配置入侵防御 1、拓扑 2、配置思路 1)配置接口IP地址和安全区域,完成网络基本参数配置。 2)配置入侵防御配置文件profile_ips_pc,保护内网用户。通过配置签名过滤器来满足安全需要。 3)配置入侵防御配置文件profile_ips_server,保护内网服务器。并配置签名过滤器以及例外签名来满足安全需要。 4)创建安全策略policy_sec_1,并引用安全配置文件profile_ips_pc,保护内网用户免受来自Internet的攻击。 5)创建安全策略policy_sec_2,并引用安全配置文件profile_ips_server,保护内网服务器免受来自内网用户和Internet的攻击。 3、操作步骤 1)配置接口IP地址和安全区域,完成网络基本参数配置。 [FW] interface GigabitEthernet 1/0/1 [FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0 [FW-GigabitEthernet1/0/1] quit [FW] interface GigabitEthernet 1/0/2 [FW-GigabitEthernet1/0/2] ip address 10.2.0.1 255.255.255.0 [FW-GigabitEthernet1/0/2] quit [FW] interface GigabitEthernet 1/0/3 [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0 [FW-GigabitEthernet1/0/3] quit [FW] firewall zone trust [FW-zone-trust] add interface GigabitEthernet 1/0/3 [FW-zone-trust] quit [FW] firewall zone dmz [FW-zone-dmz] add interface GigabitEthernet 1/0/2 [FW-zone-dmz] quit [FW] firewall zone untrust [FW-zone-untrust] add interface GigabitEthernet 1/0/1 [FW-zone-untrust] quit 2)创建入侵防御配置文件profile_ips_pc,保护内网用户。 [FW] profile type ips name profile_ips_pc [FW-profile-ips-profile_ips_pc] description profile for intranet users [FW-profile-ips-profile_ips_pc] collect-attack-evidence enable [FW-profile-ips-profile_ips_pc] signature-set name filter1 [FW-profile-ips-profile_ips_pc-sigset-filter1] target client [FW-profile-ips-profile_ips_pc-sigset-filter1] severity high [FW-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP [FW-profile-ips-profile_ips_pc-sigset-filter1] quit [FW-profile-ips-profile_ips_pc] quit 3) 创建入侵防御配置文件profile_ips_server,保护内网FTP服务器。配置ID为74320的签名为例外签名,设置动作为阻断。 [FW] profile type ips name profile_ips_server [FW-profile-ips-profile_ips_server] description profile for intranet servers [FW-profile-ips-profile_ips_server] collect-attack-evidence enable [FW-profile-ips-profile_ips_server] signature-set name filter2 [FW-profile-ips-profile_ips_server-sigset-filter2] target server [FW-profile-ips-profile_ips_server-sigset-filter2] severity high [FW-profile-ips-profile_ips_server-sigset-filter2] protocol FTP [FW-profile-ips-profile_ips_server-sigset-filter2] quit [FW-profile-ips-profile_ips_server] exception ips-signature-id 74320 action block [FW-profile-ips-profile_ips_server] quit 4)提交配置。 [FW] engine configuration commit 5)配置Trust区域和Untrust区域之间的安全策略,引用入侵防御配置文件profile_ips_pc。 [FW] security-policy [FW-policy-security] rule name policy_sec_1 [FW-policy-security-rule-policy_sec_1] source-zone trust [FW-policy-security-rule-policy_sec_1] destination-zone untrust [FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0 24 [FW-policy-security-rule-policy_sec_1] profile ips profile_ips_pc [FW-policy-security-rule-policy_sec_1] action permit [FW-policy-security-rule-policy_sec_1] quit 6)配置从Trust区域到DMZ区域、从Untrust区域到DMZ区域的安全策略,引用入侵防御配置文件profile_ips_server。 [FW-policy-security] rule name policy_sec_2 [FW-policy-security-rule-policy_sec_2] source-zone trust untrust [FW-policy-security-rule-policy_sec_2] destination-zone dmz [FW-policy-security-rule-policy_sec_2] destination-address 10.2.0.0 24 [FW-policy-security-rule-policy_sec_2] profile ips profile_ips_server [FW-policy-security-rule-policy_sec_2] action permit [FW-policy-security-rule-policy_sec_2] quit [FW-policy-security] quit 7)保存配置信息,以便设备下次启动时自动加载上述配置信息。 [FW] quit <FW> save