Shulou(Shulou.com)06/03 Report--

Today, what is mainly brought is the indispensable patron saint of network security, that is, the firewall. When it comes to firewalls, I believe all the compatriots engaged in the network know what he does. As the name implies, isn't the firewall fireproof? yes, it is fireproof. What he protects against is the malicious traffic in the network that threatens our network security. Let's first give you a brief understanding.

Overview and definition of firewalls:

1. The so-called firewall refers to a protective barrier composed of software and hardware and constructed on the interface between the intranet and the extranet and between the private network and the public network.

two。 Firewall is a technical measure to protect computer network security. It isolates internal and external networks by establishing a corresponding network communication monitoring system on the network boundary, in order to block the external network.

3. A firewall is the name of a part in a car. In a car, a firewall is used to separate passengers from the engine, so that if the engine catches fire, the firewall can not only protect passengers, but also allow the driver to continue to control the engine. In computer terminology, of course, this is not what it means. We can understand by analogy that in a network, the so-called "firewall" refers to a method of separating the intranet from the public access network (such as Internet). It is actually an isolation technology. A firewall is an access control measure that is implemented when two networks communicate. It allows people and data you "agree" to enter your network, while shutting out people and data you "disagree". To the maximum extent possible to prevent people in the network from accessing your network. In other words, without going through the firewall, people inside the company cannot access people on the Internet,Internet or communicate with people inside the company.

The main advantages of firewalls are:

(1) the firewall can strengthen the security policy.

(2) the firewall can effectively record the activities on the Internet.

(3) the firewall restricts the exposure of user points. Firewalls can be used to separate one network segment from another in a network. In this way, problems affecting one network segment can be prevented from spreading through the entire network.

(4) Firewall is a checkpoint of security policy. All incoming and outgoing information must pass through the firewall, which becomes a checkpoint of security issues, so that suspicious access is denied.

Here I use Cisco's ASA5500 firewall. Let's start with a brief introduction:

ASA security appliance (also known as ASA firewall)

ASA5500 series

Features are available:

1 Firewall technology (cisco PIX)

2IPS technology (cisco IPS)

3NW-AV (cisco IPS,AV)

4 × × (cisco × × 3000)

5 Network Intelligence (Cisco Network Services)

6 Application detection, use implementation, WEB control (application security)

7 software, content defense, abnormal traffic detection (Anti-X defense)

8 Traffic, admission control, active response (network suppression and control)

9 secure connection (IPSec & SSL × ×)

Interface name of the firewall

1 physical name G0UniUniverse 1

2 logical names are used to describe security zones such as inside outside

Interface security level

Range: the higher the number from 0 to 100, the higher the security level, and vice versa.

Inside (intranet) security level 100

Outside (public network) security level 0

Inside- Firewall-outside

Lab Topology:

Lab requirements: DMZ publishes Web server Client2 can access configure ACL disable Client3 access Server2Server3 use the command show conn detail to view the Conn table view the routing table address plans for ASA and AR respectively: device port IP address and mask Server110.1.1.1/24Client110.2.2.2/24Server2192.168.8.100/24Client2192.168.8.1/24Server3192.168.3.100/24Client3192.168.3.1/24 router Gi0/0/010.1.1.254/24 router Gi0 Gi0/0/2192.168.1.1/24 firewall G0192.168.1.254ax 24 firewall G1192.168.254ax 24 firewall G2192.168.3.254ax 24 experimental ideas and steps: 1. Configure IP addresses according to address plan

1. The process of configuring IP addresses of routers and terminal devices according to address planning is relatively simple, so I won't elaborate on it here.

two。 Configure the interface of the ASA firewall:

Ciscoasa (config) # int G0

Ciscoasa (config-if) # nameif inside name the logical interface

INFO: Security level for "inside" set to 100by default. The security level for the inside zone is 100 by default

Ciscoasa (config-if) # ip address 192.168.1.254 255.255.255.0

Ciscoasa (config-if) # no shutdown

Ciscoasa (config-if) # security-level 100

Ciscoasa (config-if) # int G1

Ciscoasa (config-if) # nameif outside name the logical interface

INFO: Security level for "outside" set to 0 by default. The security level for the outside zone defaults to 0

Ciscoasa (config-if) # ip address 192.168.254 255.255.255.0

Ciscoasa (config-if) # no shutdown

Ciscoasa (config-if) # security-level 0

Ciscoasa (config-if) # int G2

Ciscoasa (config-if) # nameif DMZ name the logical interface

INFO: Security level for "DMZ" set to 0 by default.

Ciscoasa (config-if) # ip address 192.168.3.254 255.255.255.0

Ciscoasa (config-if) # no shutdown

Ciscoasa (config-if) # security-level 50 change the security level of the DMZ zone to 50

Second, configure default route

1. Configure the default route for the router

[R1] ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

two。 Configure static routes for firewalls

Ciscoasa (config) # route inside 10.1.1.0 255.255.255.0 192.168.1.1

Ciscoasa (config) # route inside 10.2.2.0 255.255.255.0 192.168.1.1

Verify:

View the router routing table through display Ip routing-table:

View the firewall routing table through show route:

3. Configure task content * * 1. DMZ publishes Web server, and Client2 can access Server3**

First, start the HTTP service in server3

Then configure ACL on the firewall

Analysis: because client2 is located in the outside zone and the security level is lower than that in the DMZ zone where server3 is located, when client2 initiates a request, the firewall is not allowed to pass by default, so we need to make ACL to allow Client2 to access Server3.

The command is as follows:

Ciscoasa (config) # access-list out-to-DMZ permit tcp host 192.168.8.1 host 192.168.3.100 eq www allows access from 192.168.8.1 to 192.168.3.100 through port tcp80

Ciscoasa (config) # access-group out-to-DMZ in interface outside applies ACL in outside port

Verify:

At this point, client2 can access server3.

* * 2. Configure ACL to prevent Client3 from accessing Server2**

First configure the HTTP service and FTP service of server2

Secondly, configure the firewall ASA

Analysis: because Client3 is located on the interface side of DMZ, and the security level is higher than that of server2, the firewall ASA allows access to SERVER2 by default, so in order to complete Task 2, we need to configure ACL to deny traffic from Client3 to Server2.

The command is as follows:

Ciscoasa (config) # access-list DMZ-to-out deny ip host 192.168.3.1 host 192.168.8.100 denies all IP traffic from 192.168.3.1 to 192.168.100.

Ciscoasa (config) # access-group DMZ-to-out in interface DMZ applies ACL in DMZ interface

Verify the invocation:

Verify:

At this point, client3 can no longer access server2.

Result verification

The router looks at the routing table through display ip routing-table:

Firewall ASA looks at the conn table through show conn detail:

Summary:

The default rules followed when accessing interfaces with different security levels

1 allow outbound (outbound) connections

2 No inbound (inbound) connection

3 prohibit communication between interfaces with the same security level (the security level on both sides is 50, etc.)

High security level-> low security level (accessible)

Low security level-> high security level (inaccessible)

For example, in the security (firewall mechanism) on the first floor of the company, people inside the company can get in and out through employee identification cards, but strangers will be blocked.

If you want a low-security zone to access a high-security zone, you must configure ACL to allow traffic to pass through.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.