Huawei HCNP Lab: Firewall Security Zone and Security Policy Configuration (USG6000)


Firewall Security Zone and Security Policy Configuration

I. Learning objectives

  • Master how to configure firewall security zones
  • Master how to configure security policies

II. Topology

(Topology diagram not reproduced in the text. As the configuration below shows: R1 connects to FW1 GigabitEthernet1/0/0 on 10.0.10.0/24, R2 to GigabitEthernet1/0/1 on 10.0.20.0/24 and R3 to GigabitEthernet1/0/2 on 10.0.30.0/24, through VLANs 10, 20 and 30 on SW1; each router also has a LoopBack0 address in 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 respectively.)
III. Scenario

You are the company's network administrator. The headquarters network is divided into three areas: the internal area (trust), the external area (untrust) and the server area (DMZ). You plan to control traffic with a firewall so that the internal network stays secure, while servers in the DMZ provide services to the outside network.

IV. Learning tasks

Step 1: Log in to the firewall

An initial password is required for the first login via the console.
Set a password and keep it safe. Otherwise you will not be able to login via the console.
 
Please configure the login password (8-16)
Enter Password:admin@123
 
Confirm Password:admin@123
 
Warning: The authentication mode was changed to password authentication and the user level was changed to 15 on con0 at the first user login.
Warning: There is a risk on the user-interface which you login through. Please change the configuration of the user-interface as soon as possible.
 
*************************************************************************
* Copyright (C) 2014-2015 Huawei Technologies Co., Ltd. *
* All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************
 
 
<USG6000V1>

Step 2: Basic configuration and IP addressing according to the topology

Assign addresses to the routers and the firewall, configure static routes, and configure VLANs on the switch.

 
Configure R1:
sys
sysname R1
interface GigabitEthernet 0/0/1
ip add 10.0.10.1 24
int lo0
ip add 10.0.1.1 24
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
 
Configure R2:

sys
sysname R2
interface g0/0/1
ip address 10.0.20.1 24
int LoopBack0
ip add 10.0.2.2 24
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
 
 
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.20.1 24
[R2-GigabitEthernet0/0/1]int LoopBack0
[R2-LoopBack0]ip add 10.0.2.2 24
[R2-LoopBack0]ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
[R2]dis ip int br
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 2
 
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 unassigned down down
GigabitEthernet0/0/1 10.0.20.1/24 up up
GigabitEthernet0/0/2 unassigned down down
LoopBack0 10.0.2.2/24 up up(s)
NULL0 unassigned up up(s)
[R2]dis ip rou
[R2]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
 
Destination/Mask Proto Pre Cost Flags NextHop Interface
 
0.0.0.0/0 Static 60 0 RD 10.0.20.254 GigabitEthernet0/0/1
10.0.2.0/24 Direct 0 0 D 10.0.2.2 LoopBack0
10.0.2.2/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.2.255/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.20.0/24 Direct 0 0 D 10.0.20.1 GigabitEthernet0/0/1
10.0.20.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.0.20.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
 
Configure R3:
<R3>sys
Enter system view, return user view with Ctrl+Z.
[R3]sysname R3
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 10.0.30.1 24
[R3-GigabitEthernet0/0/1]
Mar 14 2018 23:27:26-08:00 R3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[R3-GigabitEthernet0/0/1]int LoopBack0
[R3-LoopBack0]ip add 10.0.3.3 24
[R3-LoopBack0]quit
[R3]ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
 
By default the firewall has an IP address enabled on GigabitEthernet0/0/0; remove it to avoid interference.
Configure explicit static routes on the FW so that the three LoopBack0 subnets can reach each other.

FW1 IP address and route configuration:
 
sys
sysname FW1
int g0/0/0
undo ip address
quit
int g1/0/0
ip add 10.0.10.254 24
int g1/0/1
ip add 10.0.20.254 24
int g1/0/2
ip add 10.0.30.254 24
ip route-static 10.0.1.0 24 10.0.10.1
ip route-static 10.0.2.0 24 10.0.20.1
ip route-static 10.0.3.0 24 10.0.30.1
 
Define the required VLANs on the switch.

Switch configuration:
sys
sysname SW1
 
vlan batch 10 20 30
int g0/0/1
port link-type access
port default vlan 10
int g0/0/21
port link-type access
port default vlan 10
 
int g0/0/2
port link-type access
port default vlan 20
int g0/0/22
port link-type access
port default vlan 20
 
int g0/0/3
port link-type access
port default vlan 30
 
int g0/0/23
port link-type access
port default vlan 30
 

Step 3: Configure firewall zones

The firewall has four zones by default: local, trust, untrust and dmz.
This lab uses the trust, untrust and dmz zones; add the corresponding interface to each security zone. Because the default configuration places g0/0/0 in the trust zone, remove it from that zone to avoid interference.

FW1 configuration script:
 
sys
firewall zone dmz
add interface g1/0/2
quit
 
firewall zone trust
add interface g1/0/1
undo add interface g0/0/0
quit
 
firewall zone untrust
add interface g1/0/0
quit
Check which zone each interface belongs to:
 
[FW1]dis zone interface
local
interface of the zone is (0):
 
trust
interface of the zone is (1):
GigabitEthernet1/0/1
#
untrust
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
interface of the zone is (1):
GigabitEthernet1/0/2
#
 

The three interfaces are now assigned to their zones. By default, traffic between different zones is not allowed, so at this point traffic between the routers cannot pass through the firewall; inter-zone security policies must be configured to permit the traffic that should be allowed.

Step 4: Configure security policies

On the USG6000, by default only port 0 (GigabitEthernet0/0/0) permits all services. To enable a service on another interface, enter the corresponding command under that interface.

3.1 Permit ping from the local zone to the trust zone

Test connectivity from the local zone to the trust zone before configuring:
[FW1-policy-security]ping 10.0.20.1
PING 10.0.20.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
 
--- 10.0.20.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
 
Security policy script:
sys
security-policy
rule name lo_to_tr
source-zone local
destination-zone trust
source-address 10.0.20.0 mask 255.255.255.0
action permit
quit
 
Check and verify:
[FW1-policy-security]dis this
#
security-policy
rule name lo_to_tr
source-zone local
destination-zone trust
source-address 10.0.20.0 24
action permit
#
return
[FW1-policy-security]
[FW1-policy-security]
[FW1-policy-security]ping 10.0.20.1
PING 10.0.20.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.20.1: bytes=56 Sequence=1 ttl=255 time=27 ms
Reply from 10.0.20.1: bytes=56 Sequence=2 ttl=255 time=43 ms
Mar 15 2018 12:21:21 FW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 49, the change loop count is 0, and the maximum number of records is 4095.
Reply from 10.0.20.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.0.20.1: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 10.0.20.1: bytes=56 Sequence=5 ttl=255 time=43 ms
 
--- 10.0.20.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 27/38/43 ms
 
3.2 Allow the trust zone to ping the firewall itself
Ping the firewall from the trust zone before configuring:
[R2]ping 10.0.20.254
PING 10.0.20.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
 
--- 10.0.20.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The traffic does not pass.

How can it be made to work? As follows (this is a per-interface service-manage setting, not a security-policy rule):

 
interface g1/0/1
service-manage ping permit
 
Test, now successful:
[R2]ping 10.0.20.254
PING 10.0.20.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.20.254: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 10.0.20.254: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 10.0.20.254: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.0.20.254: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.0.20.254: bytes=56 Sequence=5 ttl=255 time=50 ms
 
--- 10.0.20.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/38/50 ms
 
3.3 Permit packets from the trust-zone subnets 10.0.2.0/24 and 10.0.20.0/24 to the untrust zone

Configuration script:
sys
security-policy
rule name tr_to_un
source-zone trust
destination-zone untrust
source-address 10.0.2.0 24
source-address 10.0.20.0 24
action permit
 
Verification result:
[FW1]dis security-policy rule tr_to_un
(1 times matched)
rule name tr_to_un
source-zone trust
destination-zone untrust
source-address 10.0.2.0 24
source-address 10.0.20.0 24
action permit
[R2]ping -a 10.0.2.2 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=90 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=70 ms
 
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/78/90 ms
 
3.4 Permit telnet and FTP requests from the untrust zone to the DMZ target server 10.0.3.3 (the script also permits ICMP so that the ping test below succeeds)

Configuration script:
 
sys
security-policy
rule name un_to_dmz
source-zone untrust
destination-zone dmz
destination-address 10.0.3.3 32
service telnet
service ftp
service icmp
action permit
 
Verification:
 
<R1>ping 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=100 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=70 ms
 
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/78/100 ms
 
<R1>tel
<R1>telnet 10.0.3.3
Press CTRL_] to quit telnet mode
Trying 10.0.3.3 ...
Connected to 10.0.3.3 ...
 
Login authentication
 
 
Username:zhi
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 10.0.10.1
Time : 2018-03-15 21:08:28-08:00
-----------------------------------------------------------------------------
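As an added example (not part of the original lab and not Huawei code), the Python below models the decision logic that steps 3 and 4 exercise on FW1: an address is mapped to a zone by the route it is reached through, traffic addressed to the firewall itself is gated by the service-manage setting of the interface that owns the address, and everything else is matched against the inter-zone rules in order with an implicit default deny. The route table, rule list and service-manage entry are transcribed from the configuration above; sessions, NAT and intra-zone traffic are assumed out of scope and are not modelled.

```python
import ipaddress

# Simplified model of how FW1 in this lab decides whether a first packet is forwarded:
# zone lookup by longest-prefix route, first-match rule evaluation, implicit default deny.
# Tables transcribed from the lab; sessions, NAT and intra-zone traffic are not modelled (assumption).
ROUTES = {  # prefix -> zone of the FW1 interface the prefix is reached through
    "10.0.10.0/24": "untrust", "10.0.1.0/24": "untrust",  # g1/0/0, R1 LoopBack0
    "10.0.20.0/24": "trust",   "10.0.2.0/24": "trust",    # g1/0/1, R2 LoopBack0
    "10.0.30.0/24": "dmz",     "10.0.3.0/24": "dmz",      # g1/0/2, R3 LoopBack0
}
LOCAL_ADDRS = {"10.0.10.254": "g1/0/0", "10.0.20.254": "g1/0/1", "10.0.30.254": "g1/0/2"}  # FW1's own
SERVICE_MANAGE = {"g1/0/1": {"ping"}}  # 'service-manage ping permit' under interface g1/0/1

# (name, src_zone, dst_zone, src_prefixes, dst_prefixes, services); an empty list means "any"
RULES = [
    ("lo_to_tr",  "local",   "trust",   ["10.0.20.0/24"], [], []),
    ("tr_to_un",  "trust",   "untrust", ["10.0.2.0/24", "10.0.20.0/24"], [], []),
    ("un_to_dmz", "untrust", "dmz",     [], ["10.0.3.3/32"], ["telnet", "ftp", "icmp"]),
]

def zone_of(ip):
    """Security zone of an address: 'local' for FW1's own addresses, else by longest-prefix route."""
    if ip in LOCAL_ADDRS:
        return "local"
    addr = ipaddress.ip_address(ip)
    hits = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(hits, key=lambda n: n.prefixlen))] if hits else None

def _matches(ip, prefixes):
    """True when the address falls inside one of the prefixes, or the list means 'any'."""
    return not prefixes or any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def evaluate(src, dst, service):
    """Return (action, reason) for a first packet src -> dst carrying `service`."""
    if dst in LOCAL_ADDRS:
        # Traffic to the firewall itself is gated by service-manage on the interface that
        # owns the address, as step 3.2 shows; ICMP corresponds to 'ping' in service-manage.
        ifname = LOCAL_ADDRS[dst]
        svc = "ping" if service == "icmp" else service
        if svc in SERVICE_MANAGE.get(ifname, set()):
            return "permit", f"service-manage {svc} permit on {ifname}"
        return "deny", f"service-manage {svc} not permitted on {ifname}"
    sz, dz = zone_of(src), zone_of(dst)
    for name, rsz, rdz, sp, dp, svcs in RULES:  # first matching rule wins
        if (sz, dz) == (rsz, rdz) and _matches(src, sp) and _matches(dst, dp) \
                and (not svcs or service in svcs):
            return "permit", name
    return "deny", f"default deny ({sz} -> {dz})"
```

Running `evaluate` on the flows tested in the lab reproduces its results, and it also shows what the lab does not test: untrust to trust, and services to 10.0.3.3 other than telnet, FTP and ICMP, fall through to the default deny.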
 

