Messages - bk6662

#1
Security / Re: Firewall design - should this work?
April 23, 2020, 08:36:14 AM
Thanks everybody - appreciate the responses.

I did find out this particular firewall has a feature allowing it to run in transparent mode, thereby operating as a switch.  In that scenario it does allow me to designate specific interfaces as trusted or untrusted.  But only later Junipers support that.

Thanks again!
-BK
#2
Security / Firewall design - should this work?
April 21, 2020, 02:46:35 PM
Hi!

I inherited a project where I was asked to set up a firewall to control traffic within the same subnet.  (I know that's sort of counterintuitive - it should be done with VLANs!)  But anyhow...

Using a Juniper firewall, I'm working with 2 interfaces.  0 is "untrusted", and 1 is trusted.  Both interfaces connect to a switch, and all connected devices are in the same subnet.  With Juniper it seems the best method is to configure both 0 and 1 as INETv4 interfaces, assign an IP (both being in the same range as the rest of the subnet), and create policies allowing traffic to flow in both directions.

I set this up in a test lab, but I'm not having any success.  The end result to this point is:

From Juniper I can ping both interfaces, and also get a PING response from endpoints located on both interfaces.
From the untrusted endpoint I get a PING response from the Juniper untrusted interface, but no response from the trusted interface or trusted endpoint ("Request timed out").
From the trusted endpoint I get a PING response only from the Juniper trusted interface.  Everything else results in a "Destination host unreachable" response.

Also, side note: I have a router configured on the untrusted end.  I'm using that as "Next Hop" for the Juniper (set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1).

I'll be happy to provide a config if requested (it's really short).  But I'm wondering if this design should work, or is there a better way to accomplish what I'm trying to do?  (Only caveat it has to be with the Juniper!)

Thank you!
-BK

EDIT: may as well provide the config

security {
    policies {
        from-zone trust to-zone untrust {
            policy our-internet-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy outside-in {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.3/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.1.1.1;
    }
}
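The design in the post above hinges on a plain IP forwarding rule: a host only sends a packet to a gateway when the destination lies outside its own connected subnet; otherwise it ARPs for the destination directly on the segment, and a Layer-3 firewall holding an address in that same subnet is never on the path. The script below is an added illustration of that rule, not anything from the original post or from Juniper; it takes the two interface addresses from the posted config, flags that their connected subnets overlap, and models the forwarding decision for two hypothetical endpoints (10.1.1.10 on the untrusted side and 10.1.1.20 on the trusted side, both constructed for the example). The re-addressed /25 case at the end shows how the same check changes once the endpoints are in separate subnets with the firewall as their gateway; it does not model Junos transparent mode.

```python
import ipaddress

# Interface addresses as posted in the config above (lab addresses, not a
# real deployment); the endpoint addresses below are constructed for the example.
INTERFACES = {
    "ge-0/0/0.0 (untrust)": "10.1.1.2/24",
    "ge-0/0/1.0 (trust)": "10.1.1.3/24",
}
FIREWALL_IPS = {str(ipaddress.ip_interface(a).ip) for a in INTERFACES.values()}


def overlapping_interfaces(interfaces):
    """Return every pair of interface names whose connected subnets overlap.

    Two routed interfaces on one box sharing a subnet is the configuration
    smell to look for before touching security policies at all.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def next_hop(src_addr_with_prefix, dst_ip, default_gw):
    """Model a host's forwarding decision for one destination.

    Returns ("direct", dst) when the destination is on the host's own subnet
    (the host ARPs for it on the segment) or ("gateway", gw) otherwise.
    """
    src = ipaddress.ip_interface(src_addr_with_prefix)
    dst = ipaddress.ip_address(dst_ip)
    if dst in src.network:
        return ("direct", str(dst))
    return ("gateway", default_gw)


def firewall_in_path(src_addr_with_prefix, dst_ip, default_gw, firewall_ips):
    """True only if the host hands the packet to one of the firewall's addresses."""
    hop, target = next_hop(src_addr_with_prefix, dst_ip, default_gw)
    return hop == "gateway" and target in firewall_ips


def lab_report():
    """Evaluate the posted design and a re-addressed alternative."""
    report = {"overlaps": overlapping_interfaces(INTERFACES)}
    # Posted design: both endpoints in 10.1.1.0/24, firewall addresses in the
    # same /24, so neither endpoint ever sends traffic to the firewall.
    report["same_subnet"] = {
        "trust->untrust": firewall_in_path("10.1.1.20/24", "10.1.1.10",
                                           "10.1.1.1", FIREWALL_IPS),
        "untrust->trust": firewall_in_path("10.1.1.10/24", "10.1.1.20",
                                           "10.1.1.1", FIREWALL_IPS),
    }
    # Alternative: split into 10.1.1.0/25 (untrust) and 10.1.1.128/25 (trust),
    # with the firewall interface as each side's gateway (constructed addresses).
    report["split_subnets"] = {
        "trust->untrust": firewall_in_path("10.1.1.140/25", "10.1.1.10",
                                           "10.1.1.130", {"10.1.1.130", "10.1.1.2"}),
        "untrust->trust": firewall_in_path("10.1.1.10/25", "10.1.1.140",
                                           "10.1.1.2", {"10.1.1.130", "10.1.1.2"}),
    }
    return report


if __name__ == "__main__":
    for key, value in lab_report().items():
        print(f"{key}: {value}")
```

Running it prints one overlapping interface pair for the posted config and `False` for both directions of the same-subnet case, which matches the symptom in the post: the policies never get a chance to match because the packets never reach the firewall. Only the split-subnet variant routes through the firewall.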