2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
USG Firewall Zone configuration
Learning purpose
Master the configuration method of firewall security zone
Master the parameter configuration of the security zone
Master the method of packet filtering between regions
Topology diagram
Scenario
You are the network administrator of the company. The headquarters network is divided into three areas: the internal area (Trust), the external area (Untrust) and the server area (DMZ). Traffic between them is to be controlled by the firewall. On the switch, interfaces G0/0/1 and G0/0/21 are assigned to vlan 11, G0/0/2 and G0/0/22 to vlan 12, and G0/0/3 and G0/0/23 to vlan 13. One network segment is planned for each.
Now meet the requirements:
Users in the "Trust" area can access users in "Untrust"
Users in the "Trust" and "Untrust" areas can access users in the "DMZ" area
Users in the "Untrust" area cannot directly access users in the "Trust" zone
Users in the "DMZ" area cannot directly access users in the "Trust" and "Untrust" zones.
Learning task
Step one. Basic configuration and IP addressing
First configure the three routers with address information.
[Huawei] sysname R1
[R1] interface g0/0/1
[R1-GigabitEthernet0/0/1] ip add 10.0.10.1 24
[R1-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/1
[R1-GigabitEthernet0/0/1] interface loopback0
[R1-LoopBack0] ip add 10.0.1.1 24
[R1-LoopBack0] q
[Huawei] sysname R2
[R2] interface g0/0/1
[R2-GigabitEthernet0/0/1] ip add 10.0.20.2 24
[R2-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/2
[R2-GigabitEthernet0/0/1] interface loopback0
[R2-LoopBack0] ip add 10.0.2.2 24
[R2-LoopBack0] q
[Huawei] sysname R3
[R3] interface g0/0/1
[R3-GigabitEthernet0/0/1] ip add 10.0.30.3 24
[R3-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/3
[R3-GigabitEthernet0/0/1] interface loopback0
[R3-LoopBack0] ip add 10.0.3.3 24
[R3-LoopBack0] q
Configure the firewall addresses. G0/0/1 gets IP address 10.0.20.254/24 and acts as the gateway for the inside (Trust) area.
[SRG] sysname FW
08:34:20 2014-07-05
[FW] interface g0/0/1
08:35:50 2014-07-05
[FW-GigabitEthernet0/0/1] ip add 10.0.20.254 24
08:36:01 2014-07-05
[FW-GigabitEthernet0/0/1] description this port connect to S1-G0/0/22
08:38:06 2014-07-05
[FW-GigabitEthernet0/0/1] interface g0/0/0
08:39:08 2014-07-05
[FW-GigabitEthernet0/0/0] ip add 10.0.10.254 24
08:39:27 2014-07-05
Info: The DHCP server configuration on this interface will be deleted.
[FW-GigabitEthernet0/0/0] desc this port connect to S1-G0/0/21
08:40:02 2014-07-05
[FW-GigabitEthernet0/0/0] interface g0/0/2
08:40:15 2014-07-05
[FW-GigabitEthernet0/0/2] ip add 10.0.30.254 24
08:40:30 2014-07-05
[FW-GigabitEthernet0/0/2] desc this port connect to S1-G0/0/23
08:41:05 2014-07-05
[FW-GigabitEthernet0/0/2] q
08:41:07 2014-07-05
The VLANs need to be defined on the switch as required.
[Huawei] sysname S1
[S1] vlan batch 11 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 11
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 12
[S1-GigabitEthernet0/0/2] interface g0/0/3
[S1-GigabitEthernet0/0/3] port link-type access
[S1-GigabitEthernet0/0/3] port default vlan 13
[S1-GigabitEthernet0/0/3] interface g0/0/21
[S1-GigabitEthernet0/0/21] port link-type access
[S1-GigabitEthernet0/0/21] port default vlan 11
[S1-GigabitEthernet0/0/21] interface g0/0/22
[S1-GigabitEthernet0/0/22] port link-type access
[S1-GigabitEthernet0/0/22] port default vlan 12
[S1-GigabitEthernet0/0/22] interface g0/0/23
[S1-GigabitEthernet0/0/23] port link-type access
[S1-GigabitEthernet0/0/23] port default vlan 13
Step two. Configure the interface to the security zone
There are four zones on the firewall by default, namely "local", "trust", "untrust" and "dmz".
In this experiment we use "trust", "untrust" and "dmz": G0/0/0 is added to the untrust zone, G0/0/2 to the dmz zone, and G0/0/1 to the trust zone. As "dis this" shows, G0/0/0 already belongs to the trust zone by default, so it is removed from trust first.
[FW] firewall zone trust
09:09:15 2014-07-05
[FW-zone-trust] dis this
09:09:19 2014-07-05
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
return
[FW-zone-trust] undo add interface g0/0/0
09:09:35 2014-07-05
[FW-zone-trust] add interface g0/0/1
09:10:01 2014-07-05
[FW] firewall zone untrust
09:11:24 2014-07-05
[FW-zone-untrust] add interface g0/0/0
09:11:36 2014-07-05
[FW-zone-untrust] q
[FW] firewall zone dmz
09:12:07 2014-07-05
[FW-zone-dmz] add interface g0/0/2
09:12:16 2014-07-05
[FW-zone-dmz] q
By default, the firewall does not allow communication between zones (only the local zone is exempt). To verify that the interface configuration is correct, first set the default interzone packet filter to permit communication between all zones, then test connectivity from the FW to the router in each zone.
[FW] firewall packet-filter default permit all
09:17:33 2014-07-05
Warning: Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue? [Y/N] y
[FW] ping -c 1 10.0.10.1
09:18:04 2014-07-05
PING 10.0.10.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=180 ms
--- 10.0.10.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 180/180/180 ms
[FW] ping -c 1 10.0.20.2
09:18:11 2014-07-05
PING 10.0.20.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=120 ms
--- 10.0.20.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 120/120/120 ms
[FW] ping -c 1 10.0.30.3
09:18:16 2014-07-05
PING 10.0.30.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=110 ms
--- 10.0.30.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 110/110/110 ms
Configure default routes on R1, R2 and R3, and explicit static routes on the FW, so that the three network segments behind the loopback0 interfaces can reach each other.
[R1] ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
[R2] ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
[R3] ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
[FW] ip route-static 10.0.1.0 24 10.0.10.1
09:24:57 2014-07-05
[FW] ip route-static 10.0.2.0 24 10.0.20.2
09:25:14 2014-07-05
[FW] ip route-static 10.0.3.0 24 10.0.30.3
09:25:29 2014-07-05
[FW]
After the configuration is complete, test communication between the loopback0 network segments of the routers.
[R1] ping -a 10.0.1.1 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=110 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=50 ms
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/82/110 ms
[R1] ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=90 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=60 ms
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/62/90 ms
Step four. Configure zone security policy
To configure the policy between zones, first set the firewall's default interzone filter to deny all traffic, then permit only the Trust zone to initiate access to the other zones, with no access between the other zones.
[FW] firewall packet-filter default deny all
[FW] firewall packet-filter default permit interzone trust untrust direction outbound
09:41:35 2014-07-05
Warning: Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue? [Y/N] y
[FW] firewall packet-filter default permit interzone trust dmz direction outbound
Warning: Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue? [Y/N] y
[FW] firewall session link-state check
09:43:20 2014-07-05
After the configuration is complete, test connectivity between the zones.
Untrust area to Trust area
ping -a 10.0.1.1 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Untrust area to DMZ area
ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Trust area to Untrust area
ping -a 10.0.2.2 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=100 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=70 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=80 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=90 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/88/100 ms
Trust area to DMZ area
ping -a 10.0.2.2 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=110 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=60 ms
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/66/110 ms
DMZ area to Untrust area
ping -a 10.0.3.3 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
DMZ area to Trust area
ping -a 10.0.3.3 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Step five. Permit Untrust zone access to a specific server in the DMZ zone
There is a server in the DMZ area with IP address 10.0.3.3. Its Telnet service needs to be opened to the Untrust area, and ICMP ping needs to be permitted so the network can be tested. The policy is applied on the dmz-untrust interzone in the inbound direction (from the lower-priority untrust zone towards the higher-priority dmz zone), with an explicit deny as the last rule.
[FW] policy interzone dmz untrust inbound
09:54:29 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound] policy 1
09:54:39 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-1] policy service service-set icmp
09:54:58 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-1] policy destination 10.0.3.3 0
09:55:19 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-1] action permit
09:55:29 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-1] q
09:55:30 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound] policy 2
09:55:38 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-2] policy service service-set telnet
09:55:55 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-2] policy destination 10.0.3.3 0
09:56:05 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-2] action permit
09:56:25 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-2] q
09:56:27 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound] policy 3
09:56:30 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-3] action deny
09:56:37 2014-07-05
[FW-policy-interzone-dmz-untrust-inbound-3]
To enable the telnet test, turn on the telnet function on R3 (the 10.0.3.3 "server" in this lab is R3's loopback0).
[R3] user-interface vty 0 4
[R3-ui-vty0-4] authentication-mode password
Please configure the login password (maximum length 16): 16
[R3-ui-vty0-4] set authentication password cipher huawei
[R3-ui-vty0-4] user privilege level 3
[R3-ui-vty0-4]
Test network connectivity from the Untrust area. Only the two released flows (ICMP and Telnet to 10.0.3.3) succeed; a ping to R3's interface address 10.0.30.3 is dropped by the final deny rule because it does not match the permitted destination.
ping -c 1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=60 ms
--- 10.0.3.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/60/60 ms
ping -c 1 -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=70 ms
--- 10.0.3.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/70/70 ms
ping 10.0.30.3
PING 10.0.30.3: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.30.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
telnet 10.0.3.3
Press CTRL_] to quit telnet mode
Trying 10.0.3.3...
Connected to 10.0.3.3...
Login authentication
Password:
As the test results show, only the specifically released data flows pass between zones; all other flows are filtered out.
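The following Python model is added here and is not part of the original lab; it reproduces how the USG decides each flow tested above from the zone priorities, the step-four default interzone filters and the step-five policies. It assumes the USG default zone priorities (local 100, trust 85, dmz 50, untrust 5; trust's 85 is confirmed by "dis this" above) and models only the initiating direction, since return packets are matched by the session table rather than by policy.

```python
# Added example (not the article's own code): a model of USG interzone
# filtering as configured in this lab. Assumed default zone priorities:
# local 100, trust 85, dmz 50, untrust 5. "outbound" is high- to
# low-priority zone, "inbound" the reverse; return traffic is not modelled.
from ipaddress import ip_address, ip_network

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

def direction(src_zone, dst_zone):
    """Flow direction as the USG names it for the (src, dst) zone pair."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"

# Step four: 'packet-filter default deny all', then permit trust->untrust
# and trust->dmz outbound. Key: (higher-priority zone, lower-priority zone, direction).
DEFAULT_FILTER = {
    ("trust", "untrust", "outbound"): "permit",
    ("trust", "dmz", "outbound"): "permit",
}

# Step five: policies on 'policy interzone dmz untrust inbound', first match wins.
# Each rule is (service or None for any, destination network or None for any, action).
POLICIES = {
    ("dmz", "untrust", "inbound"): [
        ("icmp", ip_network("10.0.3.3/32"), "permit"),    # policy 1
        ("telnet", ip_network("10.0.3.3/32"), "permit"),  # policy 2
        (None, None, "deny"),                              # policy 3
    ],
}

def decide(src_zone, dst_zone, dst_ip, service):
    """Return 'permit' or 'deny' for a flow initiated from src_zone to dst_zone."""
    if src_zone == dst_zone:
        return "permit"  # intrazone traffic is not filtered in this lab
    hi, lo = sorted((src_zone, dst_zone), key=ZONE_PRIORITY.get, reverse=True)
    key = (hi, lo, direction(src_zone, dst_zone))
    for svc, net, action in POLICIES.get(key, []):  # explicit policies first
        if (svc is None or svc == service) and (net is None or ip_address(dst_ip) in net):
            return action
    return DEFAULT_FILTER.get(key, "deny")  # fall back to the interzone default

if __name__ == "__main__":
    tests = [("untrust", "trust", "10.0.2.2", "icmp"), ("trust", "untrust", "10.0.1.1", "icmp"),
             ("untrust", "dmz", "10.0.3.3", "telnet"), ("untrust", "dmz", "10.0.30.3", "icmp"),
             ("dmz", "untrust", "10.0.1.1", "icmp")]
    for s, t, ip, svc in tests:
        print(f"{s:>7} -> {t:<7} {ip:<10} {svc:<6} {decide(s, t, ip, svc)}")
```

Each line the script prints corresponds to one of the ping or telnet tests in the article, so a changed default filter or policy order can be checked against the expected result before touching the device.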
Attachment: http://down.51cto.com/data/2364617