• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 856
  • Last Modified:

SSG5 - tunnels, zones and VPN

Hi Experts,

I'm new to Juniper firewalls and am having a hard time wrapping my brain around how tunnels and zones are used. Does anyone know a good link to good documentation on these topics?
3 Solutions
This is a good start to get info regarding VPNs


Another good link to have is for the Juniper technical publications


From there you can get detailed docs on doing pretty much all that you want to do with Juniper boxes.

kb.juniper.net is also a great resource for researching basic info.  Note some solutions will require a valid login for the site but there are still quite a lot of articles open to the public.

The idea behind the zones is to allow us to group similar networks and interfaces with similar security requirements into one logical unit. We can then use this to assign specific levels of security and policies.

ScreenOS (and now Junos) use a pair of zones to display the directionality of the traffic, i.e. from trust to untrust or from untrust to dmz etc.

This is different from other firewalls in that if we need 2-way traffic on a particular set of parameters we MUST have 2 rules, i.e. from trust to untrust any any any permit and from untrust to trust any any any permit (the reverse), rather than having the same source and destination nets in each source and dest window (like Check Point).

Although it can add to the number of rules you have overall, because the unit will only ever look at policies assigned for the specific zonal direction, the actual policy look up for the traffic is generally quicker than other vendors as there are fewer matching policies to go through.

Zones are well explained by deimark. You can group several interfaces into the same zone, and no policies will be applied between the interfaces. As he said, zones need to be crossed for policies to be applied.

About tunnels: There are two kinds of tunnels on ScreenOS: tunnel interfaces, which are statically defined virtual interfaces for VPN, or dynamic tunnels, which are created as soon as a VPN is connected. That makes it a bit more complicated to understand, but you need not know the tunnel interfaces for a start, as long as you do not have special requirements.
Dynamic tunnels are created if you use policy-based VPN. That is, you define your VPN parameters in a policy only; no routing info is needed, it is all done by the policy. Those VPNs are the easier ones, as you can visually see what they have defined.

Tunnels can be imagined as pipes in pipes. There is always something wrapped around the contents, to hide it from the public; like an envelope in another envelope. The simplest tunnel just wraps another protocol around the packet, e.g. IP with embedded IP, to be able to pass packets addressed from and to private addresses over a public medium (Internet). Usually you want to encrypt the contents, especially when using the Internet for carrying the tunnel, and that is what you define in VPN settings. There are more VPN settings for securing the authenticity, encryption key (re)negotiation and so on, which make them much more secure.

I recommend reading the corresponding volumes of the Concepts & Examples of Juniper ScreenOS. They cover the basics well, and allow for specific reading if needed.
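To tie the two answers together, here is a worked ScreenOS CLI example, added here and not taken from either answer or from Juniper documentation. It shows the zone-pair policy model from the first answer (one rule per zone direction) and the two tunnel styles from the second (policy-based "dynamic" tunnel versus a route-based tunnel interface). Everything in it is assumed: the interface-to-zone mapping, the address names, the peer name "branch-gw" and the VPN names, and the constructed addresses 192.168.1.0/24 (local LAN), 203.0.113.1 (our public IP), 198.51.100.2 (peer) and 10.2.0.0/24 (remote LAN); the pre-shared key is a placeholder.

```screenos
## Added example config for a hypothetical SSG5; addresses are constructed.

## 1. Zones: put interfaces with similar security requirements in one zone.
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 203.0.113.1/24

## Address-book entries are scoped to the zone they belong to.
set address "Trust" "LAN" 192.168.1.0 255.255.255.0
set address "Untrust" "Branch_LAN" 10.2.0.0 255.255.255.0

## 2. Policies are looked up per zone pair, so each direction needs its own
## rule. Policy 1 allows sessions *started* from the LAN; reply packets of
## those sessions are matched by the session table and need no reverse rule.
## Policy 2 would allow sessions started from the Internet toward the LAN,
## which is rarely wanted, so it is left commented out.
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
## set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log

## 3a. Policy-based VPN ("dynamic tunnel"): the tunnel action in the policy
## itself decides what is encrypted; no routing entry is needed. Again one
## policy per direction, one for each side initiating sessions.
set ike gateway "branch-gw" address 198.51.100.2 Main outgoing-interface "ethernet0/3" preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
set vpn "to-branch" gateway "branch-gw" sec-level standard
set policy id 10 from "Trust" to "Untrust" "LAN" "Branch_LAN" "ANY" tunnel vpn "to-branch" log
set policy id 11 from "Untrust" to "Trust" "Branch_LAN" "LAN" "ANY" tunnel vpn "to-branch" log

## 3b. Route-based VPN (tunnel interface). This is an ALTERNATIVE to 3a for
## the same peer, not an addition: remove policies 10/11 and vpn "to-branch"
## first. The VPN is bound to tunnel.1, which sits in a zone like any other
## interface; a route decides what enters the tunnel and plain permit
## policies between the zones control it.
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/3
set vpn "to-branch-rb" gateway "branch-gw" sec-level standard
set vpn "to-branch-rb" bind interface tunnel.1
set route 10.2.0.0/24 interface tunnel.1
set policy id 20 from "Trust" to "Untrust" "LAN" "Branch_LAN" "ANY" permit log
set policy id 21 from "Untrust" to "Trust" "Branch_LAN" "LAN" "ANY" permit log

## Checks: list the policies for one zone direction, and confirm the
## IPsec security associations came up after traffic is sent.
## get policy from "Trust" to "Untrust"
## get sa
```

The practical takeaway is the one both answers make: the firewall only consults the policy set for the zone pair the packet crosses, so a missing reverse-direction rule shows up as "no session" for connections initiated from the other side, not as a broken reply path. With the route-based variant, the tunnel interface's zone placement determines which policy set applies to traffic leaving the tunnel, so putting tunnel.1 in its own zone (e.g. "VPN") instead of "Untrust" is the usual way to give branch traffic tighter rules than general Internet traffic.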
