During a business reorganization the company freed up a NetScreen firewall. Rather than leave it idle, we decided to deploy it in front of a key business application in transparent mode, to strengthen protection of the company's critical applications.
1. In transparent mode the firewall's inside and outside interfaces carry no Layer 3 IP addresses; the device does no routing or address translation, and only a management IP is configured.
This mode is typically used when a firewall is added to an existing, complex network. With its interfaces in transparent mode, the NetScreen device filters the packets that pass through it without modifying any source or destination information in the IP header. All interfaces behave as part of the same network, and the NetScreen device acts more like a Layer 2 switch or bridge. In transparent mode the interface IP addresses are set to 0.0.0.0, which makes the NetScreen device invisible, or "transparent", to users.
2. Example
ethernet0: V1-Trust zone, IP 0.0.0.0/0
ethernet3: V1-Untrust zone, IP 0.0.0.0/0
Gateway: 192.168.1.1
LAN: 192.168.1.0/24
Web servers: 192.168.1.2, 192.168.1.3, 192.168.1.4
SQL Server hosts: 192.168.1.10, 192.168.1.11, 192.168.1.12
VLAN1 IP: 192.168.1.100/24, management HTTP port 8080
This is the basic configuration for a single LAN protected by a NetScreen device in transparent mode. The policies permit outbound traffic from all hosts in the V1-Trust zone, inbound web service to the web servers, and inbound access to the SQL Server hosts. To improve the security of management traffic, the HTTP port used for WebUI management is changed from 80 to 8080. The VLAN1 IP address 192.168.1.100/24 is used to manage the device from the V1-Trust zone. A default route to the external router (at 192.168.1.1) is also configured so that the NetScreen device can send outbound VPN traffic to it; 192.168.1.1 is likewise the default gateway for all devices in the V1-Trust zone.
WebUI
Management settings and interfaces
1. Network > Interfaces > Edit (for the VLAN1 interface): enter the following, then click OK:
IP Address/Netmask: 192.168.1.100/24
Management Services: WebUI, Telnet (select)
Other Services: Ping (select)
2. Configuration > Admin > Management: in the HTTP Port field, enter 8080, then click Apply.
3. Network > Interfaces > Edit (for ethernet1): enter the following, then click OK:
Zone Name: V1-Trust
IP Address/Netmask: 0.0.0.0/0
4. Network > Interfaces > Edit (for ethernet3): enter the following, then click OK:
Zone Name: V1-Untrust
IP Address/Netmask: 0.0.0.0/0
5. Network > Interfaces > Edit (for v1-trust): select the following, then click OK:
Management Services: WebUI, Telnet
Other Services: Ping
Routing
6. Network > Routing > Routing Table > trust-vr New: enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: vlan1 (trust-vr)
Gateway IP Address: 192.168.1.1
Metric: 1
Addresses
7. Objects > Addresses > List > New: enter the following, then click OK:
Address Name: webserver1
IP Address/Domain Name: IP/Netmask: 192.168.1.2/32
Zone: v1-Trust
Address Name: webserver2
IP Address/Domain Name: IP/Netmask: 192.168.1.3/32
Zone: v1-Trust
Address Name: webserver3
IP Address/Domain Name: IP/Netmask: 192.168.1.4/32
Zone: v1-Trust
8. Objects > Addresses > List > New: enter the following, then click OK:
Address Name: sqlserver1
IP Address/Domain Name: IP/Netmask: 192.168.1.10/32
Zone: v1-Trust
Address Name: sqlserver2
IP Address/Domain Name: IP/Netmask: 192.168.1.11/32
Zone: v1-Trust
Address Name: sqlserver3
IP Address/Domain Name: IP/Netmask: 192.168.1.12/32
Zone: v1-Trust
Policies
9. Policies > (From: v1-Trust, To: v1-Untrust) > New: enter the following, then click OK:
Source Address:
Address Book: (select) Any
Destination Address:
Address Book: (select) Any
Service: Any
Action: Permit
10. Policies > (From: v1-Untrust, To: v1-Trust) > New: enter the following, then click OK:
Source Address:
Address Book: (select) Any
Destination Address:
Address Book: (select) Multiple: webserver1, webserver2, webserver3
Service: HTTP, pcAnywhere
Action: Permit
11. Policies > (From: v1-Untrust, To: v1-Trust) > New: enter the following, then click OK:
Source Address:
Address Book: (select) Any
Destination Address:
Address Book: (select) Multiple: sqlserver1, sqlserver2, sqlserver3
Service: MS-SQL, pcAnywhere
Action: Permit
CLI:
set interface vlan1 ip 192.168.1.100/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ping
set admin port 8080
set interface ethernet1 zone V1-Trust
set interface ethernet3 zone V1-Untrust
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ping
set route 0.0.0.0/0 interface vlan1 gateway 192.168.1.1 metric 1
set address v1-trust webserver1 192.168.1.2/32
set address v1-trust webserver2 192.168.1.3/32
set address v1-trust webserver3 192.168.1.4/32
set address v1-trust sqlserver1 192.168.1.10/32
set address v1-trust sqlserver2 192.168.1.11/32
set address v1-trust sqlserver3 192.168.1.12/32
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any webserver1 http permit
set policy from v1-untrust to v1-trust any webserver2 http permit
set policy from v1-untrust to v1-trust any webserver3 http permit
set policy from v1-untrust to v1-trust any sqlserver1 ms-sql permit
set policy from v1-untrust to v1-trust any sqlserver2 ms-sql permit
set policy from v1-untrust to v1-trust any sqlserver3 ms-sql permit
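As an added example that is not part of the original post or of ScreenOS itself: a small Python model of the zone-to-zone, first-match policy lookup that the listing above relies on, so the intended exposure (which hosts and services are reachable from V1-Untrust) can be reviewed before the device goes in front of production. The config string is constructed from the page's listing with a subset of the objects, and the source IPs used in the checks are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample modelled on this page's CLI listing (hypothetical config, not a live device).
SAMPLE_CONFIG = """
set address v1-trust webserver1 192.168.1.2/32
set address v1-trust webserver2 192.168.1.3/32
set address v1-trust sqlserver1 192.168.1.10/32
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any webserver1 http permit
set policy from v1-untrust to v1-trust any webserver2 http permit
set policy from v1-untrust to v1-trust any sqlserver1 ms-sql permit
"""

Policy = namedtuple("Policy", "src_zone dst_zone src dst service action")

def parse(config):
    """Read 'set address' and 'set policy' lines into an address book and an ordered policy list."""
    addresses, policies = {}, []
    for line in config.strip().splitlines():
        t = line.lower().split()
        if t[:2] == ["set", "address"]:      # set address <zone> <name> <ip/mask>
            addresses[(t[2], t[3])] = ipaddress.ip_network(t[4])
        elif t[:2] == ["set", "policy"]:     # set policy from <z> to <z> <src> <dst> <svc> <action>
            policies.append(Policy(t[3], t[5], t[6], t[7], t[8], t[9]))
    return addresses, policies

def _matches(addresses, zone, name, ip):
    """'any' matches everything; a named object matches only hosts inside its network."""
    if name == "any":
        return True
    net = addresses.get((zone, name))
    return net is not None and ipaddress.ip_address(ip) in net

def lookup(addresses, policies, src_zone, dst_zone, src_ip, dst_ip, service):
    """First matching policy wins; no match means the implicit deny at the end of the list."""
    for p in policies:
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone) or p.service not in ("any", service):
            continue
        if _matches(addresses, src_zone, p.src, src_ip) and _matches(addresses, dst_zone, p.dst, dst_ip):
            return p.action
    return "deny"

def inbound_exposure(policies, from_zone="v1-untrust"):
    """(host, service) pairs that any source in from_zone may reach: the list to review before go-live."""
    return sorted((p.dst, p.service) for p in policies
                  if p.src_zone == from_zone and p.src == "any" and p.action == "permit")

BOOK, POLICIES = parse(SAMPLE_CONFIG)
```

Running inbound_exposure(POLICIES) on the full listing makes the MS-SQL entries stand out, which is the point to weigh when the SQL hosts are reachable from the untrusted side.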