| technology | networking - Ross Heintzkill
Juniper Zones Explained
Usually hovering around 10% of the router market share, Juniper Networks might not have a global stranglehold on networking products, but they're also not negligible. For top-of-the-line speed, throughput and open architecture, Juniper outperforms their competition — including Cisco, who holds a larger, broader market share.
Juniper networks are particular, though, from their hardware to their security. Juniper's best approaches to security include the Juniper Networks SRX Series Gateways — high-performance enterprise security, routing and networking devices. A key to understanding how SRX gateways keep the right people in and the wrong people out is understanding Juniper Zones.
What is a Juniper Security Zone?
Quick Definition: Network traffic has to have a place to enter and exist on network devices — those are interfaces. In Juniper networks, a security zone is what you get when interfaces get bundled together and given the same regulation requirements. A zone is a group of interfaces with similar security needs.
An Overview of Juniper Zones [VIDEO]
In this video, Scott Morris covers Juniper zone concepts and how they interact with the security gateway in JUNOS (SRX). Simply put, a zone is a group of interfaces with similar security needs, and policies are going to handle how traffic is controlled between each of these zones.
How Do Juniper Security Zones Work?
In this post, we're going to explore Juniper security zones and how they're defined and operate. You should think of this as a preliminary introduction to the idea of Junos zones, and not a definitive tutorial on managing and configuring Junos security. For more in-depth training in Juniper configuring, browse CBT Nuggets' training for Juniper Networks.
The easiest way to imagine zones is to conceptualize a hypothetical network diagram. We have the wide, open internet over on one side of our network, and separating our network from the hazards and dangers of the web is a Juniper SRX device. Through four separate interfaces, the SRX is connected to four EX4200s, a Juniper ethernet switch.
Those four EX4200s each belong to a zone. Because the interfaces inside each zone receive identical security regulations, it's pretty common to separate zones according to functional departments. So in our case, we'll have an IT Zone for our IT staff and department, a Data Center Zone, Engineering Zone, and a Human Resources Zone. Depending on the size of the organization, we might have many more other zones, too.
In our network diagram, the internet is separated from our network, but the most accurate way to conceptualize the internet in this case would be to call that the Internet Zone. All the traffic in the Internet Zone is separated from our internal zones by routers and switches. It's the job of the network engineer to set up the interfaces to belong to one zone or another.
What is the Null Zone in Juniper Network Security?
In Juniper Network Security, there is a Null Zone, or "blank" zone. The Null Zone exists by default, and all interfaces that aren't assigned anywhere else belong to the Null Zone. What's essentially happening in the Null Zone is that all traffic going into and out of that zone is getting dropped. The default behavior of the Null Zone is that it doesn't go anywhere.
Once you know this about the Null Zone, it's a standard security practice. But if you're not familiar with this default behavior, it can be confusing and annoying. Because out of the box, if you were to plug in an SRX device, you'd find that network traffic isn't routing. The traffic doesn't get where you want it to, and you likely wouldn't know why. On Juniper devices, interfaces are in the null zone by default, where traffic won't be passed until the interface is assigned to a zone.
There are some minor exceptions to this. Management interfaces like fxp0 and em0 don't technically start in the null zone. Nevertheless, fxp0 and em0 interfaces — acting like standard management interfaces — allow network access to each node in the cluster, and still need to be configured before accessing them.
Juniper Security Zone Rules vs. Juniper Security Zone Policies
Something to remember about zones, and the reason that management interfaces like fxp0 and em0 don't need to be explicitly attached to a zone, is that zones define rules of transit. That is to say, zones regulate packets coming into or going out of the router itself. Transit and egress of packets from and between users is what zones focus on.
And there are rules about zone behavior too. But by that we don't mean policies. Zone policies are the rules for the handling of traffic. But zone rules are how zones behave, what they're capable of, and most importantly, what they're not capable of.
Obviously, zones exist to have logical interfaces assigned to them. A logical interface may be assigned into a zone, but it can't be assigned to more than one zone. Similarly, a logical interface can be assigned to a routing instance. But you can't assign the same logical interface to more than one routing instance. In both cases, zones and routing instances, it's got to be one thing or another.
To think back to our network diagram, we couldn't have a single interface be both in HR and Engineering. We might set up access controls that allow for highly similar features between the HR interface and Engineering interface, but we can't have one interface belong to multiple zones.
Notice that we're referring to the point on the device that does the routing as the "logical interface". If you're not entirely familiar with routing in the Junos world, that term might throw you off. But you might have heard it referred to elsewhere, in other routing schema, as a unit. Other vendors also refer to the same concept as a "sub-interface". Really, whatever you want to call it is fine.
But it's important to understand that it's the logical portion that must belong to one and only one zone or routing instance. The nature of abstracting the interface and converting it to a logical interface for the SRX to interact with means that it can't be subdivided to other zones and interfaces.
Can Logical Interfaces in the Same Zone Be Assigned to Different Routing Interfaces?
No, a logical interface cannot be assigned to different routing interfaces than other interfaces in the same zone. The reason for this has to do with the logical abstraction of the interfaces.
In other words, we can't have some places in HR belong to one routing instance and other places in HR belong to another one. Remember that a zone is a group of interfaces receiving the same security measures and transit policies. Splitting a zone up in that way wouldn't just be counter-intuitive, it would make for a freakishly confusing situation on the SRX itself.
The bottom line when it comes to zone behavior is that if you want to assign different interfaces in the same zone to different routing interfaces, you'll need to set up multiple zones. Not only that, but that means that an incredibly important part of planning and creating your zones is understanding and taking into account how your interfaces are done. All of the logical interfaces in one particular zone must belong to the same routing instance.
To that effect, many engineers keep the demarcation very simple. In other vendors, you might see the simple differentiation of "Inside" and "Outside". In the Junos world, that isn't quite the default behavior. The default behavior on branch devices will have some zones already baked in. Those are typically a "Trust" and an "Untrust".
The common wisdom in the IT world is that Juniper Networks' relatively small market share tends to mean that the IT professionals who are trained and familiar with the devices are especially valuable. It's a matter of low supply and considerable demand.
Understanding Juniper zones, how they route, and the rules that govern them is core to using and securing Juniper networks. If you're interested in starting a career in Junos networking, consider CBT Nuggets' associate-level JNCIA-Junos (JN0-102) training.