Firewall security policy

This section introduces the definition and characteristics of a security policy.

As shown in Figure 1, a security policy is the policy by which the device controls traffic forwarding and performs integrated content-security inspection on the traffic.

Figure 1 Security policy on the FW (figure image not reproduced)

The device identifies the attributes of a flow and matches them against the conditions of the security policy. Only if every condition matches does the flow match the policy; the device then performs the action of that policy.

  • If the action is "permit", the flow is subjected to content-security inspection, and the verdict of that inspection decides whether the flow is finally forwarded.

  • If the action is "deny", the flow is blocked.

Integrated content-security inspection means that the device's intelligent awareness engine inspects and processes the content of a flow only once, yet delivers the whole set of content-security functions: antivirus, intrusion prevention, URL filtering, DNS filtering, file filtering, content filtering, application behavior control, mail filtering and APT defense. Together these functions protect the network.

Lab topology

Topology diagram (image not reproduced). Reconstructed from the configuration below: hosts in VLAN 10 (192.168.10.0/24, gateway and DHCP server S1 Vlanif10 192.168.10.254) connect to switch S1; S1 GE0/0/3 (VLAN 100, 192.168.20.1) connects to FW1 GE1/0/0 (192.168.20.2, zone trust); FW1 GE1/0/1 (192.168.30.1, zone untrust) connects to R1 GE0/0/0 (192.168.30.2); R1 has LoopBack0 1.1.1.1/32.

Lab steps

S1 Layer 3 switch configuration

S1 configuration

system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname S1
Nov 13 2023 17:03:04-08:00 S1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 4, the change loop count is 0, and the maximum number of records is 4095.

[S1]undo info-center enable 
Info: Information center is disabled.
	
[S1]vlan batch 10 100
Info: This operation may take a few seconds. Please wait for a moment...done.
	
[S1]interface Vlanif 10
[S1-Vlanif10]ip address 192.168.10.254 24
[S1-Vlanif10]quit 

[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access 	
[S1-GigabitEthernet0/0/1]port default vlan 10
[S1-GigabitEthernet0/0/1]quit 

[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type access 	
[S1-GigabitEthernet0/0/2]port default vlan 10
[S1-GigabitEthernet0/0/2]quit
	
[S1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.

[S1]interface Vlanif 10
[S1-Vlanif10]dhcp select interface 
[S1-Vlanif10]quit 
	
[S1]interface Vlanif 100	
[S1-Vlanif100]ip address 192.168.20.1 24	
[S1-Vlanif100]quit 
	
[S1]interface GigabitEthernet 0/0/3	
[S1-GigabitEthernet0/0/3]port link-type access 	
[S1-GigabitEthernet0/0/3]port default vlan 100
[S1-GigabitEthernet0/0/3]quit

[S1]ip route-static 0.0.0.0 0 192.168.20.2

Firewall configuration

FW1 firewall configuration

system-view 
Enter system view, return user view with Ctrl+Z.

[USG6000V1]interface GigabitEthernet 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.20.2 24
Nov 13 2023 09:22:31 USG6000V1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet1/0/0 has entered the UP state.
Nov 13 2023 09:22:31 USG6000V1 %%01RM/4/ROUTERID_CHANGE(l)[1]:The router ID is 192.168.2.2. (InstanceID=0)
[USG6000V1-GigabitEthernet1/0/0]quit 

[USG6000V1]undo info-center enable 
Info: Saving log files...
Info: Information center is disabled.

[USG6000V1]interface GigabitEthernet 1/0/1	
[USG6000V1-GigabitEthernet1/0/1]ip address 192.168.30.1 24	
[USG6000V1-GigabitEthernet1/0/1]quit 

[USG6000V1]firewall zone trust 	
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/0    add the interface to the trust zone
[USG6000V1-zone-trust]quit 

[USG6000V1]firewall zone untrust 
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/1    add the interface to the untrust zone
[USG6000V1-zone-untrust]quit 

[USG6000V1]ip route-static 192.168.10.0 24 192.168.20.1	
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 192.168.30.2
	
[USG6000V1]security-policy    enter the security-policy view
[USG6000V1-policy-security]rule name t_to_u    create a rule named t_to_u
[USG6000V1-policy-security-rule-t_to_u]source-zone trust    source: the trusted zone
[USG6000V1-policy-security-rule-t_to_u]destination-zone untrust    destination: the untrusted zone
[USG6000V1-policy-security-rule-t_to_u]source-address 192.168.10.0 mask 255.255.255.0    source address: the 192.168.10.0/24 segment
[USG6000V1-policy-security-rule-t_to_u]action permit    action: permit
[USG6000V1-policy-security-rule-t_to_u]quit 

R1 IP and VTY configuration

system-view 
Enter system view, return user view with Ctrl+Z.	
[Huawei]sysname R1
	
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.30.2 24
Nov 13 2023 17:35:32-08:00 R1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[R1-GigabitEthernet0/0/0]quit

[R1]interface LoopBack 0	
[R1-LoopBack0]ip address 1.1.1.1 32	
[R1-LoopBack0]quit 
 
[R1]undo info-center enable 
Info: Information center is disabled.

[R1]ip route-static 192.168.10.0 24 192.168.30.1
	
[R1]user-interface vty 0 4	
[R1-ui-vty0-4]authentication-mode password 
Please configure the login password (maximum length 16):huawei	
[R1-ui-vty0-4]quit

As the figure shows, a telnet from S1 to R1's LoopBack0 interface (1.1.1.1) fails: by default S1 sources the session from the address of its egress interface, Vlanif100 (192.168.20.1), which lies outside the 192.168.10.0/24 source range of rule t_to_u, so no rule matches and the firewall's default policy denies the flow.

Sourcing the telnet from 192.168.10.254 instead (S1's Vlanif10 address, for example with telnet -a 192.168.10.254 1.1.1.1) succeeds, because the security policy permits the 192.168.10.0/24 segment.

Figure 3 Telnet test result (figure image not reproduced)
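To make the matching logic described at the top of the page (every configured condition must match, then the rule's action applies) and the lab result above concrete, here is a small simulation added for this page; it is not Huawei code. It parses a rule written in the same syntax as t_to_u, maps ingress and egress interfaces to the lab's zones, and evaluates the two telnet attempts plus a reverse-direction flow. Assumptions: rules are tried in configured order and the first match wins, an unconfigured condition matches anything, and the device's default policy (no rule matched) is deny.

```python
"""Simulation of zone-based security-policy matching (added illustration, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    source_zone: Optional[str] = None        # None means "any zone"
    destination_zone: Optional[str] = None
    source_address: List[ipaddress.IPv4Network] = field(default_factory=list)       # empty = any
    destination_address: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty = any
    action: str = "deny"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip) -> bool:
        """Every configured condition must match; unconfigured conditions match anything."""
        if self.source_zone is not None and self.source_zone != src_zone:
            return False
        if self.destination_zone is not None and self.destination_zone != dst_zone:
            return False
        if self.source_address and not any(src_ip in n for n in self.source_address):
            return False
        if self.destination_address and not any(dst_ip in n for n in self.destination_address):
            return False
        return True


def parse_policy(text: str) -> List[Rule]:
    """Parse the subset of security-policy syntax used in the lab:
    rule name, source/destination zone, addresses given as '<ip> mask <netmask>', action."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "security-policy":
            continue
        if parts[:2] == ["rule", "name"]:
            current = Rule(name=parts[2])
            rules.append(current)
            continue
        if current is None:
            raise ValueError(f"condition outside a rule: {raw!r}")
        key = parts[0]
        if key == "source-zone":
            current.source_zone = parts[1]
        elif key == "destination-zone":
            current.destination_zone = parts[1]
        elif key in ("source-address", "destination-address"):
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[3]}", strict=False)  # ip/netmask form
            getattr(current, key.replace("-", "_")).append(net)
        elif key == "action":
            current.action = parts[1]
        else:
            raise ValueError(f"unsupported keyword: {key}")
    return rules


# Constructed copy of the lab's rule, in the device's own syntax.
POLICY_TEXT = """\
security-policy
 rule name t_to_u
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
"""

# Interface-to-zone assignment from the lab ('firewall zone trust' / 'firewall zone untrust').
ZONE_OF_INTERFACE: Dict[str, str] = {
    "GigabitEthernet1/0/0": "trust",
    "GigabitEthernet1/0/1": "untrust",
}


def evaluate(rules: List[Rule], in_if: str, out_if: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First matching rule wins; returns (rule name, action).
    Assumption: the default policy applied when nothing matches is deny."""
    src_zone, dst_zone = ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if]
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src, dst):
            return rule.name, rule.action
    return "default", "deny"


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    t, u = "GigabitEthernet1/0/0", "GigabitEthernet1/0/1"
    # Telnet from S1 sourced from Vlanif100 (192.168.20.1): outside 192.168.10.0/24 -> default deny
    print(evaluate(rules, t, u, "192.168.20.1", "1.1.1.1"))
    # Same telnet sourced from Vlanif10 (192.168.10.254): matches t_to_u -> permit
    print(evaluate(rules, t, u, "192.168.10.254", "1.1.1.1"))
    # New connection initiated from the untrust side: no untrust->trust rule exists -> default deny
    print(evaluate(rules, u, t, "192.168.30.2", "192.168.10.254"))
```

The third case shows why the lab needs only one rule: a stateful firewall permits the return packets of an already established session through its session table, so the trust-to-untrust rule is enough for the telnet, while a fresh connection from the untrust side still hits the default policy.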
