Juniper Firewall Basic Security Policies (PPT Presentation)

Uploaded by: 日度 | Document ID: 150185722 | Uploaded: 2020-11-03 | Format: PPT | Pages: 41 | Size: 1 MB


Juniper Firewall Security Policies
ITman Forum

Security Zones and Policies
- Inter-Zone traffic must be checked by policy
- Intra-Zone traffic may be checked by policy

[Network diagram: External Zone, Private Zone and Public Zone; labels A, B, C, D; addresses 1.1.70.250, 1.1.70.0/24, 10.1.10.5, 10.1.10.0/24, 10.1.20.5, 10.1.20.0/24, 200.5.5.5, 10.1.1.0/24, 10.1.2.0/24, 1.1.7.0/24, 1.1.8.0/24]

Sample packet:

    Src IP     Dest IP     Protocol  Src Port  Dst Port  Data
    10.1.10.5  1.1.70.250  06        36033     80        #$%&

Policy Components
- Source & Destination: Address Book, Address Group
- Service: Pre-defined Service, Custom Service, Custom Service Group
- Action: Permit, Deny, Tunnel
- Options: covered in next chapter

Policy Configuration Procedure
- Create Address Book entries for each zone
- Define any custom services needed for your network
- Create policy entries
- Sort policy set for proper ordering

Step 1: Address Book Entries

[Network diagram: the same External, Private and Public zones and addresses as above, with E1 10.1.1.1, E2 10.1.2.1, E7 1.1.7.1, E8 1.1.8.1]

Address Book - WebUI (Objects > Addresses > List)
- Entries displayed based on zone
- Use alphabet buttons to filter display when large numbers of addresses are configured
- Click on “New” button to add an entry

New Address Entry (Objects > Addresses > List (New))
- Address name is used in address list and policy list
- Make the name meaningful to your network!
- Comment is your opportunity for embedded documentation
- Choice of address/mask or domain name
- Domain name requires DNS configuration

Address Book - CLI

IP address:

    set address /
    ns208-> set address Private PrivatePC 10.1.10.5/32

Domain name:

    set address
    ns208-> set Yahoo

Viewing the address book:

    ns208-> get address addr zone name Private
    Private Addresses:
    Name         Address          Netmask          Flag  Comments
    Any          0.0.0.0          0.0.0.0          02    All Addr
    Dial-Up VPN  255.255.255.255  255.255.255.255  02    Dial-Up VPN Addr
    PrivatePC    10.1.10.5        255.255.255.255  00

Step 2: Services
- Address book entries define where traffic can flow from and to
- Service entries define the type of traffic: protocol and port numbers

Predefined Services (Objects > Services > Predefined)

    get service pre-defined

Creating a Custom Service (Objects > Services > Custom (New))

    set service name

Step 3: Create Policy - WebUI (Policies)
- Select zone pairs, then click “New”

Create Policy - WebUI
Components:
- Source & Destination Zone
- Source & Destination Address: use pull-down menu to display address book entries
- Service: use pull-down menu to display service entries
- Action: permit, deny, or tunnel

Create Policy - CLI

    set policy from to permit | deny

Example:

    ns208-> set policy from private to public 10.1.10.5/32 any http permit

Viewing Policy Entries - WebUI (Policies)

Viewing Policy Entries - CLI

    ns208-> get policy
    Total regular policies 6, Default deny.
    ID  From     To      Src-address  Dst-address  Service  Action  State    ASTLCB
    1   Private  Public  Any          Any          H.323    Deny    enabled  -X
    2   Private  Public  Admins       1.1.70.250/  Allowed  Permit  enabled  -X
    3   Private  Public  10.1.10.100  1.1.70.200/  ANY      Permit  enabled  -X
    4   Private  Public  10.1.10.16/  1.1.70.200/  Allowed  Permit  enabled  -X
    5   Private  Public  Any          1.1.70.200/  HTTP     Deny    enabled  -X
    6   Private  Public  Any          1.1.70.200/  FTP      Permit  enabled  -X

Step 4: Policy Ordering
- New policies added to end of list
- Default condition is deny all traffic
- Order is important!

Re-Ordering Policies - WebUI
- Move Button: allows move by number
- Move Arrow: allows placement by position (point and click)

Re-Ordering Policies (cont.)
- Using the button
- Using the Arrows

Re-Ordering Policies - CLI

    set policy id before | top
    ns208-> set policy id 5 before 4
    ns208-> set policy id 1 top

Configuration Options
- Address Groups
- Service Groups
- Multi-Cell Policies

Address Groups
- Group of individual address book entries
- Treated as single entity by a policy
- Appears as a selection in the WebUI pull-down menu

Creating Address Groups - WebUI (Objects > Addresses > Group)

Creating Address Groups - CLI

    set group address add
    ns208-> set group address Private Admins add Admin1
    ns208-> set group address Private Admins add Admin2

Viewing Address Groups (Objects > Addresses > Group)

    get group address
    ns208-> get group address Private
    Group Name  Count  Comment
    Admins      2

    get group address
    ns208-> get group address Private Admins
    Group Name: Admins  Comment:
    Group Items: 2
    Members: Admin1 Admin2

Creating a Service Group (Objects > Services > Group (New))

    set group service add

Viewing Service Groups (Objects > Services > Group)

    get group service
    ns208-> get group service
    Group Name       Count  Comment
    AllowedServices  5

    get group service
    ns208-> get group service AllowedServices
    Group Name: AllowedServices  Comment:
    Group Items: 5
    Members: FTP HTTP PING TELNET TFTP

Multi-Cell Policies
- An alternative to groups
- Each policy is an entity comprising multiple address entries and/or service entries
- Limited to 8 “cells” per category (source address, des
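The point of Step 4 (new policies land at the end, the first match wins, anything unmatched is denied) can be checked offline with a small model. This is an added example, not part of the original slides: the /32 masks, the membership of `ALLOWED` and the new policy 7 are assumptions, because the `get policy` listing truncates its addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set modelled on the page's "get policy" listing; the /32
# masks are assumed because the listing cuts the addresses off.
ALLOWED = {"FTP", "HTTP", "PING", "TELNET", "TFTP"}
DST = ip_network("1.1.70.200/32")
ANY_NET = ip_network("0.0.0.0/0")
POLICIES = [  # (id, source, destination, services or None for ANY, action)
    (3, ip_network("10.1.10.100/32"), DST, None, "permit"),
    (4, ip_network("10.1.10.16/32"), DST, ALLOWED, "permit"),
    (5, ANY_NET, DST, {"HTTP"}, "deny"),
    (6, ANY_NET, DST, {"FTP"}, "permit"),
]
# Hypothetical new rule; like any new policy it is added at the end of the list.
NEW_DENY = (7, ip_network("10.1.10.100/32"), DST, {"TELNET"}, "deny")

def evaluate(policies, src, dst, service):
    """Return (id, action) of the first matching policy, else the default deny."""
    for pid, s_net, d_net, svcs, action in policies:
        if (ip_address(src) in s_net and ip_address(dst) in d_net
                and (svcs is None or service in svcs)):
            return pid, action
    return None, "deny"

def covers(a, b):
    """True if policy a matches every packet that policy b matches."""
    svc_ok = a[3] is None or (b[3] is not None and b[3] <= a[3])
    return b[1].subnet_of(a[1]) and b[2].subnet_of(a[2]) and svc_ok

def shadowed(policies):
    """(hidden id, hiding id) pairs: a later policy fully covered by an earlier one."""
    return [(b[0], a[0]) for i, b in enumerate(policies)
            for a in policies[:i] if covers(a, b)]

def move_before(policies, pid, target):
    """Model of re-ordering such as 'set policy id 5 before 4'; returns a new list."""
    rest = [p for p in policies if p[0] != pid]
    moved = next(p for p in policies if p[0] == pid)
    idx = next(i for i, p in enumerate(rest) if p[0] == target)
    return rest[:idx] + [moved] + rest[idx:]

if __name__ == "__main__":
    appended = POLICIES + [NEW_DENY]
    print(shadowed(appended))                      # deny 7 never fires behind 3
    fixed = move_before(appended, 7, 3)
    print(evaluate(fixed, "10.1.10.100", "1.1.70.200", "TELNET"))
```

Running `shadowed` over an exported rule list before and after each change is a quick audit for rules that can never match.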
