juniper srx相關附件

時間 2021-08-14

標籤安全服務器 app ssh ide spa 代理 server 接口欄目系統安全简体版

原文原文鏈接

1. 安全域（zone）和接口

1.1 接口配置

因爲在內網啓用了3個vlan，並且每一個vlan的網關都在防火牆上，因此在內網接口啓用了tagging ，ge-0/0/1爲內網接口，劃分出3個子接口，子接口1對應vlan10(192.68.100.0/24網段)，子接口2對應vlan2（192.168.1.0/24網段），子接口3對應vlan3（172.16.1.0/24網段）。 Ge-0/0/0爲外網接口，無須啓用tagging。

set interfaces ge-0/0/1 vlan-tagging

set interfaces ge-0/0/1 unit 1 vlan-id 10

set interfaces ge-0/0/1 unit 1 family inet address 192.168.100.1/24

set interfaces ge-0/0/1 unit 2 vlan-id 2

set interfaces ge-0/0/1 unit 2 family inet address 192.168.1.1/24

set interfaces ge-0/0/1 unit 3 vlan-id 3

set interfaces ge-0/0/1 unit 3 family inet address 172.16.1.1/24

set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24

set interfaces ge-0/0/3 vlan-tagging

set interfaces ge-0/0/3 unit 1 vlan-id 4

set interfaces ge-0/0/3 unit 1 family inet address 192.168.4.1/24

set interfaces ge-0/0/3 unit 2 vlan-id 5

set interfaces ge-0/0/3 unit 2 family inet address 192.168.5.1/24

set interfaces ge-0/0/0 unit 0 family inet address 113.106.95.115/28

1.2 建立安全zone

根據須要，內網劃分了3個zone，trust爲內部員工所在zone（192.168.100.0/24），server爲服務器所在zone（192.168.1.0/24），guest爲外來人員所在zone（172.16.1.0/24）。

set security zones security-zone trust host-inbound-traffic system-services all

set security zones security-zone trust host-inbound-traffic protocols all

set security zones security-zone untrust screen untrust-screen

set security zones security-zone server host-inbound-traffic system-services all

set security zones security-zone server host-inbound-traffic protocols all

set security zones security-zone guest host-inbound-traffic system-services all

set security zones security-zone guest host-inbound-traffic protocols all

1.3 將相應接口劃入到對應的zone 裏，並 配置接口的管理方式

set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services dhcp

set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services http

set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet

set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services dhcp

set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services ping

set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services telnet

set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services http

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet

set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services dhcp

set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services ping

set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services telnet

set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services http

set security zones security-zone guest interfaces ge-0/0/1.3 host-inbound-traffic system-services dhcp

2 安全策略設置

每個安全zone包含一個address book。在兩個zone之間創建policys以前必須定義zone’s的address book的地址。而後再在policys裏調用該address book。

2.1 設置地址池（address books）

set security zones security-zone server address-book address server250 192.168.1.250/32

set security zones security-zone server address-book address server249 192.168.1.249/32

set security zones security-zone server address-book address server248 192.168.1.248/32

2.2 設置應用服務（application）

這次實施中，無須新建應用，調用系統默認的SSH應用便可（junos-ssh）

2.3 安全策略（security policy）

目前定義的規則以下：

內網用戶區域（ Trust）、服務器區域（server）、外來人員區域（guest）訪問外網區域（untrust）是容許訪問的；

內網用戶區域（ Trust）和服務器區域（server）之間互相訪問是容許的；

外網區域（ untrust）訪問服務器區域（server）的3臺服務器（192.168.1.248 – 250）的 SSH應用是容許的。

此外，防火牆默認開啓了一條容許 Trust 到 Trust 訪問的策略。

而除此之外的策略防火牆默認是禁止的，也就是說其餘數據流將被阻止訪問。

容許內網用戶區域（ Trust）訪問外網區域（untrust）；

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

容許服務器區域（ server）訪問外網區域（untrust）；

set security policies from-zone server to-zone untrust policy server-to-untrust match source-address any

set security policies from-zone server to-zone untrust policy server-to-untrust match destination-address any

set security policies from-zone server to-zone untrust policy server-to-untrust match application any

set security policies from-zone server to-zone untrust policy server-to-untrust then permit

容許外來人員區域（ guest）訪問外網區域（untrust）；

set security policies from-zone guest to-zone untrust policy guest-to-untrust match source-address any

set security policies from-zone guest to-zone untrust policy guest-to-untrust match destination-address any

set security policies from-zone guest to-zone untrust policy guest-to-untrust match application any

set security policies from-zone guest to-zone untrust policy guest-to-untrust then permit

容許內網用戶區域（ Trust）和服務器區域（server）之間互相訪問

set security policies from-zone trust to-zone server policy trust-to-server match source-address any

set security policies from-zone trust to-zone server policy trust-to-server match destination-address any

set security policies from-zone trust to-zone server policy trust-to-server match application any

set security policies from-zone trust to-zone server policy trust-to-server then permit

set security policies from-zone server to-zone trust policy server-to-trust match source-address any

set security policies from-zone server to-zone trust policy server-to-trust match destination-address any

set security policies from-zone server to-zone trust policy server-to-trust match application any

set security policies from-zone server to-zone trust policy server-to-trust then permit

容許外網區域（ untrust）訪問服務器區域（server）的3臺服務器（192.168.1.248 – 250）的 SSH應用。

set security policies from-zone untrust to-zone server policy untrust-to-server match source-address any

set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server250

set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server249

set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server248

set security policies from-zone untrust to-zone server policy untrust-to-server match application junos-ssh

set security policies from-zone untrust to-zone server policy untrust-to-server then permit

3 NAT設置

3.1源NAT (Source NAT)

當內網服務器訪問外網時，須要將原地址作NAT，通常爲了節省公網地址考慮，這個NAT地址使用外網接口地址，所以也叫作Interface NAT

對於Trust zone（內部員工區域）咱們定義了源NAT的規則trust-to-untrust，使全部來自trust zone （192.168.100.0/24）到 untrust zone（外網區域）的數據包作源NAT，將其源地址映射爲公網接口地址。

set security nat source rule-set trust-to-untrust from zone trust

set security nat source rule-set trust-to-untrust to zone untrust

set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.100.0/24

set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

對於server zone（服務器區域）咱們定義了源NAT的規則server-to-untrust，使全部來自server zone（服務器區域）到 untrust zone（外網區域）的數據包作源NAT，將其源地址映射爲公網接口地址

set security nat source rule-set server-to-untrust from zone server

set security nat source rule-set server-to-untrust to zone untrust

set security nat source rule-set server-to-untrust rule server-source-nat-rule match source-address 192.168.1.0/24

set security nat source rule-set server-to-untrust rule server-source-nat-rule then source-nat interface

對於guest zone（外來人員區域）咱們定義了源NAT的規則guest-to-untrust，使全部來自guest zone（外來人員區域）到 untrust zone（外網區域）的數據包作源NAT，將其源地址映射爲公網接口地址

set security nat source rule-set guest-to-untrust from zone guest

set security nat source rule-set guest-to-untrust to zone untrust

set security nat source rule-set guest-to-untrust rule guest-source-nat-rule match source-address 172.16.1.0/24

set security nat source rule-set guest-to-untrust rule guest-source-nat-rule then source-nat interface

3.2目的NAT(Destination NAT)

這次項目中，須要在外網訪問內網服務器的SSH應用，因此就使用到了Destination NAT，也就是端口映射。咱們將113.106.95.114的 22端口映射到內網的192.168.1.250 的22端口；將113.106.95.114的 202端口映射到內網的192.168.1.249 的22端口；113.106.95.114的 221端口映射到內網的192.168.1.248 的22端口.

定義地址池（address book）

設置地址池，也就是映射後內網服務器的IP地址和端口，在此項目中，目前設置了3個，分別名爲：250、24九、248.

set security nat destination pool 250 address 192.168.1.250/32

set security nat destination pool 250 address port 22

set security nat destination pool 249 address 192.168.1.249/32

set security nat destination pool 249 address port 22

set security nat destination pool 248 address 192.168.1.248/32

set security nat destination pool 248 address port 22

定義規則（rule）

設置Destination NAT的規則，設置了3個NAT規則，分別名爲250、24九、248：

set security nat destination rule-set 1 from zone untrust

（定義來自哪一個區域）