Huawei Eudemon firewall security hardening case study
Background: to meet security requirements, the previously configured EUDEMON firewall was hardened. The business system's DMZ network lives in the 192 address segment and reaches the public Internet through the upstream Huawei 8508, the firewall and the router. The business system's DMZ connects to the internal core zone through the Huawei EUDEMON firewall.
Environment: all network equipment is Huawei: the switch is a Huawei LS-S5328C, the firewall a Huawei Eudemon 1000E, and the servers run SUSE 11 Enterprise Server 64-bit.
Requirements: remote login to the firewall must use SSH; access restrictions must be added between the firewall's security zones.
Network topology diagram:
I. Remote login to the firewall must use SSH
Original configuration:
Telnet is an application-layer protocol in the TCP/IP suite that provides remote login and virtual terminal functions over the network.
[switch]aaa
[switch-aaa]local-user admin password simple usermax //set the account password
[switch-aaa]local-user admin privilege level 3 //set the account level; 3 is the highest
[switch-aaa]local-user admin service-type telnet //set the local account's service type to telnet
[switch-aaa]quit
[switch]user-interface vty 0 4
[switch-user-vty0-4]authentication-mode aaa //set the login authentication mode to aaa
[switch-user-vty0-4]protocol bind telnet //bind the user protocol to telnet
[switch-user-vty0-4]idle-timeout 5 0 //disconnect after 5 minutes idle
[switch-user-vty0-4]quit
SSH (Secure Shell) provides secure information protection and strong authentication, protecting the device from attacks such as IP address spoofing and plaintext password interception.
Configuration after hardening:
Create the SSH user user001 on the server side.
# Create an SSH user named user001 with authentication type password.
[Quidway] ssh user user001
[Quidway] ssh user user001 authentication-type password
(Note: SSH users support four authentication types: password, RSA, password-rsa and all. If the SSH user's authentication type is password or password-rsa, a local-user with the same name must be configured; if it is RSA, password-rsa or all, the server side must hold the SSH client's RSA public key.)
# Set the password of SSH user user001 to huawei.
[Quidway] aaa
[Quidway-aaa] local-user user001 password simple huawei
[Quidway-aaa] local-user user001 service-type ssh
# Configure the VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit
# Enable the SFTP service.
[Quidway] sftp server enable
Client connection to the SSH server
# On the first login, first-time authentication must be enabled on the SSH client.
[user001] ssh client first-time enable
# The SFTP client Client001 connects to the SSH server using password authentication.
<user001> system-view
[user001] sftp 221.116.139.121
Input Username:user001
Trying 221.116.139.121 ...
Press CTRL+K to abort
Enter password:
sftp-client>
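The configuration above is easy to get subtly wrong when it is typed on a device, so it pays to verify a saved configuration rather than trust the change record. The following added example (my own Python, not from the article or from Huawei) audits the remote-management lines of a VRP-style configuration snapshot: it flags accounts with service-type telnet, a VTY that still accepts telnet (or restricts nothing), accounts stored with `password simple` (readable in the saved configuration; `password cipher` is the encrypted alternative on VRP), a VTY with no non-zero idle-timeout, and a VTY whose authentication-mode is not aaa. The two sample configurations are the article's before and after, reconstructed with the CLI prompts removed; the finding codes are this example's own.

```python
import re

# Constructed samples: the remote-access configuration before and after the
# change described in the article, with the CLI prompts removed.
ORIGINAL = """
aaa
 local-user admin password simple usermax
 local-user admin privilege level 3
 local-user admin service-type telnet
user-interface vty 0 4
 authentication-mode aaa
 protocol bind telnet
 idle-timeout 5 0
"""

HARDENED = """
ssh user user001
ssh user user001 authentication-type password
aaa
 local-user user001 password simple huawei
 local-user user001 service-type ssh
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
sftp server enable
"""


def audit_remote_access(config):
    """Return (code, detail) findings for the remote-management lines of a VRP-style config."""
    findings = []
    vty_protocol = vty_timeout = vty_auth = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"local-user (\S+) password simple \S+$", line):
            # 'password simple' keeps the secret readable in the saved configuration;
            # 'password cipher' stores it encrypted instead
            findings.append(("plaintext-password", f"local-user {m[1]} uses 'password simple'"))
        elif m := re.match(r"local-user (\S+) service-type (.+)$", line):
            if "telnet" in m[2].split():
                findings.append(("telnet-service", f"local-user {m[1]} may log in over telnet"))
        elif m := re.match(r"protocol (?:bind|inbound) (\S+)$", line):
            vty_protocol = m[1]
        elif m := re.match(r"idle-timeout (\d+) (\d+)$", line):
            vty_timeout = int(m[1]) * 60 + int(m[2])  # minutes and seconds
        elif m := re.match(r"authentication-mode (\S+)$", line):
            vty_auth = m[1]
    if vty_protocol is None:
        findings.append(("no-vty-protocol", "vty does not restrict the inbound protocol"))
    elif vty_protocol in ("telnet", "all"):
        findings.append(("telnet-vty", f"vty accepts telnet (protocol {vty_protocol})"))
    if not vty_timeout:
        # no line leaves the platform default; 'idle-timeout 0 0' disables the timer
        findings.append(("no-idle-timeout", "vty has no explicit non-zero idle-timeout"))
    if vty_auth != "aaa":
        findings.append(("weak-vty-auth", f"vty authentication-mode is {vty_auth}"))
    return findings


def finding_codes(config):
    """Just the sorted finding codes, convenient for comparing two snapshots."""
    return sorted(code for code, _ in audit_remote_access(config))
```

Run against the article's hardened configuration, the audit still reports two items worth a second look: the user001 password is stored with `password simple`, and the new VTY block no longer carries the idle-timeout that the original configuration had.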
II. Adding access restrictions between the firewall's zones
The most basic function of a firewall is to control the data flows passed between zones of differing trust levels in a computer network. Typical zones are the Internet (the UNTRUST zone), an internal network (the TRUST zone) and a neutral zone (the DMZ). Using the firewall to partition the internal network isolates its key segments, so that a security problem in one local or sensitive segment has limited impact on the network as a whole.
Original configuration (no restrictions between zones: packets are permitted in every direction between all security zones):
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local vzone direction inbound
firewall packet-filter default permit interzone local vzone direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust vzone direction inbound
firewall packet-filter default permit interzone trust vzone direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone untrust vzone direction inbound
firewall packet-filter default permit interzone untrust vzone direction outbound
firewall packet-filter default permit interzone dmz vzone direction inbound
firewall packet-filter default permit interzone dmz vzone direction outbound
Configuration after hardening:
1. Trim the original inter-zone access permissions
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
Note: traffic between security zones has a direction, either inbound or outbound.
- Inbound: traffic from a lower-priority security zone to a higher-priority one.
- Outbound: traffic from a higher-priority security zone to a lower-priority one.
2. Define the address sets:
[Quidway]#
ip address-set addressgroup1
address 4 192.29.141.130 0
address 5 192.29.141.132 0
address 6 192.29.141.140 0
address 7 192.29.141.142 0
[Quidway]#
ip address-set addressgroup4
address 0 192.29.141.25 0
address 1 192.29.141.26 0
address 2 192.29.141.27 0
3. Add access rules and restrictions between the specific address sets
[Quidway]#
acl number 3201
rule 10 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq sqlnet
rule 11 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ssh
rule 15 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmp
rule 16 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ntp
rule 17 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmptrap
rule 3000 deny ip
[Quidway]#
acl number 3202
rule 10 permit tcp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ssh
rule 15 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmp
rule 16 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ntp
rule 17 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmptrap
rule 3000 deny ip
4. Apply the ACLs between the zones
[Quidway]#
firewall interzone dmz untrust
packet-filter 3201 inbound
packet-filter 3202 outbound
detect ftp
detect http
session log enable acl-number 3201 inbound
session log enable acl-number 3202 outbound
The security hardening between the other zones follows the same pattern.
The hardening raises network security to a degree; beyond this you can, depending on your situation, keep closing gaps with ACLs (access control lists), AM (access management), AAA, dot1x, MAC binding and so on.
Last updated: 2017-04-02 00:06:54
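Whether a given flow gets through after step 4 depends on three things working together: which address set each host belongs to, the direction of the flow between the two zones (which decides whether ACL 3201 or ACL 3202 is consulted), and the first matching rule in that ACL. The following added example (my own Python, not code from the article or from Huawei) parses the address sets, ACLs and dmz-untrust binding exactly as given in steps 2 to 4 into a small policy model and evaluates sample flows against it. The zone priorities used to derive the direction (local 100, trust 85, dmz 50, untrust 5) are the platform defaults; the wildcard-mask handling generalises the article's single-host entries (`... 0`) to ranges.

```python
import ipaddress
import re

# Constructed sample: the address sets, ACLs and dmz-untrust binding from the
# article's hardened configuration, with the [Quidway]# prompts removed.
POLICY_TEXT = """
ip address-set addressgroup1
 address 4 192.29.141.130 0
 address 5 192.29.141.132 0
 address 6 192.29.141.140 0
 address 7 192.29.141.142 0
ip address-set addressgroup4
 address 0 192.29.141.25 0
 address 1 192.29.141.26 0
 address 2 192.29.141.27 0
acl number 3201
 rule 10 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq sqlnet
 rule 11 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ssh
 rule 15 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmp
 rule 16 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ntp
 rule 17 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmptrap
 rule 3000 deny ip
acl number 3202
 rule 10 permit tcp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ssh
 rule 15 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmp
 rule 16 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ntp
 rule 17 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmptrap
 rule 3000 deny ip
firewall interzone dmz untrust
 packet-filter 3201 inbound
 packet-filter 3202 outbound
"""

# Service keywords used in the rules above, resolved to port numbers.
PORT_NAMES = {"ssh": 22, "ntp": 123, "snmp": 161, "snmptrap": 162, "sqlnet": 1521}
# Default zone priorities on Eudemon/USG; inbound = lower priority -> higher priority.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_policy(text):
    """Parse address sets, ACL rules and interzone packet-filter bindings."""
    address_sets, acls, interzones = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address-set (\S+)$", line):
            section = address_sets.setdefault(m[1], [])
        elif m := re.match(r"acl number (\d+)$", line):
            section = acls.setdefault(int(m[1]), [])
        elif m := re.match(r"firewall interzone (\S+) (\S+)$", line):
            section = interzones.setdefault(frozenset((m[1], m[2])), {})
        elif m := re.match(r"address \d+ (\S+) (\S+)$", line):
            # wildcard mask: 0 bits must match, 1 bits are don't-care; "0" is a single host
            section.append((ip_int(m[1]), 0 if m[2] == "0" else ip_int(m[2])))
        elif m := re.match(r"rule (\d+) (permit|deny) (\S+)(.*)$", line):
            src = re.search(r"source address-set (\S+)", m[4])
            dst = re.search(r"destination address-set (\S+)", m[4])
            port = re.search(r"destination-port eq (\S+)", m[4])
            section.append({"number": int(m[1]), "action": m[2], "proto": m[3],
                            "src": src and src[1], "dst": dst and dst[1],
                            "port": None if port is None else PORT_NAMES.get(port[1]) or int(port[1])})
        elif m := re.match(r"packet-filter (\d+) (inbound|outbound)$", line):
            section[m[2]] = int(m[1])
    return {"address_sets": address_sets, "acls": acls, "interzones": interzones}


def in_address_set(policy, name, ip):
    value, keep_all = ip_int(ip), 0xFFFFFFFF
    return any(value & (keep_all ^ wild) == addr & (keep_all ^ wild)
               for addr, wild in policy["address_sets"][name])


def rule_matches(policy, rule, src_ip, dst_ip, proto, dst_port):
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    if rule["src"] and not in_address_set(policy, rule["src"], src_ip):
        return False
    if rule["dst"] and not in_address_set(policy, rule["dst"], dst_ip):
        return False
    return rule["port"] is None or rule["port"] == dst_port


def evaluate(policy, src_zone, dst_zone, src_ip, dst_ip, proto, dst_port=None):
    """Return (action, rule_number); ("default", None) means no ACL rule decided the flow."""
    direction = "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"
    binding = policy["interzones"].get(frozenset((src_zone, dst_zone)), {})
    if direction not in binding:
        return ("default", None)  # no packet-filter bound: interzone default policy applies
    for rule in sorted(policy["acls"][binding[direction]], key=lambda r: r["number"]):
        if rule_matches(policy, rule, src_ip, dst_ip, proto, dst_port):
            return (rule["action"], rule["number"])
    return ("default", None)  # end of ACL reached: interzone default policy applies
```

Calling `evaluate(parse_policy(POLICY_TEXT), "untrust", "dmz", "192.29.141.130", "192.29.141.25", "tcp", 1521)` returns `("permit", 10)`, while the same hosts in the dmz-to-untrust direction on port 1521 return `("deny", 3000)`, because ACL 3202 has no sqlnet rule. The closing `rule 3000 deny ip` is what makes each ACL default-deny: a flow that reached the end of an ACL without a match would fall back to the interzone default policy, and the trimmed step 1 configuration no longer contains a `default permit` for dmz-untrust.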