Firewall Overview
Firewall definition:
An Advanced Access Control device is a combination of components placed between different network security domains. It is the only channel for communication flows between different network security domains, control inbound and outbound network access behaviors (allow, deny, monitor, and record) According to enterprise security policies.
DMZ is the abbreviation of "demilitarized zone". It is called the "isolation zone" in Chinese. It is used to solve the problem that the external network cannot access the internal network server after the firewall is installed, the buffer zone between a non-security system and a security system is located in a small network area between the enterprise's internal network and the external network, in this small network area, you can place public server facilities, such as Enterprise Web servers, FTP servers, and forums.
The firewall should have the following features:
Communication between networks protected by the firewall must go through the firewall.
Only valid data packets verified by various configuration policies can pass the firewall.
The firewall must have strong anti-attack and penetration capabilities.
The firewall can protect the security of internal networks, so that protected networks can be prevented from being attacked by external networks. The hardware firewall should support several network interfaces, all of which are LAN interfaces (such as Ethernet, Token Ring, and FDDI), which are used to connect to several networks. All connections in these networks must go through the hardware firewall to control these connections and verify and filter the connections.
DMZ is generally used to connect a region between a trusted network area and a non-trusted network area;
DMZ is the abbreviation of demilitarized zone. It is called the "isolation zone" in Chinese. It aims to solve the problem that the external network cannot access the internal network server after the firewall is installed, the buffer zone between a non-security system and a security system is located in a small network area between the enterprise's internal network and the external network, in this small network area, you can place public server facilities, such as Enterprise Web servers, FTP servers, and forums.
Lab environment:
Simulator: GNS3-0.8.6-Standalone-64-bit
Firewall IOs: Cisco PIX Security Appliance Software Version 7.2 (2) Quantity: 2
PC: Number of vpcs: Several
Router IOs: Cisco IOS software, c1700 software (C1700-BK9NO3R2SY7-M), version 12.3 (7) XR, release software (FC1) Quantity: Several
Router IOs: Cisco IOS software, 2600 software (C2691-ADVSECURITYK9-M), version 12.4 (11) T2, release software (FC4) Quantity: Several
Ethernet cable: Quantity: Several
Firewall Configuration Task 1
Firewall connectivity and user verification
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/49/D8/wKioL1Qb6DqzT1QkAADejTQVFb8632.jpg "Title =" pix1.jpg "alt =" wkiol1qb6dqzt1qkaadejtqvfb8632.jpg "/>
Task 1 topology 1.1
1. configure the internal and external interfaces of the firewall. The internal E1 interface is inside, the network is 192.168.2.0/24, the external network interface E0 is outside, the network is 10.10.1.0/24, and the interface security level is default.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/49/D7/wKiom1Qb6DiBOyy_AAF54v4st8A619.jpg "Title =" pix2.jpg "alt =" wkiom1qb6diboyy_aaf54v4st8a619.jpg "/>
Fig 1.2
2. Configure IP address 192.168.2.8/24 and getway as 192.168.2.1 on the real machine.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/49/D8/wKioL1Qb6GmTrWe1AAE1bgN0Vys740.jpg "Title =" pix3.jpg "alt =" wkiol1qb6gmtrwe1aae1bgn0vys740.jpg "/>
Fig 1.3
3. Enable ip dhcpd on the VM and automatically obtain the IP address after setting. And obtained successfully. The obtained IP address is 192.168.2.10/24 in the DHCP address pool.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/49/D7/wKiom1Qb6HuCVPX8AAFpnlYFhf0829.jpg "Title =" pix4.jpg "alt =" wkiom1qb6hucvpx8aafpnlyfhf0829.jpg "/>
Fig 1.4
4. Configure the default route to the Internet. The next hop is 10.10.1.1.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/49/D8/wKioL1Qb6KfCVFdKAADAP5NG50I182.jpg "Title =" pix5.jpg "alt =" wkiol1qb6kfcvfdkaadap5ng50i182.jpg "/>
Fig 1.5
5. Enable the DHCP service in the firewall, set the address pool range to 192.168.2.10-192.168.2.100, and apply it to the inside network.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/49/D8/wKioL1Qb6MOxvG_LAAFPUoRJzcw000.jpg "Title =" pix6.jpg "alt =" wkiol1qb6moxvg_laafpuorjzcw000.jpg "/>
Fig 1.6
6. Set static address conversion to convert 192.168.2.8 to 169.254.10.8.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/49/D7/wKiom1Qb6L7D7_alAAApaH9oVtU346.jpg "Title =" pix7.jpg "alt =" wkiom1qb6l7d7_alaaapah9ovtu346.jpg "/>
7. set global address translation. The conversion address pool is 169.254.10.1-169.254.1.100 netmask 255.255.255.0. Set pnat address conversion to outside, and the internal address translation network is 192.168.2.0 255.255.255.0.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/49/D7/wKiom1Qb6Nbx_pJwAAGv_OlCNa4442.jpg "Title =" pix8.jpg "alt =" wkiom1qb6nbx_pjwaagv_olcna4442.jpg "/>
Fig 1.7
8. Set the access control list. The list name is icmplist. The inside network can be pinged to the outside network and applied to the inside and outside interfaces. Set the DNS service address to 192.168.100.99 192.168.100.100, which is allocated by the DHCP server.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/49/D7/wKiom1Qb6OySf3prAAEwjrbKEdg260.jpg "Title =" pix9.jpg "alt =" wkiom1qb6oysf3praaewjrbkedg260.jpg "/>
Fig 1.8
9. Set a local user, the user name is domain, and the password is domain.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/49/D9/wKioL1Qb6WPBhcqIAAFg-6pUn1c238.jpg "Title =" pix10.jpg "alt =" wKioL1Qb6WPBhcqIAAFg-6pUn1c238.jpg "/>
Fig 1.9
10. The firewall can be configured remotely, and the internal host 192.168.2.8 can be remotely configured. The timeout time is 15 minutes.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/49/D9/wKioL1Qb6XHxmEi1AADZGhLoc2c276.jpg "Title =" pix11.jpg "alt =" wkiol1qb6xhxmei1aadzghloc2c276.jpg "/>
Fig 1.10
11. Set arp mac Address binding for external interface access to prevent IP address spoofing.
650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/49/D7/wKiom1Qb6WuD4kbzAAD5uBCNJLc221.jpg "Title =" pix12.jpg "alt =" wkiom1qb6wud4kbzaad5ubcnjlc221.jpg "/>
Fig 1.11
This article is from the network blog, please be sure to keep this source http://zznetwork.blog.51cto.com/9398550/1555211
One of the top ten Firewall Configuration Tasks