ShortestPathFirst Network Architecture and Design, and Information Security Best Practices

7 Jul 2011

Juniper SRX Tips :: Altering Default-Deny Behavior

In our previous article, we looked at using apply-groups to alter all the security policies uniformly on an SRX device such that they would all have an implicit logging statement. And while this is fine for all existing policies, it doesn't log traffic which doesn't match any explicitly defined security policy.

The reason is that in Junos, traffic which doesn't match an explicitly defined security policy is handled by the default-deny policy. Because the default-deny policy is implicit rather than explicitly defined, apply-groups are of no help here: an apply-group can only be inherited by configuration elements which have been explicitly defined.

Often in these cases, administrators will simply choose to create their own deny policies with the desired options and place this deny policy as the last policy for traffic going from one zone to another. However, in instances where there are many zones, it might prove too cumbersome and time consuming to manually configure this to accommodate all zones.

Clearly it would be more beneficial to have something akin to the Global Zone in ScreenOS which can be used to match on all traffic which doesn't match against any of the explicitly defined security policies.  However, at the time of this writing, Global Zone functionality doesn't exist in Junos.

The good news is that we can use the power of apply-groups once again to our benefit, this time to create an explicitly defined deny policy which will be inherited at the tail-end of all security policies defined within our configuration. Note that this will encompass both Inter-zone as well as Intra-zone traffic.

For this example, let's assume that we want to log everything that would normally hit the default-deny policy. Let's start by taking a look at our baseline configuration:

root@ce-1# show security policies
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address Users-subnet;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
        }
    }
}

Here you can see we have a policy allowing all traffic outbound from the Users-subnet in the Trust zone towards the Untrust zone, and another policy allowing inbound HTTP traffic from the Untrust zone towards the Web Server in the Trust zone.  Now, in order to change the default-deny behavior and add additional options, we will use an apply-group to inherit a new policy at the tail-end of all previously defined policies, as follows:

groups {
    default-log {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy log-all-else {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}

Finally, let's apply our apply-group at the [security policies] stanza within our configuration:

root@ce-1# set security policies apply-groups default-log

Now that we've completed the configuration, let's examine the results of the application of our apply-group by taking a look at our security policies, this time by displaying the inherited configuration:

root@ce-1# show security policies | display inheritance
apply-groups default-log
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address Users-subnet;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    ##
    ## 'log-all-else' was inherited from group 'default-log'
    ##
    policy log-all-else {
        ##
        ## 'match' was inherited from group 'default-log'
        ##
        match {
            ##
            ## 'any' was inherited from group 'default-log'
            ##
            source-address any;
            ##
            ## 'any' was inherited from group 'default-log'
            ##
            destination-address any;
            ##
            ## 'any' was inherited from group 'default-log'
            ## Warning: application or application-set must be defined
            ##
            application any;
        }
        ##
        ## 'then' was inherited from group 'default-log'
        ##
        then {
            ##
            ## 'deny' was inherited from group 'default-log'
            ##
            deny;
            ##
            ## 'log' was inherited from group 'default-log'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'default-log'
                ##
                session-init;
            }
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
        }
    }
    ##
    ## 'log-all-else' was inherited from group 'default-log'
    ##
    policy log-all-else {
        ##
        ## 'match' was inherited from group 'default-log'
        ##
        match {
            ##
            ## 'any' was inherited from group 'default-log'
            ##
            source-address any;
            ##
            ## 'any' was inherited from group 'default-log'
            ##
            destination-address any;
            ##
            ## 'any' was inherited from group 'default-log'
            ## Warning: application or application-set must be defined
            ##
            application any;
        }
        ##
        ## 'then' was inherited from group 'default-log'
        ##
        then {
            ##
            ## 'deny' was inherited from group 'default-log'
            ##
            deny;
            ##
            ## 'log' was inherited from group 'default-log'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'default-log'
                ##
                session-init;
            }
        }
    }
}

Once again, with just a couple of lines of configuration we can streamline things to a large extent, in this case creating an explicitly defined deny policy which logs all traffic that would otherwise be silently discarded. And best of all, we can do so without having to resort to manual configuration of each and every zone pair.

In small installations this technique might be of little benefit, but in larger implementations consisting of dozens of zones with a combination of Interzone, Intrazone and bidirectional security policies, the benefit of such an approach cannot be overstated. Not only will this ease the configuration burden, but it will ensure that all traffic which doesn't match any of the existing security policies is handled in a consistent manner. Of course, as with previous examples, if there are certain policies that we don't want to inherit this new default-deny, we can simply utilize the apply-groups-except statement for each of those respective policies.
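With dozens of zones it is worth verifying the result rather than trusting it: that every from-zone/to-zone context really does end in a logged deny once the group is applied, and which ordered zone pairs have no policy context at all (as a commenter notes below, a pair with no rules between the two zones never inherits the group policy, so its drops stay silent). The following audit script is an added example, not code from this article or from Juniper. It parses the curly-brace text of show security policies (with or without | display inheritance), skipping the ## annotation lines. The zone inventory, the DMZ zone and the sample configuration text are constructed for the demo; the "inherited" sample is an abbreviated reconstruction of the display-inheritance output shown above, not a capture.

```python
"""Audit Junos SRX 'security policies' text for default-deny logging gaps.

Added example; not code from the article or from Juniper. It parses the output
of 'show security policies' (with or without '| display inheritance') and
reports which zone pairs end in a logged deny, which do not, and which zone
pairs have no policy context at all (those never inherit the group policy).
Zone list and sample configuration text below are constructed for the demo.
"""
import re
from itertools import product

# Constructed sample: the article's first zone pair, before the group is applied.
BASELINE_CONFIG = """\
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address Users-subnet;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
"""

# The policy the article's 'default-log' group appends to each zone pair, with one
# of the '##' annotation lines that '| display inheritance' prints.
LOG_ALL_ELSE = """\
    ## 'log-all-else' was inherited from group 'default-log'
    policy log-all-else {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
"""

# Constructed approximation of the inherited view: the group policy lands at the
# tail of every explicitly configured 'from-zone ... to-zone ...' block.
INHERITED_CONFIG = "apply-groups default-log\n" + BASELINE_CONFIG.replace(
    "\n}\n", "\n" + LOG_ALL_ELSE + "}\n")

ZONE_PAIR = re.compile(r"^from-zone (\S+) to-zone (\S+)$")


def parse_junos(text):
    """Parse curly-brace Junos config into nested (name, children) tuples;
    containers carry a child list, leaf statements carry None."""
    stack = [[]]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blanks and '##' annotations
            continue
        if line.endswith("{"):
            node = (line[:-1].strip(), [])
            stack[-1].append(node)
            stack.append(node[1])
        elif line == "}":
            stack.pop()
        else:
            stack[-1].append((line.rstrip(";"), None))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return stack[0]


def tail_policies(tree):
    """Map (from-zone, to-zone) -> (name, set of 'then' actions) of the LAST
    policy in that context. Junos matches top-down, so the tail is the catch-all."""
    tails = {}
    for name, children in tree:
        m = ZONE_PAIR.match(name)
        if not m or children is None:
            continue
        policies = [(n, c) for n, c in children if n.startswith("policy ") and c]
        if not policies:
            tails[m.groups()] = None
            continue
        pname, body = policies[-1]
        then = next((c for n, c in body if n == "then" and c), [])
        tails[m.groups()] = (pname.split(None, 1)[1], {n for n, _ in then})
    return tails


def audit(text, zones):
    """Classify every ordered zone pair (intra-zone included) from a zone inventory."""
    tails = tail_policies(parse_junos(text))
    logged = sorted(p for p, t in tails.items() if t and {"deny", "log"} <= t[1])
    unlogged = sorted(p for p in tails if p not in logged)
    missing = sorted(p for p in product(zones, repeat=2) if p not in tails)
    return {"logged_deny": logged, "unlogged_tail": unlogged, "no_context": missing}


if __name__ == "__main__":
    for label, cfg in (("baseline", BASELINE_CONFIG), ("inherited", INHERITED_CONFIG)):
        print(label, audit(cfg, ["Trust", "Untrust", "DMZ"]))  # constructed zones
```

On a real device, feed audit() the text of show security policies | display inheritance and the zone names from show security zones. Any pair reported under no_context (the return direction Untrust to Trust in the constructed sample, plus every intra-zone pair) is one where the group has nothing to attach to and the implicit default-deny still discards traffic without a log entry; those are the contexts that still need a policy created by hand if their drops are to be seen.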

In our next article we will examine changing the built-in Junos application defaults so that we can customize timers and other parameters.



Comments (6)
  1. Brother Stefan,

    The option of group DEFAULT LOG, and without this option I found no such change. Or I might not be getting the exact point which this blog is explaining. Can you please help me with it by clarifying it for me?

  2. There is one exception to this that needs to be noted, but it makes sense in the context of what you are doing: if you have two zones with no rules between them, they will not inherit this new rule, and therefore the drops will still be silent.

  3. Cheers for this.

    Was able to use this to adapt to requirements around blocking specific networks within a supernet.
    Read this when first posted but came back to confirm it.
    http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-IP-exception-through-policy/m-p/106888/

    Cheers,
    Jav

  4. While there is no Global Zone, you can create a Zone Group that includes all your Zones. The only problem I’ve found with this is that when you have a policy going to multiple devices with different Zone names, it will fail to push the policy as the “Global” (Group of Zones) doesn't match the ones configured on the target SRX.

  5. Hi Stefan,
    Any ideas how to apply a security policy using apply-groups and move that policy to the top of the other policies? The applied policy goes to the end of the security policy list.

    Thanks.

    P.S. Great post :)

  6. Hi Misha,

    I am unsure how to do this because as you’ve stated the applied policies always are inherited at the tail end… Fortunately, soon we will have Global zones in Junos so tricks such as the above will no longer be necessary…

