Limiting Access to OneConfig

We've had a few queries recently about whether it was possible to restrict the access of the persistent OneConfig connection to your Junos SRX and EX devices. Great question. When you use our web interface we use our connection to gather information from your devices using the equivalent of operation commands and a few snippets of configuration. This 'just-in-time' collection enables us to give you the functions in the web app. After a short timeout, we clear the details from the cache. In short, none of your device configuration information is stored on our system.

For example, if you want to edit a security policy we need to collect the zones, the policies and any address books that go with them. If you make a change, we construct what is needed to be changed in your configuration, we make sure no one else is currently making a change, and then we push the change (whilst doing a commit check).

This is all done over secure connections: SSL web session from your browser to our web application, then over an SSH encrypted netconf session to your SRX or EX. A similar process is used when we display and edit interface information.

If you want to be more restrictive in what the OneConfig connection can access, then that is certainly possible. We encourage you to look at the following example and apply it to anything that you would never want to come over the connection to us. As an example here I'm going to use the [system] hierarchy of the configuration. This part of the configuration has lots of things like usernames/passwords, system services and logging. We don't do anything with that part of the config, but if we did give you options in the future, you may want to restrict it. Here is how you'd do it.

First, you'll need to create a custom user class that you can assign to the OneConfig user.

[edit system login class restrict-oneconfig]
user@host# set permissions all
user@host# set deny-configuration-regexps "system"

Then you would assign that role to the OneConfig user:

[edit system login user oneconfig] user@host# set class restrict-oneconfig

You can then commit the change,

[edit system login user oneconfig]
user@host# top 

[edit]
user@host# commit check 

configuration check succeeds

user@host# commit and-quit 
commit complete
Exiting configuration mode

Now the [system] hierarchy will no longer be accessible, and you can check it by logging in as the OneConfig user.

[edit]
oneconfig@host# edit system
 ^
syntax error, expectingor .

[edit]
oneconfig@host# exit
Exiting configuration mode

oneconfig@host> show configuration sy
 ^
syntax error.

This is just one example of an area you could protect using this method. You can expand this to restrict access to commands, or conversely allow only specific commands/configuration.

Enjoy.

Further reading:

https://kb.juniper.net/KB23038

http://www.juniper.net/techpubs/en_US/junos11.3/topics/example/access-privileges-configuration-mode-commands-regexps-configuring.html