View full version: [Repost] Juniper SSG-5-SH Beginner Configuration Manual 2

chun 2013-7-9 15:56

[Repost] Juniper SSG-5-SH Beginner Configuration Manual 2

http://www.zdh1909.com/html/Cisco/17028_2.html

...the file. Then just wait for the SSG5 to finish updating!

Get Started with SSG5 in 30 Days - Day 5: SSG5 Security Zones
Security Zones - security zone settings
With Security Zones you can divide your SSG5 into multiple security zones. The SSG5 comes with the following zones predefined:
Null
Trust
Untrust
Self
Global
HA
MGT
Untrust-Tun
V1-Null
V1-Trust
V1-Untrust
DMZ
V1-DMZ
VLAN
It is recommended that you use at least two Security Zones to segment your network. By default, ethernet0/0 is placed in Untrust, ethernet0/1 in DMZ, and the remaining interfaces in Trust. If you have only one external line, it is recommended that you connect it to ethernet0/0 (Untrust) and place the internal network in Trust, then configure the SSG5's Policy to protect the internal network.

Get Started with SSG5 in 30 Days - Day 6: SSG5 Interface
An Interface is the point where packets actually enter and leave the SSG5; packets enter and leave a security zone through an Interface. For packets to enter and leave a security zone, you must bind an interface to that security zone, and if you want two security zones to exchange packets, you must configure policies (much like iptables).
You can bind multiple Interfaces to the same security zone, but an Interface can be bound to only one security zone; in other words, the relationship between Interface and security zone is many-to-one.
Interface Types
Physical Interfaces
These are the physical network ports on your SSG5, matching the numbering on the chassis: eth0/0 ~ eth0/6, seven ports in total.
Bridge Group Interfaces
Subinterfaces
Aggregate Interfaces
Redundant Interfaces
Virtual Security Interfaces

Get Started with SSG5 in 30 Days - Day 7: SSG5 Interface Modes
An SSG5 Interface can operate in the following modes:
Transparent Mode
NAT (Network Address Translation) Mode
Route Mode
When an Interface is bound at Layer 3 and has an IP address configured, it can operate in NAT or Route mode.
When an Interface is bound to a Layer 2 zone, it must operate in Transparent mode.
Transparent Mode: In this mode the Interface's IP address is set to 0.0.0.0, and the SSG5 does not modify the source or destination information in packets. The SSG5 then behaves like a Layer 2 switch or bridge.
NAT Mode: Here the SSG5 behaves like a Layer 3 switch or router and translates packets: it replaces the source IP and port of packets flowing to the Untrust zone.
Route Mode: When the SSG5's Interface is in this mode, the firewall does not perform source NAT on packets between two different zones.

Get Started with SSG5 in 30 Days - Day 8: SSG5 Policies
You can think of Policies as iptables.
By default, the SSG5 denies packets that cross security zones (interzone traffic), while packets between interfaces bound to the same zone (intrazone traffic) are allowed by default.
If you need to change this default behaviour, you must do so through Policies.
Policies are made up of the following basic elements:
Direction: the flow of the packet from the source zone to the destination zone
Source Address: the address the packet originates from
Destination Address: the address the packet is sent to
Service: the packet's service type, such as DNS, HTTP, etc.
Action: the action to take when a received packet matches this Policy.

For example: suppose you want to configure that any address can go from the Trust zone to the Untrust zone's
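As an added illustration (not part of the reposted manual), here is a small Python model of the zone and policy behaviour described in Day 6 and Day 8: interfaces bind many-to-one to zones, a packet's direction is the source-zone to destination-zone pair, policies match on source address, destination address and service and are evaluated in order, and unmatched traffic falls back to the defaults stated above (intrazone allowed, interzone denied). The config lines and addresses are constructed, in a simplified ScreenOS-like syntax assumed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed config in a simplified ScreenOS-like syntax (assumed for this example).
CONFIG = """
set interface ethernet0/0 zone Untrust
set interface ethernet0/1 zone DMZ
set interface ethernet0/2 zone Trust
set interface ethernet0/3 zone Trust
set policy from Trust to Untrust 10.1.1.0/24 any HTTP permit
set policy from Trust to Untrust any any any deny
set policy from Untrust to DMZ any 172.16.1.10/32 HTTP permit
"""

def ip_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def cidr_match(pattern, ip):  # pattern is 'any' or a CIDR prefix
    if pattern.lower() == "any":
        return True
    net, plen = pattern.split("/")
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return ip_int(ip) & mask == ip_int(net) & mask

@dataclass
class Firewall:
    iface_zone: dict = field(default_factory=dict)  # interface -> zone (many-to-one)
    policies: list = field(default_factory=list)    # ordered; first match wins

    def load(self, text):
        for line in text.strip().splitlines():
            if m := re.match(r"set interface (\S+) zone (\S+)$", line):
                iface, zone = m.groups()
                if iface in self.iface_zone:  # an interface binds to exactly one zone
                    raise ValueError(f"{iface} is already bound to {self.iface_zone[iface]}")
                self.iface_zone[iface] = zone
            elif m := re.match(r"set policy from (\S+) to (\S+) (\S+) (\S+) (\S+) (permit|deny)$", line):
                self.policies.append(m.groups())

    def lookup(self, in_if, out_if, src, dst, service):
        # Direction (source zone -> destination zone) comes from the ingress/egress interfaces.
        src_zone, dst_zone = self.iface_zone[in_if], self.iface_zone[out_if]
        for frm, to, s, d, svc, action in self.policies:
            if (frm, to) == (src_zone, dst_zone) and cidr_match(s, src) and cidr_match(d, dst) \
                    and svc.lower() in ("any", service.lower()):
                return action
        return "permit" if src_zone == dst_zone else "deny"  # page's defaults

fw = Firewall(); fw.load(CONFIG)
```

Note that traffic from Untrust straight into Trust has no policy at all and is dropped by the interzone default, while two Trust-bound ports exchange packets without any policy, which is exactly why the manual recommends at least two zones.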