[j-nsp] Firewall best practices

Ben Dale bdale at comlinx.com.au
Mon Jun 11 20:04:42 EDT 2012


Hi Morgan,

> I have a question regarding managing policies among multiple sets of
> firewalls. I don't know what industry standard / best practice is for
> managing rules among multiple devices.


If there is an industry standard, no one in any industry I've worked with is aware of it ; )

> I don't know what the best way to manage the firewall rules is between
> these sites. I don't think it's sustainable to write the same rule on site A
> core, site A edge, site B edge, site B core. And then managing the address
> book entries on every device also becomes a hassle, making sure it's
> all synchronized etc. Is there a better method of doing this?


Tools like NSM are supposed to make this easier, however it comes with the requirement that you understand its workflow and don't deviate too far from it.  Junos Space Security Design 12.1 is also worth a look now, especially for the policy management side of things, but neither is a panacea yet though : (

If you're more CLI-focussed, then from Junos 11.1 you can define stand-alone (e.g. portable) address-books, which can then be bound to specific security zones, e.g.:

set security address-book DMZ-HOSTS-AB address HOST-A 172.16.10.1/32
set security address-book DMZ-HOSTS-AB address HOST-B 172.16.10.2/32
set security address-book DMZ-HOSTS-AB address HOST-C 172.16.10.3/32

You can then copy and paste this into all of your firewalls, then bind it to the appropriate zone, e.g.:

On the SRX the DMZ is attached to:

set security address-book DMZ-HOSTS-AB attach zone DMZ

On the SRX at a remote site:

set security address-book DMZ-HOSTS-AB attach zone WAN

What would really help though is if Junos allowed multiple address-books to be bound to a single zone - that way, SRXs buried deeper in your network would have access to all address-book entries on a single upstream zone with very little configuration management.  I'm sure this concept would make tools like Space and NSM easier to use as well - Juniper SRX PLMs are you listening out there?  SAVE US!

Cheers,

Ben

On 12/06/2012, at 9:18 AM, Morgan McLean wrote:

> 
> 
> I don't even want to think about what happens if I want traffic from the
> office to route through site A in order to reach site B in the event of a
> VPN issue between the office and site B directly.
> 
> Is there a good method for keeping these things managed, like only having
> the edge firewall for site A manage incoming connections, and let the other
> site's edge firewall deal with site A's outgoing connections, etc?
> 
> I'm a mess. If we add two more sites my head might explode.
> 
> Morgan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
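The approach Ben describes above (one portable address-book pasted identically into every SRX, then attached to whichever zone is appropriate on each box) is easiest to keep consistent if the address-book is generated from a single source of truth rather than hand-edited per device. The script below is an added example, not code from the original post or from Juniper: the host names, addresses, the DMZ-WEB address-set and the two device/zone pairs are constructed for illustration, and only the `set security address-book ...` syntax comes from the thread. It also catches the easy slip of a host entry with host bits set behind a network mask (e.g. `172.16.10.1/24`), which Junos treats as a network rather than the single host the name suggests.

```python
"""Render a shared Junos address-book plus a per-device 'attach zone' line.

Added example (not from the original mailing-list post). BOOK_NAME,
ADDRESS_BOOK, ADDRESS_SETS and DEVICE_ZONE are constructed sample data.
"""
import ipaddress

# Single source of truth: one portable address-book shared by every SRX.
BOOK_NAME = "DMZ-HOSTS-AB"
ADDRESS_BOOK = {                      # constructed sample hosts, /32 each
    "HOST-A": "172.16.10.1/32",
    "HOST-B": "172.16.10.2/32",
    "HOST-C": "172.16.10.3/32",
}
ADDRESS_SETS = {                      # constructed: a set grouping two hosts
    "DMZ-WEB": ["HOST-A", "HOST-B"],
}
# Junos attaches at most ONE address-book to a zone, so each device binds
# the shared book to exactly one zone (dict key = device, value = zone).
DEVICE_ZONE = {                       # constructed device names
    "srx-siteA-core": "DMZ",          # the SRX the DMZ hangs off
    "srx-siteB-edge": "WAN",          # a remote site reaching the DMZ via WAN
}


def validate_book(book, sets=None):
    """Return a list of problems: prefixes with host bits set (the
    172.16.10.1/24 slip) and address-set members that are not in the book."""
    errors = []
    for name, prefix in book.items():
        try:
            ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            errors.append(f"{name}: {prefix} has host bits set")
    for set_name, members in (sets or {}).items():
        for member in members:
            if member not in book:
                errors.append(f"address-set {set_name}: unknown address {member}")
    return errors


def render_book(book_name=BOOK_NAME, book=ADDRESS_BOOK, sets=ADDRESS_SETS):
    """The common set-commands, byte-for-byte identical on every firewall."""
    lines = [f"set security address-book {book_name} address {name} {prefix}"
             for name, prefix in book.items()]
    for set_name, members in sets.items():
        lines += [f"set security address-book {book_name} address-set {set_name} address {m}"
                  for m in members]
    return lines


def render_device(zone, book_name=BOOK_NAME):
    """Shared book plus the one device-specific line: which zone it binds to."""
    return render_book(book_name) + [
        f"set security address-book {book_name} attach zone {zone}"
    ]


def render_all(device_zone=DEVICE_ZONE):
    """Map device name -> list of set commands to paste into that SRX."""
    errors = validate_book(ADDRESS_BOOK, ADDRESS_SETS)
    if errors:
        raise ValueError("; ".join(errors))
    return {device: render_device(zone) for device, zone in device_zone.items()}


if __name__ == "__main__":
    for device, commands in render_all().items():
        print(f"# {device}")
        print("\n".join(commands), end="\n\n")
```

Everything except the final `attach zone` line is identical across devices, which is exactly what makes the book portable; if you later need the same hosts visible from a second zone on one box, add another `attach zone` line for that device rather than a second book, since a zone can only hold one book.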
