1. CPU utilization check: show chassis routing-engine
2. Memory utilization check: show chassis routing-engine
3. OSPF neighbor check: show ospf neighbor
4. LDP interface status check: show ldp interface
5. IS-IS adjacency check: show isis adjacency
6. BGP neighbor check: show bgp neighbor
7. HSRP information check: show vrrp extensive
8. Spanning tree (STP) information check
9. Power supply status check: show chassis environment pem
10. Fan status check: show chassis environment
11. Line card alarm check: show chassis alarms
12. Line card status check: show chassis fpc / show chassis fpc pic-status
13. Line card temperature check: show chassis fpc / show chassis fpc pic-status
14. Line card firmware version check: show chassis fpc detail
15. Interface configuration check: show configuration interfaces
16. Interface description naming-convention check: show interface descriptions
17. AAA authentication check: show configuration system
18. Routing Engine redundancy status check: show configuration chassis redundancy
19. NTP status check: show ntp associations
20. Syslog destination check: show configuration system syslog
21. Trap destination check
22. Telnet secure login configuration check: show configuration system login
23. DNS configuration check: show configuration system name-server
24. Software patch version check: show version
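The first two items of the checklist (CPU and memory utilization read from show chassis routing-engine) can be automated by parsing the command output instead of eyeballing it. The Python script below is an added example and not part of the original checklist; the sample output is constructed to follow the usual layout of that command (it was not captured from a real device), and the 80 percent warning thresholds are assumptions.

```python
import re

# Constructed sample of `show chassis routing-engine` output (not captured
# from a real device): two Routing Engines, the backup one under load.
SAMPLE_OUTPUT = """\
Routing Engine status:
  Slot 0:
    Current state                  Master
    Temperature                 39 degrees C / 102 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      2048 MB
    Memory utilization          47 percent
    CPU utilization:
      User                       2 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      93 percent
  Slot 1:
    Current state                  Backup
    Temperature                 40 degrees C / 104 degrees F
    CPU temperature             42 degrees C / 107 degrees F
    DRAM                      2048 MB
    Memory utilization          88 percent
    CPU utilization:
      User                      60 percent
      Background                 0 percent
      Kernel                    25 percent
      Interrupt                  5 percent
      Idle                      10 percent
"""

MEM_WARN = 80  # percent; assumed threshold for checklist item 2
CPU_WARN = 80  # percent busy (100 - idle); assumed threshold for item 1

FIELDS = {
    "state": re.compile(r"\s*Current state\s+(\S+)"),
    "mem": re.compile(r"\s*Memory utilization\s+(\d+) percent"),
    "idle": re.compile(r"\s*Idle\s+(\d+) percent"),
}

def parse_routing_engines(text):
    """Map each RE slot to its state, memory utilization and CPU busy percentage."""
    engines, slot = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Slot (\d+):", line)
        if m:
            slot = int(m.group(1))
            engines[slot] = {}
            continue
        if slot is None:
            continue
        for key, pattern in FIELDS.items():
            m = pattern.match(line)
            if m:
                value = m.group(1) if key == "state" else int(m.group(1))
                if key == "idle":
                    engines[slot]["cpu_busy"] = 100 - value
                else:
                    engines[slot][key] = value
    return engines

def check(engines, mem_warn=MEM_WARN, cpu_warn=CPU_WARN):
    """Return (slot, metric, value) for every RE reading at or above a threshold."""
    findings = []
    for slot, e in sorted(engines.items()):
        if e.get("mem", 0) >= mem_warn:
            findings.append((slot, "mem", e["mem"]))
        if e.get("cpu_busy", 0) >= cpu_warn:
            findings.append((slot, "cpu", e["cpu_busy"]))
    return findings

if __name__ == "__main__":
    res = parse_routing_engines(SAMPLE_OUTPUT)
    for finding in check(res) or ["all Routing Engines within thresholds"]:
        print(finding)
```

The same slot-based parsing pattern extends to the other chassis checks in the list (alarms, environment, FPC status), since those commands also print one indented block per component.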
1. Security zones and interfaces
1.1 Interface configuration
Three VLANs are in use on the internal network, and the gateway of each VLAN sits on the firewall, so VLAN tagging is enabled on the internal interface. ge-0/0/1 is the internal interface and is split into three sub-interfaces: unit 1 serves VLAN 10 (192.168.100.0/24), unit 2 serves VLAN 2 (192.168.1.0/24) and unit 3 serves VLAN 3 (172.16.1.0/24). ge-0/0/0 is the external interface and needs no tagging.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 1 vlan-id 10
set interfaces ge-0/0/1 unit 1 family inet address 192.168.100.1/24
set interfaces ge-0/0/1 unit 2 vlan-id 2
set interfaces ge-0/0/1 unit 2 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 3 vlan-id 3
set interfaces ge-0/0/1 unit 3 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 1 vlan-id 4
set interfaces ge-0/0/3 unit 1 family inet address 192.168.4.1/24
set interfaces ge-0/0/3 unit 2 vlan-id 5
set interfaces ge-0/0/3 unit 2 family inet address 192.168.5.1/24
set interfaces ge-0/0/0 unit 0 family inet address 113.106.95.115/28
1.2 Create the security zones
As required, the internal network is divided into three zones: trust for internal staff (192.168.100.0/24), server for the servers (192.168.1.0/24) and guest for visitors (172.16.1.0/24).
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone server host-inbound-traffic system-services all
set security zones security-zone server host-inbound-traffic protocols all
set security zones security-zone guest host-inbound-traffic system-services all
set security zones security-zone guest host-inbound-traffic protocols all
1.3 Assign the interfaces to their zones and configure the management services permitted on each interface
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services dhcp
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services ping
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services telnet
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services http
set security zones security-zone guest interfaces ge-0/0/1.3 host-inbound-traffic system-services dhcp
2 Security policy configuration
Each security zone has an address book. Before policies between two zones can be created, the addresses must be defined in the zone's address book; the policies then reference those address-book entries.
2.1 Define the address books
set security zones security-zone server address-book address server250 192.168.1.250/32
set security zones security-zone server address-book address server249 192.168.1.249/32
set security zones security-zone server address-book address server248 192.168.1.248/32
2.2 Applications
No new application needs to be created for this deployment; the predefined SSH application (junos-ssh) is used.
2.3 Security policies
The rules currently defined are as follows:
the internal user zone (trust), the server zone (server) and the guest zone (guest) are allowed to access the external zone (untrust);
the internal user zone (trust) and the server zone (server) are allowed to access each other;
the external zone (untrust) is allowed SSH access to the three servers (192.168.1.248-250) in the server zone (server).
In addition, the firewall has a default policy permitting trust-to-trust traffic.
Everything else is denied by the firewall's default policy, i.e. all other flows are blocked.
Allow the internal user zone (trust) to access the external zone (untrust):
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
Allow the server zone (server) to access the external zone (untrust):
set security policies from-zone server to-zone untrust policy server-to-untrust match source-address any
set security policies from-zone server to-zone untrust policy server-to-untrust match destination-address any
set security policies from-zone server to-zone untrust policy server-to-untrust match application any
set security policies from-zone server to-zone untrust policy server-to-untrust then permit
Allow the guest zone (guest) to access the external zone (untrust):
set security policies from-zone guest to-zone untrust policy guest-to-untrust match source-address any
set security policies from-zone guest to-zone untrust policy guest-to-untrust match destination-address any
set security policies from-zone guest to-zone untrust policy guest-to-untrust match application any
set security policies from-zone guest to-zone untrust policy guest-to-untrust then permit
Allow the internal user zone (trust) and the server zone (server) to access each other:
set security policies from-zone trust to-zone server policy trust-to-server match source-address any
set security policies from-zone trust to-zone server policy trust-to-server match destination-address any
set security policies from-zone trust to-zone server policy trust-to-server match application any
set security policies from-zone trust to-zone server policy trust-to-server then permit
set security policies from-zone server to-zone trust policy server-to-trust match source-address any
set security policies from-zone server to-zone trust policy server-to-trust match destination-address any
set security policies from-zone server to-zone trust policy server-to-trust match application any
set security policies from-zone server to-zone trust policy server-to-trust then permit
Allow the external zone (untrust) SSH access to the three servers (192.168.1.248-250) in the server zone (server):
set security policies from-zone untrust to-zone server policy untrust-to-server match source-address any
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server250
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server249
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server248
set security policies from-zone untrust to-zone server policy untrust-to-server match application junos-ssh
set security policies from-zone untrust to-zone server policy untrust-to-server then permit
3 NAT configuration
3.1 Source NAT
When internal servers access the Internet, their source address must be translated. To conserve public addresses this translation normally uses the external interface address, which is why it is also called interface NAT.
For the trust zone (internal staff) we define the source NAT rule-set trust-to-untrust, so that all packets from the trust zone (192.168.100.0/24) to the untrust zone (the Internet) are source-NATed and their source address is mapped to the public interface address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.100.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
For the server zone we define the source NAT rule-set server-to-untrust, so that all packets from the server zone to the untrust zone (the Internet) are source-NATed and their source address is mapped to the public interface address.
set security nat source rule-set server-to-untrust from zone server
set security nat source rule-set server-to-untrust to zone untrust
set security nat source rule-set server-to-untrust rule server-source-nat-rule match source-address 192.168.1.0/24
set security nat source rule-set server-to-untrust rule server-source-nat-rule then source-nat interface
For the guest zone (visitors) we define the source NAT rule-set guest-to-untrust, so that all packets from the guest zone to the untrust zone (the Internet) are source-NATed and their source address is mapped to the public interface address.
set security nat source rule-set guest-to-untrust from zone guest
set security nat source rule-set guest-to-untrust to zone untrust
set security nat source rule-set guest-to-untrust rule guest-source-nat-rule match source-address 172.16.1.0/24
set security nat source rule-set guest-to-untrust rule guest-source-nat-rule then source-nat interface
3.2 Destination NAT
In this project SSH access from the Internet to the internal servers is required, so destination NAT, i.e. port mapping, is used. We map port 22 of 113.106.95.114 to port 22 of the internal host 192.168.1.250, port 202 of 113.106.95.114 to port 22 of 192.168.1.249, and port 221 of 113.106.95.114 to port 22 of 192.168.1.248.
Define the address pools
Set up the address pools, i.e. the internal server IP address and port that traffic is mapped to; three pools are defined in this project, named 250, 249 and 248.
set security nat destination pool 250 address 192.168.1.250/32
set security nat destination pool 250 address port 22
set security nat destination pool 249 address 192.168.1.249/32
set security nat destination pool 249 address port 22
set security nat destination pool 248 address 192.168.1.248/32
set security nat destination pool 248 address port 22
Define the rules
Three destination NAT rules are configured, named 250, 249 and 248:
set security nat destination rule-set 1 from zone untrust
(defines the zone the traffic comes from)
set security nat destination rule-set 1 rule 250 match source-address 0.0.0.0/0
(matches the source address range; 0.0.0.0/0 means the source address is not restricted)
set security nat destination rule-set 1 rule 250 match destination-address 113.106.95.114/32
(matches the destination address; in this project the address 113.106.95.114 is used)
set security nat destination rule-set 1 rule 250 match destination-port 22
(matches destination port 22)
set security nat destination rule-set 1 rule 250 then destination-nat pool 250
(once the conditions above match, the destination NAT action is applied: packets addressed to port 22 of 113.106.95.114 are mapped to pool 250, i.e. the destination address becomes 192.168.1.250 and the destination port 22)
The other two rules follow the same pattern as rule 250:
set security nat destination rule-set 1 rule 249 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 249 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 249 match destination-port 220
set security nat destination rule-set 1 rule 249 then destination-nat pool 249
set security nat destination rule-set 1 rule 248 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 248 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 248 match destination-port 221
set security nat destination rule-set 1 rule 248 then destination-nat pool 248
Define proxy ARP
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.114/32
For traffic from the Internet addressed to 113.106.95.114 to reach the firewall at all, proxy ARP must be used to bind 113.106.95.114 to the external interface ge-0/0/0.
Define the policy from the external zone (untrust) to the server zone (server)
This policy was already configured in section 2.3, so nothing further is needed.
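The point that sections 2.3 and 3 leave implicit is the order in which the SRX processes a first packet: destination NAT is applied before the policy lookup, so the untrust-to-server policy must match the translated private addresses (server250, server249, server248), while source NAT is applied after the policy, so the trust-to-untrust policies match the original private sources. The Python model below is an added example and not part of the original document or of Junos; it encodes the zones, address book, policies and NAT rules from the sections above and walks sample flows through them. Zone membership is derived from the interface subnets (anything else is treated as untrust), destination ports follow the match destination-port lines of the NAT rules (22, 220, 221), and the flow order is a simplification of the real SRX pipeline (no session table, screens or ALGs).

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network

# Sections 1.1/1.3: subnets behind each zone, from the interface assignments.
ZONE_BY_NETWORK = [
    (net("192.168.100.0/24"), "trust"),  # ge-0/0/1.1
    (net("192.168.2.0/24"), "trust"),    # ge-0/0/2.0
    (net("192.168.1.0/24"), "server"),   # ge-0/0/1.2
    (net("172.16.1.0/24"), "guest"),     # ge-0/0/1.3
]

def zone_of(addr):
    a = ipaddress.ip_address(addr)
    for n, zone in ZONE_BY_NETWORK:
        if a in n:
            return zone
    return "untrust"  # everything not behind an internal interface

# Section 2.1: address-book entries of the server zone.
ADDRESS_BOOK = {
    "server250": net("192.168.1.250/32"),
    "server249": net("192.168.1.249/32"),
    "server248": net("192.168.1.248/32"),
}
# Section 2.2: the only application used, the predefined junos-ssh (tcp/22).
APPLICATIONS = {"junos-ssh": ("tcp", 22)}

# Section 2.3: policies in configuration order, plus the factory-default
# trust-to-trust permit mentioned in the text.
# (from-zone, to-zone, name, destination-address names, application)
POLICIES = [
    ("trust", "untrust", "trust-to-untrust", ["any"], "any"),
    ("server", "untrust", "server-to-untrust", ["any"], "any"),
    ("guest", "untrust", "guest-to-untrust", ["any"], "any"),
    ("trust", "server", "trust-to-server", ["any"], "any"),
    ("server", "trust", "server-to-trust", ["any"], "any"),
    ("untrust", "server", "untrust-to-server",
     ["server250", "server249", "server248"], "junos-ssh"),
    ("trust", "trust", "default-permit", ["any"], "any"),
]

# Section 3.1: interface source NAT to ge-0/0/0.0 (113.106.95.115) per zone pair.
SNAT_INTERFACE_IP = "113.106.95.115"
SNAT_RULE_SETS = {
    ("trust", "untrust"): net("192.168.100.0/24"),
    ("server", "untrust"): net("192.168.1.0/24"),
    ("guest", "untrust"): net("172.16.1.0/24"),
}

# Section 3.2: destination NAT rule-set 1 (from zone untrust).  Ports are the
# "match destination-port" values of the rule lines (22, 220, 221).
EXTERNAL_IP = "113.106.95.114"
DNAT_RULES = {
    (EXTERNAL_IP, 22): ("192.168.1.250", 22),   # rule 250 -> pool 250
    (EXTERNAL_IP, 220): ("192.168.1.249", 22),  # rule 249 -> pool 249
    (EXTERNAL_IP, 221): ("192.168.1.248", 22),  # rule 248 -> pool 248
}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

def evaluate(flow):
    """Return the decision trail for the first packet of `flow`."""
    from_zone = zone_of(flow.src)
    dst, dport = flow.dst, flow.dport
    if from_zone == "untrust":  # rule-set 1 is attached to "from zone untrust"
        dst, dport = DNAT_RULES.get((dst, dport), (dst, dport))
    to_zone = zone_of(dst)      # zone lookup uses the post-NAT destination
    dst_ip = ipaddress.ip_address(dst)
    trail = {"from_zone": from_zone, "to_zone": to_zone,
             "dst_after_dnat": f"{dst}:{dport}", "policy": None,
             "action": "deny", "src_after_snat": flow.src}
    for pf, pt, name, dst_names, app in POLICIES:
        if (pf, pt) != (from_zone, to_zone):
            continue
        if "any" not in dst_names and not any(dst_ip in ADDRESS_BOOK[n] for n in dst_names):
            continue
        if app != "any" and APPLICATIONS[app] != (flow.proto, dport):
            continue
        trail.update(policy=name, action="permit")
        break  # first matching policy wins; no match leaves the implicit deny
    if trail["action"] == "permit":  # source NAT is applied after the policy
        src_net = SNAT_RULE_SETS.get((from_zone, to_zone))
        if src_net is not None and ipaddress.ip_address(flow.src) in src_net:
            trail["src_after_snat"] = SNAT_INTERFACE_IP
    return trail

if __name__ == "__main__":
    for f in (Flow("192.168.100.10", "198.51.100.7", dport=443),  # trust -> Internet
              Flow("203.0.113.5", EXTERNAL_IP, dport=220),         # SSH to server249
              Flow("203.0.113.5", EXTERNAL_IP, dport=80),          # no mapping: dropped
              Flow("172.16.1.20", "192.168.1.250", dport=22)):     # guest -> server
        print(f, "->", evaluate(f))
```

Running the four sample flows shows the two things worth checking in a review of this configuration: a packet to 113.106.95.114 on a port with no destination NAT rule stays in the untrust zone and is dropped because no untrust-to-untrust policy exists, and a guest host has no path to the servers because no guest-to-server policy is configured even though proxy ARP and the NAT pools would otherwise allow the addresses to be reached.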