
Management routers: filter traffic from external to junos-host
Closed, Resolved | Public

Description

Unlike standard SRX security policies (from-zone x to-zone y), which have a default and implicit deny, security policies from-zone x to-zone junos-host (for traffic toward the device itself) have a default and implicit permit.

I noticed that while looking at the logs on mr1-codfw:
SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 52.73.169.169 to 208.80.153.196 (public)

zone junos-host is only used on the mgmt routers (mr1*) and not on the payment firewalls.

We need to add:

[edit applications application icmp-app1]
     term t1 { ... }
+    term t2 protocol icmp6;
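Review bot: `term t2 protocol icmp6;` matches every ICMPv6 type and carries no comment, so a reader cannot tell whether the intent is to keep all of ICMPv6 (neighbor discovery, ping6, traceroute6) reachable once a default deny is in place or only the echo/traceroute types; add a one-line comment stating the intent, and if only ping/traceroute are needed, narrow the term with `icmp6-type` the way `term t1` presumably does for ICMPv4.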
[edit security policies from-zone untrust to-zone junos-host]
      policy any--traceroute { ... }
+     /* T218234 - to-zone junos-host has an implicit default permit */
+     policy default-deny {
+         match {
+             source-address any;
+             destination-address any;
+             application any;
+         }
+         then {
+             deny;
+         }
+     }
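Review bot: Junos evaluates security policies within a from-zone/to-zone context top-down, so `policy default-deny` only does its job if it is the last policy in `from-zone untrust to-zone junos-host`; the snippet shows it after `policy any--traceroute { ... }` but the `...` hides the rest of the context, so check with `show security policies from-zone untrust to-zone junos-host` (or move it with `insert ... policy default-deny after policy <last>`) before the commit. Consider `then { deny; log { session-init; } }` rather than a bare `deny`: this issue was found through the SNMPD_AUTH_FAILURE log line, and a silent deny removes that signal. Note also that the deny covers only untrust; per the description the implicit permit applies to any from-zone x to-zone junos-host, so the other zones keep it unless they are deliberately left open for management.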

To be rolled out progressively, one router at a time, with commit confirmed to ensure no legitimate traffic is being blocked.

This was not caught by diffscan as the external security zone only hosts an IP outside our ranges (OOB).
No other service than SNMP has been wrongly exposed.
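The check that would have surfaced this from the logs, as an added example that is not part of the task or of Wikimedia's tooling: it parses Junos SNMPD_AUTH_FAILURE messages in the format quoted above and flags the ones whose source address lies outside a set of trusted management prefixes. A failed community from a trusted poller is a misconfiguration; the same failure from an untrusted source means UDP/161 on the router is reachable from where it should not be, which is what the implicit permit to junos-host allowed here. The log lines and the trusted prefixes are constructed for the example (the first line mirrors the mr1-codfw entry; the rest are made up).

```python
"""Flag SNMPD_AUTH_FAILURE events whose source is outside trusted prefixes.

Added example, not Wikimedia's tooling. The log lines and the trusted
prefixes are constructed for illustration.
"""
import ipaddress
import re

# Junos syslog message, in the format quoted in the task:
#   SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community
#   from <src> to <dst> (<community>)
SNMP_AUTH_RE = re.compile(
    r"SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community "
    r"from (?P<src>[0-9a-fA-F.:]+) to (?P<dst>[0-9a-fA-F.:]+) "
    r"\((?P<community>[^)]*)\)"
)

# Hypothetical management prefixes from which SNMP polling is expected.
TRUSTED_PREFIXES = [
    ipaddress.ip_network("10.64.0.0/16"),
    ipaddress.ip_network("2001:db8:0:1::/64"),
]

# Constructed sample lines; the first mirrors the mr1-codfw entry in the task.
SAMPLE_LOG = """\
Mar 13 16:58:01 mr1-codfw snmpd[1234]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 52.73.169.169 to 208.80.153.196 (public)
Mar 13 16:58:05 mr1-codfw snmpd[1234]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.64.32.10 to 208.80.153.196 (wrongcomm)
Mar 13 16:58:09 mr1-codfw snmpd[1234]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 2001:db8:0:1::5 to 2001:db8::1 (public)
Mar 13 16:58:12 mr1-codfw snmpd[1234]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 198.51.100.7 to 208.80.153.196 (private)
Mar 13 16:58:20 mr1-codfw mgd[4321]: UI_COMMIT: User 'ayounsi' requested 'commit confirmed' operation
"""


def parse_auth_failure(line):
    """Return (src, dst, community) for an SNMPD_AUTH_FAILURE line, else None."""
    m = SNMP_AUTH_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("community")


def is_trusted(addr, prefixes=TRUSTED_PREFIXES):
    """True if addr (IPv4 or IPv6 string) falls inside a trusted prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def external_snmp_probes(log_text, prefixes=TRUSTED_PREFIXES):
    """Return the (src, dst, community) tuples whose source is untrusted.

    Lines that are not SNMPD_AUTH_FAILURE messages are skipped; failures
    from trusted pollers are ignored because they indicate a wrong
    community, not unwanted exposure of the SNMP service.
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue
        if not is_trusted(parsed[0], prefixes):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for src, dst, community in external_snmp_probes(SAMPLE_LOG):
        print(f"SNMP reachable from untrusted {src} -> {dst} (community {community!r})")
```

Run it against a router's syslog export; any hit means the to-zone junos-host context lacks a closing deny (or the deny is not last), regardless of whether the community guessed was right.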

Event Timeline

ayounsi triaged this task as High priority.Mar 13 2019, 5:20 PM
ayounsi created this task.
ayounsi created this object with visibility "acl*sre-team (Project)".
ayounsi renamed this task from Management routers: deny traffic from external to junos-host to Management routers: filter traffic from external to junos-host.Mar 13 2019, 5:26 PM

All patched. No need for this task to be private anymore.

ayounsi changed the visibility from "acl*sre-team (Project)" to "Public (No Login Required)".Mar 14 2019, 5:07 PM