Firewall: Hands-on Configuration

Agenda
- System management
- Transparent mode
- Route mode
- Security policies
- Address translation
- Application-layer and network-layer attack defense

System management

System components
- All critical system functions run in memory.
- The firewall configuration can be modified through the console line or the WebUI.
[Diagram: RAM holds tables, buffers, running config and the active ScreenOS; flash holds the ScreenOS image, saved config, certs, etc.; interfaces connect to TFTP, auxiliary storage, the WebUI and auxiliary management servers (DNS/syslog); the console issues "get" and "set" commands; power-up/reset loads from flash.]

    ns208-> get system
    product name: ns208
    serial number: 0043042002000034, control number: 00000000
    hardware version: 0110(0)-(11), fpga checksum: 00000000, vlan1 ip ()
    software version: , type: firewall+vpn
    base mac: 0010.db1d.1c30
    file name: n200-las0z0ad, checksum: 00000000
    date 04/15/2003 22:06:53, daylight saving time enabled
    the network time protocol is disabled
    up 2 hours 31 minutes 14 seconds since 15 apr 2003 19:35:39
    total device resets: 0
    system in nat/route mode.
    use interface ip, config port: 80
    user name: netscreen
    interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys root, zone trust, vr trust-vr
      dhcp disabled
      *ip /24 mac 0010.db1d.1c30
      *manage ip , mac 0010.db1d.1c30
    - more -

Displaying status information - CLI
In the CLI, get commands provide valuable status about operational conditions:
- system serial number
- software version
- operating mode
- interface status
- interface address
- management addresses

Graphical interface - WebUI
NetScreen firewalls can be managed through a graphical interface. Requirements (i.e. one IP address):
- a PC on the same network segment as the firewall
- password protection

Zone and interface assignment
A strict hierarchical linkage exists between zones and interfaces in a NetScreen device:
- zones are assigned to a virtual router
- interfaces are assigned to a security zone
- an interface can only belong to one security zone
- individual configuration parameters are assigned to interfaces: IP addresses, management services, others
[Diagram: interface -> zone -> virtual router; IP addresses attach to the interface.]

Zone types
- Security zones: pre-defined (trust, untrust, dmz; v1-trust, v1-untrust, v1-dmz), user-defined, tunnel zone
- Function zones: null, mgt, ha, self, vlan

    ns5gt-> get zone
    total 10 zones created in vsys root - 5 are policy configurable.
    total policy configurable zones for root is 5.
    ------------------------------------------------------------------
      id name         type     attr    vr          default-if  vsys
       0 null         null     shared  untrust-vr  hidden      root
       1 untrust      sec(l3)  shared  trust-vr    untrust     root
       2 trust        sec(l3)          trust-vr    trust       root
       4 self         func             trust-vr    self        root
       5 mgt          func             trust-vr    null        root
      10 global       sec(l3)          trust-vr    null        root
      11 v1-untrust   sec(l2)          trust-vr    v1-untrust  root
      12 v1-trust     sec(l2)          trust-vr    v1-trust    root
      14 vlan         func             trust-vr    vlan1       root
      16 untrust-tun  tun              trust-vr    hidden.1    root
    ------------------------------------------------------------------

Configuring zones/interfaces - WebUI
Network > Interfaces (Edit)

License key management
The following features require a license key:
- capacity expansion (extended/advanced releases)
- anti-virus
- URL filtering
- deep inspection
Two ways to install a key:
- manual: get the key from Juniper or a reseller, then: exec license-key capacity <key>
- automatic: register the device at the Juniper website, then download the licenses: exec license-key update

File management
Back up and restore the important configuration information of the NetScreen firewall:
- ScreenOS image
- configuration files
Where backed-up configuration files can be stored:
- on-board flash
- TFTP server
- external storage (SanDisk)
- management station (WebUI only)

Saving the configuration
- WebUI: saves automatically when you click "Apply" or "OK"; the console displays save messages.
- CLI: a manual command writes to the on-board flash configuration file:

    ns208-> save

Configuration file management - CLI
Only the root administrator can perform these operations.
- Configuration backup:
    save config from flash to tftp|pcmcia|slot1
    ns208-> save config from flash to tftp 50 15jun03.cfg
- Configuration restore, option 1: copies the file into flash, available at the next reboot:
    save config from tftp|pcmcia|slot1 to flash
    ns208-> save config from tftp 50 15june03.cfg to flash
- Configuration restore, option 2: merges the file into RAM. Be careful!
    save config from tftp|pcmcia|slot1 merge
    ns208-> save config from tftp 50 15june03.cfg merge

Configuration file management - WebUI
Configuration > Update > Config File

Configuration rollback
- Provides a "safety net" for a failed or corrupted config.
- If the default config in flash can't be loaded, the system will try to load the "last known good" file.
- Can be forced manually to correct config mistakes.
- Create the rollback file: save config to last-known-good
- Force a rollback: exec config rollback

Software image management
- Image backup:
    save software from flash to tftp|pcmcia|slot1
    ns208-> save software from flash to tftp 50 ns208image.bin
- Image import (upgrade):
    save software from tftp|pcmcia|slot1 to flash
    ns208-> save software from tftp 50 newimage to flash
- Downgrade from 5.0 or higher to prior releases: exec downgrade

Upgrade example - CLI

    5xt-> save software from tftp 50 newimage.bin to flash
    ! ! ! ! !
    tftp received octets = 3304662
    tftp success!
    tftp succeeded
    save to flash. it may take a few minutes ...
    update new flash image (02c86db0,3304662)
    platform = 17, cpu = 10, version = 16
    offset = 20, address = 900000, size = 3304584
    date = 0, time = 0, cksum = 28e9f31c
    program flash (0,3304662) ... +done
    done
    5xt-> reset

Upgrade example - WebUI
Configuration > Update > ScreenOS/Keys

Disaster recovery
NetScreen devices support features to deal with electronic "disasters":
- corrupted ScreenOS image in flash
- lost root password
- requirement to reset to factory defaults

Recovering the ScreenOS image - boot mode

    netscreen ns-200 boot loader version 3.0.0 (checksum: 35e1a866)
    copyright (c) 1997-2003 netscreen technologies, inc.
    total physical memory: 128mb
    test - pass
    initialization - done
    model number: ns-208
    hit any key to run loader
    hit any key to run loader
    hit any key to ru
    serial number 0043042002000034: read only
    hw version number 0110: read only
    self mac address 0010-db1d-1c30: read only
    boot file name n200-las0z0ad: n200-las0z0ad
    self ip address :
    tftp ip address 31:
    save loader config (112 bytes)... done

The TFTP server must be in the same subnet as the NetScreen's self IP address, and must be connected to:
- the trust interface on devices with a trust interface
- the e1 interface on devices with an e1 interface
- e1/1 or the mgt interface on systems

Boot mode (cont.)

    loading file "n200-las0z0ad"...
    r!r.tatatatatatatatatatatatatatatatat
    loaded successfully! (size = 3,444,522 bytes)
    ignore image authentication!
    save to on-board flash disk? (y/n/m) yes!
    saving as default system image in flash disk... done! (size = 3,444,522 bytes)
    run downloaded system image? (y/n) yes!
    start loading...
    done.
    netscreen technologies, inc
    ns200 system software
    copyright, 1997-2003
    version 5.0.0ad.0
    init heap (1546000/50b9c00,32, 00000000/00000000)
    gt64120 revision id: 0x11
    load nvram information ... (5.0)done

Lost root administrator password
- The password cannot be recovered; the system must be reset to factory settings.
- Also called "asset recovery": all configuration parameters, certificates, and keys are deleted.
Two methods:
- Log in to the console with the device serial number as username and password. Warning messages regarding the destructive results will appear.
- Use the pinhole on the exterior of the system: press until the flashing light changes to red, wait until flashing red turns to flashing green, then press again.

Transparent mode

What is transparent mode?
- The NetScreen firewall's interfaces operate in Layer-2 bridge mode or Layer-2 switch mode: learning, flooding, forwarding, filtering.
- Security policies let the firewall control the traffic passing between Layer-2 security zones.
[Diagram: one /16 network; e1 in zone v1-trust, e2 in zone v1-dmz, e3 in zone v1-untrust.]

Layer 2 frame forwarding (bridging/switching)
Transparent mode functions:
- learning (based on source MAC address)
- forward/flood/filter (based on destination MAC address)
- loop prevention (spanning tree protocol)
[Diagram: MAC address table, e.g. 00c0.01cd.5120 -> e1, 00e0.01ab.cd10 -> e8, towards v1-untrust.]

How transparent mode works
Because Layer 3 is not used, transparent mode lets the firewall be deployed much faster:
- no topology needs to be defined
- increased security
- VPN can be used in NetScreen's Layer-2 mode
- the zone concept provides more secure access control than route-based ACLs
[Diagram: hosts a, b and d on /16 networks across the transparent firewall.]

Layer-2 security zones
- Pre-defined "v1" zones: v1-trust, v1-untrust, v1-dmz
- User-defined Layer-2 (L2) zones: the name must begin with "l2-"

Interfaces in transparent mode
- In ScreenOS 5.0 no interface is defined as belonging to transparent mode; an interface becomes a Layer-2 interface by being placed in a Layer-2 security zone, so its zone name must begin with "v1-" or "l2-".
- All interfaces in v1 or l2 zones are members of the same Layer-2 broadcast domain of the firewall.
[Diagram: int e1 in zone l2-private, int e2 in zone l2-public, one /16 network.]

The vlan1 interface
- A Layer-3 logical interface in the vlan zone.
- It can be configured with an IP address used to manage the NetScreen firewall; a management IP address is supported.
- All physical interfaces can answer ARP requests for it.
- vlan1 is a logical interface which is accessible from any transparent zone.
[Diagram: vlan1 interface 10/24; hosts a, b, c behind e1 (v1-trust), e2 (v1-dmz), e3 (v1-untrust).]

Management behaviour
vlan1 will inherit management options from the zone membership of the physical interfaces.

Transparent mode configuration
1. Create Layer-2 security zones (if not using the default zones).
2. Assign interfaces to the Layer-2 security zones.
3. Configure a management address for vlan1:
   3a. configure the IP address
   3b. select the broadcast method
   3c. configure management services (optional)
4. Configure the management services of each security zone.
5. Configure policies between the security zones.

Step 1: create the Layer-2 security zone
- WebUI: Network > Zones > New
- CLI: set zone name <name> l2 <vlan-id>, example:
    ns208-> set zone name l2-demo l2 1

Step 2: assign interfaces to the zone
- WebUI: Network > Interfaces (Edit)
- CLI: set interface <interface> zone <zone>
    ns208-> set interface e3 zone l2-demo

Step 3a: configure the vlan1 IP address
- WebUI: Network > Interfaces > Edit (vlan1)
- Use the interface IP when terminating VPNs; use the manage-ip as the destination address of ping, telnet, WebUI, etc.
- set interface vlan1 ip <ip>/<mask>
    ns208-> set int vlan1 ip /24
- set interface vlan1 manage-ip <ip>
    ns208-> set int vlan1 manage-ip 00/24

Step 3b: select the broadcast method
- Flooding (default): if the destination is not in the MAC table, the original packet is flooded out all interfaces except the one it arrived on.
- ARP/trace-route: if the destination is not in the MAC table, an ARP or traceroute is flooded out all interfaces except the one the packet arrived on.
- WebUI: Network > Interfaces > Edit (vlan1)
- CLI: set vlan1 broadcast arp, or set vlan1 broadcast flood

Step 3c: configure vlan1 services
- Allow all management services (WebUI, telnet, ssh, snmp, ssl, ns-globalpro (nsmgmt)) or select specific ones.
- WebUI: Network > Interfaces > Edit (vlan1)
- set interface vlan1 manage
    ns208-> set int vlan1 manage
- set interface vlan1 manage <service>
    ns208-> set int vlan1 manage web
    ns208-> set int vlan1 manage ssl
    ns208-> set int vlan1 manage nsmgmt

Step 4: configure the management services of each security zone
- WebUI: Network > Zones > Edit (v1-trust)
- set zone <zone> manage <service>
    ns208-> set zone v1-dmz manage web

Verification tools for transparent mode
- get interface
- get arp
- get mac-learn
- get session

get interface <interface>

    ns208-> get interface ethernet1
    interface ethernet1:
      number 0, if_info 0, if_index 0, mode xparent, port vlan 1, sess token 9
      link up, phy-link up/half-duplex
      vsys root, zone v1-trust, vr trust-vr
      *ip /0 mac 0010.db22.23f0
      ping enabled, telnet enabled, ssh enabled, snmp enabled
      web enabled, ident-reset disabled, ssl enabled, nsmgmt enabled
      webauth disabled
      dhcp-relay disabled
      bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
                 total configured gbw 0kbps, total allocated gbw 0kbps
    ns208->

get arp

    ns208-> get arp
    ip   mac           vr/interface       state  age   retry  pakque
         abc3241244dc  trust-vr/v1-trust  sts    0     0      50
         00065bd2ff42  trust-vr/v1-trust  vld    1151  0      0
    arp entry number 2/1024, no free entry count: 0
    arp always-on-dest: disabled
    ns208->

Note: although the column says "interface", in transparent mode the zone name is displayed.

get mac-learn
- Learning associates a MAC address with an outgoing interface and determines how received frames are forwarded in Layer 2; the table is also known as the bridge table or L2 forwarding table.
- Static MAC mapping: the MAC address to outgoing port association can be configured manually via the CLI with set mac.

    ns208-> get mac-learn
    link down clear mac learn table: enable
    total 3, create 9, ageout 6
    flood 1, bcast 150, relearn 1, nofree 0, error 0, drop 0
    ethernet2: 0004.7648.aa3c 56
    ethernet1: 0010.db13.e441 44
    ethernet3: 0010.db15.6bc4 59

get session

    ns208-> get session
    alloc 2/max 128000, alloc failed 0
    id 43/s*,vsys 0,flag 00000090/00/00,policy 1,time 1
     17(01): /27129-0/768,1,00b0d06c3f39,vlan 0,tun 0,vsd 0
     19(00): /271290/768,1,00b0d06c3f39,vlan 0,tun 0,vsd 0
     19(00): /27385-0/768,1,0010db2b1622,vlan 0,tun 0,vsd 0
    total 2 sessions shown

(The slide's callouts point at the ICMP sequence number, the ICMP identifier and the IP protocol number fields of each session line.)

Points to consider
- Policies must be configured to allow access; there is no default policy.
- Policies are written in terms of Layer-3 addresses.
- Avoid potential network (broadcast) storms.
- Transparent mode is a very flexible firewall deployment option: firewall and VPN functions can be brought up quickly, and access control is achieved without changing the network structure or creating virtual addresses (NAT).

Lab: transparent mode
Goal: configure transparent mode on a 5GT and manage the firewall while it is in transparent mode.

Route mode

Layer 3 operating mode
[Diagram: external zone, private zone and public zone around the firewall; hosts a, b, c, d; interface addresses for e1, e2, e7, e8 on /24 networks using .1 and .254 addresses.]

Static routes
[Same diagram.] Routing table (network / interface / next hop):
    /24  e1  -
    /24  e2  -
    /24  e7  -
    /24  e8  -
    /24  e1  54

Default gateway
[Same diagram.] Routing table with the default route added:
    /24  e1  -
    /24  e2  -
    /24  e7  -
    /24  e8  -
    /24  e1  54
    /0   e8  54

Review of zones and interfaces
Strict hierarchy: an interface must belong to a zone before an IP address can be assigned to it.

Layer-3 configuration steps
1. Create zones (if not using the default zones).
2. Assign interfaces to zones.
3. Assign IP addresses to interfaces.
4. Configure static routes.

Step 1: create zones
- set zone name <name>, example:
    ns208-> set zone name private
- WebUI: Network > Zones

Step 2: assign interfaces to zones
- WebUI: Network > Interfaces (Edit)
- set interface <interface> zone <zone>
    ns208-> set interface e8 zone untrust

Step 3: assign addresses to interfaces
- set interface <interface> ip <ip>/<mask>
    ns208-> set interface e8 ip /24
- WebUI: Network > Interfaces (Edit)

Step 4: configure static routes
- set route <ip>/<mask> interface <interface> gateway <ip>, example:
    ns208-> set route /24 interface e1 gateway 54
- WebUI: Network > Routing > Destination > Edit

Verifying the interface configuration
- WebUI: Network > Interfaces

    ns208-> get interface
    a - active, i - inactive, u - up, d - down, r - ready
    interfaces in vsys root:
    name   ip address  zone        mac             vlan  state  vsd
    eth1   /24         private     0010.db1d.1be0  -     u      -
    eth2   /0          v1-dmz      0010.db1d.1be4  -     d      -
    eth3   /0          v1-untrust  0010.db1d.1be5  -     d      -
    eth4   /0          private     0010.db1d.1be6  -     d      -
    eth5   /0          untrust     0010.db1d.1be7  -     d      -
    eth6   /0          null        0010.db1d.1be8  -     d      -
    eth7   /24         public      0010.db1d.1be9  -     u      -
    eth8   /24         external    0010.db1d.1bea  -     u      -
    vlan1  /0          vlan        0010.db1d.1bef  1     d      -

Verifying static routes - WebUI
Network > Routing > Destination

Verifying static routes - CLI

    ns208-> get route
    untrust-vr (0 entries)
    --------------------------------------------------------------------------
    c - connected, s - static, a - auto-exported, i - imported, r - rip
    ib - ibgp, eb - ebgp, o - ospf, e1 - ospf external type 1
    e2 - ospf external type 2
    trust-vr (9 entries)
    --------------------------------------------------------------------------
       id  ip-prefix  interface  gateway  p  pref  mtr  vsys
    --------------------------------------------------------------------------
    *   7  /0         eth8       54       s  20    1    root
    *   8  /24        eth1       0        s  20    1    root
        9  /24        eth2       0        s  20    1    root
    *   6  /24        eth8                c  0     0    root
       11  /24        eth3       0        s  20    1    root
    *   5  /24        eth7                c  0     0    root
        4  /24        eth3                c  0     0    root
        3  /24        eth2                c  0     0    root
    *   2  /24        eth1                c  0     0    root

Verifying routes: get route ip <ip>

    ns208-> get route ip
    destination routes for
    --------------------------------------------------------------------------
    trust-vr : => /24 (id=6) via 54 (vr: trust-vr)
                          interface ethernet1 , metric 1

Verifying routes: ping and extended ping

    ns208-> ping
    type escape sequence to abort
    sending 5, 100-byte icmp echos to , timeout is 2 seconds
    !
    success rate is 100 percent (5/5), round-trip time min/avg/max=2/3/9 ms
    ns208-> ping
    target ip address:
    repeat count 5:
    datagram size 100:
    timeout in seconds 2:
    source interface:
    type escape sequence to abort
    sending 5, 100-byte icmp echos to , timeout is 2 seconds
    !
    success rate is 100 percent (5/5), round-trip time min/avg/max=2/3/4 ms

Verifying routes: traceroute

    ns208-> trace
    type escape sequence to escape
    send icmp echos to , timeout is 2 seconds, maximum hops are 32
    1  1ms  2ms  2ms  54
    2  3ms  2ms  3ms
    trace complete

Routing interdependency
[Same route-mode diagram.] Routing table (network / interface / next hop):
    /24  e1  -
    /0   e2  54
How will traffic from host d get to host a?

Virtual routers: one VR
With a single VR, one table displays all routes, external and internal, which is difficult to secure. Routing table:
       id  ip-prefix  interface  gateway  p  pref  mtr  vsys
    *   3  /24        eth8                c  0     0    root
    *   8  /24        eth8                s  20    1    root
    *   7  /24        eth8                s  20    1    root
    *   2  /24        eth1                c  0     0    root
    *   4  /24        eth1                s  20    1    root
    *   5  /24        eth1                s  20    1    root
[Diagram: e8 towards the external networks, e1 towards the internal networks.]

Loopback interface
- No physical connection; as long as a route reaches it, the firewall's loopback address can be reached through any interface.
- Used for: management, VPN termination, dynamic routing (router ID).

Loopback interface configuration
    set interface loopback.<n> zone <zone>
    set interface loopback.<n> ip <ip>/<mask>
    set interface loopback.<n> manage <service>

Network address translation (NAT)
[Diagram: external zone and private zone; hosts a and d on /24 networks using .1 and .254 addresses.]
Internal private addresses are translated to valid, registered public IP addresses. This process is called network address port translation (NAPT).

Interface-based NAT
- A firewall interface runs in either NAT or route mode.
- In route mode no address translation takes place.
- In NAT mode, translation occurs only under specific conditions:
  - one VR: from the trust zone to the untrust zone only
  - two VRs: from any VR to untr
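The transparent-mode sections above note that vlan1 inherits its management options from the zones of the physical interfaces, and that per-zone services are set with "set zone <zone> manage <service>". The following added Python script (not part of the original deck; the sample "get interface" text is constructed, and the classification of telnet, web and snmp as cleartext is the example's own assumption) parses saved "get interface" output and flags management services reachable from the untrust-side zones or carried over unencrypted protocols:

```python
import re

# Constructed sample modelled on the slide's "get interface ethernet1" output.
SAMPLE = """\
interface ethernet1:
  vsys root, zone v1-trust, vr trust-vr
  ping enabled, telnet enabled, ssh enabled, snmp enabled
  web enabled, ident-reset disabled, ssl enabled, nsmgmt enabled
interface ethernet3:
  vsys root, zone v1-untrust, vr trust-vr
  ping enabled, telnet enabled, ssh disabled, snmp disabled
  web enabled, ident-reset disabled, ssl disabled, nsmgmt disabled
"""

MGMT_SERVICES = {"ping", "telnet", "ssh", "snmp", "web", "ssl", "nsmgmt"}
CLEARTEXT = {"telnet", "web", "snmp"}        # unencrypted management protocols
UNTRUSTED_ZONES = {"untrust", "v1-untrust"}

def parse_interfaces(text):
    """Return {interface: {"zone": zone, "enabled": set(services)}}."""
    result, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+):", line):
            cur = m.group(1)
            result[cur] = {"zone": None, "enabled": set()}
            continue
        if cur is None:
            continue
        if z := re.search(r"\bzone (\S+),", line):
            result[cur]["zone"] = z.group(1)
        for svc, state in re.findall(r"([\w-]+) (enabled|disabled)", line):
            if svc in MGMT_SERVICES and state == "enabled":
                result[cur]["enabled"].add(svc)
    return result

def audit(text):
    """Flag any management service on an untrusted zone, and cleartext
    management anywhere; returns sorted (interface, zone, service, reason)."""
    findings = []
    for iface, info in parse_interfaces(text).items():
        for svc in info["enabled"]:
            if info["zone"] in UNTRUSTED_ZONES:
                findings.append((iface, info["zone"], svc, "mgmt reachable from untrusted zone"))
            elif svc in CLEARTEXT:
                findings.append((iface, info["zone"], svc, "cleartext mgmt protocol"))
    return sorted(findings)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%-10s %-11s %-7s %s" % f)
```

Each finding maps directly to a zone and service name, so it can be cross-checked against the "set zone <zone> manage <service>" lines in the saved configuration.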
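The static-route section above asks how traffic from host d reaches host a given the routes in "get route", and "get route ip <ip>" answers it on the device. The added Python example below (not part of the original deck; the route table is constructed in the layout of the slide's output because the slide's own addresses did not survive extraction) reproduces that lookup offline: only routes marked "*" (active) are eligible, the longest prefix wins, and ties fall to the lower pref and then the lower mtr column:

```python
import ipaddress

# Constructed route table in the layout of the slide's "get route" output
# (the slide's own addresses did not survive extraction; these are sample values).
ROUTE_TABLE = """\
   id  ip-prefix      interface  gateway     p  pref  mtr  vsys
*   7  0.0.0.0/0      eth8       10.1.8.254  s  20    1    root
*   8  10.1.2.0/24    eth1       10.1.1.254  s  20    1    root
    9  10.1.2.0/24    eth2       10.1.3.254  s  20    1    root
*   6  10.1.8.0/24    eth8                   c  0     0    root
*   5  10.1.7.0/24    eth7                   c  0     0    root
*   2  10.1.1.0/24    eth1                   c  0     0    root
"""

def parse_routes(text):
    """Parse route rows; a leading '*' marks the route as active (usable)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.lstrip("* ").split()
        if len(cols) == 7:                      # connected route: no gateway column
            cols.insert(3, None)
        if len(cols) != 8:
            continue
        routes.append({"id": int(cols[0]),
                       "prefix": ipaddress.ip_network(cols[1]),
                       "iface": cols[2], "gateway": cols[3],
                       "pref": int(cols[5]), "metric": int(cols[6]),
                       "active": line.startswith("*")})
    return routes

def lookup(routes, dst):
    """Longest-prefix match over active routes, ties broken by lower
    preference and then lower metric (the pref/mtr columns)."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r["active"] and ip in r["prefix"]]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r["prefix"].prefixlen, -r["pref"], -r["metric"]))

def describe(routes, dst):
    """Render the chosen route in the style of 'get route ip <ip>'."""
    r = lookup(routes, dst)
    if r is None:
        return "no route to %s" % dst
    via = "via %s " % r["gateway"] if r["gateway"] else ""
    return "=> %s (id=%d) %sinterface %s, metric %d" % (
        r["prefix"], r["id"], via, r["iface"], r["metric"])
```

For example, describe(parse_routes(ROUTE_TABLE), "10.1.2.5") selects the active static route id 8 via eth1 rather than the inactive id 9 or the default route, and an address outside every /24 falls through to the default route on eth8.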