Options
Juniper Configuration questions-HELP!
I am new to Juniper. I have question about how to configure the juniper firewall to permit and deny traffic with user-defined policies. My organization has Juniper Netscreen 5GT in trust-untrust mode with static IP. Recently we were blacklisted. I came across a suggestion to deny 25 port for every private IP from the trust zone other than the mail server so that an infected PC cannot uste that port to send mail directly. Can I create 2 policies:
1. Any to any to deny SMTP service
2. Mail server (his IP) to any to permit SMTP service
Which of the 2 policies will be stronger regarding the mail server?
Sorry if the question is stupid. I need help to protect my net and to protect external network not to be attacked by infected PCs from my network. On the juniper all the protcetion for land attack, syn, IP spoof etc are checked. We have proper anti-virus protection. why is this not enough?
Thanks in advance,
Ljupka
1. Any to any to deny SMTP service
2. Mail server (his IP) to any to permit SMTP service
Which of the 2 policies will be stronger regarding the mail server?
Sorry if the question is stupid. I need help to protect my net and to protect external network not to be attacked by infected PCs from my network. On the juniper all the protcetion for land attack, syn, IP spoof etc are checked. We have proper anti-virus protection. why is this not enough?
Thanks in advance,
Ljupka
Comments
-
Options
Gogousa
Member Posts: 68 ■■□□□□□□□□
You should put the second one on top of the list.
Think like the packet and a list to do. If something wants to go out, it reads the first line, if it does not apply it goes to the second line, and this goes on and on until it finds something that apply to him, and thats it (the packet is out). If it gets to the end of the list and nothing apply to it, it is discarted.
So, the policies should go from specific on the top (like your example, one server-one port) to general at the end.
hope this help
good luck -
Options
Pash
Member Posts: 1,600 ■■■■■□□□□□
You should put the second one on top of the list.
Think like the packet and a list to do. If something wants to go out, it reads the first line, if it does not apply it goes to the second line, and this goes on and on until it finds something that apply to him, and thats it (the packet is out). If it gets to the end of the list and nothing apply to it, it is discarted.
So, the policies should go from specific on the top (like your example, one server-one port) to general at the end.
hope this help
good luck
Exactly this. Always keep your rules that are most generalized below your specific rules, this way you are guaranteed that your policy list is doing its job. I always make a habbit of logging all traffic as well as adding counters, this depends on your model of firewall sometimes because you do not wan't to flood the memory on the device with too much logging if it cannot handle it.
PashDevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.