Juniper NetScreen Firewall

R&D Service Center

Network Documentation

Application guide for Juniper network security devices

(Firewall)

Published 2011-5-17

Contents

1. Introduction to Juniper NetScreen Firewalls
1.1 Juniper Firewalls
1.2 Three Management Methods
1.3 Core Technologies
1.4 Device Architecture
1.5 SSG Product Features
1.6 NetScreen and SSG Product Features
1.7 NetScreen/SSG Product Line (1)
1.8 NetScreen/SSG Product Line (2)

2. Management and Initialization
2.1 System Components
2.2 CLI (Command Line)
2.3 Initial Config
2.4 WebUI Guide
2.5 WebUI Main Screen
2.6 Basic Management Tasks

3. Bridging and Routing
3.1 Speed and Duplex
3.2 Bridging (Sub-interfaces)
3.3 Bridging (Loopback Interfaces)
3.4 Bridging (Bridge Groups)
3.5 Routing (Virtual Routers)
3.6 Routing (Route Types)
3.7 Routing (Different Routing Tables)
3.8 Equal Cost Multiple Path
3.9 Other Routing Functions

4. Policies
4.1 Address Book
4.2 Predefined Services
4.3 Create a Custom Service
4.4 Address Group
4.5 Service Group
4.6 Multi-Cell Policy Creation
4.7 Disabling a Policy
4.8 Advanced Policy
4.9 Traffic Shaping: Interface Bandwidth Properties
4.10 Traffic Logs
4.11 Traffic Counters
4.12 Traffic Alarms

5. NAT (Network Address Translation)
5.1 Juniper NAT Overview
5.2 NetScreen Packet Flow
5.3 Verifying NAT Behavior
5.4 MIP
5.5 DIP

6. Transparent Mode
6.1 Layer-2 Security Zones
6.2 Interface in Transparent Mode
6.3 Vlan1 Interface
6.4 Default Management Behavior
6.5 Management Operations
6.6 Configuring for Transparent Mode

7. User Management and Authentication
7.1 User Account Types
7.2 Admin Account Types
7.3 External Authentication
7.5 Auth User
7.6 Configuring Both IKE and Xauth for a Single User

8. Attack Defense
8.1 NetScreen Solutions
8.2 Screen Overview
8.3 Screen Configuration

Document Revision History

No. | Operation | Version | Date      | Author | Reviewer
1   | C         | V1.0    | 2011-5-17 | 卜红素 |

Legend: C = create, M = modify, D = delete, R = rename

Juniper NetScreen Firewall Study Notes

1. Introduction to Juniper NetScreen Firewalls

Juniper security product line:

1. NetScreen: Firewall/VPN
2. IDP: IPS
3. SSL VPN
4. UAC: NAC/CCA

1.1 Juniper Firewalls

Stateful inspection

The NetScreen firewalls themselves are based on a custom-built architecture consisting of application-specific integrated circuit (ASIC) technology.

DI (Deep Inspection)

IPsec VPN

NetScreen-Remote, NetScreen-Security (client software)

Trend Micro's and Kaspersky Lab's antivirus software.

1.2 Three Management Methods

Command-line Interface (CLI)

Web User Interface (WebUI)

NetScreen Security Manager (NSM)

1.3 Core Technologies

Zones

Three types of zone:

A. Security zone
B. Tunnel zone
C. Function zone

Virtual Routers

A. Provide multiple routing tables (similar to VRF)
B. Virtual routers are bound to zones, and the zones are bound to interfaces.

Interface Modes

A. Route Mode
B. Transparent Mode

Policies

A. Three policy types: Intrazone; Interzone; Global
B. Four actions: Allow; Deny; Reject; Tunnel
   (Deny drops the packet silently; Reject drops it and notifies the source, with a TCP RST for TCP and an ICMP unreachable for UDP.)

VPN

A. Route-Based
B. Policy-Based

 

1.4 Device Architecture

The architecture diagram in the original shows three layers:

Integrated Security Applications: VPN, Firewall, Denial of Service Protection, Traffic Management

Security-Specific Real-Time OS: Dynamic Routing, High Availability, Virtualization, Centralized Management

Purpose-Built Hardware Platform: RISC CPU, Memory, ASIC, Interfaces

1.5 SSG Product Features

No ASIC (the SSG line runs on a general-purpose CPU rather than the ASIC of the NetScreen line)

UTM

Two memory options (128 MB, 256 MB)

1.6 NetScreen and SSG Product Features

Each device is relatively similar. However, the higher up the firewall product line, the more ports and options you will get to use.

(All models run the same ScreenOS and present the same configuration interface; the higher-end firewalls simply provide more interfaces and options.)

All of the devices use flash memory as the long-term storage option. None of the firewalls relies on a hard disk to run.

(A flash-only design is more robust than a hard-disk-based one.)

1.7 NetScreen/SSG Product Line (1)

Product Name                       | Product Class                       | Max Interfaces (Ethernet/WAN) | Throughput
NetScreen-Remote                   | Remote Client (VPN Client Software) | N/A                           | N/A
NetScreen-Remote                   | Remote Client (Client Software)     | N/A                           | N/A
NetScreen-Hardware Security Client | Small Office / Home Office          | 5/0                           | 50 Mbps
NetScreen-5XT                      | Small Office / Home Office          | 5/0                           | 70 Mbps
NetScreen-5GT                      | Small Office / Home Office          | 5/1 (ADSL)                    | 75 Mbps
NetScreen-5XT                      | Small Office / Home Office          | 7/1 (V.92, ISDN, RS232)       | 90 Mbps

1.8 NetScreen/SSG Product Line (2)

Product Name      | Product Class             | Max Interfaces (Ethernet/WAN)            | Throughput
SSG20             | Small Office              | 6/2 (V.92, ISDN, DSL, T1, E1)            | 90 Mbps
NetScreen-25      | Mid Range                 | 4                                        | 100 Mbps
NetScreen-50      | Mid Range                 | 4                                        | 170 Mbps
SSG140            | Mid Range                 | 10/8 (2x T1, 2x E1, 2x Serial, 1x ISDN)  | 350 Mbps
NetScreen-204     | High Range                | 4                                        | 400 Mbps
NetScreen-208     | High Range                | 8                                        | 550 Mbps
SSG520            | High Range                | 12/(2x T1, 2x E1, 2x Serial, 1x DS3)     | 600 Mbps
NetScreen-500     | Enterprise Class          | 8                                        | 700 Mbps
SSG550            | Enterprise Class          | 20/(2x T1, 2x E1, 2x Serial, 1x DS3)     | 1 Gbps
NetScreen-ISG1000 | Next Gen Enterprise Class | 20                                       | 1 Gbps
NetScreen-ISG2000 | Next Gen Enterprise Class | 24                                       | 2 Gbps
NetScreen-5200    | Carrier Class             | 26                                       | 10 Gbps
NetScreen-5400    | Carrier Provider Class    | 78                                       | 30 Gbps

2. Management and Initialization

2.1 System Components

2.2 CLI (Command Line)

Default username and password: netscreen/netscreen

A. get: get config; get system (the equivalent of show on other vendors' CLIs)
B. set:
   a) set interface ethernet0/0 ip 1.1.1.1 255.255.255.0
   b) set vrouter trust-vr (enters the trust-vr virtual router context)

2.3 Initial Config

set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
unset interface vlan1 ip
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface bgroup0 ip manageable
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway 192.168.1.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126

(unset interface vlan1 ip removes the factory management address on vlan1; set interface bgroup0 ip manageable lets the bgroup0 interface address accept management traffic instead.)

2.4 WebUI Guide

Set the administrator username and password;
Define the Untrust zone, DMZ zone and Trust zone interfaces;
Define the Untrust interface address;
Define the DMZ interface address;
Define the DHCP address pool.

2.5 WebUI Main Screen

(screenshot in the original document)

2.6 Basic Management Tasks

Configure interfaces for IP connectivity: Network > Interfaces (list) > Edit
Change the root administrator password: Configuration > Admin > Administrators
Create system administrators
Administrative options

a. Interface configuration sequence

1. Zones are assigned to a virtual router;
2. Interfaces are assigned to a security zone;
3. Individual configuration parameters are assigned to the interface.

b. Configure Zones/Interfaces

WebUI: Network > Interfaces (list) > Edit

CLI:

ssg20-> set interface ethernet0/0 zone untrust
ssg20-> set interface ethernet0/0 ip 202.100.1.1/24
ssg20-> save

c. Management Services (WebUI)

Default for the Trust zone: all services enabled
Default for any other zone: all services disabled

d. Management Services (CLI)

View interface status: get interface

Enable management services:

ssg20-> set interface ethernet0/0 manage ping
ssg20-> set interface ethernet0/0 manage telnet
ssg20-> set interface ethernet0/0 manage      (enables all management services)
ssg20-> save

(Telnet and plain HTTP carry the admin credentials unencrypted. On an Untrust-facing interface enable only what is needed, prefer ssh and ssl, and restrict the sources with Permitted IPs as in step d under Device Administrators below.)

e. Management IP Address

WebUI: Network > Interfaces (list) > Edit

CLI:

ssg20-> set interface bgroup0 manage-ip 192.168.1.100
ssg20-> save

a. Device Administrators

1. Root admin: defined by ScreenOS
2. Local admins: defined by the root account

b. Change Root Admin Name/Password

The root account defaults to netscreen/netscreen and should be changed immediately for security.

ssg20-> set admin name newadmin
Password has been restored to default "netscreen". For security reasons, please change password immediately.
ssg20-> set admin password cisco
ssg20-> save

(Changing the root admin name resets the password to the default, so always set a new password right after renaming.)

c. Create System Administrators

Two types of administrator: 1. Read-Write  2. Read-Only

ssg20-> set admin user cisco password cisco privilege all
ssg20-> save

(privilege all creates a read-write admin; privilege read-only creates a read-only one.)

d. Permitted IPs

Restrict the source addresses that may manage the device.

Configuration > Admin > Permitted IPs

ssg20-> set admin manager-ip 202.100.1.0 255.255.255.0
ssg20-> save

e. Management Operation

Each inbound management connection is checked in this order:

1. Match the management address of the arriving interface
2. Match the IP address of a "trusted" source (Permitted IPs)
3. Match an allowed service type
4. Match username/password

f. More Control Options

Password minimum length (4 is the value used in this example; choose a longer minimum in production)

ssg20-> set admin password restrict length 4
ssg20-> save

Restrict root access to the console only

ssg20-> set admin root access console
ssg20-> save

Limit unsuccessful login attempts (via Telnet)

ssg20-> set admin access attempts 3
ssg20-> save
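As a worked illustration of the admission order in e (Management Operation) and of the hardening options in b, d and f above, the following Python script is an added example; it is not code from the original document or from Juniper. It parses a constructed config written in the `set` syntax used on this page, decides whether a management connection would be admitted by applying the four checks in order, and lists the hardening gaps a reviewer would flag. The service names in ALL_SERVICES, the treatment of manage-ip as replacing the interface IP for management, the clear-text admin password and the 8-character minimum length are this example's assumptions.

```python
"""Management-access model for a ScreenOS-style config: the four admission checks plus a hardening audit.
Added example, not ScreenOS code. Assumed: the service names in ALL_SERVICES; a manage-ip, when set,
replaces the interface IP as the management address; the password is clear text only in this model."""
import ipaddress

ALL_SERVICES = {"ping", "telnet", "ssh", "web", "ssl", "snmp"}  # assumed service names
CLEARTEXT = {"telnet", "web"}  # credentials cross the wire unencrypted

# Constructed sample built from the commands shown in sections 2.3 and 2.6.
SAMPLE_CONFIG = """\
set admin name newadmin
set admin password cisco
set admin password restrict length 4
set admin manager-ip 202.100.1.0 255.255.255.0
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 ip 202.100.1.1/24
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface "bgroup0" zone "Trust"
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 manage-ip 192.168.1.100
set interface bgroup0 manage
"""


def parse_config(text):
    """Read `set admin ...` and `set interface ...` lines into a dict model."""
    cfg = {"admin": {"name": "netscreen", "password": "netscreen",  # factory defaults
                     "manager_ips": [], "restrict_length": None, "root_console_only": False},
           "interfaces": {}}
    for line in text.splitlines():
        p = line.replace('"', "").split()
        if len(p) < 4 or p[0] != "set":
            continue
        a = cfg["admin"]
        if p[1] == "admin" and p[2] == "name":
            a["name"] = p[3]
        elif p[1] == "admin" and p[2:5] == ["password", "restrict", "length"]:
            a["restrict_length"] = int(p[5])
        elif p[1] == "admin" and p[2] == "password":
            a["password"] = p[3]
        elif p[1] == "admin" and p[2] == "manager-ip":  # Permitted IPs apply device-wide
            a["manager_ips"].append(ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False))
        elif p[1] == "admin" and p[2:5] == ["root", "access", "console"]:
            a["root_console_only"] = True
        elif p[1] == "interface":
            itf = cfg["interfaces"].setdefault(p[2], {"zone": None, "ip": None, "manage_ip": None, "manage": None})
            if p[3] == "zone":
                itf["zone"] = p[4]
            elif p[3] == "ip" and len(p) > 4 and p[4] != "manageable":
                itf["ip"] = ipaddress.ip_interface(p[4])
            elif p[3] == "manage-ip":
                itf["manage_ip"] = ipaddress.ip_address(p[4])
            elif p[3] == "manage":  # bare `manage` enables every service
                itf["manage"] = (itf["manage"] or set()) | (ALL_SERVICES if len(p) == 4 else {p[4]})
    return cfg


def management_services(cfg, name):
    """Explicit `manage` lines win; otherwise the zone default (Trust: all, other zones: none)."""
    itf = cfg["interfaces"][name]
    if itf["manage"] is not None:
        return set(itf["manage"])
    return set(ALL_SERVICES) if itf["zone"] == "Trust" else set()


def management_allowed(cfg, dst_ip, src_ip, service, user, password):
    """Apply the four Management Operation checks in order; return (ok, reason)."""
    dst, src = ipaddress.ip_address(dst_ip), ipaddress.ip_address(src_ip)
    arriving = None  # 1. packet must target the management address of the arriving interface
    for name, itf in cfg["interfaces"].items():
        mgmt = itf["manage_ip"] if itf["manage_ip"] is not None else (itf["ip"].ip if itf["ip"] else None)
        if mgmt == dst:
            arriving = name
    if arriving is None:
        return False, f"{dst} is not a management address"
    permitted = cfg["admin"]["manager_ips"]  # 2. source must match a Permitted IP, if any are set
    if permitted and not any(src in net for net in permitted):
        return False, f"{src} is not a permitted IP"
    if service not in management_services(cfg, arriving):  # 3. service enabled on that interface
        return False, f"{service} is not a management service on {arriving}"
    if (user, password) != (cfg["admin"]["name"], cfg["admin"]["password"]):  # 4. credentials last
        return False, "bad username/password"
    return True, f"admitted via {arriving}"


def audit(cfg, min_password_len=8):
    """Hardening gaps; the 8-character minimum is this example's choice, not a ScreenOS default."""
    a, findings = cfg["admin"], []
    if "netscreen" in (a["name"], a["password"]):
        findings.append("root admin still uses the factory default netscreen credentials")
    if not a["manager_ips"]:
        findings.append("no Permitted IPs: management accepted from any source address")
    if a["restrict_length"] is None or a["restrict_length"] < min_password_len:
        findings.append(f"admin password minimum length below {min_password_len}")
    if not a["root_console_only"]:
        findings.append("root admin may log in over the network (not console only)")
    for name, itf in cfg["interfaces"].items():
        svcs = management_services(cfg, name)
        if svcs and itf["zone"] != "Trust":
            findings.append(f"{name} in zone {itf['zone']} accepts management: {sorted(svcs)}")
        if svcs & CLEARTEXT:
            findings.append(f"{name} allows cleartext management {sorted(svcs & CLEARTEXT)}; prefer ssh/ssl")
    return findings
```

Run against the sample, `audit` reports the Untrust-side interface accepting ping and telnet, cleartext management on both interfaces, a 4-character minimum password length and root logins not confined to the console; `management_allowed` admits a telnet session to 202.100.1.1 from 202.100.1.50 but refuses the same session from 10.0.0.5 at step 2 and an ssh session at step 3. Deleting the two `manage` lines on ethernet0/0 lets the Untrust zone default (no services) take over, which is the safer baseline for an Internet-facing interface.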

g. External Management Devices

There are several common applications that operate in conjunction with the NetScreen device:

1. DNS: Network > DNS > Host
2. Syslog: Configuration > Report Settings > Log Settings
3. SNMP: Configuration > Report Settings > SNMP

h. Saving Your Configuration

1. WebUI: saved automatically when you click "Apply" or "OK"; the console displays the save messages.
2. CLI: a manual command that writes the configuration file to on-board flash.

ssg20-> save
Save System Configuration ...
Done

i. Configuration Rollback

1. Create the rollback file

ssg20-> save config to last-known-good
Save system configuration to Last-Known-Good ...
Done

2. Force a rollback (the system reboots)

ssg20-> exec config rollback

j. Lost Root Password

1. Passwords CANNOT be recovered.
2. The system must be restored to factory defaults (also called "Asset Recovery"); all configuration parameters, certificates, and keys are deleted.
3. Two methods:
   - Log in on the console with the device serial number as both username and password. Warning messages about the destructive result will appear.
   - Use the pinhole on the exterior of the system: press until the flashing light changes to red; wait until the flashing red turns to flashing green; press again.

3. Bridging and Routing

3.1 Speed and Duplex

A. Link down: Yes / No
B. Auto Negotiate: Yes / No
C. Duplex: Half / Full
D. Speed: 10M / 100M

Network > Interfaces (list) > Edit > Phy

3.2 Bridging (Sub-interfaces)

A. New Sub-IF: Network > Interfaces (list) > (select the type, e.g. Sub-IF) > New
B. Configure the zone and VLAN tag

3.3 Bridging (Loopback Interfaces)

A. New Loopback IF: Network > Interfaces (list) > (select the type, e.g. Loopback IF) > New
B. Configure the loopback interface

3.4 Bridging (Bridge Groups)

A. Bridge group (1)

By default, the SSG20's e0/2; e0/3; e0
