Author Topic: Restrict Access to Management Port ONLY  (Read 1119 times)

MichAda

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Restrict Access to Management Port ONLY
« on: October 06, 2016, 06:36:54 pm »
I thought using the Out-of-Band management interface would restrict management of the switch to only the management port on the back of the switch (me0) and the console port.
Apparently that is not the case because I've been able to access the JWEB UI from any port on the switch.
I've been trying to restrict access to ssh, http, and https management on an EX2200 switch using firewall filters, but everything I do comes up short.
Opened a ticket with support and they had me alter the filters several ways, but none seem to do the job without also having adverse affects.
They've offered no other solutions so far.

Anyway, is there anyone out there that can provide a sample switch config where switch management can only be performed on the management port (the one on the back of the system) and the console port?

Any help would be greatly appreciated!!

MichAda

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Re: Restrict Access to Management Port ONLY
« Reply #1 on: October 11, 2016, 06:39:10 pm »
I was finally able to get this working the way I wanted, but I'm not sure if there is any potential for negative impact.
If you happen to know something in my solution that could cause problems, I'd really like to hear about it.

Now for those that may have a similar requirement, I'll post what I did...Maybe it will help someone.

Just to be clear on my requirement.
We needed to send the switch to a remote site to provide a group of developers an isolated lab environment.
Their lab switch was going to hang off of a spare port on the firewall for internet connectivity and this lab would have NO restrictions.  We typically just use vme for management, and don't really restrict access, but this one was going to have to be set up differently than our others.  We needed to be able to remotely manage the switch, but we wanted management services to be provided ONLY through the MGMT port and IP.  So the plan was to connect MGMT port on the back of the EX2200 to an internal network that would provide us access for management.  Configuring the switch to behave, as we needed, was not obvious to me at all.

Getting the MGMT port to work was no problem.
Restricting access to the MGMT port was no problem.
However, restricting endpoints from having management access via the RVI...THAT was my problem.

My first few attempts focused on using firewall filters to only allow admin ips access to management services on the RVI.
Thought it was going to work, but it dropped all other internet traffic.

After several failed attempts, I finally opened a ticket with support...Apparently this is not a popular request with support either.  My support tech acted like I was trying to put a square peg into a round hole.
Best advice he/she offered was to change the port number used by http(s) and then block that.  After proving to be of very little help (not typical of my experience with juniper support) I went back to trial and error testing until I finally came up with what I hope to be the right solution.

KB19171 really put me on the right track.

So, anyway, this is what I did.

I restricted http and https to only listen on me0 using this:
set system services web-management http interface me0.0
set system services web-management https interface me0.0

Then I created a firewall filter to drop anything to/from lo0 that used any of the management services, but then allow anything else that did not match:
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Src_Ports from source-port ssh
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Src_Ports from source-port http
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Src_Ports from source-port https
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Src_Ports from source-port telnet
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Src_Ports then discard
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Dst_Ports from destination-port ssh
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Dst_Ports from destination-port http
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Dst_Ports from destination-port https
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Dst_Ports from destination-port telnet
set firewall family inet filter Mgt_To_lo0_Blocked term Dropped_Dst_Ports then discard
set firewall family inet filter Mgt_To_lo0_Blocked term Else_Accept then accept

Next I created the filter to only allow predefined systems access to the switch management port me0, and anything else that did not match would be dropped by the implicit deny:
set firewall family inet filter Mgt_To_me0_Allowed term Allowed_Manager_IPs from source-prefix-list ADM
set firewall family inet filter Mgt_To_me0_Allowed term Allowed_Manager_IPs then accept

Now assign the filter to appropriate interface:
set interfaces me0 unit 0 family inet filter input Mgt_To_me0_Allowed
set interfaces lo0 unit 0 family inet filter input Mgt_To_lo0_Blocked

The above reference to 'lo0' was odd to me, because even though I call out 'lo0' as listed above, it was not previously visible anywhere in my config...until the additions above...but it still worked and all seems well...so far.

Really hope this helps someone else someday.