Hi
Newbie with Juniper hw, but wondering what the best practices are for setting up an SA700 behind an SSG140, please? For example, stick the SA appliance in the existing DMZ, or enable one of the spare interfaces on the SSG and link it there, etc. Thanks in advance.
Ott
Hi
I would always suggest putting the external port of the SA behind a firewall, solely for the purpose of protecting the device from DoS and DDoS attacks. There are some mechanisms onboard to prevent the success of such attacks, but it is always better to get this job done by a device that is really designed for it: a firewall.
With regards to the internal port, you are really free to place it on a firewall port or directly on your internal network. This depends on how much configuration work you want to do on the firewall (you need all the ports open for AAA, logging, applications, etc.) and, on the other hand, on how high your demands are in terms of security/visibility/control.
Regards
T.
Hi
You can put your SA behind your SSG in the DMZ, for example:

    internet <---------- SSG ----------> DMZ - SA
                          |
                          |
                     local Network

If you need more detail or need help implementing your SA with config, let me know.
Thanks
As Mehdi said - you can put it in the DMZ and it works fine. You can also put it in the trust zone - add a MIP and a policy from untrust to trust to the MIP address and that works fine also. I have set them up both ways. You can configure the IVE to just use one interface (internal) or to use both the internal and external.
It depends on how "secure" you want to make your environment and what level of complexity you want to add to put it in.
Most deployments I do are one-armed (internal interface) in the DMZ. The reason I don't like to deploy an SA in trust is both security and routing. When only using proxy, this might not be much of an issue; however, when using Network Connect, routing and security are more of a concern.
Hi
Yes, all right.
OTT, let us know what you would like to do. There are different topologies; tell us what you want and we can help you.
However, put your SA in the DMZ with a MIP, use one of the SA's Ethernet ports, and let your firewall forward traffic to the local network with policy and routing.
We await your decision.
Take care all
Thanks
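The one-armed DMZ layout with a MIP described in the last two replies (and the untrust-to-MIP policy mentioned earlier in the thread), written out as an added ScreenOS configuration example; this is not configuration from the original posters. All addresses, interface names and the address-book names are constructed for illustration (RFC 5737 and RFC 1918 ranges), and the `#` lines are annotations, not ScreenOS syntax.

```screenos
# Untrust-facing and DMZ-facing interfaces on the SSG140 (constructed values)
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.10/24
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 192.168.10.1/24

# MIP: public 203.0.113.20 maps 1:1 to the SA700 internal port at 192.168.10.20
set interface ethernet0/0 mip 203.0.113.20 host 192.168.10.20 netmask 255.255.255.255 vr trust-vr

# Address-book entries used by the policies below
set address dmz "sa700-internal" 192.168.10.20 255.255.255.255
set address trust "corp-lan" 10.0.0.0 255.255.255.0

# Only HTTPS from the Internet reaches the SA, via the MIP; everything else stays denied
set policy id 10 name "inet-to-sa700" from untrust to dmz any mip(203.0.113.20) https permit log

# The SA's internal port may reach the LAN for AAA, logging and published applications;
# narrow the service list to what is actually used instead of "any"
set policy id 11 name "sa700-to-lan" from dmz to trust "sa700-internal" "corp-lan" any permit log

# Let the SSG absorb the flood-type traffic the first reply warns about
set zone untrust screen syn-flood
set zone untrust screen ip-spoofing
```

Because the SA sits in its own zone, the DMZ-to-trust policy and the firewall's own route back to 10.0.0.0/24 are what carry Network Connect client traffic to the LAN, which is the routing concern raised in the thread.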