Juniper NetScreen Firewall
R&D Service Center Network Documentation
Juniper Network Security Device Application Document (Firewall)
Published 2011-5-17

Table of Contents

I. Juniper NetScreen Firewall Introduction
  1.1 Juniper Firewalls
  1.2 Three Management Methods
  1.3 Core Technologies
  1.4 Device Architecture
  1.5 SSG Product Characteristics
  1.6 NetScreen SSG Product Features
  1.7 NetScreen SSG Product Line (1)
  1.8 NetScreen SSG Product Line (2)
II. Management and Initialization
  2.1 System Components
  2.2 CLI (Command Line)
  2.3 Initial Config
  2.4 WebUI Guide
  2.5 WebUI Main Screen
  2.6 Basic Management Tasks
III. Bridging and Routing
  3.1 Speed and Duplex
  3.2 Bridging (Sub-interfaces)
  3.3 Bridging (Loopback Interface)
  3.4 Bridging (Bridge Groups)
  3.5 Routing (Virtual Routers)
  3.6 Routing (Route Types)
  3.7 Routing (Different Routing Tables)
  3.8 Equal Cost Multiple Path
  3.9 Other Routing Functions
IV. Policies
  4.1 Address Book
  4.2 Services Predefined
  4.3 Create a Custom Service
  4.4 Address Group
  4.5 Service Group
  4.6 Multi-Cell Policy Creation
  4.7 Disabling a Policy
  4.8 Advanced Policy
  4.9 Traffic-Shaping Interface Bandwidth Properties
  4.10 Traffic Logs
  4.11 Traffic Counters
  4.12 Traffic Alarms
V. NAT (Network Address Translation)
  5.1 Juniper NAT Overview
  5.2 NetScreen Packet Flow
  5.3 Verifying NAT Behavior
  5.4 MIP
  5.5 DIP
VI. Transparent Mode
  6.1 Layer-2 Security Zones
  6.2 Interface in Transparent Mode
  6.3 VLAN 1 Interface
  6.4 Default Management Behavior
  6.5 Management Operations
  6.6 Configuring for Transparent Mode
VII. User Management and Authentication
  7.1 User Account Types
  7.2 Admin Account Types
  7.3 External Authentication
  7.5 Auth User
  7.6 Configuring Both IKE and XAuth for a Single User
VIII. Attack Defense
  8.1 NetScreen Solutions
  8.2 Screen Overview
  8.3 Screen Configuration

Document Revision History

No. | Operation | Document Version | Update Date | Author | Reviewer
1   | C         | V 1.0            | 2011-5-17   | 卜红素 |

Legend: Create: C; Modify: M; Delete: D; Rename: R

Juniper NetScreen Firewall Study Notes

I. Juniper NetScreen Firewall Introduction

Juniper security product line:
1. NetScreen Firewall/VPN
2. IDP (IPS)
3. SSL VPN
4. UAC (NAC/CCA)

1.1 Juniper Firewalls

- Stateful inspection. The NetScreen firewalls themselves are based on a custom-built architecture consisting of application-specific integrated circuit (ASIC) technology.
- DI
- IPsec VPN: NetScreen-Remote, NetScreen-Security Client
- Trend Micro and Kaspersky Labs antivirus software

1.2 Three Management Methods

- Command-Line Interface (CLI)
- Web User Interface (WebUI)
- NetScreen Security Manager (NSM)

1.3 Core Technologies

Zones: three types of zone
  A. Security zone
  B. Tunnel zone
  C. Function zone

Virtual Routers
  A. Provide multiple routing tables (similar to VRF).
  B. Virtual routers are bound to zones, and zones are bound to interfaces.

Interface Modes
  A. Route Mode
  B. Transparent Mode

Policies
  A. Three policy types: Intrazone; Interzone; Global
  B. Four actions: Allow; Deny; Reject; Tunnel

VPN
  A. Route-based
  B. Policy-based

1.4 Device Architecture

Integrated Security Applications: VPN; Firewall; Denial of Service Protection; Traffic Management
Security-Specific Real-Time OS: Dynamic Routing; High Availability; Virtualization; Centralized Management
Purpose-Built Hardware Platform: RISC CPU; Memory; ASIC; Interfaces

1.5 SSG Product Characteristics

- No ASIC is used
- UTM
- Two memory options (128M, 256M)

1.6 NetScreen SSG Product Features

Each device is relatively similar. However, the higher up the firewall product line, the more ports and options you will get to use. (As with Junos, the same configuration interface is offered across the line; the high-end firewall products simply provide more interfaces and options.)

All of the devices use flash memory as the long-term storage option. None of the firewalls relies on a hard disk to run. (A uniform flash-based architecture, which is more stable than a hard-disk architecture.)

1.7 NetScreen SSG Product Line (1)

Product Name                              | Product Class            | Max Interfaces (Ethernet/WAN) | Throughput
NetScreen-Remote VPN Client Software      | Remote Client            | N/A                           | N/A
NetScreen-Remote Client Software          | Remote Client            | N/A                           | N/A
NetScreen-Hardware Security Client        | Small Office/Home Office | 5/0                           | 50Mbps
NetScreen-5-XT                            | Small Office/Home Office | 5/0                           | 70Mbps
NetScreen-5-GT                            | Small Office/Home Office | 5/1 (ADSL)                    | 75Mbps
NetScreen-5-XT                            | Small Office/Home Office | 7/1 (V.92, ISDN, RS232)       | 90Mbps

1.8 NetScreen SSG Product Line (2)

Product Name        | Product Class              | Max Interfaces (Ethernet/WAN)          | Throughput
SSG 20              | Small Office               | 6/2 (V.92, ISDN, DSL, T1, E1)          | 90Mbps
NetScreen-25        | Mid Range                  | 4                                      | 100Mbps
NetScreen-50        | Mid Range                  | 4                                      | 170Mbps
SSG 140             | Mid Range                  | 10/8 (2xT1, 2xE1, 2xSerial, 1xISDN)    | 350Mbps
NetScreen-204       | High Range                 | 4                                      | 400Mbps
NetScreen-208       | High Range                 | 8                                      | 550Mbps
SSG 520             | High Range                 | 12/(2xT1, 2xE1, 2xSerial, 1xDS3)       | 600Mbps
NetScreen-500       | Enterprise Class           | 8                                      | 700Mbps
SSG 550             | Enterprise Class           | 20/(2xT1, 2xE1, 2xSerial, 1xDS3)       | 1Gbps
NetScreen-ISG 1000  | Next Gen Enterprise Class  | 20                                     | 1Gbps
NetScreen-ISG 2000  | Next Gen Enterprise Class  | 24                                     | 2Gbps
NetScreen-5200      | Carrier Class              | 26                                     | 10Gbps
NetScreen-5400      | Carrier Provider Class     | 78                                     | 30Gbps

II. Management and Initialization

2.1 System Components

2.2 CLI (Command Line)

Default username and password: netscreen/netscreen

A. Get: get config; get system (similar to "show")
B. Set:
  a) set interface e0/0 ip 1.1.1.1 255.255.255.0
  b) set vrouter trust-vr (enter the trust virtual router context)

2.3 Initial Config

set interface "ethernet 0/0" zone "Untrust"
set interface "ethernet 0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet 0/2
set interface bgroup0 port ethernet 0/3
set interface bgroup0 port ethernet 0/4
unset interface vlan1 ip
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface bgroup0 ip manageable
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway 192.168.1.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126

2.4 WebUI Guide

- Define the administrator username and password
- Define the Untrust Zone, DMZ Zone and Trust Zone interfaces
- Define the Untrust interface address
- Define the DMZ interface address
- Define the DHCP address pool

2.5 WebUI Main Screen

2.6 Basic Management Tasks

- Configure an interface for IP connectivity: Network > Interfaces (list) > Edit
- Change the root administrator password: Configuration > Admin > Administrators
- Create a system administrator
- Administrative options

a. Interface configuration process
  1. Zones are assigned to a virtual router.
  2. Interfaces are assigned to a security zone.
  3. Individual configuration parameters are assigned to the interface.

b. Configure Zones / Interfaces (WebUI or CLI)
  ssg20-> set interface e0/0 zone untrust
  ssg20-> set interface e0/0 ip 202.100.1.1/24
  ssg20-> save

c. Management Services (WebUI)
  By default, Trust Zone: all services enabled.
  By default, any other zone: all services disabled.

d. Management Services (CLI)
  View the interface status, then set the management services:
  ssg20-> set interface e0/0 manage ping
  ssg20-> set interface e0/0 manage telnet
  ssg20-> set interface e0/0 manage          (enables all management services)
  ssg20-> save

e. Management IP Address (WebUI or CLI)
  ssg20-> set interface bgroup0 manage-ip 192.168.1.100
  ssg20-> save

a. Device Administrators (device administration settings)
  1. Root admin: defined by ScreenOS
  2. Local admin: defined by the root account

b. Change Root Admin Name/Password
  The root account defaults to netscreen/netscreen (for security it should be changed immediately).
  ssg20-> set admin name newadmin
  Password has been restored to default "netscreen".
  For security reasons, please change password immediately.
  ssg20-> set admin password cisco
  ssg20-> save

c. Create System Administrators
  There are two types of administrator: 1. Read-Write; 2. Read-Only.
  ssg20-> set admin user cisco password cisco privilege all
  ssg20-> save

d. Permitted IPs (management IP address restriction)
  WebUI: Configuration > Admin > Permitted IPs
  ssg20-> set admin manager-ip 202.100.1.0 255.255.255.0
  ssg20-> save

e. Management Operation (checks applied to an incoming management connection)
  1. Match the management address of the arriving interface
  2. Match the IP address of a "trusted" source
  3. Match an allowed service type
  4. Match username/password

f. More Control Options
  Password minimum length:
  ssg20-> set admin password restrict length 4
  ssg20-> save
  Restrict root access to console only:
  ssg20-> set admin root access console
  ssg20-> save
  Limit unsuccessful login attempts (via Telnet):
  ssg20-> set admin access attempts 3
  ssg20-> save

g. External Management Devices
  There are several common applications that operate in conjunction with the NetScreen device:
  1. DNS
  2. Syslog
  3. SNMP
  a. DNS: Network > DNS > Host
  b. Syslog: Configuration > Report Settings > Log Settings
  c. SNMP: Configuration > Report Settings > SNMP (two configuration screens)

h. Saving Your Configuration
  1. WebUI: saves automatically when you click "Apply" or "OK"; the console displays save messages.
  2. CLI: manual command; writes to the on-board flash configuration file.
  ssg20-> save
  Save System Configuration Done

i. Configuration Rollback
  1. Create the rollback file:
  ssg20-> save config to last-known-good
  Save system configuration to Last-Known-Good
  Done
  2. Force a rollback (the system reboots):
  ssg20-> exec config rollback

j. Lost Root Password
  1. Passwords CANNOT be recovered.
  2. The system must be restored to factory defaults (also called "Asset Recovery"). All configuration parameters, certificates, and keys are deleted.
  3. Two methods:
  - Log in to the console with the device serial number as username and password. Warning messages regarding the destructive results will appear.
  - Use the pinhole on the exterior of the system: press until the flashing light changes to red; wait until the flashing red turns to flashing green; press again.

III. Bridging and Routing

3.1 Speed and Duplex

Network > Interface (list) > Edit > Phy
  A. Link down: Yes / No
  B. Auto Negotiate: Yes / No
  C. Duplex: Half / Full
  D. Speed: 10M / 100M

3.2 Bridging (Sub-interfaces)
  A. New Sub-IF: Network > Interface (list) > (select the type, e.g. Sub-IF) > New
  B. Configure the zone and VLAN tag

3.3 Bridging (Loopback Interface)
  A. New Loopback IF: Network > Interface (list) > (select the type, e.g. Loopback IF) > New
  B. Configure the Loopback IF

3.4 Bridging (Bridge Groups)
  A. Bridge group (1): by default, the SSG20's e0/2; e0/3; e0
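The management hardening steps in section 2.6 (per-interface management services, Permitted IPs via `set admin manager-ip`, password minimum length, console-only root access, and the login-attempt limit) can be checked mechanically against a saved configuration. The following Python script is an added example, not part of the original notes or of ScreenOS: it parses the `set` lines of a configuration dump and reports the weak settings; the configuration excerpt it audits is constructed, and the minimum password length of 8 is an assumed local policy (the notes only show the command with a value of 4).

```python
"""Audit the management-plane settings of a ScreenOS configuration dump.

Added example (not from the original notes). Only `set` lines are parsed.
"""

# Constructed sample: an SSG20 config that still carries weak management settings.
SAMPLE_CONFIG = """\
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 202.100.1.1/24
set interface ethernet0/0 manage telnet
set interface bgroup0 zone trust
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 manage-ip 192.168.1.100
set admin name netscreen
set admin password restrict length 4
set admin access attempts 3
"""

MIN_PASSWORD_LENGTH = 8  # assumed local policy, not a ScreenOS default


def parse_set_lines(text):
    """Return each `set ...` command of the dump as a list of tokens."""
    return [line.split() for line in text.splitlines() if line.startswith("set ")]


def audit_management(text, min_len=MIN_PASSWORD_LENGTH):
    """Return a sorted list of findings describing weak management settings."""
    cmds = parse_set_lines(text)
    # Map interface -> zone so management services can be judged per zone (2.6 c/d).
    zone_of = {c[2]: c[4].lower() for c in cmds
               if c[:2] == ["set", "interface"] and len(c) > 4 and c[3] == "zone"}
    findings = set()
    for c in cmds:
        if c[:2] == ["set", "interface"] and len(c) > 3 and c[3] == "manage":
            svc = c[4] if len(c) > 4 else "all"  # bare `manage` enables every service
            zone = zone_of.get(c[2], "unknown")
            if zone != "trust":
                findings.add(f"{c[2]}: management service '{svc}' enabled in zone {zone}")
        if c[:3] == ["set", "admin", "name"] and len(c) > 3 and c[3] == "netscreen":
            findings.add("root admin still uses the default name 'netscreen'")
        if c[:5] == ["set", "admin", "password", "restrict", "length"] and len(c) > 5:
            if int(c[5]) < min_len:
                findings.add(f"password minimum length {c[5]} is below {min_len}")
    if not any(c[:3] == ["set", "admin", "manager-ip"] for c in cmds):
        findings.add("no 'set admin manager-ip': management allowed from any source address")
    if not any(c[:5] == ["set", "admin", "root", "access", "console"] for c in cmds):
        findings.add("root access not restricted to the console")
    if not any(c[:4] == ["set", "admin", "access", "attempts"] for c in cmds):
        findings.add("no limit on unsuccessful login attempts")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_management(SAMPLE_CONFIG):
        print("FINDING:", finding)
```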