Source: "Lecture 6: Basic Introduction to Juniper Firewalls", a 29-page slide deck shared on 金锄头文库.
Lecture 6: Basic Introduction to Juniper Firewalls

Objectives
- Identify the requirements that must be met by network security devices
- Name and describe the function of the components of the Universal Security Gateway Architecture, including Virtual Systems (VSYS), zones, policies, virtual routers and interfaces
- Describe the packet processing sequence in a NetScreen device
- Select correct deployment scenarios for NetScreen appliances and systems

Security Device Requirements
- Frame/packet forwarding: bridging (Layer 2) and routing (Layer 3)
- Firewall: filter based on the contents of the IP, TCP/UDP and application headers
- Network/Port Address Translation: private-to-public address translation
- Virtual Private Networks: encapsulation, authentication and encryption, primarily implemented with IPsec

Layer 2 Frame Forwarding (Bridging/Switching)
- Transparent bridge functions:
  - Learning (based on the source MAC address)
  - Forward/flood/filter (based on the destination MAC address)
  - Loop prevention (Spanning Tree Protocol)
- [Figure: MAC address table of a bridge; 00c0.01cd.5120 learned on E1, 00e0.01ab.cd10 learned on E8]

Layer 3 Packet Forwarding (Routing)
- Forward IP packets based on the destination address
- Maintain route table entries: static routes, dynamic routes (RIP, OSPF, BGP) and default routes
- [Figure: a NetScreen (labelled 208) with E1 10.1.1.1/24 and E8 10.2.2.1/24 consults its route table to reach host 10.3.3.10 through a neighbouring router (10.2.2.2/24, 10.3.3.1/24)]

Firewall
- Packet filter based on the packet header: IP (source address, destination address, protocol) and TCP/UDP (port number)
- Used to implement security policies

Network/Port Address Translation
- Converts private address space to a public address (NAT/PAT)
- [Figure: host 10.1.1.5 in the Trust zone behind interface 10.1.1.1 is translated to the Untrust address 201.1.8.1]

Virtual Private Networks
- Provide secure tunnels across the Internet: encapsulation, encryption and authentication
- [Figure: site-to-site tunnel between Untrust 1.1.1.1 and Untrust 2.2.2.1; Trust sides labelled 10.0.0.254 and 20.1.20.1, with hosts 10.0.0.5, 10.0.0.6, 10.1.20.3 and 10.1.20.4]

Traditional Firewall Requirements
- Untrust network: the Internet or another public network; we have no control over it
- Trust network: our private network; we have control
- [Figure: Untrust Zone and Trust Zone, with hosts 10.0.0.5 and 10.0.0.6 in the Trust Zone]

Emergence of the DMZ
- Additional requirements for public access
- Emergence of the "DMZ": access to services such as Web, mail and FTP
- [Figure: Web, FTP and mail servers in a DMZ Zone between the Untrust Zone and the Trust Zone (hosts 10.0.0.5, 10.0.0.6)]

Next Step: No Trusted Networks
- Security is required within our private network as well
- This introduces new requirements: a flexible architecture and scalability
- [Figure: Untrust Zone, DMZ Zone (Web, FTP and mail servers), Administration Zone, Marketing Zone and Engineering Zone]

NetScreen Security Architecture
- The NetScreen solution to the new security requirements
- Provides a flexible, scalable software architecture
- Components: interfaces, zones, virtual routers, policy, virtual systems

Security Architecture Components
- [Figure: NetScreen device showing the security architecture components]

Security Concepts: Functionality
- A firewall is a security device, or set of devices, that protects networks from unwanted traffic
- Firewalls can perform several functions: packet filter, application proxy, stateful packet inspection, deep packet inspection

Packet Filter
- Uses access control lists to examine: source/destination IP, protocol number, source/destination port, TCP ACK flag
- Implemented in most routers
- Does not keep state of IP communication through the firewall
- Relatively easy to spoof: a rule that admits "established" traffic by the ACK flag passes any inbound packet with ACK set, whether or not a connection exists

Application Proxy
- Uses a proxy program to emulate an application; each service requires its own proxy
- Network traffic is sent to the application proxy, which acts on behalf of the service provided by a server
- HTTP and FTP are two commonly used proxies
- The application proxy examines the application data and drops or forwards the traffic based on selected criteria
- Implemented in software at Layer 7 of the OSI reference model
- Typically slower than packet filtering
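The interface, zone, virtual router and policy components named in the NetScreen Security Architecture slides above, and the route-table lookup from the Layer 3 forwarding slide, as an added Python model of the decision sequence (ingress interface to zone, route lookup to egress zone, then policy lookup). This is illustration written for this page, not ScreenOS code; the interface names, addresses, policies and the default-deny/intrazone behaviour are constructed assumptions for the example.

```python
"""Toy model of the NetScreen decision sequence the architecture slides name:
ingress interface -> zone, virtual-router route lookup -> egress zone, then
policy lookup.  Added illustration only (not ScreenOS code); the interface
names, addresses and policies below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    zone: str
    ip: str  # address with prefix length, e.g. "10.1.1.1/24"


@dataclass
class Route:
    prefix: str
    interface: str
    gateway: Optional[str] = None


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    src: str      # address/prefix or "any"
    dst: str
    service: str  # e.g. "tcp/80", or "any"
    action: str   # "permit" or "deny"


class VirtualRouter:
    """Route table with longest-prefix match (the Layer 3 forwarding slide)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(r.prefix), r) for r in routes]

    def lookup(self, dst: str) -> Optional[Route]:
        d = ipaddress.ip_address(dst)
        best = None
        for net, route in self.routes:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route)
        return best[1] if best else None


def addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)


class NetScreenModel:
    def __init__(self, interfaces, routes, policies, blocked_zones=()):
        self.ifaces = {i.name: i for i in interfaces}
        self.vr = VirtualRouter(routes)
        self.policies = list(policies)      # ordered: first match wins
        self.blocked = set(blocked_zones)   # zones with intrazone blocking switched on (assumption)

    def decide(self, ingress_if: str, src: str, dst: str, service: str):
        from_zone = self.ifaces[ingress_if].zone            # 1. ingress interface -> zone
        route = self.vr.lookup(dst)                         # 2. route lookup -> egress interface
        if route is None:
            return ("drop", "no route")
        to_zone = self.ifaces[route.interface].zone         #    egress interface -> zone
        if from_zone == to_zone and from_zone not in self.blocked:
            return ("permit", f"intrazone {from_zone}")     # intrazone traffic unblocked by default
        for p in self.policies:                             # 3. policy lookup, first match wins
            if (p.from_zone, p.to_zone) == (from_zone, to_zone) and addr_match(p.src, src) \
                    and addr_match(p.dst, dst) and p.service in ("any", service):
                return (p.action, f"{from_zone}->{to_zone} via {route.interface}")
        return ("deny", f"no policy {from_zone}->{to_zone}")  # 4. interzone default deny


def build_example() -> NetScreenModel:
    """Constructed three-zone box (Trust, DMZ, Untrust) like the DMZ slides."""
    interfaces = [Interface("ethernet1", "Trust", "10.1.1.1/24"),
                  Interface("ethernet2", "DMZ", "10.1.2.1/24"),
                  Interface("ethernet3", "Untrust", "1.1.8.1/24")]
    routes = [Route("10.1.1.0/24", "ethernet1"), Route("10.1.2.0/24", "ethernet2"),
              Route("1.1.8.0/24", "ethernet3"), Route("0.0.0.0/0", "ethernet3", "1.1.8.254")]
    policies = [Policy("Trust", "Untrust", "any", "any", "tcp/23", "deny"),   # block telnet first
                Policy("Trust", "Untrust", "any", "any", "any", "permit"),
                Policy("Untrust", "DMZ", "any", "10.1.2.10/32", "tcp/80", "permit")]
    return NetScreenModel(interfaces, routes, policies)


if __name__ == "__main__":
    fw = build_example()
    for pkt in [("ethernet1", "10.1.1.5", "200.5.5.5", "tcp/80"),
                ("ethernet1", "10.1.1.5", "200.5.5.5", "tcp/23"),
                ("ethernet3", "200.5.5.5", "10.1.2.10", "tcp/80"),
                ("ethernet3", "200.5.5.5", "10.1.1.5", "tcp/80")]:
        print(pkt, "->", fw.decide(*pkt))
```

The point to notice is that the destination zone is not configured per packet; it falls out of the route lookup, so a wrong or missing route silently changes which policy set applies. Policies are evaluated in order, which is why the telnet deny sits before the permit-any.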
Stateful Packet Inspection
- Examines the contents of IP packets and forwards or drops them based on selected criteria
- Keeps the state of IP communication based on numerous fields in the IP packet
- A new communication is examined and then added to a state table
- IP packets that do not initiate a communication are permitted only when they are related to a previously established communication
- Provides a much higher level of security than packet filters
- Much faster than application proxies, but may not provide the same level of detail as an application proxy

Deep Packet Inspection
- Analysis beyond the basic L3/L4 headers:
  - Protocol-specific behaviour
  - Individual request/response "commands"
  - Port open/close requests
  - Embedded attacks: the data itself is suspect
- NetScreen performs two types of deep inspection:
  - Built-in, hardware-assisted application layer gateways (ALGs) to handle complex applications (FTP, H.323, others)
  - Signature-based scans for data-level attacks

NetScreen Decision Process/Packet Flow

Packet Flow Example
- [Figure: topology with an External Zone, a Public Zone and a Private Zone; devices labelled A, B, C and D; networks 1.1.70.0/24 (host 1.1.70.250), 1.1.7.0/24, 1.1.8.0/24, 10.1.1.0/24, 10.1.2.0/24, 10.1.10.0/24 (host 10.1.10.5) and 10.1.20.0/24 (host 10.1.20.5); external host 200.5.5.5; interface addresses .1 and .254 on each link]

Packet Flow Example (cont.)
- [Figure only]
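The contrast drawn in the Packet Filter, Stateful Packet Inspection and Deep Packet Inspection slides above, as one added Python example: a stateless ACK-flag filter beside a stateful session table, with an FTP application layer gateway that reads the control channel and opens a pinhole for the active-mode data connection. This is illustration written for this page, not NetScreen or ScreenOS code; the packets, the 10.1.1.0/24 "inside" network and the anti-bounce checks are constructed assumptions, and the ALG only understands the PORT command.

```python
"""Stateless packet filter versus stateful inspection with an FTP ALG, as the
firewall-function and deep-inspection slides describe.  Added illustration,
not NetScreen/ScreenOS code; the packets are constructed for the example and
the ALG only understands the active-mode PORT command."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags as letters: "S", "SA", "A"
    payload: bytes = b""


def inside(ip: str) -> bool:
    """Constructed Trust network 10.1.1.0/24."""
    return ip.startswith("10.1.1.")


def stateless_filter(pkt: Packet) -> str:
    """Packet-filter ACL: permit anything outbound, permit inbound only if the ACK
    flag is set ("established").  No state, so a forged inbound ACK gets through."""
    if inside(pkt.src):
        return "permit"
    return "permit" if "A" in pkt.flags else "deny"


PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()   # 4-tuples of flows permitted from the inside
        self.pinholes = set()   # 4-tuples the FTP ALG expects the server to open

    @staticmethod
    def key(p): return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def rev(p): return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if k in self.sessions or self.rev(pkt) in self.sessions:
            self.ftp_alg(pkt)          # existing session: also watch the control channel
            return "permit"
        if pkt.flags == "S" and inside(pkt.src) and not inside(pkt.dst):
            self.sessions.add(k)       # new outbound connection: examined, then added to state table
            return "permit"
        if pkt.flags == "S" and k in self.pinholes:
            self.pinholes.discard(k)   # server-initiated data connection announced via PORT
            self.sessions.add(k)
            return "permit"
        return "deny"                  # not initiating, not related to an existing flow

    def ftp_alg(self, pkt: Packet):
        """Parse a client PORT command on the control channel and open a pinhole for
        the server's data connection (server port 20 -> announced client port)."""
        if pkt.dport != 21:
            return None
        m = PORT_RE.match(pkt.payload)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Anti-bounce check (example hardening): the announced address must be the
        # client that sent the command, and the port must not be a privileged one.
        if addr != pkt.src or port < 1024:
            return None
        self.pinholes.add((pkt.dst, 20, addr, port))
        return (addr, port)


def run_scenario():
    """Constructed exchange: an FTP session with an active-mode data channel, then two
    attacker packets.  Returns (stateless, stateful) verdicts per packet."""
    fw = StatefulFirewall()
    pkts = [
        Packet("10.1.1.5", 40000, "200.5.5.5", 21, "S"),                 # client opens control channel
        Packet("200.5.5.5", 21, "10.1.1.5", 40000, "SA"),                # server reply
        Packet("10.1.1.5", 40000, "200.5.5.5", 21, "A", b"PORT 10,1,1,5,156,65\r\n"),  # announces 40001
        Packet("200.5.5.5", 20, "10.1.1.5", 40001, "S"),                 # server opens data channel
        Packet("6.6.6.6", 4444, "10.1.1.5", 22, "A"),                    # forged "established" probe
        Packet("6.6.6.6", 20, "10.1.1.5", 40001, "S"),                   # wrong source for the pinhole
    ]
    return [(stateless_filter(p), fw.inspect(p)) for p in pkts]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Two things the slides assert show up directly in the verdicts: the ACK-flag ACL passes the attacker's forged probe to port 22 but blocks the legitimate server-initiated FTP data connection, while the stateful firewall does the opposite, and only because the ALG read the PORT command on the control channel. The pinhole is bound to the server address from the control session, so a third party cannot use the announced port, and a PORT command naming some other host is ignored.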