Security Zones | Junos OS | Juniper Networks

Interfaces act as a doorway through
which traffic enters and exits a Juniper Networks device. Many interfaces
can share exactly the same security requirements; however, different
interfaces can also have different security requirements for inbound
and outbound data packets. Interfaces with identical security requirements
can be grouped together into a single security zone.

A security zone is a collection of one or more
network segments requiring the regulation of inbound and outbound
traffic through policies.

Security zones are logical entities to which one
or more interfaces are bound. With many types of Juniper Networks
devices, you can define multiple security zones, the exact number
of which you determine based on your network needs.

On a single device, you can configure multiple
security zones, dividing the network into segments to which you can
apply various security options to satisfy the needs of each segment.
At a minimum, you must define two security zones, basically to protect
one area of the network from the other. On some security platforms,
you can define many security zones, bringing finer granularity to
your network security design—and without deploying multiple
security appliances to do so.

From the perspective of security policies, traffic
enters into one security zone and goes out on another security zone.
This combination of a from-zone and a to-zone is defined as a context. Each context contains
an ordered list of policies. For more information on policies, see Security Policies Overview.

This topic includes the following sections:

Understanding Security Zone Interfaces

An interface for a security zone can be thought
of as a doorway through which TCP/IP traffic can pass between that
zone and any other zone.

Through the policies you define, you can permit
traffic between zones to flow in one direction or in both. With the
routes that you define, you specify the interfaces that traffic from
one zone to another must use. Because you can bind multiple interfaces
to a zone, the routes you chart are important for directing traffic
to the interfaces of your choice.

An interface can be configured with an IPv4 address, IPv6 address,
or both.

Understanding Functional Zones

A functional zone is used for special purposes,
like management interfaces. Currently, only the management (MGT) zone
is supported. Management zones have the following properties:

  • Management zones host management interfaces.

  • Traffic entering management zones does not match policies;
    therefore, traffic cannot transit out of any other interface if it
    was received in the management interface.

  • Management zones can only be used for dedicated management
    interfaces.

Understanding Security Zones

Security zones are the building blocks for policies;
they are logical entities to which one or more interfaces are bound.
Security zones provide a means of distinguishing groups of hosts (user
systems and other hosts, such as servers) and their resources from
one another in order to apply different security measures to them.

Security zones have the following properties:

  • Policies—Active security policies that enforce rules
    for the transit traffic, in terms of what traffic can pass through
    the firewall, and the actions that need to take place on the traffic
    as it passes through the firewall. For more information, see Security Policies Overview.

  • Screens—A Juniper Networks stateful firewall secures
    a network by inspecting, and then allowing or denying, all connection
    attempts that require passage from one security zone to another. For
    every security zone, you can enable a set of predefined screen options
    that detect and block various kinds of traffic that the device determines
    as potentially harmful. For more information, see Reconnaissance Deterrence Overview.

  • Address books—IP addresses and address sets that
    make up an address book to identify its members so that you can apply
    policies to them. Address book entries can include any combination
    of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names.
    For more information, see Example: Configuring Address Books and Address Sets.

  • TCP-RST—When this feature is enabled, the system
    sends a TCP segment with the RESET flag set when traffic arrives that
    does not match an existing session and does not have the SYNchronize
    flag set.

  • Interfaces—List of interfaces in the zone.

Security zones have the following preconfigured
zone:

  • Trust zone—Available only in the factory configuration
    and is used for initial connection to the device. After you commit
    a configuration, the trust zone can be overridden.