Category: Networking and Security
2013-03-29 14:43:55
WebUI:
(1) Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when it appears)
IP Address/Netmask: 10.1.1.1/24
Enter the following, then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet2): Enter the following, then click OK:
Zone Name: DMZ
Static IP: (select this option when it appears)
IP Address/Netmask: 1.2.2.1/24
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option when it appears)
IP Address/Netmask: 1.1.1.1/24
(2) Routing
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 10.1.2.0/24
Gateway: (select)
Interface: ethernet1
Gateway IP Address: 10.1.1.250
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 1.2.3.0/24
Gateway: (select)
Interface: ethernet2
Gateway IP Address: 1.2.2.250
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
(3) IP Spoof Protection
Screening > Screen (Zone: Trust): Select IP Address Spoof Protection, then click Apply.
Screening > Screen (Zone: DMZ): Select IP Address Spoof Protection, then click Apply.
Screening > Screen (Zone: Untrust): Select IP Address Spoof Protection, then click Apply.

CLI:
(1) Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 zone dmz
set interface ethernet2 ip 1.2.2.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
(2) Routing
set vrouter trust-vr route 10.1.2.0/24 interface ethernet1 gateway 10.1.1.250
set vrouter trust-vr route 1.2.3.0/24 interface ethernet2 gateway 1.2.2.250
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
(3) IP Spoof Protection
set zone trust screen ip-spoofing
set zone dmz screen ip-spoofing
set zone untrust screen ip-spoofing
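The IP spoof screen works by looking up each packet's source address in the route table and comparing the interface that lookup returns with the interface the packet actually arrived on, which is why the routes in step (2) must be in place before the screen is enabled. The following added example (not code from the original page or from Juniper) reproduces that reverse-path check in Python over the interfaces and routes configured above; the sample packets and their ingress interfaces are constructed for illustration.

```python
# Added example: reverse-path check of the kind the IP spoof screen performs,
# using the connected subnets and static routes from the configuration above.
import ipaddress
from typing import Optional

# (prefix, egress interface): connected subnets of ethernet1-3 plus the three
# static routes configured on trust-vr.
ROUTES = [
    ("10.1.1.0/24", "ethernet1"),   # connected, Trust
    ("1.2.2.0/24", "ethernet2"),    # connected, DMZ
    ("1.1.1.0/24", "ethernet3"),    # connected, Untrust
    ("10.1.2.0/24", "ethernet1"),   # via 10.1.1.250
    ("1.2.3.0/24", "ethernet2"),    # via 1.2.2.250
    ("0.0.0.0/0", "ethernet3"),     # default via 1.1.1.250
]

def lookup_interface(ip: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the route table would use to
    reach `ip`, or None when no route covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoofed(src_ip: str, ingress_iface: str, routes=ROUTES) -> bool:
    """A packet counts as spoofed when the interface it arrived on is not the
    interface a reply to its source address would leave through."""
    return lookup_interface(src_ip, routes) != ingress_iface

# Constructed sample packets: (source IP, interface it arrived on).
SAMPLE_PACKETS = [
    ("10.1.2.7", "ethernet1"),      # host behind 10.1.1.250, correct side: pass
    ("10.1.2.7", "ethernet3"),      # same address from the Untrust side: spoofed
    ("1.2.3.9", "ethernet2"),       # host behind 1.2.2.250, correct side: pass
    ("10.1.1.50", "ethernet2"),     # Trust subnet address arriving from DMZ: spoofed
    ("203.0.113.5", "ethernet3"),   # Internet address on Untrust, default route: pass
]

def classify(packets=SAMPLE_PACKETS, routes=ROUTES):
    return [(src, iface, "DROP" if is_spoofed(src, iface, routes) else "PASS")
            for src, iface in packets]

if __name__ == "__main__":
    for src, iface, verdict in classify():
        print(f"{src:>14} arriving on {iface}: {verdict}")
```

Note the effect of the default route: any source address not covered by a more specific route resolves to ethernet3, so an Internet address arriving on the Untrust interface always passes, while an internal address arriving there is dropped only because a more specific route points it at ethernet1 or ethernet2.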
save

II. Denial-of-Service Attack Defense
1. Source-Based Session Limiting
WebUI:
Screening > Screen (Zone: DMZ): Enter the following, then click OK:
Source IP Based Session Limit: (select)
Threshold: 1 Sessions
Screening > Screen (Zone: Trust): Enter the following, then click OK:
Source IP Based Session Limit: (select)
Threshold: 80 Sessions
CLI:
set zone dmz screen limit-session source-ip-based 1
set zone dmz screen limit-session source-ip-based
set zone trust screen limit-session source-ip-based 80
set zone trust screen limit-session source-ip-based
save
(The command with a numeric argument sets the threshold; the same command without it enables the screen option. The remaining screen options below follow the same set-threshold, then enable pattern.)

2. Destination-Based Session Limiting
WebUI:
Screening > Screen (Zone: Untrust): Enter the following, then click OK:
Destination IP Based Session Limit: (select)
Threshold: 4000 Sessions
CLI:
set zone untrust screen limit-session destination-ip-based 4000
set zone untrust screen limit-session destination-ip-based
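Both session limits above are counts of concurrent sessions, not rates: a source-based limit caps how many sessions a single source address in the zone may have open at once, and a destination-based limit caps how many sessions from that zone may be open toward a single destination address at once, however many sources they come from. The following added Python example (not code from the page or from ScreenOS) models that admission logic with the thresholds configured above, keyed by the zone on which the screen is enabled; the addresses and session sequence are constructed for illustration. A source limit of 1, as on the DMZ, is only sensible for a zone whose hosts never initiate traffic themselves.

```python
# Added example: source- and destination-IP-based session limits as an
# admission check on new sessions. Limits are keyed by the ingress zone the
# screen option is set on, matching the "set zone <zone> screen ..." form.
from collections import Counter

SRC_LIMITS = {"dmz": 1, "trust": 80}   # max open sessions per source IP
DST_LIMITS = {"untrust": 4000}         # max open sessions per destination IP

class SessionLimiter:
    def __init__(self, src_limits, dst_limits):
        self.src_limits = src_limits
        self.dst_limits = dst_limits
        self.per_src = Counter()   # open sessions by source address
        self.per_dst = Counter()   # open sessions by destination address

    def open_session(self, ingress_zone, src_ip, dst_ip) -> bool:
        """Admit a new session arriving on ingress_zone unless either limit
        configured for that zone is already reached."""
        src_cap = self.src_limits.get(ingress_zone)
        dst_cap = self.dst_limits.get(ingress_zone)
        if src_cap is not None and self.per_src[src_ip] >= src_cap:
            return False
        if dst_cap is not None and self.per_dst[dst_ip] >= dst_cap:
            return False
        self.per_src[src_ip] += 1
        self.per_dst[dst_ip] += 1
        return True

    def close_session(self, src_ip, dst_ip):
        self.per_src[src_ip] -= 1
        self.per_dst[dst_ip] -= 1

def run_dmz_example():
    """A DMZ server (limit 1) opening outbound sessions: the second is
    refused until the first closes. Returns the three admission results."""
    lim = SessionLimiter(SRC_LIMITS, DST_LIMITS)
    first = lim.open_session("dmz", "1.2.2.10", "203.0.113.5")
    second = lim.open_session("dmz", "1.2.2.10", "203.0.113.6")
    lim.close_session("1.2.2.10", "203.0.113.5")
    third = lim.open_session("dmz", "1.2.2.10", "203.0.113.6")
    return first, second, third

def run_dst_flood_example(attackers=50, sessions_each=100):
    """Many Untrust-side sources all targeting one server: the destination
    limit of 4000 caps the total no matter how the load is spread."""
    lim = SessionLimiter(SRC_LIMITS, DST_LIMITS)   # no source limit on untrust
    admitted = 0
    for a in range(attackers):
        for _ in range(sessions_each):
            if lim.open_session("untrust", f"198.51.100.{a}", "1.2.2.10"):
                admitted += 1
    return admitted

if __name__ == "__main__":
    print("DMZ source limit:", run_dmz_example())
    print("sessions admitted under destination limit:", run_dst_flood_example())
```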
save

3. SYN-ACK-ACK Proxy Flood
WebUI:
Screening > Screen (Zone: select the zone name): Enter the following, then click Apply:
SYN-ACK-ACK Proxy Protection: (select)
Threshold: (enter the value that triggers SYN-ACK-ACK proxy flood protection)
CLI:
set zone zone screen syn-ack-ack-proxy threshold number
set zone zone screen syn-ack-ack-proxy

4. ICMP Flood
WebUI:
Screening > Screen (Zone: select the zone name): Enter the following, then click Apply:
ICMP Flood Protection: (select)
Threshold: (enter the value that triggers ICMP flood protection)
CLI:
set zone zone screen icmp-flood threshold number
set zone zone screen icmp-flood

5. UDP Flood
WebUI:
Screening > Screen (Zone: select the zone name): Enter the following, then click Apply:
UDP Flood Protection: (select)
Threshold: (enter the value that triggers UDP flood protection)
CLI:
set zone zone screen udp-flood threshold number
set zone zone screen udp-flood

6. Land Attack
WebUI:
Screening > Screen (Zone: select the zone name): Select Land Attack Protection, then click Apply.
CLI:
set zone zone screen land

7. Ping of Death
WebUI:
Screening > Screen (Zone: select the zone name): Select Ping of Death Attack Protection, then click Apply.
CLI:
set zone zone screen ping-death

8. Teardrop Attack
WebUI:
Screening > Screen (Zone: select the zone name): Select Teardrop Attack Protection, then click Apply.
CLI:
set zone zone screen tear-drop

9. WinNuke
WebUI:
Screening > Screen (Zone: select the zone name): Select WinNuke Attack Protection, then click Apply.
CLI:
set zone zone screen winnuke
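The screens in sections 4 and 5 are threshold checks (packets per second to one destination), while those in sections 6 to 9 need no threshold because each matches a fixed packet signature: a Land packet has source address and port equal to its destination address and port; a Ping of Death is an ICMP datagram whose fragments reassemble to more than the 65535-byte IPv4 maximum; Teardrop sends IP fragments whose byte ranges overlap; WinNuke sends out-of-band (URG) TCP data to the NetBIOS session port 139. The following added Python example (not code from the page or from ScreenOS) implements both kinds of check over constructed packet records so the difference is visible; the hold-down the device applies after a flood is detected is not modelled, and fragment grouping is simplified to (source, destination, IP ID).

```python
# Added example: per-second flood thresholds (sections 4-5) and per-packet
# signature checks (sections 6-9) run over constructed packet records.
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_LEN = 65535   # maximum IPv4 datagram length in bytes

@dataclass
class Packet:
    ts: float                  # arrival time in seconds
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: tuple = ()          # TCP flags present, e.g. ("SYN",) or ("URG", "PSH")
    ip_id: int = 0             # IP identification, shared by fragments of one datagram
    frag_offset: int = 0       # fragment offset in bytes (header field * 8)
    more_fragments: bool = False
    payload_len: int = 0       # bytes of IP payload carried in this packet

# ---- sections 6-9: signature checks ----------------------------------
def is_land(p):
    # Land: TCP SYN whose source address/port equal its destination address/port
    return p.proto == "tcp" and "SYN" in p.flags and p.src == p.dst and p.sport == p.dport

def is_ping_of_death(p):
    # Ping of Death: ICMP fragment whose offset plus length exceeds the IPv4 maximum
    return p.proto == "icmp" and p.frag_offset + p.payload_len > IP_MAX_LEN

def is_winnuke(p):
    # WinNuke: out-of-band (URG) TCP data to the NetBIOS session port 139
    return p.proto == "tcp" and p.dport == 139 and "URG" in p.flags

class TeardropDetector:
    """Teardrop: a fragment whose byte range overlaps an earlier fragment of
    the same datagram. Fragments are grouped by (src, dst, ip_id), a
    simplification of real reassembly, which also keys on the protocol."""
    def __init__(self):
        self.ranges = defaultdict(list)
    def check(self, p):
        if not (p.more_fragments or p.frag_offset):
            return False                       # not a fragment
        key = (p.src, p.dst, p.ip_id)
        start, end = p.frag_offset, p.frag_offset + p.payload_len
        overlap = any(start < e and s < end for s, e in self.ranges[key])
        self.ranges[key].append((start, end))
        return overlap

# ---- sections 4-5: flood thresholds ----------------------------------
class FloodCounter:
    """Counts packets of one protocol per destination within each whole
    second; packets beyond `threshold` in that second are flagged."""
    def __init__(self, proto, threshold):
        self.proto, self.threshold = proto, threshold
        self.counts = defaultdict(int)
    def exceeds(self, p):
        if p.proto != self.proto:
            return False
        key = (int(p.ts), p.dst)
        self.counts[key] += 1
        return self.counts[key] > self.threshold

def scan(packets, icmp_threshold=1000, udp_threshold=1000):
    """Return, per packet, the names of the screens that would drop it
    (an empty list means the packet passes)."""
    teardrop = TeardropDetector()
    icmp, udp = FloodCounter("icmp", icmp_threshold), FloodCounter("udp", udp_threshold)
    checks = (("land", is_land), ("ping-death", is_ping_of_death),
              ("winnuke", is_winnuke), ("tear-drop", teardrop.check),
              ("icmp-flood", icmp.exceeds), ("udp-flood", udp.exceeds))
    return [[name for name, fn in checks if fn(p)] for p in packets]

def sample_traffic():
    """Constructed sample: four crafted packets, one benign packet, then
    1500 ICMP packets to one host inside a single second."""
    A, V = "203.0.113.5", "1.2.2.10"
    pkts = [
        Packet(1.0, V, V, "tcp", sport=80, dport=80, flags=("SYN",)),                   # Land
        Packet(1.1, A, V, "icmp", ip_id=7, frag_offset=65528, payload_len=40),           # Ping of Death
        Packet(1.2, A, V, "udp", ip_id=9, frag_offset=0, payload_len=1480, more_fragments=True),
        Packet(1.3, A, V, "udp", ip_id=9, frag_offset=1400, payload_len=200),            # overlaps: Teardrop
        Packet(1.4, A, V, "tcp", sport=4444, dport=139, flags=("URG", "PSH", "ACK")),    # WinNuke
        Packet(1.5, A, V, "tcp", sport=4444, dport=80, flags=("SYN",)),                  # benign
    ]
    pkts += [Packet(5.0 + i / 1500, A, V, "icmp") for i in range(1500)]                 # ICMP flood
    return pkts

def summarize(verdicts):
    """Count how many packets each screen would drop."""
    tally = defaultdict(int)
    for hits in verdicts:
        for name in hits:
            tally[name] += 1
    return dict(tally)

if __name__ == "__main__":
    v = scan(sample_traffic())
    print(v[:6])
    print(summarize(v))
```

With the default ICMP threshold of 1000 packets per second, the first 1000 packets of the burst pass and the remaining 500 are dropped; raising the threshold above the burst size makes the same traffic pass untouched, whereas the four signature matches are dropped regardless of any threshold.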