    Juniper防火墙基本安全策略.ppt (Juniper Firewall Basic Security Policy)

    Resource ID: 5436435    Size: 991.50 KB    Pages: 41    Format: PPT
Juniper Firewall Security Policies (ITman Forum)

Security Zones and Policies
  • Inter-Zone traffic must be checked by policy
  • Intra-Zone traffic may be checked by policy
  [Figure: network diagram with External Zone, Private Zone and Public Zone, hosts A, B, C, D]
  Sample packet:
    Src IP      Dest IP      Protocol  Src Port  Dst Port  Data
    10.1.10.5   1.1.70.250   06        36033     80        #$%&

Policy Components
  • Source & Destination
      • Address Book
      • Address Group
  • Service
      • Pre-defined Service
      • Custom Service
      • Custom Service Group
  • Action
      • Permit
      • Deny
      • Tunnel
  • Options
      • Covered in next chapter

Policy Configuration Procedure
  1. Create Address Book entries for each zone
  2. Define any custom services needed for your network
  3. Create policy entries
  4. Sort policy set for proper ordering

Step 1: Address Book Entries
  [Figure: network diagram with External Zone, Private Zone and Public Zone, hosts A, B, C, D]

Address Book - WebUI
  • Entries displayed based on zone
  • Use alphabet buttons to filter display when large numbers of addresses are configured
  • Click on "New" button to add an entry
  WebUI: Objects > Addresses > List

New Address Entry
  • Address name is used in address list and policy list
  • Make the name meaningful to your network!
  • Comment is your opportunity for embedded documentation
  • Choice of address/mask or domain name
  • Domain name requires DNS configuration
  WebUI: Objects > Addresses > List (New)

Address Book CLI
    set address/
    set address
    ns208-> set Yahoo
    ns208-> get address
    addr zone name Private
    Private Addresses:
    Name          Address           Netmask           Flag  Comments
    Any           0.0.0.0           0.0.0.0           02    All Addr
    Dial-Up VPN   255.255.255.255   255.255.255.255   02    Dial-Up VPN Addr
    PrivatePC     10.1.10.5         255.255.255.255   00
  Slide callouts: IP Address; Viewing the address book; Domain name

Step 2: Services
  • Address book entries define where traffic can flow from and to
  • Service entries define the type of traffic
      • Protocol and port numbers

Predefined Services
    get service pre-defined
  WebUI: Objects > Services > Predefined

Creating a Custom Service
    set service name
  WebUI: Objects > Services > Custom (New)

Step 3: Create Policy - WebUI
  • Select zone pairs, then click "New"
  WebUI: Policies

Create Policy - WebUI
  Components:
  • Source & Destination Zone
  • Source & Destination Address
      • Use pull-down menu to display address book entries
  • Service
      • Use pull-down menu to display service entries
  • Action
      • Permit, deny, or tunnel

Create Policy CLI
    set policy from to permit|deny
  Example:

Viewing Policy Entries - WebUI
  WebUI: Policies

Viewing Policy Entries - CLI
    ns208-> get policy
    Total regular policies 6, Default deny.
    ID  From     To      Src-address   Dst-address   Service  Action  State    ASTLCB
    1   Private  Public  Any           Any           H.323    Deny    enabled  -X
    2   Private  Public  Admins        1.1.70.250/   Allowed  Permit  enabled  -X
    3   Private  Public  10.1.10.100   1.1.70.200/   ANY      Permit  enabled  -X
    4   Private  Public  10.1.10.16/   1.1.70.200/   Allowed  Permit  enabled  -X
    5   Private  Public  Any           1.1.70.200/   HTTP     Deny    enabled  -X
    6   Private  Public  Any           1.1.70.200/   FTP      Permit  enabled  -X

Step 4: Policy Ordering
  • New policies added to end of list
  • Default condition is deny all traffic
  • Order is important!

Re-Ordering Policies - WebUI
  • Button allows move by number
  • Arrow allows placement by position (point and click)
  Slide callouts: Move Button; Move Arrow

Re-Ordering Policies (cont.)
  • Using the button
  • Using the Arrows

Re-Ordering Policies CLI
    set policy id before|top
    ns208-> set policy id 5 before 4
    ns208-> set policy id 1 top

Configuration Options
  • Address Groups
  • Service Groups
  • Multi-Cell Policies

Address Groups
  • Group of individual address book entries
  • Treated as single entity by a policy
  • Appears as a selection in the WebUI pull-down menu

Creating Address Groups - WebUI
  WebUI: Objects > Addresses > Group

Creating Address Groups - CLI
    set group address add
    ns208-> set group address Private Admins add Admin1
    ns208-> set group address Private Admins add Admin2

Viewing Address Groups
  WebUI: Objects > Addresses > Group
    get group address
    ns208-> get group address Private
    Group Name   Count   Comment
    Admins       2

    get group address
    ns208-> get group address Private Admins
    Group Name: Admins   Comment:
    Group Items: 2
    Members: Admin1 Admin2

Creating a Service Group
    set group service add
  WebUI: Objects > Services > Group (New)

Viewing Service Groups
    get group service
    ns208-> get group service
    Group Name        Count   Comment
    AllowedServices   5

    get group service
    ns208-> get group service AllowedServices
    Group Name: AllowedServices   Comment:
    Group Items: 5
    Members: FTP HTTP PING TELNET TFTP
  WebUI: Objects > Services > Group

Multi-Cell Policies
  • An alternative to groups
  • Each policy is an entity comprising multiple address entries and/or service entries
  • Limited to 8 "cells" per category (source address, destination address, service)

Multi-Cell Policy Creation - WebUI
  • "Negate the Following": apply policy to all except the listed addresses

Multi-Cell Policy Creation - CLI
    ns208-> set policy from private to external my-pc any any permit
    policy id = 5
    ns208-> set policy id 5
    ns208(policy:5)-> set ?
    attack              attack group
    av                  AntiVirus(CSP) scanning
    count               counting option
    dst-address         destination address
    idp-alert-disable   disable idp alert
    log                 logging option
    name                policy name
    service             service
    severity            attack severity
    src-address         source address
    ns208(policy:5)-> set src-address ?
    negate              modify negattion setting for this dimension
    name
    ns208(policy:5)-> set src-address

Viewing Multi-Cell Policies
    ns208-> get policy
    Total regular policies 2, Default deny.
    ID  From     To        Src-address   Dst-address   Service  Action  State    ASTLCB
    11  Private  External  my-otherPC    Any           FTP      Permit  enabled  -X
                           my-pc                       HTTP
                                                       PING

Modifying Multi-Cell Policies
    ns208-> set policy id 11
    ns208(policy:11)-> unset ?
    attack        attack group
    av            AntiVirus(CSP) scanning
    dst-address   destination address
    ims-alert     ims alert option
    ims-log       ims log option
    service       service
    severity      attack severity
    src-address   source address
    ns208(policy:11)->

Common Problems
  • Ordering problems
  • Names addresses
  • Group memberships

Names Addresses
  • Policy list shows address names, not actual entries
  • Would this make any difference in this example?

Group Membership

Global Zone
  • Use to create default policies
    set policy from global to global permit|deny

Modifying/Removing Policies, Addresses, Services
  • Modifying
      • WebUI: click on Edit, make changes
      • CLI: enter new set command
  • Removing
      • WebUI: click on Remove
      • CLI: use unset command
          • For policy, specify policy number
          • For address, specify address name
          • For service, specify service name
  • Note: you cannot remove an address or service if it is in use by a policy

Disabling a Policy
  • Gray text indicates disabled policy
  • Disabled policies not included in policy evaluation
  • Can be used for troubleshooting ordering
      • Disable policy: does anything change?
  • Does NOT allow addresses/services to be removed if policy uses them

Other Troubleshooting Tools
  • Per-policy traffic logs
      • We will discuss these in the next chapter
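Added example, not part of the original slides: a small Python model of the top-down, first-match lookup with default deny behind the Step 4 warning that order is important. It shows a policy appended at the end of the list being hidden by an earlier deny, and the effect of moving it before that policy. The policy set, the WebSrv address name and all helper functions are constructed for illustration and are not ScreenOS code.

```python
from dataclasses import dataclass

ANY = "Any"  # wildcard cell value, as in the slide's policy listing

@dataclass(frozen=True)
class Policy:
    id: int
    src: frozenset   # address-book names (several names = multi-cell)
    dst: frozenset
    svc: frozenset   # service names
    action: str      # "permit" or "deny"
    enabled: bool = True

def matches(cell, value):
    return ANY in cell or value in cell

def covers(outer, inner):
    # True when everything `inner` can match is also matched by `outer`.
    return ANY in outer or (ANY not in inner and inner <= outer)

def evaluate(policies, src, dst, svc):
    """Top-down search: first enabled match wins, otherwise default deny."""
    for p in policies:
        if p.enabled and matches(p.src, src) and matches(p.dst, dst) and matches(p.svc, svc):
            return p.id, p.action
    return None, "deny"

def shadowed(policies):
    """(hidden_id, hiding_id) pairs: an earlier enabled policy covers a later one in every cell."""
    active = [p for p in policies if p.enabled]
    pairs = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in ("src", "dst", "svc")):
                pairs.append((later.id, earlier.id))
                break
    return pairs

def move_before(policies, pid, target):
    """Return a new list with policy `pid` placed directly ahead of policy `target`."""
    moved = next(p for p in policies if p.id == pid)
    rest = [p for p in policies if p.id != pid]
    idx = next(i for i, p in enumerate(rest) if p.id == target)
    return rest[:idx] + [moved] + rest[idx:]

fs = frozenset
# Constructed policy set (names are illustrative); policy 7 was appended last.
POLICIES = [
    Policy(1, fs([ANY]), fs([ANY]), fs(["H.323"]), "deny"),
    Policy(5, fs([ANY]), fs(["WebSrv"]), fs(["HTTP"]), "deny"),
    Policy(6, fs([ANY]), fs(["WebSrv"]), fs(["FTP"]), "permit"),
    Policy(7, fs(["Admin1", "Admin2"]), fs(["WebSrv"]), fs(["HTTP"]), "permit"),
]
FIXED = move_before(POLICIES, 7, 5)
```

Running `shadowed()` after every policy change catches a rule that can never match before it is relied on; `evaluate()` with a policy's `enabled` flag cleared mirrors the slide's disable-to-troubleshoot step.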

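    Notes

    This document (Juniper防火墙基本安全策略.ppt) was uploaded by site member 小飞机. 三一办公 only provides information storage space and only protects the presentation of user-uploaded content; it does not modify or edit the uploaded content itself. If this document infringes your copyright or privacy, notify 三一办公 through customer service and it will be removed immediately.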
