Case Analysis of eudemon Security Transformation of Firewall

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article shares an example analysis of the eudemon security transformation of a firewall. The editor considers it very practical, so it is shared here for study; I hope you gain something from reading it.

Background: driven by security requirements, the original configuration of the EUDEMON firewall was hardened. The existing business system's DMZ network environment uses 192 network segments; its uplink passes through a Huawei 8508, then through the firewall and a router, to reach the public network. The business system's DMZ is connected to the internal core area through the Huawei EUDEMON firewall.

Environment: all network equipment is Huawei: the switch is a Huawei LS-S5328C, the firewall a Huawei Eudemon 1000E, and all server systems run SUSE 11 Enterprise Server 64-bit.

Requirements: the firewall must be administered remotely via SSH, and security access restrictions are added between the firewall's zones.

Network topology diagram:

First, the firewall requires remote login through SSH

Original configuration:

Telnet is an application-layer protocol in the TCP/IP protocol family that provides remote login and virtual terminal functions over the network.

[switch] aaa
[switch-aaa] local-user admin password simple usermax // set the account password
[switch-aaa] local-user admin privilege level 3 // set the account level; 3 is the highest level
[switch-aaa] local-user admin service-type telnet // set the local account service type to telnet
[switch-aaa] quit
[switch] user-interface vty 0 4
[switch-user-vty0-4] authentication-mode aaa // set the login user authentication method to aaa
[switch-user-vty0-4] protocol bind telnet // bind the user protocol to telnet
[switch-user-vty0-4] idle-timeout 50 // idle timeout 5 minutes to exit
[switch-user-vty0-4] quit

The SSH (Secure Shell) feature provides secure information protection and strong authentication, protecting the device against IP address spoofing, plaintext password interception and similar attacks.

Configuration after transformation:

The server creates an SSH user user001.

# Create a new SSH user named user001 whose authentication method is password.
[Quidway] ssh user user001
[Quidway] ssh user user001 authentication-type password

(Note: SSH users have four authentication methods: password, RSA, password-rsa and all. If an SSH user's authentication method is password or password-rsa, a local-user with the same name must be configured; if it is RSA, password-rsa or all, the server side must hold the SSH client's RSA public key.)

# Configure the password huawei for SSH user user001.
[Quidway] aaa
[Quidway-aaa] local-user user001 password simple huawei
[Quidway-aaa] local-user user001 service-type ssh

# Configure the VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

# Enable the SFTP service.
[Quidway] sftp server enable

The client connects to the SSH server.

# On first login, first-time authentication must be enabled on the SSH client.
[user001] ssh client first-time enable

# The SFTP client Client001 connects to the SSH server using password authentication.
<user001> system-view
[user001] sftp 221.116.139.121
Input Username:user001
Trying 221.116.139.121...
Press CTRL+K to abort
Enter password:
sftp-client>

Second, add security access restrictions among the areas of the firewall

The most basic function of a firewall is to control the data flow between regions of a computer network that have different degrees of trust. Typical zones are the Internet (UNTRUST zone), the internal network (TRUST zone) and the neutral zone (DMZ). By dividing the internal network with the firewall, key intranet segments can be isolated, which limits the impact of a local security problem in a key or sensitive segment on the network as a whole.

Original configuration (no restrictions between zones; packets are allowed to pass in all directions between security zones):

#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local vzone direction inbound
firewall packet-filter default permit interzone local vzone direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust vzone direction inbound
firewall packet-filter default permit interzone trust vzone direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone untrust vzone direction inbound
firewall packet-filter default permit interzone untrust vzone direction outbound
firewall packet-filter default permit interzone dmz vzone direction inbound
firewall packet-filter default permit interzone dmz vzone direction outbound

Configuration after transformation:

1. Simplify the original inter-zone access: only the default permits for the local zone remain

#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound

Note: data flow between security zones is directional; there is an incoming direction (inbound) and an outgoing direction (outbound).

Inbound direction: data moves from a low-priority security zone to a high-priority security zone.

Outbound direction: data moves from a high-priority security zone to a low-priority security zone.
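The two "before" states on this page, Telnet with a plaintext password on the VTY lines and blanket default-permit between every zone pair, are both visible as plain lines in a configuration dump, so they can be checked without touching the device. The following script is an added example, not tooling from the article or from Huawei; the sample configuration inside it is constructed from the article's own snippets, and the choice to tolerate default-permit only for the local zone mirrors what step 1 keeps.

```python
"""Audit a Huawei VRP-style configuration dump for the two weaknesses this
article fixes: Telnet / plaintext-password management access, and permissive
default inter-zone policy.  Added example, not the article's or vendor's tool."""
import re
from typing import Dict, List

# Constructed sample: the "before" state from both sections of the article.
SAMPLE_CONFIG = """\
aaa
 local-user admin password simple usermax
 local-user admin privilege level 3
 local-user admin service-type telnet
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
 idle-timeout 50
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
"""

# Assumption: a default permit is tolerable only when one side is the device
# itself (the local zone), which is what the article's step 1 keeps.
ACCEPTABLE_DEFAULT_PERMIT_ZONES = {"local"}

MGMT_CHECKS = [
    (re.compile(r"^\s*local-user\s+\S+\s+password\s+simple\b"), "plaintext (simple) password"),
    (re.compile(r"^\s*local-user\s+\S+\s+service-type\s+.*\btelnet\b"), "telnet service-type"),
    (re.compile(r"^\s*protocol\s+(inbound|bind)\s+.*\btelnet\b"), "telnet allowed on VTY"),
]
DEFAULT_PERMIT = re.compile(
    r"^\s*firewall packet-filter default permit interzone (\S+) (\S+) direction (inbound|outbound)\s*$"
)


def audit_management_access(config: str) -> List[str]:
    """Return one finding per line that keeps Telnet or plaintext passwords."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for pattern, label in MGMT_CHECKS:
            if pattern.search(line):
                findings.append(f"line {lineno}: {label}: {line.strip()}")
    return findings


def audit_default_permit(config: str) -> Dict[str, List[str]]:
    """Return {zone-pair: [directions]} for default-permit rules where
    neither zone is in the acceptable set, i.e. pairs that should instead be
    bound to an explicit ACL-based packet-filter."""
    permissive: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = DEFAULT_PERMIT.match(line)
        if not m:
            continue
        zone_a, zone_b, direction = m.groups()
        if {zone_a, zone_b} & ACCEPTABLE_DEFAULT_PERMIT_ZONES:
            continue
        permissive.setdefault(f"{zone_a}-{zone_b}", []).append(direction)
    return permissive


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print("MGMT:", finding)
    for pair, directions in audit_default_permit(SAMPLE_CONFIG).items():
        print(f"DEFAULT PERMIT: {pair} {directions}")
```

Run against a real `display current-configuration` export, the management checks should come back empty once the SSH-only VTY configuration above is in place, and the default-permit list should shrink to nothing once every non-local zone pair is governed by an ACL as in steps 2 to 4.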

2. Set the address sets:

#
ip address-set addressgroup1
 address 4 192.29.141.130 0
 address 5 192.29.141.132 0
 address 6 192.29.141.140 0
 address 7 192.29.141.142 0
#
ip address-set addressgroup4
 address 0 192.29.141.25 0
 address 1 192.29.141.26 0
 address 2 192.29.141.27 0

3. Add access rules and restrictions between the specific address sets

#
acl number 3201
 rule 10 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq sqlnet
 rule 11 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ssh
 rule 15 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmp
 rule 16 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ntp
 rule 17 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmptrap
 rule 3000 deny ip
#
acl number 3202
 rule 10 permit tcp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ssh
 rule 15 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmp
 rule 16 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ntp
 rule 17 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmptrap
 rule 3000 deny ip

4. Apply the ACLs between the zones

#
firewall interzone dmz untrust
 packet-filter 3201 inbound
 packet-filter 3202 outbound
 detect ftp
 detect http
 session log enable acl-number 3201 inbound
 session log enable acl-number 3202 outbound
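To see what steps 2 to 4 actually enforce, it helps to model the address sets, the two ACLs and the dmz/untrust binding and run candidate flows through them. The script below is an added example and not the firewall's own logic: address sets and rule numbers are taken from the article, the zone priorities and the service-name to port mapping are assumptions (Eudemon defaults and IANA numbers), the placement of addressgroup1 on the untrust side and addressgroup4 on the DMZ side is inferred from ACL 3201 being bound inbound, and the flows evaluated are constructed.

```python
"""Model address-set / ACL / interzone packet-filter evaluation as configured
in the article and check sample flows against it.  Added example; not the
device's code.  Rule numbers and address sets come from the article."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the device resolves these service keywords to IANA port numbers.
PORT_NAMES = {"sqlnet": 1521, "ssh": 22, "snmp": 161, "ntp": 123, "snmptrap": 162}

ADDRESS_SETS: Dict[str, List[str]] = {
    "addressgroup1": ["192.29.141.130", "192.29.141.132", "192.29.141.140", "192.29.141.142"],
    "addressgroup4": ["192.29.141.25", "192.29.141.26", "192.29.141.27"],
}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (any)
    src_set: Optional[str] = None  # None = any source
    dst_set: Optional[str] = None  # None = any destination
    dst_port: Optional[int] = None # None = any destination port


ACLS: Dict[int, List[Rule]] = {
    3201: [  # bound inbound on dmz/untrust: addressgroup1 -> addressgroup4
        Rule(10, "permit", "tcp", "addressgroup1", "addressgroup4", PORT_NAMES["sqlnet"]),
        Rule(11, "permit", "tcp", "addressgroup1", "addressgroup4", PORT_NAMES["ssh"]),
        Rule(15, "permit", "udp", "addressgroup1", "addressgroup4", PORT_NAMES["snmp"]),
        Rule(16, "permit", "udp", "addressgroup1", "addressgroup4", PORT_NAMES["ntp"]),
        Rule(17, "permit", "udp", "addressgroup1", "addressgroup4", PORT_NAMES["snmptrap"]),
        Rule(3000, "deny", "ip"),
    ],
    3202: [  # bound outbound on dmz/untrust: addressgroup4 -> addressgroup1 (no sqlnet)
        Rule(10, "permit", "tcp", "addressgroup4", "addressgroup1", PORT_NAMES["ssh"]),
        Rule(15, "permit", "udp", "addressgroup4", "addressgroup1", PORT_NAMES["snmp"]),
        Rule(16, "permit", "udp", "addressgroup4", "addressgroup1", PORT_NAMES["ntp"]),
        Rule(17, "permit", "udp", "addressgroup4", "addressgroup1", PORT_NAMES["snmptrap"]),
        Rule(3000, "deny", "ip"),
    ],
}

# Step 4 binding: zone pair -> {direction: acl number}.
INTERZONE = {frozenset({"dmz", "untrust"}): {"inbound": 3201, "outbound": 3202}}
# Assumption: Eudemon default zone priorities (higher = more trusted).
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def _in_set(ip: str, set_name: Optional[str]) -> bool:
    if set_name is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr == ipaddress.ip_address(a) for a in ADDRESS_SETS[set_name])


def evaluate_acl(acl: int, proto: str, src: str, dst: str, dport: int) -> Tuple[str, int]:
    """First-match evaluation; returns (action, matching rule number)."""
    for r in ACLS[acl]:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not _in_set(src, r.src_set) or not _in_set(dst, r.dst_set):
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        return r.action, r.number
    return "deny", 0  # unreachable here because rule 3000 catches everything


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound = low-priority zone to high-priority zone, per the article's note."""
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def check_flow(src_zone: str, dst_zone: str, proto: str,
               src: str, dst: str, dport: int) -> Tuple[str, Optional[int], str, int]:
    """Return (direction, acl, action, rule) for one flow crossing the zone pair."""
    d = direction(src_zone, dst_zone)
    binding = INTERZONE.get(frozenset({src_zone, dst_zone}))
    if binding is None or d not in binding:
        return d, None, "no-acl", 0  # falls back to the interzone default policy
    action, rule = evaluate_acl(binding[d], proto, src, dst, dport)
    return d, binding[d], action, rule


if __name__ == "__main__":
    print(check_flow("untrust", "dmz", "tcp", "192.29.141.130", "192.29.141.25", 1521))
    print(check_flow("dmz", "untrust", "tcp", "192.29.141.25", "192.29.141.130", 1521))
```

The asymmetry is the point: a database connection initiated from addressgroup1 towards addressgroup4 is permitted by rule 10 of ACL 3201, while the same port in the reverse direction falls through to rule 3000 of ACL 3202, and a host outside either address set is denied in both directions regardless of port.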

The security modifications between the other zone pairs follow the same pattern.

After the security transformation, network security has improved to a certain extent. Further gaps can of course be checked and closed according to the specific situation, for example with ACL (access control lists), AM (access management configuration), AAA, dot1x, MAC binding and so on.

The above is the example analysis of the eudemon firewall security transformation. The editor believes it contains knowledge points that may be seen or used in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
