Using a Firewall Filter to Protect SNMP Access

Problem

You have a firewall filter on your interfaces and want to add a term to restrict NMS system access to the router.

Solution

You can add a term to the existing firewall filter that allows access to the desired NMS systems:

Add a term to an existing firewall filter that allows SNMP access only from the NMS systems:

	[edit firewall filter protect-RE term allow-snmp-from-nms-systems]
	aviva@router1# set from source-address 10.0.0.1/32
	aviva@router1# set from source-address 10.0.5.1/32
	aviva@router1# set from source-address 10.0.6.1/32
	aviva@router1# set from source-address 10.10.1.50/32
	aviva@router1# set from protocol udp
	aviva@router1# set from destination-port snmp
	aviva@router1# set then accept

For the filter to affect incoming traffic, apply it to the desired interfaces:

	[edit interfaces]
	aviva@router1# set fe-0/0/0 unit 0 family inet filter input protect-RE


Discussion

An interface can have one inbound and one outbound firewall filter, so if you already have filters in place that control the incoming and outgoing interface traffic, you can add a term that applies to NMS access. To filter polling requests from NMS systems, add the term to the inbound filter; to filter the router's responses, add it to the outbound filter. This term allows four NMS systems, all identified by IP address, to send SNMP requests to the router. The destination-port option matches the SNMP port number (161) in the packet's UDP destination port field, and you include the udp option because SNMP exchanges use UDP, not TCP.

You then have to decide where in the filter to place the term. Because the terms in the firewall filter are evaluated in the order in which they appear, the placement affects the efficiency of the filter. Generally, terms for operations that need to be performed quickly, such as BGP peering and IGP and DNS traffic, are at the beginning of the filter. For operations that are less time-critical, including processing SNMP traffic, place the term towards the end of the filter.

For the filter to do anything, you apply it to the desired interface with the set filter input command.

To create a parallel filter for outbound SNMP traffic, you can incorporate the same term into the interface's outbound firewall filter and then apply it on the outgoing side:

	[edit interfaces]
	aviva@router1# set fe-0/0/0 unit 0 family inet filter output outgoing-from-me

Fashion the firewall filter for outgoing SNMP a bit differently to allow the router to send SNMP traps. Specify a source port of snmp (port 161) and a destination port of snmptrap (port 162):

	[edit firewall filter outgoing-from-me]
	aviva@router1# set term allow-snmp-to-nms-systems source-port snmp
	aviva@router1# set term allow-snmp-to-nms-systems destination-port snmptrap

Instead of listing addresses individually in the from source-address portion of the configuration, a shortcut is to create a prefix list and then reference the list from the term. A prefix list is simply a named list of IP prefixes created in the [edit policy-options] portion of the configuration and then referred to in firewall filters and in routing policies.
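As an added example (not from the cookbook), here is the same restriction written out in Junos hierarchical configuration using the prefix-list shortcut, with a follow-on term that counts, logs, and discards SNMP from any other source so that unexpected polling attempts show up in the firewall log. The names nms-systems, deny-other-snmp, and snmp-rejected are assumptions; the addresses are the ones from the recipe.

```junos
policy-options {
    /* one named list of the NMS addresses, reusable in other filters and policies */
    prefix-list nms-systems {
        10.0.0.1/32;
        10.0.5.1/32;
        10.0.6.1/32;
        10.10.1.50/32;
    }
}
firewall {
    filter protect-RE {
        /* time-critical terms (BGP, IGP, DNS) belong above this point */
        term allow-snmp-from-nms-systems {
            from {
                source-prefix-list {
                    nms-systems;
                }
                protocol udp;
                destination-port snmp;
            }
            then accept;
        }
        /* anything else aimed at UDP/161 is dropped, counted, and logged */
        term deny-other-snmp {
            from {
                protocol udp;
                destination-port snmp;
            }
            then {
                count snmp-rejected;
                log;
                discard;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input protect-RE;
                }
            }
        }
    }
}
```

After committing, show firewall filter protect-RE displays the snmp-rejected counter and show firewall log shows the dropped packets, which is a quick way to confirm the term is placed and matching as intended.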

See Also

Recipes 9.3, 9.15, and 9.16

JUNOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett