书签分享收藏举报版权申诉 / 169

立即下载加入VIP免费专享

当前位置：首页 > 建筑/施工/环境 > 项目建议 > juniper防火墙初级动手配置internalqubo.ppt

juniper防火墙初级动手配置internalqubo.ppt

上传人：文库蛋蛋多

文档编号：2903429

上传时间：2023-03-02

格式：PPT

页数：169

大小：4.42MB

《juniper防火墙初级动手配置internalqubo.ppt》由会员分享，可在线阅读，更多相关《juniper防火墙初级动手配置internalqubo.ppt（169页珍藏版）》请在三一办公上搜索。

1、防火墙-动手配置,议程,系统管理透明模式路由模式安全策略地址翻译应用层和网络层防攻击,系统管理,系统组成,所有关键的系统功能都在内存中运行。可以通过控制线和webu对防火墙的配置进行修改。,TablesBuffersRunningConfigScreenOS(active),ScreenOSImageSaved ConfigCerts,etc.,RAM,Flash,Interf.,Interf.,Interf.,TFTP,PwrUp/Reset,Aux.Storage,WebUI,NetScreen,Aux.Mgt.Servers,DNS/Syslog,Console,“Get”,“Set”,

2、ns208-get systemProduct Name:NS208Serial Number:0043042002000034,Control Number:00000000Hardware Version:0110(0)-(11),FPGA checksum:00000000,VLAN1 IP(0.0.0.0)Software Version:5.0.0.0,Type:Firewall+VPNBase Mac:0010.db1d.1c30File Name:n200-LAS0z0ad,Checksum:00000000Date 04/15/2003 22:06:53,Daylight Sa

3、ving Time enabledThe Network Time Protocol is DisabledUp 2 hours 31 minutes 14 seconds Since 15 Apr 2003 19:35:39Total Device Resets:0System in NAT/route mode.Use interface IP,Config Port:80User Name:netscreenInterface ethernet1:number 0,if_info 0,if_index 0,mode nat link up,phy-link up/full-duplex

4、vsys Root,zone Trust,vr trust-vr dhcp disabled*ip 1.1.1.1/24 mac 0010.db1d.1c30*manage ip 1.1.1.1,mac 0010.db1d.1c30-more-,显示状态信息-CLI,In the CLI,get commands provide valuable status about operational conditions:System serial numberSoftware versionOperating modeInterface statusInterface addressManage

5、ment addresses,图形化界面-WebUI,NetScreen 防火墙可以通过图形化的界面进行管理。需要的条件(ie.one IP address)一台PC机与防火墙在同一个网段口令保护,Zone 和 Interface 的分配,A strict hierarchical linkage exists between zones and interfaces in a NetScreen deviceZones are assigned to a virtual routerInterfaces are assigned to a security zoneAn interface

6、can only belong to one security zoneIndividual configuration parameters are assigned to interfacesIP addressesManagement servicesOthers,Int.,Zone,Zone,Virtual Router,IP,Zone 的类型,安全zonePre-defined:Trust,Untrust,DMZ;V1-Trust,V1-Untrust,V1-DMZUser-definedTunnel Zone,功能 ZonesNullMGTHASelfVLAN,ns5gt-get

7、zoneTotal 10 zones created in vsys Root-5 are policy configurable.Total policy configurable zones for Root is 5.-ID Name Type Attr VR Default-IF VSYS 0 Null Null Shared untrust-vr hidden Root 1 Untrust Sec(L3)Shared trust-vr untrust Root 2 Trust Sec(L3)trust-vr trust Root 4 Self Func trust-vr self R

8、oot 5 MGT Func trust-vr null Root 10 Global Sec(L3)trust-vr null Root 11 V1-Untrust Sec(L2)trust-vr v1-untrust Root 12 V1-Trust Sec(L2)trust-vr v1-trust Root 14 VLAN Func trust-vr vlan1 Root 16 Untrust-Tun Tun trust-vr hidden.1 Root-,Configuring Zones/Interfaces-WebUI,Network Interfaces(edit),Licens

9、e Keys的管理,以下的特征需要增加license key:Capacity expansion(extended/advanced releases)Anti-virusURL filteringDeep Inspection两种安装key的方法Manual get key from Juniper/resellerAutomatic register device at Juniper Website,then download licenses,exec license-key capacity,exec license-key update,文件管理,备份/恢复 netscreen

10、防火墙所需要的重要的配置文件信息。ScreenOS imageConfiguration files备份/恢复配置文件的存放On-board FlashTFTP serverExternal storage(SANdisk)Management station(WebUI only),保存配置,WebUISaves automatically when you click“Apply”or“OK”Console displays save messagesCLIManual commandWrites to on-board flash configuration file,ns208 sa

11、ve,配置文件管理-CLI,只有根管理员才能进行这些操作配置文件备份配置文件恢复Option 1:copies file into flash available at next rebootOption 2:merges file into RAM BE CAREFUL!,save config from flash to tftp|pcmcia|slot1 ns208-save config from flash to tftp 1.1.7.250 15Jun03.cfg,save config from tftp|pcmcia|slot1 to flash ns208-save conf

12、ig from tftp 1.1.7.250 15June03.cfg to flash,save config from tftp|pcmcia|slot1 mergens208-save config from tftp 1.1.7.250 15June03.cfg merge,配置文件管理 WebUI,ConfigurationUpdateConfig File,配置的回退（Rollback）,Provides“safety net”for failed/corrupted configIf default config in flash cant be loaded,system wi

13、ll try to load“last known good”fileCan be forced manually to correct config mistakesCreate rollback fileForce rollback,save config to last-known-good,exec config rollback,软件包的管理,Image backupImage importing(Upgrade)Downgrade from 5.0 or higher to prior releases,save software from flash to tftp|pcmcia

14、|slot1 ns208-save software from flash to tftp 1.1.7.250 ns208image.bin,save software from tftp|pcmcia|slot1 to flash ns208-save software from tftp 1.1.7.250 newimage to flash,exec downgrade,Upgrade Example CLI,5XT-save software from tftp 1.1.7.250 newimage.bin to flash!tftp received octets=3304662tf

15、tp success!TFTP SucceededSave to flash.It may take a few minutes.update new flash image(02c86db0,33 04662)platform=17,cpu=10,version=16offset=20,address=900000,size=3304584date=0,time=0,cksum=28e9f31cProgram flash(0,3304662).+doneDone5XT-reset,ConfigurationUpdateScreenOS/Keys,Upgrade Example-WebUI,灾

16、难恢复“Disaster”Recovery,NetScreen devices support features to deal with electronic“disasters”Corrupted ScreenOS image in FlashLost root passwordRequirement to reset to factory defaults,Recovering the ScreenOS Image-Boot Mode,NetScreen NS-200 Boot Loader Version 3.0.0(Checksum:35E1A866)Copyright(c)1997

17、-2003 NetScreen Technologies,Inc.Total physical memory:128MB Test-Pass Initialization-DoneModel Number:NS-208Hit any key to run loaderHit any key to run loaderHit any key to ruSerial Number 0043042002000034:READ ONLYHW Version Number 0110:READ ONLYSelf MAC Address 0010-db1d-1c30:READ ONLYBoot File N

18、ame n200-LAS0z0ad:n200-LAS0z0adSelf IP Address 172.16.10.1:1.1.1.1TFTP IP Address 172.16.10.131:1.1.1.2Save loader config(112 bytes).Done,TFTP server must be in same subnet as NetScreens Self IP address.Server must be connected to:Trust interface on devices with Trust interfaceE1 interface on device

19、s with E1 interfaceE1/1 or MGT interface on systems,Boot Mode(cont.),Loading file n200-LAS0z0ad.r!r.tatatatatatatatatatatatatatatatatLoaded Successfully!(size=3,444,522 bytes)Ignore image authentication!Save to on-board flash disk?(y/n/m)Yes!Saving as default system image in flash disk.Done!(size=3,

20、444,522 bytes)Run downloaded system image?(y/n)Yes!Start loading.Done.NetScreen Technologies,IncNS200 System SoftwareCopyright,1997-2003Version 5.0.0ad.0Init Heap(1546000/50b9c00,32,00000000/00000000)GT64120 revision id:0 x11Load NVRAM Information.(5.0)Done,根管理员口令丢失,口令不能被恢复系统需要回到出厂设置Also called“Asse

21、t Recovery”All configuration parameters,certificates,and keys are deleted两种方法Log in to console with device serial number as username and passwordWarning messages regarding destructive results will appearUse pinhole on exterior of systemPress until flashing light changes to redWait until flashing red

22、 turns to flashing greenPress again,透明模式,什么是透明模式?,Netscreen 防火墙的接口在第二层的网桥模式或者是第二层的交换模式下进行工作。Learning,Flooding,Forwarding,Filtering通过安全策略让风火墙对第二层的安全区之间的数据包进行流量的访问控制。,10.1.0.0/16,E1,E3,zoneV1-Trust,zoneV1-DMZ,zoneV1-Untrust,E2,Layer 2 Frame Forwarding(Bridging/Switching),透明模式的功能Learning(based on Sourc

23、e MAC address)Forward/Flood/Filter(based on Destination MAC address)Loop prevention(Spanning Tree protocol),MAC Address Table,00c0.01cd.5120 E1E8 00e0.01ab.cd10,V1-Untrust,透明模式的工作,由于没有使用到网络的第三层，因此，透明模式能够让防火墙更加快速的部署。不需要定义拓扑结构增加安全性在netscreen 的二层工作模式下可以使用VPNZone 概念的提出，可以提供比基于路由的ACL更加安全的访问控制,10.1.0.0/16

24、,B,B,D,A,B,10.100.1.0/16,10.200.1.0/16,Layer-2 安全区,预先定义的“V1”zonesV1-TrustV1-UntrustV1-DMZ用户定义的安全区Layer-2(L2)区用户在定义安全区的时候必须以“L2-”开头。,透明模式中的接口,在ScreenOS 5.0 没有定义任何接口是属于透明模式把一个接口放到第二层的安全区中因此二层的接口的域必须是以“V1-”or“L2-”开头的。所有接口在v1或者是L2 安全区，是具有相同广播域的第二层防火墙的成员。,Int e1,Zone L2-private,Int e2,Zone L2-public,10.1

25、.0.0/16,VLAN1 接口,在VLAN 区中是第三层逻辑接口该接口可以配置一个IP 地址，用来管理netscreen 防火墙。支持管理IP地址所有物理接口都可以接受arp 请求。,V1-Trust,1.1.1.10,1.1.1.11,1.1.1.12,V1-DMZ,V1-Untrust,VLAN1 is a logical interface which is accessible fromany transparent zone,VLAN1 interface:1.1.1.210/24,E1,E3,E2,A,B,C,V1-Trust,1.1.1.10,1.1.1.11,1.1.1.12

26、,V1-DMZ,V1-Untrust,VLAN1 interface:1.1.1.210/24,E1,E3,E2,A,B,C,管理行为,VLAN1 will inherit management options from zone membership of physical interfaces,X,VLAN1 interface:1.1.1.210/24,透明模式的配置,建立2层的安全区(在没有使用缺省安全区的情况下)分配接口给2层安全区为VLAN1 配置管理地址3a.配置IP 地址3b.选择广播的方法3c.配置管理服务(可选项)配置每个安全区的管理服务在不同的安全区之间配置策略,Step

27、 1:配置2层安全区,Network Zones New,set zone name L2 Example:ns208-set zone name L2-Demo L2 1,Step 2:分配接口到安全区,Network Interfaces(Edit),set interface zone ns208-set interface e3 zone L2-Demo,Step 3a:配置VLAN1 的IP 地址,Network Interfaces Edit(VLAN1),Use for Interface IP when terminating VPNs,Use Manage-IP as des

28、tination address of PING,telnet,Web UI,etc.,set interface vlan1 ip/ns208-set int vlan1 ip 1.1.7.1/24,set interface vlan1 manage-ip ns208-set int vlan1 manage-ip 1.1.7.100/24,Step 3b:选择广播的方法,Flooding(default)如果MAC表中没有，原数据包将向所有的接口进行广播除了流入数据包的接口。ARP/Trace-Route如果MAC表中没有,ARP 或 traceroute 将向所有的接口进行广播除了流入

29、数据包的接口。,Network Interfaces Edit(VLAN1),set vlan1 broadcast arp,set vlan1 broadcast flood,Step 3c:配置VLAN1 的服务,允许所有的管理服务Web UI,Telnet,SSH,SNMP,SSL,NS-GlobalPro(nsmgmt)选择指定的管理服务,Network Interfaces Edit(VLAN1),set interface vlan1 managens208-set int vlan1 manage,set interface vlan1 manage ns208-set int

30、vlan1 manage webns208-set int vlan1 manage sslns208-set int vlan1 manage nsmgmt,Step 4:在每个安全区中配置不同的管理服务,Network Zones Edit(V1-Trust),set zone manage ns208-set zone v1-dmz manage web,透明模式的检查工具,Get interfaceGet ARPGet mac-learnGet session,Get interface,ns208-get interface ethernet1Interface ethernet1:

31、number 0,if_info 0,if_index 0,mode xparent,port vlan 1,sess token 9 link up,phy-link up/half-duplex vsys Root,zone V1-Trust,vr trust-vr*ip 0.0.0.0/0 mac 0010.db22.23f0 ping enabled,telnet enabled,SSH enabled,SNMP enabled web enabled,ident-reset disabled,SSL enabled,nsmgmt enabled webauth disabled DH

32、CP-Relay disabled bandwidth:physical 100000kbps,configured 0kbps,current 0kbps total configured gbw 0kbps,total allocated gbw 0kbpsns208-,Get arp,ns208-get arpIP Mac VR/Interface State Age Retry PakQue3.4.5.6 abc3241244dc trust-vr/v1-trust STS 0 01.1.7.250 00065bd2ff42 trust-vr/v1-trust VLD 1151 0 0

33、ARP Entry Number 2/1024,No Free Entry Count:0Arp always-on-dest:disabledns208-,Note:Although it says“interface”,in transparent mode the zone name is displayed,Get mac-learn,学习Associates a MAC address with an outgoing interfaceDetermines how received frames are forwarded in Layer-2Also known as Bridg

34、e Table or L2 Forwarding Table静态ARP 影射MAC address to outgoing port association can be manually configured via the CLI,set mac,ns208-get mac-learnlink down clear mac learn table:enableTotal 3,Create 9,Ageout 6Flood 1,BCast 150,ReLearn 1,NoFree 0,Error 0,Drop 0 ethernet2:0004.7648.aa3c 56ethernet1:001

35、0.db13.e441 44ethernet3:0010.db15.6bc4 59,Get session,ns208-get sessionalloc 2/max 128000,alloc failed 0id 43/s*,vsys 0,flag 00000090/00/00,policy 1,time 1 17(01):192.168.1.5/27129-192.168.1.10/768,1,00b0d06c3f39,vlan 0,tun 0,vsd 0 19(00):192.168.1.5/27129192.168.1.10/768,1,00b0d06c3f39,vlan 0,tun 0

36、,vsd 0 19(00):192.168.1.5/27385-192.168.1.10/768,1,0010db2b1622,vlan 0,tun 0,vsd 0Total 2 sessions shown,ICMP Sequence#,ICMP Identifier#,IP protocol#,需要考虑的问题,必须配置策略才能允许访问没有默认策略通过第三层的地址配置策略避免潜在的网络风暴透明模式是一个非常灵活的防火墙部署解决方案可以快速实现防火墙和VPN 的功能不需要修改网络结构，建立虚拟地址（NAT），就可以实现访问控制。,Lab:Transparent Mode,目的:使用5GT配置防

37、火墙的透明模式，并能够在透明模式下实现对防火墙的管理。,路由模式,Layer 3 操作模式,ExternalZone,PrivateZone,1.1.70.250,1.1.70.0/24,10.1.10.5,10.1.20.0/24,B,10.1.10.0/24,PublicZone,10.1.20.5,.254,200.5.5.5,A,B,C,D,10.1.1.0/24,10.1.2.0/24,.1.254,.1.254,1.1.7.0/24,1.1.8.0/24,.254.1,InterfaceAddressE110.1.1.1E210.1.2.1E71.1.7.1E81.1.8.1,静态

38、路由,ExternalZone,PrivateZone,1.1.70.250,1.1.70.0/24,10.1.10.5,10.1.20.0/24,B,10.1.10.0/24,PublicZone,10.1.20.5,.254,200.5.5.5,A,B,C,D,10.1.1.0/24,10.1.2.0/24,.1.254,.1.254,1.1.7.0/24,1.1.8.0/24,.254.1,NetworkInterfaceNext Hop10.1.1.0/24E1-10.1.2.0/24E2-1.1.7.0/24E7-1.1.8.0/24E8-10.1.10.0/24E110.1.1.2

39、54,默认网关,ExternalZone,PrivateZone,1.1.70.250,1.1.70.0/24,10.1.10.5,10.1.20.0/24,B,10.1.10.0/24,PublicZone,10.1.20.5,.254,200.5.5.5,A,B,C,D,10.1.1.0/24,10.1.2.0/24,.1.254,.1.254,1.1.7.0/24,1.1.8.0/24,.254.1,NetworkInterfaceNext Hop10.1.1.0/24E1-10.1.2.0/24E2-1.1.7.0/24E7-1.1.8.0/24E8-10.1.10.0/24E110.

40、1.1.2540.0.0.0/0E81.1.8.254,Zones 和 Interfaces 的复习和回顾,严格的等级管理接口必须属于一个zone，然后才能为其分配IP 地址,配置第三层的步骤,建立 zones(如果没有使用默认的zone)分配接口给zone分配IP地址给接口配置静态路由,Step 1:建立 Zones,set zone name Example:ns208-set zone name Private,Network Zones,Step 2:分配接口给 Zones,Network Interfaces(Edit),set interface zone ns208-set in

41、terface e8 zone untrust,Step 3:分配地址给接口,set interface ip/ns208-set interface e8 ip 1.1.8.1/24,Network Interfaces(Edit),Step 4:配置静态路由,set route/interface gateway Example:ns208-set route 10.1.10.0/24 interface e1 gateway 10.1.1.254,Network Routing Destination Edit,验证接口的配置,Network Interfaces,ns208-get i

42、nterfaceA-Active,I-Inactive,U-Up,D-Down,R-ReadyInterfaces in vsys Root:Name IP Address Zone MAC VLAN State VSDeth1 10.1.1.1/24 Private 0010.db1d.1be0-U-eth2 0.0.0.0/0 V1-DMZ 0010.db1d.1be4-D-eth3 0.0.0.0/0 V1-Untrust 0010.db1d.1be5-D-eth4 0.0.0.0/0 Private 0010.db1d.1be6-D-eth5 0.0.0.0/0 Untrust 001

43、0.db1d.1be7-D-eth6 0.0.0.0/0 Null 0010.db1d.1be8-D-eth7 1.1.7.1/24 Public 0010.db1d.1be9-U-eth8 1.1.8.1/24 External 0010.db1d.1bea-U-vlan1 0.0.0.0/0 VLAN 0010.db1d.1bef 1 D-,验证静态路由 WebUI,Network Routing Destination,验证静态路由-CLI,ns208-get routeuntrust-vr(0 entries)-C-Connected,S-Static,A-Auto-Exported,

44、I-Imported,R-RIPiB-IBGP,eB-EBGP,O-OSPF,E1-OSPF external type 1E2-OSPF external type 2trust-vr(9 entries)-ID IP-Prefix Interface Gateway P Pref Mtr Vsys-*7 0.0.0.0/0 eth8 1.1.8.254 S 20 1 Root*8 10.1.1.0/24 eth1 1.1.1.10 S 20 1 Root 9 10.2.1.0/24 eth2 1.1.2.10 S 20 1 Root*6 1.1.8.0/24 eth8 0.0.0.0 C

45、0 0 Root 11 10.3.1.0/24 eth3 1.1.3.10 S 20 1 Root*5 1.1.7.0/24 eth7 0.0.0.0 C 0 0 Root 4 1.1.3.0/24 eth3 0.0.0.0 C 0 0 Root 3 1.1.2.0/24 eth2 0.0.0.0 C 0 0 Root*2 1.1.1.0/24 eth1 0.0.0.0 C 0 0 Root,验证路由,get route ip ns208-get route ip 10.1.10.5Destination Routes for 10.1.10.5-trust-vr:=10.1.10.0/24(

46、id=6)via 10.1.1.254(vr:trust-vr)Interface ethernet1,metric 1,验证路由,ns208-ping 10.1.10.5Type escape sequence to abortSending 5,100-byte ICMP Echos to 10.1.10.5,timeout is 2 seconds!Success Rate is 100 percent(5/5),round-trip time min/avg/max=2/3/9 msns208-pingTarget IP address:10.1.10.5Repeat count 5:

47、Datagram size 100:Timeout in seconds2:Source interface:Type escape sequence to abortSending 5,100-byte ICMP Echos to 10.1.10.5,timeout is 2 seconds!Success Rate is 100 percent(5/5),round-trip time min/avg/max=2/3/4 ms,Ping and extended ping,验证路由,ns208-trace 10.1.10.5Type escape sequence to escapeSen

48、d ICMP echos to 10.1.10.5,timeout is 2 seconds,maximum hops are 321 1ms 2ms 2ms 10.1.1.2542 3ms 2ms 3ms 10.1.10.5Trace complete,traceroute,路由的相互依赖性,ExternalZone,PrivateZone,1.1.70.250,1.1.70.0/24,10.1.10.5,10.1.20.0/24,B,10.1.10.0/24,PublicZone,10.1.20.5,.254,200.5.5.5,A,B,C,D,10.1.1.0/24,10.1.2.0/2

49、4,.1.254,.1.254,1.1.7.0/24,1.1.8.0/24,.254.1,NetworkInterfaceNext Hop1.1.8.0/24E1-0.0.0.0/0E21.1.8.254,How will traffic from Host D get to Host A?,Virtual Routers One VR,One table displays all routes external and internalDifficult to secure,Routing Table,ID IP-Prefix Interface Gateway P Pref Mtr Vsy

50、s-*3 1.1.1.0/24 eth8 0.0.0.0 C 0 0 Root*8 1.1.10.0/24 eth8 1.1.1.2 S 20 1 Root*7 1.1.20.0/24 eth8 1.1.1.3 S 20 1 Root*2 10.1.10.0/24 eth1 0.0.0.0 C 0 0 Root*4 10.1.110.0/24 eth1 10.1.10.2 S 20 1 Root*5 10.1.120.0/24 eth1 10.1.10.3 S 20 1 Root,E8,E1,1.1.1.2,1.1.1.3,10.1.10.2,10.1.10.3,10.1.110.0,10.1