From a user logical system, the user logical system administrator can use the show system security-profile policy command to view the number of security policies allocated to the user logical system.
The primary administrator can configure a security profile for the primary logical system that specifies the maximum and reserved numbers of security policies applied to the primary logical system. The number of policies configured in the primary logical system count toward the maximum number of policies available on the device.
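The following configuration is an added example and is not part of the original topic. It shows the primary administrator's side of this allocation for the ls-product-design user logical system used in the example in this topic; the profile names and quota values are assumed.

```junos
# Entered by the primary administrator at the root [edit] level.
# Profile names and quota values are assumed.

# ls-product-design is guaranteed 20 security policies and may create up to
# 100 when the device has spare capacity beyond all reserved quotas.
set system security-profile ls-product-design-profile policy maximum 100 reserved 20
set system security-profile ls-product-design-profile logical-system ls-product-design

# The primary logical system needs a profile of its own; the policies
# configured in it also count toward the device-wide maximum.
set system security-profile primary-profile policy maximum 200 reserved 50
set system security-profile primary-profile root-logical-system
commit

# Operational mode, from the primary logical system: policies used and
# allocated for one user logical system.
run show system security-profile policy logical-system ls-product-design
```

The lines beginning with # are explanatory comments; remove them before pasting into the CLI. A commit in the user logical system that would push the policy count above the configured maximum fails, so the quota is enforced at configuration time rather than when traffic arrives. From inside the user logical system, the logical system administrator checks the same numbers with show system security-profile policy.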
See Also
Example: Configuring Security Policies in a User Logical System
This example shows how to configure security policies for a user logical system.
Requirements
Before you begin:
Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.
Use the show system security-profile policy command to see the security policy resources allocated to the logical system.
Configure zones and address books. See Example: Configuring Security Zones for a User Logical System.
Overview
This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example configures the security policies described in Table 1.
Name | Configuration Parameters
---|---
permit-all-to-otherlsys | Permit the following traffic: from zone ls-product-design-trust to zone ls-product-design-untrust, source address product-designers, destination address otherlsys, any application.
permit-all-from-otherlsys | Permit the following traffic: from zone ls-product-design-untrust to zone ls-product-design-trust, source address otherlsys, destination address product-designers, any application.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys match source-address product-designers
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys match destination-address otherlsys
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys match application any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys then permit
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match source-address otherlsys
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match destination-address product-designers
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match application any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure security policies in a user logical system:
Log in to the user logical system as the logical system administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure
lsdesignadmin1@host:ls-product-design#
Configure a security policy that permits traffic from the ls-product-design-trust zone to the ls-product-design-untrust zone.
[edit security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust]
lsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys match source-address product-designers
lsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys match destination-address otherlsys
lsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys match application any
lsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys then permit
Configure a security policy that permits traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone.
[edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
lsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys match source-address otherlsys
lsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys match destination-address product-designers
lsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys match application any
lsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
lsdesignadmin1@host:ls-product-design# show security policies
from-zone ls-product-design-trust to-zone ls-product-design-untrust {
    policy permit-all-to-otherlsys {
        match {
            source-address product-designers;
            destination-address otherlsys;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone ls-product-design-untrust to-zone ls-product-design-trust {
    policy permit-all-from-otherlsys {
        match {
            source-address otherlsys;
            destination-address product-designers;
            application any;
        }
        then {
            permit;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Configuring Dynamic Address for Logical Systems
A dynamic address entry in a logical system provides dynamic IP address information to security policies. To use a dynamic address, you must specify its name, the feed it is populated from, and its properties within the logical system.
Read Example: Configuring Security Policies in a User Logical System to understand how and where this procedure fits into configuring the security policy.
To configure dynamic addresses in IPv4 networks within a logical system, first configure the security policies in the logical system:
Define the logical system name as LSYS1.
[edit]
user@host# set logical-systems LSYS1
Create a security policy as p1 that permits traffic from zone trust to zone untrust and configure the match condition.
[edit logical-systems LSYS1 security policies from-zone trust to-zone untrust]
user@host# set policy p1 match source-address any
user@host# set policy p1 match destination-address any
user@host# set policy p1 match application any
user@host# set policy p1 then permit
Confirm your configuration by entering the show logical-systems LSYS1 security policies command.
[edit]
user@host# show logical-systems LSYS1 security policies
from-zone trust to-zone untrust {
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
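The procedure above creates only the permit policy p1. As an added example that is not part of the original topic, the following configuration adds a feed-populated dynamic address entry to LSYS1 and references it in a deny policy for the opposite zone pair, which is the feed-based deny use described earlier in this topic. The feed server hostname, feed name, file path, polling intervals, and dynamic address and policy names are assumed; the feed file is expected to contain one IPv4 address or prefix per line.

```junos
# Entered by the primary administrator at the root [edit] level.
# Feed server, feed name, path, intervals and object names are assumed.

# Feed server and feed: the device fetches the file every 300 seconds and
# keeps the last good copy for 600 seconds if the server stops answering.
set logical-systems LSYS1 security dynamic-address feed-server threat-feed hostname feeds.example.com
set logical-systems LSYS1 security dynamic-address feed-server threat-feed update-interval 300
set logical-systems LSYS1 security dynamic-address feed-server threat-feed hold-interval 600
set logical-systems LSYS1 security dynamic-address feed-server threat-feed feed-name blocked-sources path /feeds/blocked-sources.txt

# Dynamic address entry whose members are taken from the feed.
set logical-systems LSYS1 security dynamic-address address blocked-sources profile feed-name blocked-sources

# Deny and log traffic from feed-listed sources entering the trust zone.
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy deny-blocked match source-address blocked-sources
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy deny-blocked match destination-address any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy deny-blocked match application any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy deny-blocked then deny
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy deny-blocked then log session-init
commit
```

The lines beginning with # are explanatory comments; remove them before pasting into the CLI. The dynamic address is referenced by name in source-address exactly like a static address-book entry; the difference is that its membership changes as the feed is refreshed, without a commit. If a permit policy for the same zone pair is added later, keep deny-blocked ahead of it, since policies in a zone pair are evaluated in order. The current members of the entry can be inspected with show security dynamic-address in operational mode.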