![[Internet] Netscreen study.ppt, page 1](http://file.renrendoc.com/FileRoot1/2019-1/1/e0ad9f98-2b92-49d5-b771-1efe0d17befd/e0ad9f98-2b92-49d5-b771-1efe0d17befd1.gif)
Document summary
Juniper Netscreen &

- 1. NetScreen product line
- 2. NetScreen
  - 2-1. What is Security Zone?
  - 2-2. NetScreen Mode
- 3. NetScreen (Command Line)
- 4. NetScreen WebUI
  - 4-1. Admin Setting
  - 4-2. Report Setting
- 5. NetScreen WebUI
  - 5-1.
  - 5-2. Object Address
  - 5-3. Object Service
  - 5-4. Object Schedule
  - 5-5. Policy
- 6. Command-line configuration (CLI Command)

1. NetScreen product line

NetScreen Spec

2. NetScreen

- Security Zone Mode (TP, NAT, Route mode)

2. Netscreen Mode Configuration

2-1. Security Zone: What is Security Zone?

Diagram labels: Untrust Zone, Trust Zone, Internet, eth1, eth2, eth3, eth4

- Interface Zone Binding
- Object Address Zone Define
- Policy Zone
  - ex) Incoming Policy: From untrust to trust
  - ex) Outgoing Policy: From trust to untrust
- Interface Security Zone, Zone Interface Binding. (ex. eth3, eth4 Trust zone; eth2 Untrust zone)
- L3 Mode (NAT, Route): Trust, DMZ, Untrust Zone
- L2 Mode (Transparent): V1-Trust, V1-DMZ, V1-Untrust Zone.
- Zone Define.

2-2. Netscreen Mode

- Transparent mode (L2): L2 mode Router Switch Bridge Manage IP
- NAT mode (L3): L3 Routing Table IP Outbound Traffic Source IP IP NAT
- Route mode (L3): L3 zone binding Trust Interface Route mode setting L3 Routing Table

2-3. Netscreen Mode

1) Transparent Mode (L2 mode)

- Network IP In, Outbound Traffic Default Gateway Routing Table, (Telnet VPN) Default G/W Routing Table Interface IP
- L2 Zone (v1-trust, v1-untrust) Binding TP mode
- Ethernet Interface Switch Network Interface IP Management IP Vlan1 Interface

2) NAT mode (L3 mode)

- Interface L3 Zone (Trust, Untrust) Binding NAT mode
- Interface IP Address Subnet Mask Vlan1 Interface IP
- L3 Default G/W Network Static Route Client IP Client
- Trust () Untrust () Traffic Source IP Untrust Interface IP
- (Untrust) Trust () Incoming Traffic MIP 1:1 NAT IP Pool Source IP Dynamic.

3) Route Mode (L3 mode)

- Firewall Interface Network NAT Policy IP NAT IP NAT Policy, IP Traffic Firewall Routing
- Routing OSPF, BGP, RIP Dynamic Routing Protocol

3. NetScreen (Command Line)

3. Netscreen Mode Configuration

3-1.

- Mode
  - Transparent mode (L2), NAT mode (L3), Routing mode (L3)
- Zone Binding
  - L2 mode (v1-trust, v1-dmz, v1-untrust)
  - L3 mode (Trust, DMZ, Untrust)
- IP Setting
  - L2 mode: Vlan1 Interface IP (only Vlan1)
  - L3 mode: Interface IP (eth1, eth2 eth1/1, eth1/2)
- Interface Mode (NAT, Route)
  - Routing mode: Trust, Untrust Interface Route mode
  - NAT mode: Trust NAT, Untrust Route mode
- Routing Table
  - Default Gateway Static Routing or Dynamic Routing

3-2. CLI Mode Initial Configuration

1) TP Mode setting

- Netscreen Console Cable ID Password Prompt. (Default ID / Password: netscreen / netscreen)
  - ns5gt
- Management IP setting
  - ns5gt set int vlan1 ip /24
- Interface management
  - ns5gt set int vlan1 manage
  - set int v1-untrust manage
- Zone Binding
  - ns5gt set int trust zone v1-trust
  - ns5gt set int untrust zone v1-untrust
  - ns25 set int eth1 zone v1-trust
  - ns25 set int eth2 zone v1-dmz
  - ns25 set int eth3 zone v1-untrust
- Interface
  - ns5gt get int
- Routing Table
  - ns5gt set route /0 int vlan1 gateway 54
- Routing Table
  - ns5gt get route

Diagram labels: net, L3 Switch

2) NAT mode setting

- Interface Zone Binding
  - ns5gt set int trust zone trust
  - ns25 set int eth1 zone trust
- Interface IP
  - ns5gt set int trust ip /24
  - ns5gt set int untrust ip /24
  - ns25 set int eth1 ip /24
  - ns25 set int eth3 ip /24
- Interface management
  - ns5gt set int untrust manage
  - ns25 set int eth3 manage
- System IP (vlan1 Interface IP)
  - ns5gt unset int vlan1 ip
- Routing Table
  - ns5gt set route /0 int untrust gateway 54
  - ns5gt set route /24 int trust gateway
  - ns25 set route /0 int eth3 gateway 54
  - ns25 set route /24 int eth1 gateway
- Interface
  - ns5gt get int
- Routing Table
  - ns5gt get route

Diagram labels: net, L3 Switch

3) Route mode setting

- Interface Zone Binding
  - ns5gt set int trust zone trust
  - ns25 set int eth1 zone trust
- Interface IP
  - ns5gt set int trust ip /24
  - ns5gt set int untrust ip /24
- Trust Interface Route Mode
  - ns5gt set int trust route
  - ns25 set int eth1 route
- Interface management
  - ns5gt set int untrust manage
  - ns25 set int eth3 manage
  - * ns5gt set int trust manage ping
- System IP (vlan1 Interface IP)
  - ns5gt unset int vlan1 ip
- Routing Table
  - ns5gt set route /0 int untrust gateway 54
  - ns5gt set route /24 int trust gateway
  - ns25 set route /0 int eth3 gateway 54
  - ns25 set route /24 int eth1 gateway
- Interface
  - ns5gt get int
- Routing Table
  - ns5gt get route

Diagram labels: net, L3 Switch

4)

- TP Mode Interface IP /0
  - ns5gt get int
- TP Mode Interface IP IP
  - ns5gt unset int trust ip
  - ns25 unset int eth1 ip
  - ns25 unset int eth3 ip
- Interface NAT mode Route mode
  - ns5gt get int trust
  - ns25 get int eth1

4. NetScreen WebUI

4. Managing the Firewall with the WebUI

Enter the Netscreen's Management IP in a browser to reach its Web login page, then enter the ID and Password to access its configuration interface.

4-1. Administration: management information settings

Home (home page information)

After logging in to the firewall through the WebUI, the firewall shows the following information:

- Device Information
- System Status (Root)
- Resources Status
- Interface link status
- The most recent events
- The most recent alarms

Configuration > Date/Time (time settings)

- Timezone, DST, NTP settings
- Setting the time information is essential for understanding the Log; accurate judgments can only be made when the exact time is known.

Configuration > Update > ScreenOS/Keys (OS key Upgrade)

- Firmware, Image Key License Key "Apply".
- Firmware WebUI Upgrade Rebooting

Configuration > Update > Config File (Configuration Back Up)

- Configuration Configuration Replace Merge Command Save.
- Configuration Download.
- Configuration Load WebUI Upload Rebooting

Configuration > Update > Attack Signature (DI Attack Update)

- Deep Inspection Attack Signature Update (current version) Update Schedule.

Configuration > Admin > Administrators (Admin Account)

- ID Password, ID Read/Write Read only. "NEW".

Configuration > Admin > Permitted IPs

- Management IP, Management Client IP IP Network 6 Permitted IP List.

Configuration > Admin > Management (Management Setting)

- Setting.
- Web Console Idle Time Out
- Help Link Path
- HTTP Port
- HTTPS Port
- Telnet Port

4-2. Report Setting

Configuration > Report Settings > Log Settings (Log Level settings)

- Tool Log Level Setting.
- Emergency
- Alert
- Critical
- Error
- Warning
- Notification
- Information
- Debugging

Configuration > Report Settings > Email (E-mail Allot)

- E-mail Server name Email Address Level Email.
- Include Traffic Log: E-mail Log Traffic Log Check.
- Enable E-mail Notification for Alarm: enable e-mail Alarm log.

Configuration > Report Settings > SNMP (SNMP settings)

- SNMP Trap Event NMS.

Configuration > Report Settings > Syslog (Syslog settings)

- Syslog Server IP Port Enable Syslog Messages Check System Log Log Server.

5. NetScreen WebUI

5. WebUI NetScreen

5-1.

- Traffic
  - Client Server: Incoming Policy (from Untrust to Trust)
  - Client Server: Outgoing Policy (from Trust to Untrust)
  - Client DMZ Server: from Trust to DMZ
- Object Address
  - (Untrust) Server or Client: Untrust Zone Address
  - (Trust) Server or Client: Trust Zone Address
  - DMZ Host: DMZ Address
- Object Service
  - NetScreen 70 Service Pre-Defined
  - Pre-Defined Custom
- Object
  - Schedule, User Object
- Policy
  - Traffic

5-2. Object Address Setting

Object > Addresses > List (Address Setting)

- Netscreen address allow, block, encrypt, user-authentication Traffic IP Address Default IP Address Any Zone Traffic Address New Address.
- IP Address, Netmask Domain Name, Trust Untrust OK.
- Domain name Address DNS (Network/DNS)
- Network, (Address) 55
- Address List Security Zone.

Object > Addresses > Group (Address Group Setting)

- Address Group Policy (IP Address) New Group New Group, Address Group Policy Address, Group Name OK Group.
- Address Group Security Zone.

Object > Addresses > List (Address)

- Address Address Group Edit, Remove
- Remove Policy Address, Policy Address, Group Address In Use

Object > Addresses > Summary (Address Summary)

- Security Zone Address Address Group.

5-3. Object Service Setting

Object > Service > Predefined (Predefined Service)

- Netscreen System 70 Pre-define. Service Edit.

Object > Service > Custom (Custom Service Setting)

- Predefined Custom Service, New Service, Service Name, Protocol, Open OK Custom Service.
- Service Port Destination Port

Object > Service > Group (Service Group Setting)

- Group Policy.
- New Group, Custom Group Name, OK Custom Service Group.

Object > Service > Custom or Group (Service)

- Edit Remove OK Object Service Custom

5-4. Object Schedule Setting

Object > Schedule (Schedule)

- Policy Enable/Disable Rule
  - Recurring Times Policy. Scheduling
  - Once only.
- Schedule New Schedule Schedule OK

5-5. Policy Setting

Policies (Policy Setting)

- Traffic.
- Source Zone Destination Zone New Policy (Incoming Policy: from Untrust to Trust, Outgoing Policy: from Trust to Untrust)

Policies > New (Policy Setting)

- 1. Source Address: Address
- 2. Destination Address: Address
- 3. Service
- 4. Permit, Deny. VPN Tunnel "VPN Tunnel".
- 5. Policy Traffic Log
- 6. Policy.
- 7. Schedule Setting Advanced

Policies > New > Advanced (Policy Setting)

- 1. Policy Based NAT: Source NAT, Destination NAT
- 2. Authentication
- 3. Policy Bandwidth
- 4. Schedule: Schedule
- 5. OK Policy.

Policies > New > Destination Address > Multiple (Multi-Cell Policy Setting)

- Address Service Object Multiple Object Policy Object Grouping
- Available Members Selecting Members
- Address Grouping Multi-Object.
- Address Grouping List Policy Multi-Cell Policy

Policies (Policy)

- from all zone to all zone, Go. Policy Zone.

Policies > Move (Policy)

- Policy, Policy. Move. Move Location Policy.

Policies (Policy)

- Policy Edit, Remove. Policy Clone.

6. Command-line configuration (CLI Command)

6.1 CLI Command

NetScreen firewall CLI basic configuration command syntax:

- get: view command
- set: system configuration command
- unset: delete a setting
- save: save the configuration file
- exit: leave the CLI configuration page (Console)
- clear: clear the current dynamic output information
- reset: clear the firewall configuration
- ping: host ping test
- trace-route: host Trace Route test
- exec: System Command

The Netscreen firewall supports command help; enter "?" after the relevant command to look up the specific commands.

- ex) set interface ?
- ex) set admin ?

1) View the firewall Configuration file

- fw get config

Total Config size 22330:

- set auth type 0
- set auth timeout 10
- set clock dst-off
- set clock "timezone" 9
- set admin format dos
- set admin name "netscreen"
- set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
- set admin user admin password nNwVKDreO5/Gc4fOWsvN/3MtvuCNDn privilege all
- set admin port 8081
- set admin telnet port 2324
- set admin auth timeout 0
- set admin auth type Local

2) View Interface status

- fw get interface
- fw get interface eth1
- fw get interface v1-untrust

Interface:

- Name IP Address Zone MAC VLAN Status
- vlan1 v MGT 0010.db0c.17e5 up
- v1-trust /0 V1-Trust 0010.db0c.17e5 up
- v1-untrust /0 V1-Untrust