[Firewall Series, Part 1] A brief look at how a zone-based firewall design monitors inside/outside traffic and application sessions in a network environment (51CTO blog)


2019-02-28 11:39:20 | Author: 芷天 | Tags: traffic, zone, firewall | Views: 843


I. Background

1. The network consists of a central site, shanghai, and a branch site, nanjing.

2. The central site has three zones: outside, inside and DMZ.

3. The DMZ hosts the enterprise's internal servers (DNS, web, email, FTP), which are managed remotely over the encrypted protocols SSH and HTTPS.

4. Central site DMZ address pool: 172.18.100.0/24

   Central site inside address pool: 172.18.101.0/24

II. Key zone-based firewall configuration

How do we permit legitimate access from the outside zone to the DMZ?

The key is defining what counts as legitimate traffic.

The DMZ hosts the enterprise servers (DNS, web, email, FTP), which are managed remotely over SSH and HTTPS, so these are the legitimate flows, expressed as:

http           80
https          443
ftp            20/21
pop3           110
imap           143
imap over ssl  993
ssh            22
smtp           25

In IOS commands:

Traffic class-map matching rules:

Note the difference between match-any and match-all.

! match-any: a flow matches the class if any one of the listed protocols matches
class-map type inspect match-any dns.traffic.any.class
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
class-map type inspect match-any multi.traffic.any.class
 match protocol dns
 match protocol http
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol imap3
 match protocol ssh
 match protocol icmp
! match-all: every clause must match, i.e. the ACL AND the nested match-any class
! (the bodies of the ACLs multi.traffic.acl and dns are not shown in this post)
class-map type inspect match-all multi.traffic.all.class
 match access-group name multi.traffic.acl
 match class-map multi.traffic.any.class
class-map type inspect match-all dns.traffic.all.class
 match access-group name dns
 match class-map dns.traffic.any.class
! application protocols permitted from the inside zone into the DMZ
class-map type inspect match-any app.inspect.class
 match protocol ssh
 match protocol ftp
 match protocol pop3
 match protocol imap3
 match protocol smtp
 match protocol http
 match protocol https
 match protocol icmp


Configure the policy-maps, which decide what is done with traffic that matches the rules:

matching traffic is permitted and its sessions are inspected;

everything else is dropped by default.

! outside -> DMZ (zone-pair out2dmz): inspect matching flows, drop the rest
policy-map type inspect out.dmz.policy
 class type inspect multi.traffic.all.class
  inspect
 class class-default
  drop
! DMZ -> outside (zone-pair dmz2out)
policy-map type inspect dmz.out.policy
 class type inspect dns.traffic.all.class
  inspect
 class class-default
  drop
! inside -> DMZ (zone-pair in2dmz)
policy-map type inspect in.dmz.policy
 class type inspect app.inspect.class
  inspect
 class class-default
  drop
! (the zone, zone-pair and service-policy bindings are not shown in this post)

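To make the match-any versus match-all distinction concrete, here is an added Python model of the three policy-maps above (my example, not code from the post). The ACL bodies multi.traffic.acl and dns are not on the page, so they are assumed to permit traffic to, respectively from, the DMZ pool 172.18.100.0/24; the zone-pair names come from the show output later in the post.

```python
import ipaddress

# match-any class-maps transcribed from the post: a flow matches if any listed protocol matches.
ANY_CLASSES = {
    "dns.traffic.any.class": {"dns", "http", "https", "icmp"},
    "multi.traffic.any.class": {"dns", "http", "https", "smtp", "pop3",
                                "imap", "imap3", "ssh", "icmp"},
    "app.inspect.class": {"ssh", "ftp", "pop3", "imap3", "smtp",
                          "http", "https", "icmp"},
}

# The ACLs multi.traffic.acl and dns are not shown in the post; these bodies are
# ASSUMED here: anything destined to the DMZ pool, and anything sourced from it.
DMZ = ipaddress.ip_network("172.18.100.0/24")
ACLS = {
    "multi.traffic.acl": lambda src, dst: dst in DMZ,
    "dns": lambda src, dst: src in DMZ,
}

# match-all class-maps: the ACL AND the nested match-any class must both match.
ALL_CLASSES = {
    "multi.traffic.all.class": ("multi.traffic.acl", "multi.traffic.any.class"),
    "dns.traffic.all.class": ("dns", "dns.traffic.any.class"),
}

# One inspected class per zone-pair policy-map; class-default drops everything else.
POLICIES = {
    "out2dmz": "multi.traffic.all.class",
    "dmz2out": "dns.traffic.all.class",
    "in2dmz": "app.inspect.class",
}

def class_matches(name, src, dst, proto):
    """Evaluate a class-map the way ZBF does: match-any is OR, match-all is AND."""
    if name in ANY_CLASSES:
        return proto in ANY_CLASSES[name]
    acl, nested = ALL_CLASSES[name]
    return ACLS[acl](src, dst) and class_matches(nested, src, dst, proto)

def zbf_action(zone_pair, src, dst, proto):
    """Return 'inspect' or 'drop' for a new flow crossing the given zone-pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if class_matches(POLICIES[zone_pair], src, dst, proto):
        return "inspect"          # matched the inspect class: a session is created and tracked
    return "drop"                 # class-default drop
```

Because ftp is absent from multi.traffic.any.class, outside FTP to the DMZ falls to class-default and is dropped even though the NAT section forwards ports 20/21; running the model makes that gap visible before the policy goes live.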

III. NAT configuration

Any device that connects to the Internet usually needs NAT: public IP addresses are scarce and cost money, so performance and cost have to be balanced.

Based on the services the DMZ provides, configure as follows:

key services must be published with static mappings; other internal hosts reaching the outside can use dynamic (overloaded) mapping.

Look at the service and look at the port; this mapping must be understood.

! static mappings: publish each DMZ service on the outside interface Serial1/0
ip nat inside source static tcp 172.18.100.14 80 interface Serial1/0 80
ip nat inside source static tcp 172.18.100.12 443 interface Serial1/0 443
ip nat inside source static tcp 172.18.100.13 22 interface Serial1/0 22
ip nat inside source static udp 172.18.100.2 53 interface Serial1/0 53
ip nat inside source static tcp 172.18.100.2 110 interface Serial1/0 110
ip nat inside source static tcp 172.18.100.2 143 interface Serial1/0 143
ip nat inside source static tcp 172.18.100.2 993 interface Serial1/0 993
ip nat inside source static tcp 172.18.100.2 20 interface Serial1/0 20
ip nat inside source static tcp 172.18.100.2 21 interface Serial1/0 21
ip nat inside source static tcp 172.18.100.2 25 interface Serial1/0 25
! dynamic PAT for everything else matching ACL nat-i-o (ACL body not shown in this post)
ip nat inside source list nat-i-o interface Serial1/0 overload


IV. Results

Now let's look at the details.

First the NAT translations:

an internal client pings the branch site and a dynamic mapping is created;

the branch site logs in over SSH to a device in the DMZ successfully;

the branch site reaches the web server successfully;

the branch site reaches the encrypted service over HTTPS successfully.

shanghai#show ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.0.10.2:2      172.18.100.2:2     200.0.30.2:2       200.0.30.2:2
tcp 200.0.10.2:20      172.18.100.2:20    -                -
tcp 200.0.10.2:21      172.18.100.2:21    -                -
tcp 200.0.10.2:22      172.18.100.13:22    172.18.103.3:49392 172.18.103.3:49392
tcp 200.0.10.2:22      172.18.100.13:22    200.0.30.2:17648   200.0.30.2:17648
tcp 200.0.10.2:22      172.18.100.13:22    -                -
tcp 200.0.10.2:25      172.18.100.2:25    -                -
udp 200.0.10.2:53      172.18.100.2:53    -                -
tcp 200.0.10.2:80      172.18.100.14:80    172.18.103.3:49480 172.18.103.3:49480
tcp 200.0.10.2:80      172.18.100.14:80    172.18.103.3:49481 172.18.103.3:49481
tcp 200.0.10.2:80      172.18.100.14:80    172.18.103.3:49482 172.18.103.3:49482
tcp 200.0.10.2:80      172.18.100.14:80    -                -
tcp 200.0.10.2:110     172.18.100.2:110   -                -
tcp 200.0.10.2:143     172.18.100.2:143   -                -
tcp 200.0.10.2:443     172.18.100.12:443   172.18.103.3:49476 172.18.103.3:49476
tcp 200.0.10.2:443     172.18.100.12:443   172.18.103.3:49477 172.18.103.3:49477
tcp 200.0.10.2:443     172.18.100.12:443   172.18.103.3:49478 172.18.103.3:49478
tcp 200.0.10.2:443     172.18.100.12:443   172.18.103.3:49479 172.18.103.3:49479
tcp 200.0.10.2:443     172.18.100.12:443   -                -
tcp 200.0.10.2:993     172.18.100.2:993   -                -
tcp 200.0.10.2:18018   172.18.100.2:18018 172.18.103.3:80    172.18.103.3:80

 

Now the traffic and the number of application sessions the firewall has inspected:

shanghai#show policy-map ty in zone-pair se

policy exists on zp in2dmz
 Zone-pair: in2dmz

  Service-policy inspect : in.dmz.policy

    Class-map: app.inspect.class (match-any)
      Match: protocol ssh
        2 packets, 48 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imap3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 68A2ED20 (172.18.101.2:55222)=>(172.18.100.13:22) ssh:tcp SIS_OPEN/TCP_ESTAB
          Created 00:01:45, Last heard 00:01:40
          Bytes sent (initiator:responder) [936:1164]


    Class-map: class-default (match-any)
      Match: any
      Drop
        4 packets, 96 bytes

 

policy exists on zp out2dmz
 Zone-pair: out2dmz

  Service-policy inspect : out.dmz.policy

    Class-map: multi.traffic.all.class (match-all)
      Match: access-group name multi.traffic.acl
      Match: class-map match-any multi.traffic.any.class
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pop3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect

      Number of Established Sessions = 2
      Established Sessions
        Session 68A2E620 (172.18.103.3:49392)=>(172.18.100.13:22) ssh:tcp SIS_OPEN/TCP_ESTAB
          Created 00:06:11, Last heard 00:05:51
          Bytes sent (initiator:responder) [3433:3004]
        Session 68A2E9A0 (200.0.30.2:17648)=>(172.18.100.13:22) ssh:tcp SIS_OPEN/TCP_ESTAB
          Created 00:03:17, Last heard 00:01:25
          Bytes sent (initiator:responder) [1832:3160]


    Class-map: class-default (match-any)
      Match: any
      Drop
        4 packets, 96 bytes

policy exists on zp dmz2out
 Zone-pair: dmz2out

  Service-policy inspect : dmz.out.policy

    Class-map: dns.traffic.all.class (match-all)
      Match: access-group name dns
      Match: class-map match-any dns.traffic.any.class
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 68A2D120 (172.18.100.14:62666)=>(172.18.103.3:80) http:tcp SIS_OPEN/TCP_ESTAB
          Created 00:25:14, Last heard 00:25:13
          Bytes sent (initiator:responder) [0:0]

 


    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
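The session output above is what a practitioner audits after the policy is live. The following Python parser is an added example (not part of the post): it extracts the established sessions and the class-default drop counters per zone-pair from a constructed excerpt in the same format, and flags any DMZ session whose responder port is not one of the services the post publishes. The rdp session on port 3389 in the sample is invented so that the check has something to flag.

```python
import re
# Constructed excerpt in the format of the post's "show policy-map type inspect
# zone-pair sessions" output; the rdp session on 3389 is added, it is not in the post.
SAMPLE = """\
 Zone-pair: out2dmz
    Class-map: multi.traffic.all.class (match-all)
        Match: protocol ssh
          7 packets, 500 bytes
   Inspect
      Established Sessions
        Session 68A2E620 (172.18.103.3:49392)=>(172.18.100.13:22) ssh:tcp SIS_OPEN/TCP_ESTAB
          Bytes sent (initiator:responder) [3433:3004]
        Session 68A2E9A0 (200.0.30.2:41000)=>(172.18.100.13:3389) rdp:tcp SIS_OPEN/TCP_ESTAB
          Bytes sent (initiator:responder) [1832:3160]
    Class-map: class-default (match-any)
      Drop
        4 packets, 96 bytes
"""

ZP_RE = re.compile(r"^\s*Zone-pair:\s+(\S+)")
SESS_RE = re.compile(r"Session \w+ \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\w+):(\w+) (\S+)")
BYTES_RE = re.compile(r"Bytes sent .*\[(\d+):(\d+)\]")
COUNT_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")

def parse_sessions(text):
    """Return (sessions, drops): session dicts and class-default dropped packets per zone-pair."""
    sessions, drops, zp, in_drop = [], {}, None, False
    for line in text.splitlines():
        if m := ZP_RE.match(line):
            zp, in_drop = m[1], False
            drops.setdefault(zp, 0)
        elif m := SESS_RE.search(line):
            sessions.append({"zone_pair": zp, "src": m[1], "sport": int(m[2]), "dst": m[3],
                             "dport": int(m[4]), "app": m[5], "state": m[7], "bytes": (0, 0)})
        elif (m := BYTES_RE.search(line)) and sessions:
            sessions[-1]["bytes"] = (int(m[1]), int(m[2]))
        elif line.strip() == "Drop":     # only the counter right after "Drop" is class-default's
            in_drop = True
        elif (m := COUNT_RE.match(line)) and in_drop:
            drops[zp] += int(m[1])
            in_drop = False
    return sessions, drops

# Ports of the DMZ services the post publishes (http, https, ftp, pop3, imap, imaps, ssh, smtp, dns).
ALLOWED_DMZ_PORTS = {80, 443, 20, 21, 110, 143, 993, 22, 25, 53}

def unexpected_sessions(sessions):
    """Sessions into the DMZ whose responder port is not one of the published services."""
    return [s for s in sessions
            if s["zone_pair"] in ("out2dmz", "in2dmz") and s["dport"] not in ALLOWED_DMZ_PORTS]
```

A rising class-default drop counter on a zone-pair is the first sign that a legitimate service was left out of the class-map, so it is worth trending alongside the session list.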

 

 

Conclusion

1. In a zone-based firewall the zones cannot reach each other by default, so policies must be configured explicitly to permit the required traffic. It is a stateful firewall: as long as a flow is inspected and permitted, its return traffic is also let back through.

2. This topology has three policy directions:

inside -> DMZ

outside -> DMZ

DMZ -> outside

Normally there should also be inside -> outside,

but if the company manages employee Internet access strictly, that is a fine-grained configuration job in its own right.

3. Before configuring, think it through: which traffic to permit and which to drop. The NAT configuration must be precise; check whether each service is TCP or UDP, and remember that FTP is a service that uses more than one port.

4. Configure a default route; it is essential. You are not going to run a dynamic routing protocol toward the Internet and peer with the ISP; that would be wild ^_^

5. Preferably configure a syslog server to record logs, for reviewing mistakes or troubleshooting.
