Thought I’d document the rough process for securing access to the management interface of a new SRX device.
Let's go through the steps:
First, let's get rid of clear-text HTTP and Telnet access, then enable SSH and HTTPS only on the interfaces we need. While you are in `system services ssh`, consider `root-login deny`, `protocol-version v2` and a `rate-limit` as well — but create a non-root super-user first, because the session shown below is running as root:
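# Step 1: remove clear-text management (HTTP, Telnet) and enable SSH and HTTPS.
# HTTPS is bound to ae0.0 only here; check 'show configuration system services'
# afterwards, because any interface already listed under web-management https
# stays enabled (the verification output below shows vlan.0 and fe-0/0/0.0 too).
delete system services web-management http
delete system services telnet
set system services ssh
set system services web-management https interface ae0.0
# Optional SSH hardening (create a non-root super-user before denying root login):
#   set system services ssh root-login deny
#   set system services ssh protocol-version v2
#   set system services ssh rate-limit 5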
Next, let's permit this host-inbound traffic in the zone our interface is bound to. Zone-level permits apply to every interface in the zone; the per-interface form (`... security-zone untrust interfaces ae0.0 host-inbound-traffic system-services ssh`), which also appears in the verification output below, is tighter if more interfaces join the zone later:
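# Step 2: allow SSH/HTTPS to reach the Routing Engine via the untrust zone.
# These are zone-level permits: they apply to every interface placed in
# 'untrust', now or later. Scoping them to the interface instead
# (set security zones security-zone untrust interfaces ae0.0 host-inbound-traffic
#  system-services ssh) limits the exposure to ae0.0 only.
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https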
And now create a prefix-list defining the only hosts we want to be able to manage the SRX from (keep this to jump hosts / management networks, not whole office ranges):
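# Step 3: the only sources allowed to reach SSH/HTTPS on the box.
# One prefix-list may hold IPv4 and IPv6 entries; the inet filter uses only
# the IPv4 entries and the inet6 filter only the IPv6 entries.
set policy-options prefix-list management-hosts 192.0.2.0/24
set policy-options prefix-list management-hosts 203.0.113.64/27
set policy-options prefix-list management-hosts 2001:0DB8:100::/64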
Now create firewall filters (one per address family) that discard TCP 22 and 443 from any source not in the prefix-list and accept everything else. Note that this only restricts the two management ports; every other service reachable on the Routing Engine is still governed solely by the zones' host-inbound-traffic settings:
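# Step 4: stateless Routing Engine filters.
# Term block_unauthorised matches any source (0/0) EXCEPT management-hosts,
# TCP to 22/443, and discards it. accept_default passes everything else, so
# other RE services remain governed only by zone host-inbound-traffic.
# 'count' makes dropped attempts visible via
# 'show firewall filter filter-management'; add 'syslog' to log them as well.
set firewall family inet filter filter-management term block_unauthorised from source-address 0.0.0.0/0
set firewall family inet filter filter-management term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet filter filter-management term block_unauthorised from protocol tcp
set firewall family inet filter filter-management term block_unauthorised from destination-port [ ssh https ]
set firewall family inet filter filter-management term block_unauthorised then count blocked-management
set firewall family inet filter filter-management term block_unauthorised then discard
set firewall family inet filter filter-management term accept_default then accept
# IPv6 counterpart. 'next-header tcp' mirrors 'protocol tcp' above so the port
# match is TCP-only; the original lacked it and misspelled the final term
# (accept_detault), which the device output below shows as accept_default.
set firewall family inet6 filter filter-management6 term block_unauthorised from source-address ::/0
set firewall family inet6 filter filter-management6 term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet6 filter filter-management6 term block_unauthorised from next-header tcp
set firewall family inet6 filter filter-management6 term block_unauthorised from destination-port [ ssh https ]
set firewall family inet6 filter filter-management6 term block_unauthorised then count blocked-management6
set firewall family inet6 filter filter-management6 term block_unauthorised then discard
set firewall family inet6 filter filter-management6 term accept_default then accept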
Finally, attach the filters to the loopback interface. An input filter on lo0 is evaluated for all traffic destined to the Routing Engine, whichever interface or zone it arrives on, so the restriction covers the trust zone as well as untrust:
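# Step 5: attach the filters as input filters on lo0. Traffic addressed to the
# Routing Engine from any interface or zone passes the lo0 input filter, so the
# management restriction holds for hosts in 'trust' too, not just 'untrust'.
set interfaces lo0 unit 0 family inet filter input filter-management
set interfaces lo0 unit 0 family inet6 filter input filter-management6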
A quick check of the configuration should confirm something like this. Two things to look at in the output: the HTTPS interface list also contains vlan.0 and fe-0/0/0.0, which step 1 never added (delete them if you do not manage the box over those interfaces), and the HTTPS certificate is self-signed:
root@SRX-FW011> show configuration system services
# Only SSH and HTTPS remain; HTTP and Telnet are gone.
# No SSH hardening knobs are set here (root-login, rate-limit, connection-limit).
ssh;
web-management {
    https {
        # Self-signed certificate: clients cannot validate it, so a CA-issued
        # local-certificate is preferable outside a lab.
        system-generated-certificate;
        # Step 1 only added ae0.0; vlan.0 and fe-0/0/0.0 were already present
        # (presumably factory default -- verify) and are still listening on 443.
        interface [ vlan.0 fe-0/0/0.0 ae0.0 ];
    }
}
root@SRX-FW011> show configuration security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            # Every RE service is reachable from trust. The lo0 filter still
            # limits SSH/HTTPS here to management-hosts; nothing else is filtered.
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
    }
}
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ping;
            # Zone-level SSH/HTTPS from step 2: applies to every interface in
            # this zone, including any added later.
            ssh;
            https;
        }
        protocols {
            bgp;
        }
    }
    interfaces {
        ae0.0 {
            # Interface-level list; it takes precedence over the zone-level
            # list for ae0.0, so with only this entry the zone-level ssh/https
            # above is redundant and could be dropped to tighten the zone.
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                }
            }
        }
    }
}
root@SRX-FW011> show configuration policy-options
# Management sources for both address families in one list: the inet filter
# uses only the IPv4 entries, the inet6 filter only the IPv6 entry.
prefix-list management-hosts {
    192.0.2.0/24;
    203.0.113.64/27;
    2001:0DB8:100::/64;
}
root@SRX-FW011> show configuration firewall
family inet {
    filter filter-management {
        # Any IPv4 source minus management-hosts, TCP to 22/443 -> discard.
        # There is no count/log/syslog action, so blocked attempts leave no trace.
        term block_unauthorised {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    management-hosts except;
                }
                protocol tcp;
                destination-port [ ssh https ];
            }
            then {
                discard;
            }
        }
        # Everything else bound for the RE is accepted: this is a management-port
        # restriction, not a full RE-protect filter.
        term accept_default {
            then accept;
        }
    }
}
family inet6 {
    filter filter-management6 {
        term block_unauthorised {
            from {
                source-address {
                    ::/0;
                }
                source-prefix-list {
                    management-hosts except;
                }
                # Unlike the inet term there is no 'next-header tcp' here, so the
                # port match is not limited to TCP; add it for parity.
                destination-port [ ssh https ];
            }
            then discard;
        }
        term accept_default {
            then accept;
        }
    }
}
root@SRX-FW011> show configuration interfaces lo0
# Input filters on lo0 see all traffic addressed to the Routing Engine,
# regardless of the ingress interface or zone.
unit 0 {
    family inet {
        filter {
            input filter-management;
        }
    }
    family inet6 {
        filter {
            input filter-management6;
        }
    }
}
If it all looks good, we can commit. Because this change can lock you out of your own management session, use `commit confirmed` so the configuration rolls back automatically if you lose access, then confirm with a plain `commit` once you have verified you can still connect:
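# Validate first, then commit with a rollback timer: if the new lo0 filter or
# zone change cuts off the management session, the candidate is reverted
# automatically after 10 minutes.
commit check
commit confirmed 10
# Re-connect over SSH/HTTPS from a management host to prove access still works,
# then make the change permanent within the 10-minute window:
commit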