Security Zone: The Juniper firewall introduces the concept of a security zone, a logical structure that groups several physical interfaces belonging to the same trust domain. Traffic between different security zones must pass a predefined policy check before it is forwarded. Traffic within a single security zone is, by default, forwarded without a policy check; intra-zone policy checking can be enabled by configuration, which raises security further.
The security zone concept makes firewall configuration more flexible and lets it fit an existing network layout. In the following figure, for example, security zones are configured so that communication between different departments on the intranet must pass a policy check, which further improves the security of the system.
Interface: Traffic enters and leaves a security zone through physical interfaces and sub-interfaces. For traffic to flow into or out of a security zone, an interface must be bound to that zone; if the zone is a Layer 3 zone, the interface must also be assigned an IP address.
Virtual Router: The Juniper firewall supports virtual router technology. Within a single firewall device, the original single router with a single routing table becomes multiple virtual routers, each with its own independent routing table, improving both the security of the firewall system and the flexibility of IP address configuration.
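As an added example (not configuration from the original article), the following ScreenOS-style CLI fragment shows how the three concepts above fit together: two custom Layer 3 zones for departments, interfaces bound to them with IP addresses, a second virtual router holding those zones, and intra-zone blocking switched on so that even same-zone traffic is policy-checked. The zone names, interface names, virtual router name and addresses are assumed for illustration; lines beginning with `#` are explanatory comments, not CLI input.

```screenos
# Added example, not the article's own configuration (ScreenOS-style CLI).
# All names and addresses below are assumed for illustration.

# A second virtual router with its own independent routing table
set vrouter name "dept-vr"

# Two custom Layer 3 zones, one per department, placed in the new virtual router
set zone name "Finance"
set zone name "Engineering"
set zone "Finance" vrouter "dept-vr"
set zone "Engineering" vrouter "dept-vr"

# Bind interfaces to zones; a Layer 3 zone needs an IP address on the interface
set interface ethernet1 zone "Finance"
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet2 zone "Finance"
set interface ethernet2 ip 10.1.3.1/24
set interface ethernet3 zone "Engineering"
set interface ethernet3 ip 10.1.2.1/24

# Finance hosts behind ethernet1 and ethernet2 are in the same zone, so by
# default they reach each other with no policy check. Intra-zone blocking makes
# same-zone traffic subject to policy too; only HTTP is then permitted, and logged.
set zone "Finance" block
set policy from "Finance" to "Finance" any any "HTTP" permit log

# Engineering to Finance is cross-zone, so it is dropped unless a policy permits it
set policy from "Engineering" to "Finance" any any "HTTP" permit log
```

The check to make after applying such a configuration is that the interfaces really landed in the intended zone and virtual router (`get zone` and `get vrouter` on ScreenOS), because an interface left in the default zone silently bypasses the department separation the figure describes.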
Security Policy: When defining a policy on a Juniper firewall, the essential settings are the source IP address, the destination IP address, the network service, and the firewall action. For the network service, the Juniper firewall has a large number of common network service types built in by default, and the customer can also define custom network services.
When a customer defines a custom service on the firewall, they select the protocol of the service (TCP, UDP, or other), define the source port or port range and the destination port or port range, and set the idle timeout that applies to the service when no traffic is flowing. Combining service definitions with IP address definitions makes Juniper firewall policies considerably more expressive and improves security.
Beyond these key parameters, a policy can also define user authentication, whether address translation is performed, bandwidth management, and so on. By controlling these main security elements and the additional ones, the system administrator can strictly control the data traffic entering and leaving the firewall and so protect the resources of the intranet.
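As an added example (not configuration from the original article), the following ScreenOS-style CLI fragment defines a custom TCP service with an idle timeout, creates the address objects a policy refers to, and then writes policies that carry the four key parameters (source, destination, service, action) plus the extra elements the text mentions: source address translation, user authentication, logging and bandwidth management. Zone, address and service names, the addresses, and the policy ids are assumed for illustration; lines beginning with `#` are comments, not CLI input.

```screenos
# Added example, not the article's own configuration (ScreenOS-style CLI).
# Names, addresses and policy ids below are assumed for illustration.

# Custom service: TCP, any source port, destination port 8443,
# idle timeout of 10 minutes when no traffic is seen on the session
set service "mgmt-8443" protocol tcp src-port 0-65535 dst-port 8443-8443 timeout 10

# Address objects referenced by the policies
set address "Trust" "lan-net" 10.1.1.0 255.255.255.0
set address "Untrust" "mgmt-srv" 192.0.2.50 255.255.255.255

# Policy 10: source, destination, service and action, plus source NAT,
# user authentication before the session is allowed, and logging.
# Cross-zone traffic matched by no policy is dropped.
set policy id 10 from "Trust" to "Untrust" "lan-net" "mgmt-srv" "mgmt-8443" nat src permit auth log

# Policy 11: bandwidth management on web traffic, 512 kbps guaranteed and
# 2048 kbps maximum at the highest priority (traffic-shaping keywords are
# assumed from ScreenOS traffic-shaping syntax; verify on your release)
set policy id 11 from "Trust" to "Untrust" "lan-net" any "HTTP" permit traffic gbw 512 priority 0 mbw 2048 log
```

Keeping the destination narrowed to a single address object and the service narrowed to one port, rather than `any`/`any`, is what turns the policy from a routing statement into a security control; the `log` keyword is what gives incident responders a record of which sessions the policy actually permitted.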
Mapped IP (MIP): A MIP is a one-to-one mapping from one IP address to another. When the firewall receives an inbound data stream whose destination address is a MIP, the firewall forwards the data to the mapped host under policy control; when the MIP-mapped host initiates an outbound data stream, the firewall, again under policy control, translates the host's source IP address to the MIP address.
Virtual IP (VIP): A VIP is a mapping between the different ports (protocol ports such as 21, 25, 110, etc.) of one public IP address on the firewall's external side and the service ports of several internal private IP addresses. It is typically used where a site has only a few public IP addresses but many servers on private addresses, and those servers must provide a variety of services to the outside.
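As an added example (not configuration from the original article), the following ScreenOS-style CLI fragment contrasts the two mechanisms: a MIP that maps one public address one-to-one to one internal mail host in both directions, and a VIP that fans the ports 21, 25 and 110 of a single public address out to three different internal hosts. Both still need explicit permit policies, which is where the page's "policy control" lives. The interface name, the virtual router name, and all addresses are assumed for illustration (ethernet3 is taken to be the Untrust interface holding 192.0.2.1/24); lines beginning with `#` are comments, not CLI input.

```screenos
# Added example, not the article's own configuration (ScreenOS-style CLI).
# Interface, virtual router and address values are assumed for illustration;
# ethernet3 is assumed to be the Untrust interface with address 192.0.2.1/24.

# MIP: public 192.0.2.10 <-> internal 10.1.1.10, one-to-one, in the Trust router
set interface ethernet3 mip 192.0.2.10 host 10.1.1.10 netmask 255.255.255.255 vr "trust-vr"

# Inbound: traffic to the MIP is forwarded to the host only if a policy permits it;
# here only SMTP is allowed and logged
set policy from "Untrust" to "Trust" any MIP(192.0.2.10) "SMTP" permit log

# Outbound: sessions the mapped host initiates get 192.0.2.10 as source address,
# again only for the services a policy permits
set address "Trust" "mail-srv" 10.1.1.10 255.255.255.255
set policy from "Trust" to "Untrust" "mail-srv" any "SMTP" permit log

# VIP: one public address, three destination ports, three different internal hosts
set interface ethernet3 vip 192.0.2.11 21 "FTP" 10.1.1.21
set interface ethernet3 vip 192.0.2.11 25 "SMTP" 10.1.1.25
set interface ethernet3 vip 192.0.2.11 110 "POP3" 10.1.1.26

# Each mapped service needs its own permit policy; ports with no VIP entry and
# no policy are not reachable through 192.0.2.11 at all
set policy from "Untrust" to "Trust" any VIP(192.0.2.11) "FTP" permit log
set policy from "Untrust" to "Trust" any VIP(192.0.2.11) "SMTP" permit log
set policy from "Untrust" to "Trust" any VIP(192.0.2.11) "POP3" permit log
```

The practical difference for exposure is that a MIP exposes every port of the internal host that a policy permits, while a VIP exposes only the individual port-to-host mappings that were created, so the VIP entries themselves are part of the attack-surface inventory and should be reviewed alongside the policies.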