Firewall design - should this work?

Started by bk6662, April 21, 2020, 02:46:35 PM


bk6662

Hi!

I inherited a project where I was asked to set up a firewall, to control traffic within the same subnet.  (I know that's sort of counterintuitive - should be done with VLANS!)  But anyhow...

Using a Juniper firewall, I'm working with 2 interfaces.  0 is "untrusted", and 1 is trusted.  Both interfaces connect to a switch, and all connected devices are in the same subnet.  With Juniper it seems the best method is to configure both 0 and 1 as INETv4 interfaces, assign an IP (both being in the same range as the rest of the subnet), and create policies allowing traffic to flow in both directions.

I set up in a test lab, but not having any success.  End result to this point is:

From Juniper I can ping both interfaces, and also get a PING response from endpoints located on both interfaces.
From untrusted endpoint I get a PING response from the Juniper untrusted interface, but no response from the trusted interface or trusted endpoint (Request timed out)
From trusted endpoint I get a PING response only from the Juniper trusted interface.  Everything else results in "Destination host unreachable" response.

Also, side note: I have a router configured on the untrusted end.  I'm using that as the "Next Hop" for the Juniper (set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1).

I'll be happy to provide a config if requested (it's really short).  But I'm wondering if this design should work, or is there a better way to accomplish what I'm trying to do?  (Only caveat it has to be with the Juniper!)

Thank you!
-BK

EDIT: may as well provide the config

security {
    policies {
        from-zone trust to-zone untrust {
            policy our-internet-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy outside-in {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.3/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.1.1.1;
    }
}


icecream-guy

So what happens when a device is looking for another device on the same network segment?

Say 10.1.1.5 is looking for 10.1.1.6.
10.1.1.5 sends out a broadcast: "Who has IP 10.1.1.6?"
10.1.1.6 replies "I do, here is my MAC address" and sends it to 10.1.1.5.
Now that 10.1.1.5 has the MAC address of 10.1.1.6, the communication is sent directly.

If you want to separate segments via a firewall, you need to separate hosts onto unique networks for inside (trusted) and outside (untrusted), at least at the network layer.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Correct. The zones need to be in different IP subnets. Firewalls control access from one subnet to the other - they block or permit traffic at layer 3. Having both interfaces being layer 3 adjacent means no routing and, hence, no firewalling.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
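The point made in the two replies above (a host only hands a packet to a gateway when the destination is outside its own subnet, so a firewall whose interfaces sit inside that subnet never sees the traffic) can be checked with a small forwarding-decision model. This is an added example, not code from the thread or from Juniper; the 10.1.1.x addresses are the lab values from the original post, while the endpoint addresses and the 10.1.2.0/24 "fixed" subnet are constructed for illustration.

```python
"""Model of a host's forwarding decision versus a layer-3 firewall.

Added example (not from the thread). A host with a directly connected
subnet ARPs for any destination inside that subnet and talks to it
directly; only destinations outside the subnet are sent to the default
gateway. A firewall therefore only inspects traffic when it is the
host's next hop, which never happens while both zones share a subnet.
"""
from ipaddress import IPv4Address, IPv4Interface


def next_hop(src: IPv4Interface, dst: IPv4Address, gateway: IPv4Address) -> str:
    """Return where a host with interface `src` sends a packet for `dst`.

    "direct" means the host resolves dst with ARP on its own segment and
    no layer-3 device is involved; otherwise the packet goes to `gateway`.
    """
    if dst in src.network:
        return "direct"
    return f"gateway {gateway}"


def firewall_inspects(src: IPv4Interface, dst: IPv4Address,
                      gateway: IPv4Address, fw_inside: IPv4Address) -> bool:
    """True only when the packet is routed and the router used is the
    firewall's inside interface, i.e. the firewall is in the path."""
    return next_hop(src, dst, gateway) == f"gateway {fw_inside}"


# Design from the original post: both firewall interfaces, the router
# and every endpoint live in 10.1.1.0/24 (endpoint addresses constructed).
SAME_SUBNET = {
    "trusted_host": IPv4Interface("10.1.1.5/24"),
    "untrusted_host": IPv4Address("10.1.1.6"),
    "gateway": IPv4Address("10.1.1.1"),     # the router from the post
    "fw_inside": IPv4Address("10.1.1.3"),   # ge-0/0/1.0 from the post
}

# Design suggested in the replies: the trusted zone gets its own subnet
# and the firewall's trust interface becomes that subnet's gateway
# (constructed values).
TWO_SUBNETS = {
    "trusted_host": IPv4Interface("10.1.2.5/24"),
    "untrusted_host": IPv4Address("10.1.1.6"),
    "gateway": IPv4Address("10.1.2.1"),
    "fw_inside": IPv4Address("10.1.2.1"),
}


def evaluate(design: dict) -> tuple:
    """(next hop chosen by the trusted host, whether the firewall sees it)."""
    hop = next_hop(design["trusted_host"], design["untrusted_host"], design["gateway"])
    seen = firewall_inspects(design["trusted_host"], design["untrusted_host"],
                             design["gateway"], design["fw_inside"])
    return hop, seen


if __name__ == "__main__":
    for name, design in (("same-subnet", SAME_SUBNET), ("two-subnet", TWO_SUBNETS)):
        hop, seen = evaluate(design)
        print(f"{name}: trusted host next hop = {hop}, firewall in path = {seen}")
```

With the original design the trusted host's next hop is "direct", so the permit/deny policies between the trust and untrust zones are never consulted; once the trusted side is moved to its own subnet with the firewall's trust interface as gateway, every packet to the untrusted side is routed through the firewall and the zone policies apply.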

icecream-guy

If you had a high-end switch you could probably do something with private VLANs.
:professorcat:

My Moral Fibers have been cut.

bk6662

Thanks everybody - appreciate the responses.

I did find out this particular firewall has a feature allowing it to run in transparent mode, thereby operating as a switch.  In that scenario it does allow me to designate specific interfaces as trusted or untrusted.  But only later Junipers support that.

Thanks again!
-BK