Thus far in this chapter, we have covered how to protect the network and services behind the SRX. This section covers how to protect the SRX itself from attack. It’s critical to harden the SRX’s control plane from any potential attacks and to ensure availability.
The first item to put in place is a firewall filter applied to the loopback interface. All traffic destined for the Routing Engine (RE) passes through the loopback interface, so a filter applied there can throttle and limit what is allowed to reach the RE. This acts much like a receive ACL on Cisco Systems routers.
The first thing you need to do when designing a loopback firewall filter is to document the traffic types that enter the RE. Traffic such as Simple Network Management Protocol (SNMP), Network Time Protocol (NTP), management protocols, and syslog should be examined. For the ScreenOS crowd, firewall filters are the only way to reproduce the settings and restrict what IP addresses or segments can access the management plane of the SRX.
Here are the different devices and networks that need to talk to the SRX:
- Management network: 10.1.10.1/24
- SNMP server: 10.1.30.101
- NTP server: 10.1.20.100
- Backup NTP server: 10.1.30.100
So, let’s configure the traffic types that need to enter the RE. Yours may be different, of course, depending on your network and configuration, so pay attention to the process:
edit firewall filter SRX_Protection
[edit firewall ...
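The filter the text begins above, carried through for the four hosts listed, as an added example that is not the book's own configuration. It assumes SSH and HTTPS are the enabled management services and normalizes the management network to 10.1.10.0/24; the terms cover only the traffic types documented here, so any routing protocol, IKE, DHCP or ICMP traffic the RE must accept needs its own term before the final discard.

```junos
firewall {
    family inet {
        filter SRX_Protection {
            /* Management network reaches the enabled CLI/web services. */
            term allow-management {
                from {
                    source-address { 10.1.10.0/24; }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Only the SNMP server may poll the RE (UDP/161). */
            term allow-snmp {
                from {
                    source-address { 10.1.30.101/32; }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Replies from both NTP servers arrive with source port 123. */
            term allow-ntp {
                from {
                    source-address { 10.1.20.100/32; 10.1.30.100/32; }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Final term: everything else is counted, logged and dropped.
               Its counter and log are where probes of the RE show up. */
            term deny-and-log {
                then {
                    count SRX_Protection_denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input SRX_Protection; }
            }
        }
    }
}
```

Apply it with `commit confirmed` so a filter that locks you out rolls back on its own, then watch `show firewall filter SRX_Protection` and `show firewall log` to confirm legitimate management traffic hits the accept terms rather than the discard counter.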