《juniper防火墙初级动手配置-internal-qubo》由会员分享,可在线阅读,更多相关《juniper防火墙初级动手配置-internal-qubo(169页珍藏版)》请在金锄头文库上搜索。
1、Copyright 2004 Juniper Networks, Inc. Proprietary and C 1防火墙-动手配置2Copyright 2004 Juniper Networks, Inc. Proprietary and C 议程 系统管理 透明模式 路由模式 安全策略 地址翻译 应用层和网络层防攻击Copyright 2004 Juniper Networks, Inc. Proprietary and C 3系统管理4Copyright 2004 Juniper Networks, Inc. Proprietary and C 系统组成 所有关键的系统功 能都在内存中运行
2、 。 可以通过控制线和 webu对防火墙的配 置进行修改。Tables BuffersRunning ConfigScreenOS (active)ScreenOS ImageSaved ConfigCerts, etc.RAMFlashInterf.Interf.Interf.TFTP PwrUp/ ResetAux. StorageWebUINetScreenAux. Mgt. ServersDNS/ SyslogConsole“Get”“Set”5Copyright 2004 Juniper Networks, Inc. Proprietary and C ns208- get syst
3、em Product Name: NS208 Serial Number: 0043042002000034, Control Number: 00000000 Hardware Version: 0110(0)-(11), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0) Software Version: 5.0.0.0, Type: Firewall+VPN Base Mac: 0010.db1d.1c30 File Name: n200-LAS0z0ad, Checksum: 00000000Date 04/15/2003 22:06:53, Da
4、ylight Saving Time enabled The Network Time Protocol is Disabled Up 2 hours 31 minutes 14 seconds Since 15 Apr 2003 19:35:39 Total Device Resets: 0System in NAT/route mode.Use interface IP, Config Port: 80 User Name: netscreenInterface ethernet1:number 0, if_info 0, if_index 0, mode natlink up, phy-
5、link up/full-duplexvsys Root, zone Trust, vr trust-vrdhcp disabled*ip 1.1.1.1/24 mac 0010.db1d.1c30*manage ip 1.1.1.1, mac 0010.db1d.1c30 - more -显示状态信息 - CLIIn the CLI, get commands provide valuable status about operational conditions: System serial number Software version Operating mode Interface
6、status Interface address Management addresses6Copyright 2004 Juniper Networks, Inc. Proprietary and C 图形化界面 - WebUI NetScreen 防火墙可以通过图形化的界面进行管 理。 需要的条件 (ie. one IP address) 一台PC机与防火墙在同一个网段 口令保护7Copyright 2004 Juniper Networks, Inc. Proprietary and C Zone 和 Interface 的分配A strict hierarchical linkage
7、exists between zones and interfaces in a NetScreen device Zones are assigned to a virtual router Interfaces are assigned to a security zone An interface can only belong to one security zone Individual configuration parameters are assigned to interfaces IP addresses Management services OthersInt.Zone
8、ZoneVirtual RouterVRZoneInt.IP8Copyright 2004 Juniper Networks, Inc. Proprietary and C Zone 的类型 安全zone Pre-defined: Trust, Untrust, DMZ; V1-Trust, V1-Untrust, V1-DMZ User-defined Tunnel Zone功能 Zones Null MGT HA Self VLANns5gt- get zone Total 10 zones created in vsys Root - 5 are policy configurable.
9、 Total policy configurable zones for Root is 5. -ID Name Type Attr VR Default-IF VSYS0 Null Null Shared untrust-vr hidden Root1 Untrust Sec(L3) Shared trust-vr untrust Root2 Trust Sec(L3) trust-vr trust Root4 Self Func trust-vr self Root5 MGT Func trust-vr null Root10 Global Sec(L3) trust-vr null Ro
10、ot11 V1-Untrust Sec(L2) trust-vr v1-untrust Root12 V1-Trust Sec(L2) trust-vr v1-trust Root14 VLAN Func trust-vr vlan1 Root16 Untrust-Tun Tun trust-vr hidden.1 Root -9Copyright 2004 Juniper Networks, Inc. Proprietary and C Configuring Zones/Interfaces - WebUINetwork Interfaces (edit)10Copyright 2004
11、Juniper Networks, Inc. Proprietary and C License Keys 的管理 以下的特征需要增加license key: Capacity expansion (extended/advanced releases) Anti-virus URL filtering Deep Inspection 两种安装key的方法 Manual get key from Juniper/reseller Automatic register device at Juniper Website, then download licensesexec license-ke
12、y capacity exec license-key update11Copyright 2004 Juniper Networks, Inc. Proprietary and C 文件管理 备份/恢复 netscreen 防火墙所需要的重要的配置文 件信息。 ScreenOS image Configuration files 备份/恢复 配置文件的存放 On-board Flash TFTP server External storage (SANdisk) Management station (WebUI only)12Copyright 2004 Juniper Networks,
13、 Inc. Proprietary and C 保存配置 WebUI Saves automatically when you click “Apply” or “OK” Console displays save messages CLI Manual command Writes to on-board flash configuration file ns208 save13Copyright 2004 Juniper Networks, Inc. Proprietary and C 配置文件管理 - CLI 只有根管理员才能进行这些操作 配置文件备份 配置文件恢复 Option 1: copies file into flash available at next reboot Option 2: merges file into RAM BE CAREFUL!save config from flash to tftp | pcmcia |
