The Juniper Networks Integrated Security Gateway (ISG) is a purpose-built security solution that combines the fourth-generation security ASIC, GigaScreen3, with high-performance microprocessors to deliver unmatched firewall and VPN performance. The Juniper Networks ISG 1000 and ISG 2000 are well suited to enterprise, carrier and data-center environments that need scalable, consistent performance in order to run advanced applications such as VoIP and streaming media. The ISG 1000 and ISG 2000 integrate best-of-breed deep inspection firewall, VPN and DoS solutions, providing not only secure, reliable connectivity but also network- and application-level protection for critical high-traffic network segments.
The product itself needs no further introduction; below we walk through the security configuration of the ISG-1000, which can be done either in the web interface (WebUI) or from the command line (CLI).
I. Basic attack protection
1. IP address sweep protection
WebUI:
Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
IP Address Sweep Protection: (select)
Threshold: (enter the value that triggers IP address sweep protection)
CLI:
set zone zone screen ip-sweep threshold number
set zone zone screen ip-sweep
2. Port scan protection
WebUI:
Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
Port Scan Protection: (select)
Threshold: (enter the value that triggers port scan protection)
CLI:
set zone zone screen port-scan threshold number
set zone zone screen port-scan
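To make the two thresholds above concrete, here is an added example (not code from the page or from Juniper) that models what the ip-sweep and port-scan screens count: a sliding window per source, with the threshold expressed in microseconds as in the CLI. The target count of 10 and the 5000 microsecond default are assumptions taken from the ScreenOS documentation; the traffic in demo() is constructed.

```python
from collections import defaultdict, deque

# Constructed model of the ip-sweep and port-scan screens (added example; the
# counts are an assumption taken from ScreenOS documentation: one source hitting
# 10 different hosts with ICMP, or 10 different TCP ports on one host, within the
# threshold interval, which ScreenOS measures in microseconds).
TARGET_COUNT = 10

class ScreenDetector:
    def __init__(self, ip_sweep_us=5000, port_scan_us=5000):
        self.ip_sweep_us = ip_sweep_us    # the "threshold number" for ip-sweep
        self.port_scan_us = port_scan_us  # the "threshold number" for port-scan
        self._sweep = defaultdict(deque)  # src -> deque of (ts_us, dst)
        self._scan = defaultdict(deque)   # (src, dst) -> deque of (ts_us, dport)

    @staticmethod
    def _prune(window, ts_us, interval_us):
        # Sliding window: forget entries older than the interval.
        while window and ts_us - window[0][0] > interval_us:
            window.popleft()

    def packet(self, ts_us, src, dst, proto, dport=None):
        """Return 'ip-sweep', 'port-scan' or None for one packet."""
        if proto == "icmp":
            window = self._sweep[src]
            self._prune(window, ts_us, self.ip_sweep_us)
            window.append((ts_us, dst))
            if len({d for _, d in window}) >= TARGET_COUNT:
                return "ip-sweep"
        elif proto == "tcp":
            window = self._scan[(src, dst)]
            self._prune(window, ts_us, self.port_scan_us)
            window.append((ts_us, dport))
            if len({p for _, p in window}) >= TARGET_COUNT:
                return "port-scan"
        return None

def demo():
    """Constructed traffic: a fast ICMP sweep of 10.1.1.0/24, the same sweep
    spread out beyond the interval, and a TCP probe of 10 ports on one host."""
    fast, slow, scan = ScreenDetector(), ScreenDetector(), ScreenDetector()
    fast_hits = [fast.packet(i * 100, "1.1.1.99", f"10.1.1.{i + 1}", "icmp")
                 for i in range(10)]
    slow_hits = [slow.packet(i * 10000, "1.1.1.99", f"10.1.1.{i + 1}", "icmp")
                 for i in range(10)]
    scan_hits = [scan.packet(i * 200, "1.1.1.99", "10.1.1.1", "tcp", 20 + i)
                 for i in range(10)]
    return fast_hits, slow_hits, scan_hits
```

The slow sweep never fires because each probe falls outside the window, which is why the threshold value chosen on the zone decides how patient a scanner has to be to stay under the screen.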
3. Network reconnaissance using IP options
WebUI:
Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
IP Record Route Option Detection: (select)
IP Timestamp Option Detection: (select)
IP Security Option Detection: (select)
IP Stream Option Detection: (select)
CLI:
set zone zone screen ip-record-route
set zone zone screen ip-timestamp-opt
set zone zone screen ip-security-opt
set zone zone screen ip-stream-opt
4. SYN and FIN flags set together
WebUI:
Screening > Screen (Zone: select the zone name): select SYN and FIN Bits Set Protection, then click Apply.
CLI:
set zone zone screen syn-fin
5. IP spoofing
WebUI:
(1) Interfaces
Network > Interfaces > Edit (for ethernet1): enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option if it appears)
IP Address/Netmask: 10.1.1.1/24
Enter the following, then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet2): enter the following, then click OK:
Zone Name: DMZ
Static IP: (select this option if it appears)
IP Address/Netmask: 1.2.2.1/24
Network > Interfaces > Edit (for ethernet3): enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option if it appears)
IP Address/Netmask: 1.1.1.1/24
(2) Routes
Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
Network Address/Netmask: 10.1.2.0/24
Gateway: (select)
Interface: ethernet1
Gateway IP Address: 10.1.1.250
Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
Network Address/Netmask: 1.2.3.0/24
Gateway: (select)
Interface: ethernet2
Gateway IP Address: 1.2.2.250
Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
(3) IP spoofing protection
Screening > Screen (Zone: Trust): select IP Address Spoof Protection, then click Apply.
Screening > Screen (Zone: DMZ): select IP Address Spoof Protection, then click Apply.
Screening > Screen (Zone: Untrust): select IP Address Spoof Protection, then click Apply.
CLI:
(1) Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 zone dmz
set interface ethernet2 ip 1.2.2.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
(2) Routes
set vrouter trust-vr route 10.1.2.0/24 interface ethernet1 gateway 10.1.1.250
set vrouter trust-vr route 1.2.3.0/24 interface ethernet2 gateway 1.2.2.250
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
(3) IP spoofing protection
set zone trust screen ip-spoofing
set zone dmz screen ip-spoofing
set zone untrust screen ip-spoofing
save
II. Denial-of-service attack defense
1. Source-based session limit
WebUI:
Screening > Screen (Zone: DMZ): enter the following, then click OK:
Source IP Based Session Limit: (select)
Threshold: 1 Sessions
Screening > Screen (Zone: Trust): enter the following, then click OK:
Source IP Based Session Limit: (select)
Threshold: 80 Sessions
CLI:
set zone dmz screen limit-session source-ip-based 1
set zone dmz screen limit-session source-ip-based
set zone trust screen limit-session source-ip-based 80
set zone trust screen limit-session source-ip-based
save
2. Destination-based session limit
WebUI:
Screening > Screen (Zone: Untrust): enter the following, then click OK:
Destination IP Based Session Limit: (select)
Threshold: 4000 Sessions
CLI:
set zone untrust screen limit-session destination-ip-based 4000
set zone untrust screen limit-session destination-ip-based
save
3. SYN-ACK-ACK proxy flood
WebUI:
Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
SYN-ACK-ACK Proxy Protection: (select)
Threshold: (enter the value that triggers SYN-ACK-ACK proxy flood protection)
CLI:
set zone zone screen syn-ack-ack-proxy threshold number
set zone zone screen syn-ack-ack-proxy
4. ICMP flood
WebUI:
Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
ICMP Flood Protection: (select)
Threshold: (enter the value that triggers ICMP flood protection)
CLI:
set zone zone screen icmp-flood threshold number
set zone zone screen icmp-flood
5. UDP flood
WebUI:
Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
UDP Flood Protection: (select)
Threshold: (enter the value that triggers UDP flood protection)
CLI:
set zone zone screen udp-flood threshold number
set zone zone screen udp-flood
6. Land attack
WebUI:
Screening > Screen (Zone: select the zone name): select Land Attack Protection, then click Apply.
CLI:
set zone zone screen land
7. Ping of Death
WebUI:
Screening > Screen (Zone: select the zone name): select Ping of Death Attack Protection, then click Apply.
CLI:
set zone zone screen ping-death
8. Teardrop attack
WebUI:
Screening > Screen (Zone: select the zone name): select Teardrop Attack Protection, then click Apply.
CLI:
set zone zone screen tear-drop
9. WinNuke
WebUI:
Screening > Screen (Zone: select the zone name): select WinNuke Attack Protection, then click Apply.
CLI:
set zone zone screen winnuke
The above is only a simple configuration against some common attacks. Juniper firewalls are hardware firewalls with powerful features, and they are worth studying in depth. Our company uses the ISG-1000 and it has been very good; it is, after all, the world's largest maker of security appliances!
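The IP spoofing protection in section I.5 only works because the interfaces and trust-vr routes were configured first. As an added example (not code from the page or from Juniper), the following reproduces that route table and applies a reverse-path check to constructed packets; that the ScreenOS ip-spoofing screen in route mode decides by looking the source address up in the route table is an assumption stated in the comments.

```python
import ipaddress

# Interfaces and trust-vr routes from the IP spoofing section above; the check
# itself is a constructed model (assumption: in route mode the ScreenOS
# ip-spoofing screen looks the packet's source address up in the route table
# and drops the packet when the best route does not point back out the
# interface the packet arrived on).
INTERFACES = {
    "ethernet1": ("trust", "10.1.1.1/24"),
    "ethernet2": ("dmz", "1.2.2.1/24"),
    "ethernet3": ("untrust", "1.1.1.1/24"),
}
STATIC_ROUTES = [
    ("10.1.2.0/24", "ethernet1", "10.1.1.250"),
    ("1.2.3.0/24", "ethernet2", "1.2.2.250"),
    ("0.0.0.0/0", "ethernet3", "1.1.1.250"),
]

def build_route_table():
    """Static routes plus each interface's connected subnet, longest prefix first."""
    table = [(ipaddress.ip_network(prefix), ifname)
             for prefix, ifname, _gateway in STATIC_ROUTES]
    for ifname, (_zone, addr) in INTERFACES.items():
        table.append((ipaddress.ip_interface(addr).network, ifname))
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)

def route_lookup(table, ip):
    """Interface the device would use to reach ip (longest prefix match)."""
    addr = ipaddress.ip_address(ip)
    for network, ifname in table:
        if addr in network:
            return ifname
    return None

def is_spoofed(table, src_ip, ingress_if):
    """True when the source address is not reachable back through ingress_if."""
    return route_lookup(table, src_ip) != ingress_if

def demo():
    table = build_route_table()
    cases = [  # (source IP, arriving interface), constructed packets
        ("10.1.2.7", "ethernet3"),     # internal address arriving from Untrust
        ("10.1.1.5", "ethernet2"),     # Trust subnet address arriving from DMZ
        ("1.2.3.9", "ethernet2"),      # network behind the DMZ, arriving from DMZ
        ("203.0.113.4", "ethernet3"),  # Internet address matched by the default route
    ]
    return {f"{src} on {ifname}": is_spoofed(table, src, ifname) for src, ifname in cases}
```

Because the default route points at ethernet3, any address with no more specific route is accepted from Untrust, so the screen protects the inside networks rather than validating arbitrary Internet sources.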
Reposted from: https://blog.51cto.com/luciffer/368549