Practical Amazon VPC - Part 2 of 3 - Juniper SSG-5
Contents:
- Introduction
- Juniper SSG-5 Overview
- Default UnTrust Zone
- Default DMZ Zone
- Default Trust Zone
- Port, Zone and Cabling Summary
- Juniper ScreenOS Configuration
- Juniper ScreenOS Configuration
- Setup Summary
- Setup Summary Recap
- VPC Subnets
- VPC Deployment Demo Plan
- Demo
Our device: Juniper SSG-5
(Image: ssg-5-pic.jpg)

Cabling guide: Internet/Untrust "zone"
(Image: ssg-5-pic.jpg)
- Port: ethernet-0/0
- ScreenOS Zone: UnTrust
- Connected to: Internet

Cabling guide: DMZ "zone"
(Image: ssg-5-pic.jpg)
- Port: ethernet-0/1
- ScreenOS Zone: DMZ
- Connected to: Nothing (unused)

Cabling guide: Trust "zone"
(Image: ssg-5-pic.jpg)
- Ports: ethernet-0/2 - 0/6 ("bgroup0")
- ScreenOS Zone: Trust
- Connected to: Local Network

Cliché Setup Example
(Image: ssg-5-pic.jpg)
- ethernet-0/2 - 0/6 ("bgroup0"): connected to company LAN ("Trust" Zone)
- ethernet-0/1: connected to DMZ servers (FTP, SMTP, Web, etc.) ("DMZ" Zone)
- ethernet-0/0: connected to Internet ("Untrust" Zone)
Juniper ScreenOS Configuration

Oversimplifying, but ... configuring the device mainly revolves around:
- Configuring "zones"
- Configuring policies that enforce what is allowed to occur within each zone
- Configuring policies that enforce what traffic is allowed to pass/route/transit between zones

A number of useful things are already set up by default on the device.
Juniper ScreenOS Configuration: Our configuration

Untrust Zone / port ethernet-0/0:
- Connect to internet, assign static IP
- DNS name: dirt.bioteam.net
- Allow SSH & HTTPS to static IP
- Block just about everything else

Trust Zone / port ethernet-0/2:
- Attach to internal 192.168.1.0 network
- Connect port ethernet-0/2 to our testing server
- ScreenOS Policy: Allow ALL from Trust to Untrust
Actual Setup
(Image: ssg-5-pic.jpg)
- ethernet-0/2: connected to 192.168.1.0/24 network and our test Linux server
- ethernet-0/0: connected to internet as "dirt.bioteam.net"

VPC Deployment Demo: Our Local Environment
- One Juniper SSG-5, attached to internet as 'dirt.bioteam.net'
- One local test server, attached to Juniper SSG-5 "Trust" Zone
- Local network: 192.168.1.0/24
VPC Deployment Demo: Our Amazon Cloud VPC Environment
- Amazon VPC lets us define our subnets
- We can define multiple subnets using standard CIDR network notation
- When starting EC2 servers we can tell AWS what subnet to attach our server to
- For this demo:
  - One standard Class-C subnet (10.0.0.1/24)
  - One smaller subnet (10.0.0.128/25)

VPC Deployment Demo: The Plan
1. Set up an Amazon VPC link
2. Define our two cloud subnets
3. Configure our Juniper SSG-5
4. Bring the VPC link up
5. Using our local test server:
   - Start an EC2 server within our private cloud
   - Confirm that it has been assigned an IP address within our defined 10.0.0.128/25 subnet
   - Confirm we can ping & login to it via our local test server

Demo
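The subnet slide and the final verification step of the plan ("confirm the EC2 server got an address inside 10.0.0.128/25") can be checked mechanically before anyone pings anything. The following is an added example written for this page; it is not code from the slides or from BioTeam, and it uses only the Python standard library. It takes the two demo prefixes exactly as the slides write them, normalizes them (the /24 is written as 10.0.0.1/24, with a host bit set), tests whether a constructed sample instance address 10.0.0.140 falls inside the /25, and goes one step beyond the slide by also reporting whether the cloud subnets overlap each other or the local 192.168.1.0/24 network that the VPC link will be routing to. The figure of five addresses that AWS reserves in every VPC subnet comes from AWS documentation, not from the slides.

```python
import ipaddress

# Subnet values as written on the demo slides. The /24 is given as
# 10.0.0.1/24 (host bit set), which is why strict=False is used below.
DEMO_SUBNETS = {
    "class-c": "10.0.0.1/24",
    "small": "10.0.0.128/25",
}
# Local network behind the SSG-5 Trust zone, as on the slides.
LOCAL_NETWORK = "192.168.1.0/24"

# AWS reserves the first four addresses and the last address of every VPC
# subnet (network, VPC router, DNS, reserved for future use, broadcast).
# This number is from AWS documentation, not from the slides.
AWS_RESERVED_PER_SUBNET = 5


def normalize_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network for a CIDR string, clearing host bits (10.0.0.1/24 -> 10.0.0.0/24)."""
    return ipaddress.ip_network(cidr, strict=False)


def has_host_bits(cidr: str) -> bool:
    """True when the prefix was written with an address that is not its network address."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return False
    except ValueError:
        return True


def ip_in_subnet(ip: str, cidr: str) -> bool:
    """Membership test behind the demo's 'assigned an IP within 10.0.0.128/25' check."""
    return ipaddress.ip_address(ip) in normalize_cidr(cidr)


def overlapping_pairs(cidrs: dict) -> list:
    """Return every pair of named subnets whose address ranges overlap."""
    names = sorted(cidrs)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if normalize_cidr(cidrs[a]).overlaps(normalize_cidr(cidrs[b])):
                pairs.append((a, b))
    return pairs


def usable_hosts(cidr: str) -> int:
    """Addresses EC2 instances can actually receive once AWS's reserved addresses are removed."""
    return normalize_cidr(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def check_instance(ip: str, expected_subnet: str, local_network: str = LOCAL_NETWORK) -> dict:
    """Run the plan's verification step for one launched instance address."""
    return {
        "in_expected_subnet": ip_in_subnet(ip, expected_subnet),
        "collides_with_local": ip_in_subnet(ip, local_network),
        "vpc_and_local_overlap": normalize_cidr(expected_subnet).overlaps(
            normalize_cidr(local_network)
        ),
    }


if __name__ == "__main__":
    # Constructed sample: an address AWS might hand out inside the /25.
    sample_ip = "10.0.0.140"
    for name, cidr in DEMO_SUBNETS.items():
        flag = " (host bits set, normalized)" if has_host_bits(cidr) else ""
        print(f"{name}: {cidr} -> {normalize_cidr(cidr)}{flag}, "
              f"usable hosts: {usable_hosts(cidr)}")
    print("overlapping subnets:", overlapping_pairs(DEMO_SUBNETS))
    print(f"instance {sample_ip}:", check_instance(sample_ip, DEMO_SUBNETS["small"]))
```

Run it as a script and it prints the normalized prefixes, the usable host count per subnet and the verification result for the sample address. Note that `overlapping_pairs` reports the two demo prefixes, taken literally, as overlapping: 10.0.0.128/25 sits inside 10.0.0.0/24, so an address from the /25 is also an address of the /24, and the membership check alone would not tell you which subnet AWS actually placed the instance in. The overlap test against 192.168.1.0/24 is the one worth keeping in a real deployment, since an overlap there would make the VPC route and the local route compete on the SSG-5.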