Huawei Eudemon Firewall Security Hardening Case Study (2)

2012-07-24 21:22

  #
  firewall packet-filter default permit interzone local trust direction inbound
  firewall packet-filter default permit interzone local trust direction outbound
  firewall packet-filter default permit interzone local untrust direction inbound
  firewall packet-filter default permit interzone local untrust direction outbound
  firewall packet-filter default permit interzone local dmz direction inbound
  firewall packet-filter default permit interzone local dmz direction outbound
  firewall packet-filter default permit interzone local vzone direction inbound
  firewall packet-filter default permit interzone local vzone direction outbound
  firewall packet-filter default permit interzone trust untrust direction inbound
  firewall packet-filter default permit interzone trust untrust direction outbound
  firewall packet-filter default permit interzone trust dmz direction inbound
  firewall packet-filter default permit interzone trust dmz direction outbound
  firewall packet-filter default permit interzone trust vzone direction inbound
  firewall packet-filter default permit interzone trust vzone direction outbound
  firewall packet-filter default permit interzone dmz untrust direction inbound
  firewall packet-filter default permit interzone dmz untrust direction outbound
  firewall packet-filter default permit interzone untrust vzone direction inbound
  firewall packet-filter default permit interzone untrust vzone direction outbound
  firewall packet-filter default permit interzone dmz vzone direction inbound
  firewall packet-filter default permit interzone dmz vzone direction outbound

Configuration after hardening:

1. Trim the original inter-zone default permits (only the local zone's pairs are kept)

  #
  firewall packet-filter default permit interzone local trust direction inbound
  firewall packet-filter default permit interzone local trust direction outbound
  firewall packet-filter default permit interzone local untrust direction inbound
  firewall packet-filter default permit interzone local untrust direction outbound
  firewall packet-filter default permit interzone local dmz direction inbound
  firewall packet-filter default permit interzone local dmz direction outbound

Note: traffic between security zones has a direction, either inbound or outbound.

Inbound: traffic flowing from a lower-priority security zone to a higher-priority security zone.

Outbound: traffic flowing from a higher-priority security zone to a lower-priority security zone.

2. Define the address sets:

  [Quidway]#
  ip address-set addressgroup1
  address 4 192.29.141.130 0
  address 5 192.29.141.132 0
  address 6 192.29.141.140 0
  address 7 192.29.141.142 0
  [Quidway]#
  ip address-set addressgroup4
  address 0 192.29.141.25 0
  address 1 192.29.141.26 0
  address 2 192.29.141.27 0

3. Add access rules and restrictions between the specific address sets

  [Quidway]#
  acl number 3201
  rule 10 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq sqlnet
  rule 11 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ssh
  rule 15 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmp
  rule 16 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ntp
  rule 17 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmptrap
  rule 3000 deny ip
  [Quidway]#
  acl number 3202
  rule 10 permit tcp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ssh
  rule 15 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmp
  rule 16 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ntp
  rule 17 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmptrap
  rule 3000 deny ip

4. Apply the ACLs between the zones

  [Quidway]#
  firewall interzone dmz untrust
  packet-filter 3201 inbound
  packet-filter 3202 outbound
  detect ftp
  detect http
  session log enable acl-number 3201 inbound
  session log enable acl-number 3202 outbound

The security hardening between the other zones follows the same pattern as above.
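To check what the address sets and ACL 3201 from steps 2 and 3 actually let through, here is a small first-match evaluator for the Huawei-style `ip address-set` / `acl number` / `rule` syntax shown above. This is an added example, not code from the original post; the port numbers behind the service names and the treatment of the trailing `0` as a wildcard mask are assumptions, and the configuration embedded in it is a constructed subset of the post's own.

```python
# Added example, not from the original post: a first-match evaluator for the
# Huawei-style "ip address-set" / "acl number" / "rule" syntax shown above.
import ipaddress

PORT_NAMES = {"sqlnet": 1521, "ssh": 22, "snmp": 161, "ntp": 123, "snmptrap": 162}  # assumed
# Constructed from step 2 and ACL 3201 of step 3 (trailing 0 = wildcard mask).
CONFIG = """
ip address-set addressgroup1
 address 4 192.29.141.130 0
 address 5 192.29.141.132 0
ip address-set addressgroup4
 address 0 192.29.141.25 0
acl number 3201
 rule 10 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq sqlnet
 rule 15 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmp
 rule 3000 deny ip
"""
def parse(text):  # -> (address_sets, acls); each ACL keeps its rules in listed order
    sets, acls, cur = {}, {}, None
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] == ["ip", "address-set"]:
            cur = sets.setdefault(t[2], [])
        elif t[:2] == ["acl", "number"]:
            cur = acls.setdefault(int(t[2]), [])
        elif t[0] == "address":  # address <id> <ip> <wildcard>
            cur.append((int(ipaddress.IPv4Address(t[2])), int(t[3])))
        elif t[0] == "rule":  # rule <id> permit|deny <proto> [match terms...]
            r = {"action": t[2], "proto": t[3], "src": None, "dst": None, "dport": None}
            for i, w in enumerate(t):
                if w in ("source", "destination") and t[i + 1] == "address-set":
                    r["src" if w == "source" else "dst"] = t[i + 2]
                elif w == "destination-port" and t[i + 1] == "eq":
                    r["dport"] = PORT_NAMES[t[i + 2]]
            cur.append(r)
    return sets, acls

def in_set(sets, name, ip):  # bits set in the wildcard mask are "don't care"
    ip = int(ipaddress.IPv4Address(ip))
    return any((ip | wild) == (addr | wild) for addr, wild in sets[name])

def evaluate(cfg, acl_num, proto, src, dst, dport):  # first matching rule wins
    sets, acls = cfg
    for r in acls[acl_num]:
        if (r["proto"] in ("ip", proto) and r["dport"] in (None, dport)
                and (not r["src"] or in_set(sets, r["src"], src))
                and (not r["dst"] or in_set(sets, r["dst"], dst))):
            return r["action"]
    return "no-match"  # falls through to the interzone default action
```

Removing `rule 3000 deny ip` from the input turns the unmatched cases into `no-match`, which is exactly the traffic that the original default-permit configuration would have let through.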

The hardening raises the network's security to a certain degree; of course, it can be refined further for the specific situation by filling the remaining gaps in areas such as ACLs (access control lists), AM (access management configuration), AAA, dot1x and MAC binding.

This article is from the “滴水穿石” blog.
