Difference between junos-host zone and a security zone
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
As far as security zones are concerned, we apply policies to it to control the transit traffic.
And we also apply host-inbound-traffic to a zone or interfaces.
If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
Please help to correct me if im wrong somewhere or am missing something.
This whole concept of junos-host zone and security zones along with policies is confusing.
juniper security juniper-junos juniper-srx traffic
asked Nov 21 at 6:37
RRHS
79116
add a comment |
up vote
2
down vote
favorite
As far as security zones are concerned, we apply policies to it to control the transit traffic.
And we also apply host-inbound-traffic to a zone or interfaces.
If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
Please help to correct me if im wrong somewhere or am missing something.
This whole concept of junos-host zone and security zones along with policies is confusing.
juniper security juniper-junos juniper-srx traffic
asked Nov 21 at 6:37
RRHS
79116
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
As far as security zones are concerned, we apply policies to it to control the transit traffic.
And we also apply host-inbound-traffic to a zone or interfaces.
If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
Please help to correct me if im wrong somewhere or am missing something.
This whole concept of junos-host zone and security zones along with policies is confusing.
juniper security juniper-junos juniper-srx traffic
asked Nov 21 at 6:37
RRHS
79116
As far as security zones are concerned, we apply policies to it to control the transit traffic.
And we also apply host-inbound-traffic to a zone or interfaces.
If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
Please help to correct me if im wrong somewhere or am missing something.
This whole concept of junos-host zone and security zones along with policies is confusing.
juniper security juniper-junos juniper-srx traffic
juniper security juniper-junos juniper-srx traffic
asked Nov 21 at 6:37
RRHS
79116
asked Nov 21 at 6:37
RRHS
79116
asked Nov 21 at 6:37
RRHS
79116
asked Nov 21 at 6:37
RRHS
79116
asked Nov 21 at 6:37
RRHS
79116
79116
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
2
down vote
accepted
Junos-host zone can be used to add an additional check for traffic
destined to SRX. If you don't configure any security policy to-zone
junos-host, the traffic/packet will be validated based on
host-inbound-trafficconfigured under security zones. If you
configure security policy to-zone junos-host, that policy check will
be done additionaly to host-inbound-traffic/services specified under
zones.
For example, if you allow SSH/Telnet/OSPF under interface
ge-0/0/0.0, but configure a security policy to-zone junos-host
allowing SSH, then Telnet/OSPF wont work. Only SSH will work.
More to read:
Link-1
Link-2
Inbound packet will pass in this order:
- Input interface filter, if set
- Zone
host-inbound-traffic - Zone-to-Zone policy
If traffic passed on 1 step, it can be still denied on 2 or 3.
Assume:
- No interface filter applied
host-inbound-trafficset tosystem-services ssh- Policy from zone zone1 to-zone junos-host allows only ICMP ping
As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
– RRHS
Nov 21 at 9:07
junos-hostit's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
– Andrey Prokhorov
Nov 21 at 9:42
Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
– RRHS
Nov 21 at 11:31
@RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
– Andrey Prokhorov
Nov 21 at 12:20
Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
– RRHS
Nov 22 at 13:59
|
show 2 more comments
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
Junos-host zone can be used to add an additional check for traffic
destined to SRX. If you don't configure any security policy to-zone
junos-host, the traffic/packet will be validated based on
host-inbound-trafficconfigured under security zones. If you
configure security policy to-zone junos-host, that policy check will
be done additionaly to host-inbound-traffic/services specified under
zones.
For example, if you allow SSH/Telnet/OSPF under interface
ge-0/0/0.0, but configure a security policy to-zone junos-host
allowing SSH, then Telnet/OSPF wont work. Only SSH will work.
More to read:
Link-1
Link-2
Inbound packet will pass in this order:
- Input interface filter, if set
- Zone
host-inbound-traffic - Zone-to-Zone policy
If traffic passed on 1 step, it can be still denied on 2 or 3.
Assume:
- No interface filter applied
host-inbound-trafficset tosystem-services ssh- Policy from zone zone1 to-zone junos-host allows only ICMP ping
As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
– RRHS
Nov 21 at 9:07
junos-hostit's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
– Andrey Prokhorov
Nov 21 at 9:42
Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
– RRHS
Nov 21 at 11:31
@RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
– Andrey Prokhorov
Nov 21 at 12:20
Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
– RRHS
Nov 22 at 13:59
|
show 2 more comments
up vote
2
down vote
accepted
Junos-host zone can be used to add an additional check for traffic
destined to SRX. If you don't configure any security policy to-zone
junos-host, the traffic/packet will be validated based on
host-inbound-trafficconfigured under security zones. If you
configure security policy to-zone junos-host, that policy check will
be done additionaly to host-inbound-traffic/services specified under
zones.
For example, if you allow SSH/Telnet/OSPF under interface
ge-0/0/0.0, but configure a security policy to-zone junos-host
allowing SSH, then Telnet/OSPF wont work. Only SSH will work.
More to read:
Link-1
Link-2
Inbound packet will pass in this order:
- Input interface filter, if set
- Zone
host-inbound-traffic - Zone-to-Zone policy
If traffic passed on 1 step, it can be still denied on 2 or 3.
Assume:
- No interface filter applied
host-inbound-trafficset tosystem-services ssh- Policy from zone zone1 to-zone junos-host allows only ICMP ping
As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
– RRHS
Nov 21 at 9:07
junos-hostit's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
– Andrey Prokhorov
Nov 21 at 9:42
Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
– RRHS
Nov 21 at 11:31
@RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
– Andrey Prokhorov
Nov 21 at 12:20
Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
– RRHS
Nov 22 at 13:59
|
show 2 more comments
up vote
2
down vote
accepted
up vote
2
down vote
accepted
Junos-host zone can be used to add an additional check for traffic
destined to SRX. If you don't configure any security policy to-zone
junos-host, the traffic/packet will be validated based on
host-inbound-trafficconfigured under security zones. If you
configure security policy to-zone junos-host, that policy check will
be done additionaly to host-inbound-traffic/services specified under
zones.
For example, if you allow SSH/Telnet/OSPF under interface
ge-0/0/0.0, but configure a security policy to-zone junos-host
allowing SSH, then Telnet/OSPF wont work. Only SSH will work.
More to read:
Link-1
Link-2
Inbound packet will pass in this order:
- Input interface filter, if set
- Zone
host-inbound-traffic - Zone-to-Zone policy
If traffic passed on 1 step, it can be still denied on 2 or 3.
Assume:
- No interface filter applied
host-inbound-trafficset tosystem-services ssh- Policy from zone zone1 to-zone junos-host allows only ICMP ping
As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
Junos-host zone can be used to add an additional check for traffic
destined to SRX. If you don't configure any security policy to-zone
junos-host, the traffic/packet will be validated based on
host-inbound-trafficconfigured under security zones. If you
configure security policy to-zone junos-host, that policy check will
be done additionaly to host-inbound-traffic/services specified under
zones.
For example, if you allow SSH/Telnet/OSPF under interface
ge-0/0/0.0, but configure a security policy to-zone junos-host
allowing SSH, then Telnet/OSPF wont work. Only SSH will work.
More to read:
Link-1
Link-2
Inbound packet will pass in this order:
- Input interface filter, if set
- Zone
host-inbound-traffic - Zone-to-Zone policy
If traffic passed on 1 step, it can be still denied on 2 or 3.
Assume:
- No interface filter applied
host-inbound-trafficset tosystem-services ssh- Policy from zone zone1 to-zone junos-host allows only ICMP ping
As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
edited Nov 21 at 9:51
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
answered Nov 21 at 7:26
Andrey Prokhorov
1,620314
1,620314
So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
– RRHS
Nov 21 at 9:07
junos-hostit's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
– Andrey Prokhorov
Nov 21 at 9:42
Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
– RRHS
Nov 21 at 11:31
@RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
– Andrey Prokhorov
Nov 21 at 12:20
Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
– RRHS
Nov 22 at 13:59
|
show 2 more comments
So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
– RRHS
Nov 21 at 9:07
junos-hostit's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
– Andrey Prokhorov
Nov 21 at 9:42
Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
– RRHS
Nov 21 at 11:31
@RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
– Andrey Prokhorov
Nov 21 at 12:20
Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
– RRHS
Nov 22 at 13:59
So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
– RRHS
Nov 21 at 9:07
So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
– RRHS
Nov 21 at 9:07
junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...– Andrey Prokhorov
Nov 21 at 9:42
junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...– Andrey Prokhorov
Nov 21 at 9:42
Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
– RRHS
Nov 21 at 11:31
Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
– RRHS
Nov 21 at 11:31
@RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
– Andrey Prokhorov
Nov 21 at 12:20
@RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
– Andrey Prokhorov
Nov 21 at 12:20
Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
– RRHS
Nov 22 at 13:59
Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
– RRHS
Nov 22 at 13:59
|
show 2 more comments
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f54881%2fdifference-between-junos-host-zone-and-a-security-zone%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
