Juniper-防火墙的管理.ppt (Juniper firewall management), slide deck text, 54 pages, PPT, 2.02 MB, hosted on 三一办公 (31ppt.com)
Slide 1: Firewall management

Slide 2: Objectives
  • Introduce firewall management
  • Manage the firewall through the console line and over the network
  • Configure administrator settings and options
  • Configure management communication between the firewall and third-party devices
  • License management
  • Management of the firewall's configuration files and software upgrades
  • Disaster recovery management

Slide 3: System components
All key system functions run in memory. The firewall configuration can be modified through the console line and the WebUI.
[Diagram: RAM holds tables, buffers, the running config and the active ScreenOS; Flash holds the ScreenOS image, the saved config, certificates etc. and is loaded at power-up/reset. Console and WebUI issue "get" and "set" operations against RAM; interfaces connect to TFTP, auxiliary storage and auxiliary management servers (DNS/Syslog).]

Slide 4: Establishing a console connection
The firewall can be connected through a physical console cable. Benefits of the console cable:
  • Direct connection to the firewall, good security
  • Configuration needs no network connection
  • No IP address needed
  • Boot messages are visible
  • Real-time debug or snoop output is visible
[Diagram: NetScreen device, console port]

Slide 5: Command-line interface
Log in to the firewall from a terminal with the default credentials:
    login: netscreen
    password: netscreen
The command line interface (CLI) is the default mode.
  • Use the Up and Down arrow keys to recall previous commands
  • Use CTL-A to move to the beginning of a command line
  • Use CTL-E to move to the end of a command line
  • Use the Left and Right arrow keys to position the cursor when editing commands
  • Use TAB for command completion
  • Help facility available: use ? to display options, ? at the prompt for commands, ? within a command for parameters

Slide 6: CLI command help
    ns208-> ?
    clear        clear dynamic system info
    exec         exec system commands
    exit         exit command console
    get          get system information
    ping         ping other host
    reset        reset system
    save         save command
    set          configure system parameters
    trace-route  trace route
    unset        unconfigure system parameters
Entering a question mark gives real-time help: the left column lists the commands, the right column describes each one.

Slide 7: Displaying status information - CLI
    ns208-> get system
    Product Name: NS208
    Serial Number: 0043042002000034, Control Number: 00000000
    Hardware Version: 0110(0)-(11), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 5.0.0.0, Type: Firewall+VPN
    Base Mac: 0010.db1d.1c30
    File Name: n200-LAS0z0ad, Checksum: 00000000
    Date 04/15/2003 22:06:53, Daylight Saving Time enabled
    The Network Time Protocol is Disabled
    Up 2 hours 31 minutes 14 seconds Since 15 Apr 2003 19:35:39
    Total Device Resets: 0
    System in NAT/route mode.
    Use interface IP, Config Port: 80
    User Name: netscreen
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Trust, vr trust-vr
      dhcp disabled
      *ip 1.1.1.1/24   mac 0010.db1d.1c30
      *manage ip 1.1.1.1, mac 0010.db1d.1c30
    --more--
In the CLI, get commands provide valuable status about operational conditions: system serial number, software version, operating mode, interface status, interface address, management addresses.

Slide 8: Graphical interface - WebUI
NetScreen firewalls can be managed through a graphical interface. Requirements (i.e. one IP address): a PC on the same network segment as the firewall; password protection.

Slide 9: Initial configuration wizard
A new device can be configured through the initial configuration wizard, or the wizard can be skipped and the configuration done by hand.

Slide 10: Initial configuration wizard (cont.)
When initialization finishes, the system presents the resulting configuration information to the user.

Slide 11: WebUI main screen
Displays information similar to the get system output.

Slide 12: WebUI Java menu
Navigation in the category selection panel can be accomplished using Java link format.

Slide 13: Configuring administrator access - overview
  • Configure an IP address for communication: assign the address, management services, manage-IP addresses (optional)
  • Change the root administrator password
  • Create system administrators
  • Administrator options: timeouts, manager-IP addresses

Slide 14: Interface configuration steps
  • Assign the interface to a security zone
  • Define the L3 IP address

Slide 15: Zone and interface assignment
A strict hierarchical linkage exists between zones and interfaces in a NetScreen device:
  • Zones are assigned to a virtual router
  • Interfaces are assigned to a security zone
  • An interface can only belong to one security zone
  • Individual configuration parameters are assigned to interfaces: IP addresses, management services, others
[Diagram: Virtual Router > Zone > Interface > IP]

Slide 16: Zone types
Security zones: pre-defined (Trust, Untrust, DMZ; V1-Trust, V1-Untrust, V1-DMZ), user-defined, tunnel zones.
Function zones: Null, MGT, HA, Self, VLAN.
    ns5gt-> get zone
    Total 10 zones created in vsys Root - 5 are policy configurable.
    Total policy configurable zones for Root is 5.
    ID  Name         Type     Attr    VR          Default-IF  VSYS
    0   Null         Null     Shared  untrust-vr  hidden      Root
    1   Untrust      Sec(L3)  Shared  trust-vr    untrust     Root
    2   Trust        Sec(L3)          trust-vr    trust       Root
    4   Self         Func             trust-vr    self        Root
    5   MGT          Func             trust-vr    null        Root
    10  Global       Sec(L3)          trust-vr    null        Root
    11  V1-Untrust   Sec(L2)          trust-vr    v1-untrust  Root
    12  V1-Trust     Sec(L2)          trust-vr    v1-trust    Root
    14  VLAN         Func             trust-vr    vlan1       Root
    16  Untrust-Tun  Tun              trust-vr    hidden.1    Root

Slide 17: Configuring zones/interfaces - WebUI
Network > Interfaces (edit)

Slide 18: Configuring zones/interfaces - CLI
An interface must belong to a security zone before an IP address can be assigned to it.
    set interface <name> zone <zone>
    set interface <name> ip <addr>/<mask>
    ns208-> set interface e1 zone trust
    ns208-> set interface e1 ip 1.1.1.1/24

Slide 19: Management services - WebUI
By default the enabled services depend on the zone assignment: Trust zone: all services enabled; any other zone: all services disabled.
Network > Interfaces > Edit

Slide 20: Management services - CLI
    set interface <name> manage <service>
    ns208-> set interface e1 manage ping
    ns208-> set interface e1 manage web
    Enable all services:
    ns208-> set interface e1 manage
If no management service is named in the command, all management services are enabled.

Slide 21: Manage-IP address
A separate IP address specifically for management.
    set interface <name> manage-ip <addr>
    set interface e1 manage-ip 1.1.1.250
Network > Interfaces > Edit

Slide 22: Verifying the interface configuration - WebUI
Network > Interfaces > Edit

Slide 23: Verifying the interface configuration - CLI
    ns208-> get interface e1
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Trust, vr trust-vr
      dhcp disabled
      ip 1.1.1.1/24   mac 0010.db1d.1c30
      manage ip 1.1.1.3, mac 0010.db1d.1c30
      ping enabled, telnet enabled, SSH enabled, SNMP enabled
      web enabled, ident-reset disabled, SSL enabled
      webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled
      DHCP-Relay disabled
      bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
                 total configured gbw 0kbps, total allocated gbw 0kbps

Slide 24: Device administrators
NetScreen firewalls can be managed by administrators of different levels:
  • Root admin, defined by ScreenOS
  • Local admin, created by the root account
Configuration > Admin > Administrators: click to create a new local administrator; click to view the settings of the root account.

Slide 25: Changing the root administrator's name and password
Configuration > Admin > Administrators
    set admin name <name>
    set admin password <password>

Slide 26: Creating system administrators
Configuration > Admin > Administrators
    set admin user <name> password <password> privilege all|read-only

Slide 27: Verifying administrator information - WebUI
Configuration > Admin > Administrators

Slide 28: Verifying administrators - CLI
    ns208-> get admin user
    Name          Privilege
    -------------------------
    netscreen     Root
    IT-Admin-10   Read-Write
    IT-Admin-20   Read-Write
    Admin-Mktg    Read-Only
    ns208-> get admin ssh all
    Admin Name    SSH PWA enabled   SSH PKA keys
    --------------------------------------------
    netscreen     yes               0
    IT-Admin-10   yes               0
    IT-Admin-20   yes               0
    Admin-Mktg    no                0

Slide 29: Timeout - console
Management via the console port is protected by an idle timeout. The default value is 10 minutes; disable it by setting the timeout to 0.
    set console timeout <minutes>
    ns208-> set console timeout 5

Slide 30: Timeout - WebUI
    set admin auth timeout <minutes>
Configuration > Admin > Management

Slide 31: Manager-IP addresses
For security, a NetScreen firewall can designate a set of IP addresses that are treated as trusted management addresses. They are defined as Permitted IP addresses. A permitted address can carry a mask to define a network segment: a host, a subnet, a network group and so on. Each device can define 6 entries. Earlier versions called this Restricted Management IP.

Slide 32: Configuring Manager-IP
    set admin manager-ip <addr> <mask>
    ns208-> set admin manager-ip 1.1.7.250 255.255.255.255
    ns208-> set admin manager-ip 1.1.1.0 255.255.255.0
Configuration > Admin > Permitted IPs

Slide 33: Verifying Manager-IP - CLI
    ns208-> get system
    Serial Number: 0043042002000034, Control Number: 00000000
    Hardware Version: 0110(0)-(11), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 5.0.0ad.0, Type: Firewall+VPN
    Base Mac: 0010.db1d.1c30
    File Name: n200-LAS0z0ad, Checksum: 00000000
    Date 04/15/2003 22:39:46, Daylight Saving Time enabled
    The Network Time Protocol is Disabled
    Up 3 hours 4 minutes 7 seconds Since 15 Apr 2003 19:35:39
    Total Device Resets: 0
    System in NAT/route mode.
    Use interface IP, Config Port: 80
    Mng Host IP: 1.1.7.250/255.255.255.255
    Mng Host IP: 1.1.1.0/255.255.255.0
    User Name: netscreen
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Trust, vr trust-vr
    --more--

Slide 34: How management requests are processed
Management requests terminate on the unit. As a security device, the NetScreen must qualify all management requests:
  • Match the management address of the arriving interface
  • Match the IP address of a trusted source
  • Match an allowed service type
  • Match username/password
[Diagram: management service filter: interface manage-ip (management address) -> manager-ip (trusted source) -> allowed services -> authentication (username/password)]

Slide 35: External management devices
NetScreen firewalls can also be managed with standard network services, for example DNS, Syslog and SNMP.

Slide 36: DNS configuration
Network > DNS
    set dns host dns1 <addr>
    set dns host dns2 <addr>
    set dns host schedule <time>

Slide 37: Syslog configuration
Configuration > Report Settings > Syslog
    set syslog config <host> facility <facility>
    set syslog config <host> log all|traffic|event
    set syslog src-interface <interface>
    set syslog enable

Slide 38: SNMP configuration - WebUI
Configuration > Report Settings > SNMP

Slide 39: SNMP configuration - WebUI (cont.)
Configuration > Report Settings > SNMP > Community

Slide 40: SNMP configuration - CLI
    set snmp contact <contact>
    set snmp location <location>
    set snmp port listen|trap <port>
    set snmp community <name> trap-on|trap-off
    set snmp community <name> version v1|v2c
    set snmp host <community> <addr> src-interface <interface>
    set snmp host <community> <addr> trap v1|v2c

Slide 41: License key management
The following features require an additional license key: capacity expansion (extended/advanced releases), anti-virus, URL filtering, Deep Inspection. Two ways to install a key:
  • Manual: get the key from Juniper or a reseller
  • Automatic: register the device at the Juniper website, then download the licenses
    exec license-key capacity <key>
    exec license-key update

Slide 42: File management
Back up and restore the important configuration information that a NetScreen firewall needs: the ScreenOS image and the configuration files. Locations for backup/restore: on-board Flash, TFTP server, external storage (SanDisk), management station (WebUI only).

Slide 43: Saving the configuration
WebUI: saves automatically when you click "Apply" or "OK"; the console displays save messages.
CLI: manual command, writes to the on-board flash configuration file:
    ns208-> save

Slide 44: Configuration file management - CLI
Only the root administrator can perform these operations.
Configuration file backup:
    save config from flash to tftp|pcmcia|slot1 <addr> <file>
    ns208-> save config from flash to tftp 1.1.7.250 15Jun03.cfg
Configuration file restore, option 1: copies the file into flash, available at the next reboot:
    save config from tftp|pcmcia|slot1 <addr> <file> to flash
    ns208-> save config from tftp 1.1.7.250 15June03.cfg to flash
Configuration file restore, option 2: merges the file into RAM. BE CAREFUL!
    save config from tftp|pcmcia|slot1 <addr> <file> merge
    ns208-> save config from tftp 1.1.7.250 15June03.cfg merge

Slide 45: Configuration file management - WebUI
Configuration > Update > Config File

Slide 46: Configuration rollback
Provides a "safety net" for a failed/corrupted config. If the default config in flash cannot be loaded, the system will try to load the "last known good" file. Rollback can also be forced manually to correct config mistakes.
Create the rollback file:
    save config to last-known-good
Force a rollback:
    exec config rollback

Slide 47: Software package management
Image backup, image import (upgrade), downgrade from 5.0 or higher to prior releases.
    save software from flash to tftp|pcmcia|slot1 <addr> <file>
    ns208-> save software from flash to tftp 1.1.7.250 ns208image.bin
    save software from tftp|pcmcia|slot1 <addr> <file> to flash
    ns208-> save software from tftp 1.1.7.250 newimage to flash
    exec downgrade

Slide 48: Upgrade example - CLI
    5XT-> save software from tftp 1.1.7.250 newimage.bin to flash
    !tftp received octets=3304662
    tftp success!
    TFTP Succeeded
    Save to flash. It may take a few minutes ...
    update new flash image (02c86db0,3304662)
    platform=17, cpu=10, version=16
    offset=20, address=900000, size=3304584
    date=0, time=0, cksum=28e9f31c
    Program flash (0,3304662) ...
    ....+done
    Done
    5XT-> reset

Slide 49: Upgrade example - WebUI
Configuration > Update > ScreenOS/Keys

Slide 50: "Disaster" recovery
NetScreen devices support features to deal with electronic "disasters": a corrupted ScreenOS image in Flash, a lost root password, a requirement to reset to factory defaults.

Slide 51: Recovering the ScreenOS image - boot mode
    NetScreen NS-200 Boot Loader Version 3.0.0 (Checksum: 35E1A866)
    Copyright (c) 1997-2003 NetScreen Technologies, Inc.
    Total physical memory: 128MB
        Test - Pass
        Initialization - Done
    Model Number: NS-208
    Hit any key to run loader
    Hit any key to run loader
    Hit any key to ru
    Serial Number      0043042002000034: READ ONLY
    HW Version Number  0110: READ ONLY
    Self MAC Address   0010-db1d-1c30: READ ONLY
    Boot File Name     n200-LAS0z0ad: n200-LAS0z0ad
    Self IP Address    172.16.10.1: 1.1.1.1
    TFTP IP Address    172.16.10.131: 1.1.1.2
    Save loader config (112 bytes)... Done
The TFTP server must be in the same subnet as the NetScreen's Self IP address. The server must be connected to: the Trust interface on devices with a Trust interface; the E1 interface on devices with an E1 interface; the E1/1 or MGT interface on systems.

Slide 52: Boot mode (cont.)
    Loading file "n200-LAS0z0ad"...
    r!r.tatatatatatatatatatatatatatatatat
    Loaded Successfully! (size = 3,444,522 bytes)
    Ignore image authentication!
    Save to on-board flash disk? (y/n/m) Yes!
    Saving as default system image in flash disk... Done! (size = 3,444,522 bytes)
    Run downloaded system image? (y/n) Yes!
    Start loading... Done.
    NetScreen Technologies, Inc
    NS200 System Software
    Copyright, 1997-2003
    Version 5.0.0ad.0
    Init Heap (1546000/50b9c00, 32, 00000000/00000000)
    GT64120 revision id: 0x11
    Load NVRAM Information ... (5.0) Done

Slide 53: Lost root administrator password
The password cannot be recovered; the system must be returned to factory settings. Also called "Asset Recovery". All configuration parameters, certificates and keys are deleted. Two methods:
  • Log in at the console with the device serial number as both username and password; warning messages about the destructive result will appear
  • Use the pinhole on the exterior of the system: press until the flashing light changes to red, wait until the flashing red turns to flashing green, then press again

Slide 54: Summary
In this chapter we need to master:
  • The functions of the different management components of the firewall system
  • Establishing a management connection to the firewall over the network and through the console line
  • Configuring administrator settings and options
  • Configuring communication with external management devices
  • Managing configuration files and software package upgrades
  • The steps of disaster recovery
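The request qualification sequence on slide 34 (management address, trusted manager-ip, allowed service, credentials), as an added Python example that is not part of the deck and not ScreenOS code. It parses text laid out like the slide 23 "get interface e1" listing and the slide 33 "Mng Host IP" lines (both samples are constructed here to mirror the slides), runs a management request through the four checks in order, and then audits the same configuration for the weak settings the deck itself points at: telnet and web (clear-text) management left enabled, no permitted IPs, and the factory default password from slide 5. The admin table is hypothetical, and the rule that an empty manager-ip list admits any source is this model's own assumption.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, laid out like the 'get interface e1' listing on slide 23.
GET_INTERFACE_E1 = """\
Interface ethernet1:
  number 0, if_info 0, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  dhcp disabled
  ip 1.1.1.1/24   mac 0010.db1d.1c30
  manage ip 1.1.1.3, mac 0010.db1d.1c30
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
"""

# Constructed sample, laid out like the 'Mng Host IP:' lines of 'get system' on slide 33.
GET_SYSTEM_MNG = """\
Mng Host IP: 1.1.7.250/255.255.255.255
Mng Host IP: 1.1.1.0/255.255.255.0
"""

# Hypothetical admin table; netscreen/netscreen is the factory default from slide 5.
ADMINS = {"netscreen": "netscreen", "IT-Admin-10": "correct horse battery staple"}


@dataclass
class InterfaceMgmt:
    name: str
    zone: str
    ip: str                 # interface address
    manage_ip: str          # manage-ip; falls back to the interface address
    services: set = field(default_factory=set)   # enabled management services, lower-cased


def parse_interface(text):
    """Extract zone, addresses and enabled management services from 'get interface' output."""
    name = re.search(r"Interface (\S+):", text).group(1)
    zone = re.search(r"zone ([\w-]+)", text).group(1)
    ip = re.search(r"\bip (\d+\.\d+\.\d+\.\d+)/\d+", text).group(1)
    manage = re.search(r"manage ip (\d+\.\d+\.\d+\.\d+)", text)
    services = {s.lower() for s in
                re.findall(r"\b(ping|telnet|SSH|SNMP|web|SSL) enabled", text)}
    return InterfaceMgmt(name, zone, ip, manage.group(1) if manage else ip, services)


def parse_manager_ips(text):
    """Turn 'Mng Host IP: addr/mask' lines into networks (ipaddress accepts the addr/mask form)."""
    return [ipaddress.ip_network(m, strict=False)
            for m in re.findall(r"Mng Host IP:\s*(\S+)", text)]


def qualify(src, dst, service, user, password, iface, manager_ips, admins):
    """Apply the four checks of slide 34 in order; return (accepted, reason)."""
    if dst != iface.manage_ip:
        return False, "destination is not the management address of the arriving interface"
    # Assumption of this model: with no manager-ip entries, any source address is accepted.
    if manager_ips and not any(ipaddress.ip_address(src) in net for net in manager_ips):
        return False, f"{src} is not a trusted manager-ip"
    if service.lower() not in iface.services:
        return False, f"{service} is not an allowed management service on {iface.name}"
    if admins.get(user) != password:
        return False, "username/password rejected"
    return True, "accepted"


def audit(iface, manager_ips, admins):
    """Defender's checks drawn from the deck: clear-text services, open manager-ip, default password."""
    findings = []
    for svc in ("telnet", "web"):
        if svc in iface.services:
            findings.append(f"{iface.name}: clear-text {svc} management enabled; prefer ssh/ssl")
    if iface.zone != "Trust" and iface.services:
        findings.append(f"{iface.name}: management services enabled on {iface.zone} zone interface")
    if not manager_ips:
        findings.append("no manager-ip defined: any source may reach the management services")
    if admins.get("netscreen") == "netscreen":
        findings.append("root account still uses the factory default password")
    return findings


if __name__ == "__main__":
    e1 = parse_interface(GET_INTERFACE_E1)
    trusted = parse_manager_ips(GET_SYSTEM_MNG)
    print(qualify("1.1.7.250", "1.1.1.3", "ssh", "IT-Admin-10",
                  "correct horse battery staple", e1, trusted, ADMINS))
    print(qualify("10.0.0.5", "1.1.1.3", "ssh", "IT-Admin-10",
                  "correct horse battery staple", e1, trusted, ADMINS))
    for finding in audit(e1, trusted, ADMINS):
        print("FINDING:", finding)
```

Run against the slide's own configuration, the audit reports telnet and web still enabled and the default root password still in place: slide 19's "Trust zone: all services enabled" default means a Trust interface is only as well protected as its permitted-IP list and credentials, which is why the checks in qualify() are ordered the way the deck orders them.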

This file (Juniper-防火墙的管理.ppt) was uploaded by site member 仙人指路1688; 三一办公 provides storage only and does not modify or edit uploaded content.
