Hardening a lab network with a Juniper SRX-240
Introduction
The Juniper SRX is a network security appliance that manages and controls traffic through zones and security policies.
A zone is a logical partition that groups the interfaces belonging to one part of the network, such as the internal network, the DMZ or the external network. Traffic between two zones is subject to the security policies configured for that zone pair; a zone also declares which services the device itself will answer on its interfaces (host-inbound-traffic).
A security policy is an ordered set of rules that controls which traffic may flow from one zone to another. Each rule matches on source address, destination address and application (protocol and port) and names an action: permit, deny (drop silently) or reject (drop and send a TCP RST or ICMP unreachable back to the sender).
By creating zones and security policies an administrator gets fine-grained control over network traffic, which is what improves the network's security.
Here I run the SRX in Layer 2 mode (as a transparent firewall).
Interfaces
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 10;
        }
    }
}
ge-0/0/4 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 10;
        }
    }
}
ge-0/0/8 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 10;
        }
    }
}
bridge-domains {
    oob {
        domain-type bridge;
        vlan-id 10;
        routing-interface irb.0;
    }
}
Bridge interface (IRB)
irb {
    unit 0 {
        family inet {
            address 219.217.199.203/24;
        }
        family inet6 {
            address 2001:250:7802:61::c0:ffee/64;
        }
    }
}
The management logical interface: these are the addresses used to reach the SRX itself. irb.0 is the routing interface of bridge domain oob, so it is reachable from all three access ports on VLAN 10. In this configuration irb.0 belongs to no zone; whether the SRX answers a packet addressed to it is decided by the host-inbound-traffic settings of the zone whose Layer 2 interface the packet arrives on.
Security Zones
security-zone Lab {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/4.0;
    }
}
security-zone Edu {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone DC {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/8.0;
    }
}
Because the device is in Layer 2 mode there is no routing between the ports, so zones are bound to the Layer 2 logical interfaces. For traffic to cross from one zone to another, the interfaces of both zones must belong to the same bridge domain (here oob, VLAN 10). Note that every zone above accepts all system services (host-inbound-traffic system-services all), including Edu, the side facing the campus network; that exposes the SRX's own SSH, Telnet, web management and the rest to everyone on that network, which is the first thing to tighten.
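Two fixes follow from this, shown here as an added example rather than configuration from the page: a definition for the untrust-screen profile that zone Edu references but the page never shows (the values are the Junos factory-default profile, taken as an assumption), and host-inbound-traffic narrowed to SSH and ping from the Lab side only. In set format, as typed in configure mode:

```junos
# untrust-screen is referenced by zone Edu but not defined anywhere on the
# page; these are the Junos factory-default values (assumption).
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

# The SRX itself should only be managed from the Lab side: replace "all"
# with the two services actually needed.
delete security zones security-zone Lab host-inbound-traffic system-services all
set security zones security-zone Lab host-inbound-traffic system-services ssh
set security zones security-zone Lab host-inbound-traffic system-services ping

# Edu faces the campus network and DC holds servers; neither needs the
# management plane. Removing the stanza leaves the zone closed to it.
delete security zones security-zone Edu host-inbound-traffic
delete security zones security-zone DC host-inbound-traffic

# Review the diff, then commit with automatic rollback in case the change
# cuts off the session you are working from.
show | compare
commit check
commit confirmed 5
commit
```

Run this from a session that enters through ge-0/0/4 (zone Lab); a session arriving through Edu or DC is dropped the moment the commit takes effect, which is exactly what commit confirmed 5 protects against if you forget.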
Security Policies
from-zone Lab to-zone Edu {
    policy edu-infra-ban {
        match {
            source-address any;
            destination-address [ Jwc JwcUtil ];
            application any;
        }
        then {
            reject;
            log {
                session-init;
                session-close;
            }
        }
    }
    policy lab-to-edu {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone DC to-zone Edu {
    policy dc-to-edu {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Lab to-zone DC {
    policy lab-to-dc {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Edu to-zone Lab {
    policy edu-to-lab {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone DC to-zone Lab {
    policy dc-to-lab {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Edu to-zone DC {
    policy allow-management-access {
        match {
            source-address Lab-MGMT;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy ban-remote-control {
        match {
            source-address any;
            destination-address any;
            application [ junos-ssh junos-telnet junos-icmp-all ];
        }
        then {
            reject;
            log {
                session-init;
                session-close;
            }
        }
    }
    policy edu-to-dc {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
Rules are written per zone pair. Note that they are not symmetric: a policy from A to B only covers sessions initiated in A. A new connection from B to A needs its own from-zone B to-zone A policy, otherwise the default deny drops it; reply packets of a session already permitted from A to B are matched by the session table and need no policy of their own. Within one zone pair the policies are evaluated top-down and the first match wins, which is why in Edu to DC the Lab-MGMT permit sits above ban-remote-control and the catch-all permit comes last, and why edu-infra-ban precedes lab-to-edu. The reject policies log session-init, which emits an RT_FLOW_SESSION_DENY message; session-close never fires for a rejected flow, since no session is created, so that keyword is harmless but does nothing there.
Address ranges such as Jwc, JwcUtil and Lab-MGMT must be defined in an address-book before a policy that references them will commit.
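The address-book entries and a policy-order check, as an added example rather than configuration from the page. The prefixes are assumptions (RFC 5737 and RFC 3849 documentation ranges) standing in for the real Jwc, JwcUtil and Lab-MGMT hosts, which the page does not give:

```junos
# Global address book (Junos 11.2 and later). An address holds one prefix,
# so a host with both families gets two entries grouped in an address-set;
# otherwise the reject covers only its IPv4 traffic and IPv6 to the same
# host falls through to the lab-to-edu permit.
set security address-book global address Jwc-v4 203.0.113.10/32
set security address-book global address Jwc-v6 2001:db8:61::10/128
set security address-book global address-set Jwc address Jwc-v4
set security address-book global address-set Jwc address Jwc-v6
set security address-book global address JwcUtil 203.0.113.11/32
set security address-book global address Lab-MGMT 198.51.100.0/28

# Policies in a zone pair match top-down, first hit wins. insert fixes the
# order in place if a broad permit was committed above a reject.
insert security policies from-zone Edu to-zone DC policy allow-management-access before policy ban-remote-control
insert security policies from-zone Edu to-zone DC policy ban-remote-control before policy edu-to-dc
insert security policies from-zone Lab to-zone Edu policy edu-infra-ban before policy lab-to-edu
commit confirmed 5
commit

# Verify the order, ask the box which policy a given flow would hit
# (addresses assumed: an Edu host opening SSH to a DC server), and watch
# the reject policies accumulate hits instead of the catch-all permit.
run show security policies from-zone Edu to-zone DC
run show security match-policies from-zone Edu to-zone DC source-ip 203.0.113.50 destination-ip 192.0.2.40 source-port 40000 destination-port 22 protocol tcp
run show security policies hit-count from-zone Edu to-zone DC
```

If zone-attached address books are used instead (set security zones security-zone Edu address-book address ...), the entries must live in the zone they are matched against: Jwc and JwcUtil in Edu because they are destinations in to-zone Edu, and Lab-MGMT also in Edu because it is a source in from-zone Edu. Zone-attached and global address books cannot be configured together; the commit rejects the mix.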
Log Accounting
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system syslog file traffic.log user info
set system syslog file traffic.log match RT_FLOW_SESSION
set system syslog file lab-deny.log user any
set system syslog file lab-deny.log match edu-infra-ban
set system syslog file traffic-screens any any
set system syslog file traffic-screens match RT_SCREEN
set system syslog file dc-deny.log user any
set system syslog file dc-deny.log match ban-remote-control
set system syslog file security-log.log any any
set system syslog file security-log.log archive files 1
set system syslog file security-log.log structured-data
set security log mode event
set security policies from-zone Lab to-zone Edu policy edu-infra-ban then log session-init
set security policies from-zone Lab to-zone Edu policy edu-infra-ban then log session-close
set security policies from-zone Edu to-zone DC policy ban-remote-control then log session-init
set security policies from-zone Edu to-zone DC policy ban-remote-control then log session-close
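The local files above live on the SRX's flash and rotate silently, so a practitioner would cap them and also ship the deny and screen events off-box. As an added example (not from the page), the collector address 198.51.100.20 and the rotation sizes are assumptions:

```junos
# Cap the local deny logs explicitly and timestamp with year and millisecond
# so rotated files and collector copies can be correlated.
set system syslog file lab-deny.log archive size 1m files 10
set system syslog file dc-deny.log archive size 1m files 10
set system syslog time-format year millisecond

# Ship the same events off-box in RFC 5424 structured-data form. match takes
# a regular expression, so one host entry carries both message classes.
set system syslog host 198.51.100.20 any any
set system syslog host 198.51.100.20 match "RT_FLOW_SESSION_DENY|RT_SCREEN"
set system syslog host 198.51.100.20 structured-data
set system syslog host 198.51.100.20 source-address 219.217.199.203

# Event mode is what makes RT_FLOW messages pass through the local syslog
# files on a branch SRX; stream mode would bypass them, so keep event mode.
set security log mode event
commit

# Checks: the deny file should show RT_FLOW_SESSION_DENY lines carrying the
# policy name, and the Edu screen counters should move under load.
run show log lab-deny.log | last 20
run show security screen statistics zone Edu
```

Send a rejected flow on purpose (for example SSH from an Edu host to a DC server) and confirm the line appears both in dc-deny.log and on the collector before relying on either.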