Junos® OS For Dummies®, 2nd Edition by Michael Bushong, Cathy Gadecki, Walter Goralski

Writing Basic Security Policies

If the SRX could only assign interfaces to zones and allow certain services in and out, there wouldn't be much to it. But the SRX is much more powerful.

After you have zones and interfaces set up, you can tap into the real power of the SRX: the security policies themselves.

Without security policies, all the SRX could do is group interfaces into zones and screen out certain services. Security policies are where you spell out, for each pair of zones, exactly what traffic is and is not allowed through the SRX.

Multiple security policies

Large SRX deployments can have hundreds or even thousands of policies: a single policy that tries to do too much becomes complex and hard to reason about, so the work is split across many narrow policies. Each policy is bound to a source zone and a destination zone, and within that zone pair the policies are evaluated in order, top to bottom, until one matches and its action (permit, deny, or reject) is applied. If nothing matches, the default policy applies, and the default, of course, is to deny the traffic and discard the packet.

The exception to the default deny rule is traffic on the fxp0 management interface. That interface does not belong to a security zone, so security policies never touch it, which keeps management of the SRX possible at all times (even when a configuration goes haywire). This is a small risk only as long as fxp0 is connected to a dedicated, isolated management network where outside user traffic never appears; if you cannot guarantee that, restrict access to the Routing Engine with a firewall filter on the lo0 interface rather than relying on the zone policies.
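The following is an added configuration example (not from the book) showing a set of ordered policies for one zone pair, the explicit default-deny, and how to re-order a policy that was added in the wrong place. The zone names, interfaces, address-book entries (internal-net, 10.10.0.0/16) and policy names are assumptions for illustration; the applications junos-telnet, junos-http and junos-https are predefined on the SRX.

```junos
## Added example, not the book's configuration. Zone, interface and
## address names below are assumptions chosen for illustration.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust address-book address internal-net 10.10.0.0/16

## Policies for the trust -> untrust zone pair are evaluated top to bottom
## and the first match wins, so the narrow deny must sit above the broad
## permit; otherwise the permit would match first and the deny never fires.
set security policies from-zone trust to-zone untrust policy block-telnet match source-address internal-net
set security policies from-zone trust to-zone untrust policy block-telnet match destination-address any
set security policies from-zone trust to-zone untrust policy block-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy block-telnet then deny
set security policies from-zone trust to-zone untrust policy block-telnet then log session-init

set security policies from-zone trust to-zone untrust policy allow-web match source-address internal-net
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit

## Anything that matches no policy in any zone pair falls through to the
## default policy. Deny-all is the default, but stating it explicitly
## documents the intent and survives a later change of defaults.
set security policies default-policy deny-all

## If block-telnet had been added after allow-web, move it above with
## "insert" (a configuration-mode command, not a set statement):
insert security policies from-zone trust to-zone untrust policy block-telnet before policy allow-web
```

After committing, `show security policies from-zone trust to-zone untrust` lists the policies in their evaluation order, and `show security match-policies` (given a source and destination IP, ports, protocol and the two zones) reports which policy a hypothetical flow would hit, which is the quickest way to confirm that the ordering does what you intended before real traffic arrives.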

Figure 12-3 shows this policy ordering on the SRX by zones.

Figure 12-3: SRX zones and policies.

All SRX security policies follow an IF-THEN-ELSE algorithm. IF traffic X matches some rule, ...
