Difference between junos-host zone and a security zone

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












As far as security zones are concerned, we apply policies to it to control the transit traffic.
And we also apply host-inbound-traffic to a zone or interfaces.
If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
Please help to correct me if im wrong somewhere or am missing something.



This whole concept of junos-host zone and security zones along with policies is confusing.










share|improve this question

























    up vote
    2
    down vote

    favorite












    As far as security zones are concerned, we apply policies to it to control the transit traffic.
    And we also apply host-inbound-traffic to a zone or interfaces.
    If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
    Please help to correct me if im wrong somewhere or am missing something.



    This whole concept of junos-host zone and security zones along with policies is confusing.










    share|improve this question























      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      As far as security zones are concerned, we apply policies to it to control the transit traffic.
      And we also apply host-inbound-traffic to a zone or interfaces.
      If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
      Please help to correct me if im wrong somewhere or am missing something.



      This whole concept of junos-host zone and security zones along with policies is confusing.










      share|improve this question













      As far as security zones are concerned, we apply policies to it to control the transit traffic.
      And we also apply host-inbound-traffic to a zone or interfaces.
      If we have both of the above configurations, why there is junos-host zone to prevent the traffic destined to the device itself as "host-inbound-traffic" also does the same thing.
      Please help to correct me if im wrong somewhere or am missing something.



      This whole concept of junos-host zone and security zones along with policies is confusing.







      juniper security juniper-junos juniper-srx traffic






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 21 at 6:37









      RRHS

      79116




      79116




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted











          Junos-host zone can be used to add an additional check for traffic
          destined to SRX. If you don't configure any security policy to-zone
          junos-host, the traffic/packet will be validated based on
          host-inbound-traffic configured under security zones. If you
          configure security policy to-zone junos-host, that policy check will
          be done additionaly to host-inbound-traffic/services specified under
          zones.



          For example, if you allow SSH/Telnet/OSPF under interface
          ge-0/0/0.0, but configure a security policy to-zone junos-host
          allowing SSH, then Telnet/OSPF wont work. Only SSH will work.




          More to read:
          Link-1
          Link-2



          Juniper SRX traffic flow



          Inbound packet will pass in this order:



          1. Input interface filter, if set

          2. Zone host-inbound-traffic

          3. Zone-to-Zone policy

          If traffic passed on 1 step, it can be still denied on 2 or 3.
          Assume:



          1. No interface filter applied


          2. host-inbound-traffic set to system-services ssh

          3. Policy from zone zone1 to-zone junos-host allows only ICMP ping

          As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.






          share|improve this answer






















          • So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
            – RRHS
            Nov 21 at 9:07











          • junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
            – Andrey Prokhorov
            Nov 21 at 9:42










          • Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
            – RRHS
            Nov 21 at 11:31










          • @RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
            – Andrey Prokhorov
            Nov 21 at 12:20










          • Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
            – RRHS
            Nov 22 at 13:59










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "496"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f54881%2fdifference-between-junos-host-zone-and-a-security-zone%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted











          Junos-host zone can be used to add an additional check for traffic
          destined to SRX. If you don't configure any security policy to-zone
          junos-host, the traffic/packet will be validated based on
          host-inbound-traffic configured under security zones. If you
          configure security policy to-zone junos-host, that policy check will
          be done additionaly to host-inbound-traffic/services specified under
          zones.



          For example, if you allow SSH/Telnet/OSPF under interface
          ge-0/0/0.0, but configure a security policy to-zone junos-host
          allowing SSH, then Telnet/OSPF wont work. Only SSH will work.




          More to read:
          Link-1
          Link-2



          Juniper SRX traffic flow



          Inbound packet will pass in this order:



          1. Input interface filter, if set

          2. Zone host-inbound-traffic

          3. Zone-to-Zone policy

          If traffic passed on 1 step, it can be still denied on 2 or 3.
          Assume:



          1. No interface filter applied


          2. host-inbound-traffic set to system-services ssh

          3. Policy from zone zone1 to-zone junos-host allows only ICMP ping

          As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.






          share|improve this answer






















          • So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
            – RRHS
            Nov 21 at 9:07











          • junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
            – Andrey Prokhorov
            Nov 21 at 9:42










          • Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
            – RRHS
            Nov 21 at 11:31










          • @RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
            – Andrey Prokhorov
            Nov 21 at 12:20










          • Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
            – RRHS
            Nov 22 at 13:59














          up vote
          2
          down vote



          accepted











          Junos-host zone can be used to add an additional check for traffic
          destined to SRX. If you don't configure any security policy to-zone
          junos-host, the traffic/packet will be validated based on
          host-inbound-traffic configured under security zones. If you
          configure security policy to-zone junos-host, that policy check will
          be done additionaly to host-inbound-traffic/services specified under
          zones.



          For example, if you allow SSH/Telnet/OSPF under interface
          ge-0/0/0.0, but configure a security policy to-zone junos-host
          allowing SSH, then Telnet/OSPF wont work. Only SSH will work.




          More to read:
          Link-1
          Link-2



          Juniper SRX traffic flow



          Inbound packet will pass in this order:



          1. Input interface filter, if set

          2. Zone host-inbound-traffic

          3. Zone-to-Zone policy

          If traffic passed on 1 step, it can be still denied on 2 or 3.
          Assume:



          1. No interface filter applied


          2. host-inbound-traffic set to system-services ssh

          3. Policy from zone zone1 to-zone junos-host allows only ICMP ping

          As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.






          share|improve this answer






















          • So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
            – RRHS
            Nov 21 at 9:07











          • junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
            – Andrey Prokhorov
            Nov 21 at 9:42










          • Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
            – RRHS
            Nov 21 at 11:31










          • @RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
            – Andrey Prokhorov
            Nov 21 at 12:20










          • Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
            – RRHS
            Nov 22 at 13:59












          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted







          Junos-host zone can be used to add an additional check for traffic
          destined to SRX. If you don't configure any security policy to-zone
          junos-host, the traffic/packet will be validated based on
          host-inbound-traffic configured under security zones. If you
          configure security policy to-zone junos-host, that policy check will
          be done additionaly to host-inbound-traffic/services specified under
          zones.



          For example, if you allow SSH/Telnet/OSPF under interface
          ge-0/0/0.0, but configure a security policy to-zone junos-host
          allowing SSH, then Telnet/OSPF wont work. Only SSH will work.




          More to read:
          Link-1
          Link-2



          Juniper SRX traffic flow



          Inbound packet will pass in this order:



          1. Input interface filter, if set

          2. Zone host-inbound-traffic

          3. Zone-to-Zone policy

          If traffic passed on 1 step, it can be still denied on 2 or 3.
          Assume:



          1. No interface filter applied


          2. host-inbound-traffic set to system-services ssh

          3. Policy from zone zone1 to-zone junos-host allows only ICMP ping

          As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.






          share|improve this answer















          Junos-host zone can be used to add an additional check for traffic
          destined to SRX. If you don't configure any security policy to-zone
          junos-host, the traffic/packet will be validated based on
          host-inbound-traffic configured under security zones. If you
          configure security policy to-zone junos-host, that policy check will
          be done additionaly to host-inbound-traffic/services specified under
          zones.



          For example, if you allow SSH/Telnet/OSPF under interface
          ge-0/0/0.0, but configure a security policy to-zone junos-host
          allowing SSH, then Telnet/OSPF wont work. Only SSH will work.




          More to read:
          Link-1
          Link-2



          Juniper SRX traffic flow



          Inbound packet will pass in this order:



          1. Input interface filter, if set

          2. Zone host-inbound-traffic

          3. Zone-to-Zone policy

          If traffic passed on 1 step, it can be still denied on 2 or 3.
          Assume:



          1. No interface filter applied


          2. host-inbound-traffic set to system-services ssh

          3. Policy from zone zone1 to-zone junos-host allows only ICMP ping

          As result, not ICMP ping, not SSH will be allowed. ICMP ping will be dropped on step 2; SSH will be dropped on step 3.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 21 at 9:51

























          answered Nov 21 at 7:26









          Andrey Prokhorov

          1,620314




          1,620314











          • So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
            – RRHS
            Nov 21 at 9:07











          • junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
            – Andrey Prokhorov
            Nov 21 at 9:42










          • Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
            – RRHS
            Nov 21 at 11:31










          • @RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
            – Andrey Prokhorov
            Nov 21 at 12:20










          • Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
            – RRHS
            Nov 22 at 13:59
















          • So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
            – RRHS
            Nov 21 at 9:07











          • junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
            – Andrey Prokhorov
            Nov 21 at 9:42










          • Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
            – RRHS
            Nov 21 at 11:31










          • @RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
            – Andrey Prokhorov
            Nov 21 at 12:20










          • Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
            – RRHS
            Nov 22 at 13:59















          So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
          – RRHS
          Nov 21 at 9:07





          So correct me if I am wrong. If security policy to-zone junos-host is configured, its applicable to the whole device(all the interfaces included). So even if, host-inbound-traffic is configured for an interface or a zone(say Red-zone, allow only ssh) but the junos-host is configured to allow only ping, then it means the interfaces part of that Red-zone cannot allow ssh as the junos-host is configured to allow only ping to those interfaces.
          – RRHS
          Nov 21 at 9:07













          junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
          – Andrey Prokhorov
          Nov 21 at 9:42




          junos-host it's device itself. So yes, if you will configure policy from some zone, lets say RED to junos-host, and you will allow only ICMP ping, but your RED zone host-inbound-services will have ICMP ping and SSH - only ICMP ping will be allowed. You can think of it like consecutive levels of security. Let me check some docs, I will edit my answer with traffic flow sequence...
          – Andrey Prokhorov
          Nov 21 at 9:42












          Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
          – RRHS
          Nov 21 at 11:31




          Understood. Its all about levels and junos-host isnt given any priority over the host-inbound-traffic. And yes, please attach any docs if you have, it would be very helpful.
          – RRHS
          Nov 21 at 11:31












          @RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
          – Andrey Prokhorov
          Nov 21 at 12:20




          @RRHS Check theese: Security Policies Feature Guide for Security Devices, KB24227
          – Andrey Prokhorov
          Nov 21 at 12:20












          Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
          – RRHS
          Nov 22 at 13:59




          Just one more query. Are configuring security zones a necessity? And i have also read that there has to be a minimum of 2 security zones to be configured. But some of the devices which i have used have only 1(security-zone HOST) and VSRX has none. Could you please shed some light on it.
          – RRHS
          Nov 22 at 13:59

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f54881%2fdifference-between-junos-host-zone-and-a-security-zone%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?