13. Huawei H3C small and medium-sized enterprise network architecture construction [Firewall chapter: security policy deployment]

Topology

Hands-on

The topology image can be saved locally and enlarged for a clearer view. (Drag it into a new window to open it.)

Firewall chapter: security policy deployment

Let's analyze which technologies need to be deployed on the firewall. The firewall's job is to protect the internal network by inspecting traffic, and it does so by dividing the network into zones. When the Trust zone (high priority) accesses the Untrust zone (low priority, i.e. the ISP network), everything is allowed: the firewall dynamically creates a session (state) entry, and when the reply packets return from outside they are released according to that session state. When the ISP network wants to actively access the inside, however, the inbound traffic from the low-priority zone to the high-priority zone is denied unless a policy opens it, so the first thing we need to do is the policy. Next, the internal network uses private addresses throughout; to reach the ISP, private addresses must be translated to public addresses, so NAT must be deployed, and services published to the outside [such as Web, FTP, etc.] require NAT Server. With multiple ISPs we want load sharing or backup, so we must deploy policy-based routing, static routes, floating routes, and NQA or IP-Link to dynamically detect link status and switch over automatically. In addition, branch offices and employees on business trips need to access the company intranet, so VPN technology is needed as well. In summary: 1. Deploy policies. 2. Deploy NAT. 3. Deploy dual-ISP egress routing and automatic switchover. 4. Deploy ***

9.1 Policy deployment

Note: The factory default policies differ between USG models. For example, on the USG 5500 the default denies traffic, so permit policies must be configured or traffic will not pass; only some Local-to-Trust traffic is permitted by default. On the USG 2200 series the default is Permit, so no policy is needed for traffic to pass. If you are unsure, check with the display firewall packet-filter default all command.

image001.jpg

You can see that only a few are Permit and the rest are deny by default. Before deploying, you must first understand directionality; only with that understanding can you deploy policies correctly.

What are inbound and outbound traffic?

First of all, inbound and outbound are defined by zone priority. Traffic from a high-priority zone to a low-priority zone is outbound, for example Trust to Untrust, i.e. from the internal network to the external network. Traffic from a low-priority zone to a high-priority zone is inbound, i.e. Untrust to Trust, the external network actively accessing the internal network.

1. Suppose we need to access the external network. The Trust-to-ISP interzone is deny by default, so we need to permit the outbound traffic from Trust to ISP in order to access the external network normally (assuming NAT has been deployed).
2. Suppose we map a Web service to the external network. Then the ISP's traffic arrives at Trust or DMZ, so we need to permit the inbound traffic from ISP to Trust or DMZ.


Factors to be considered for deployment

1. Is time control needed, for example only allowing employees to access the external network or specific resources during a specified period?
2. Do certain IPs need to be excluded from accessing the external network?
3. Are logging or traffic statistics needed?

9.1.1 Specific implementation configuration [Internet access strategy]

1. NTP
Why deploy NTP? The main reason is that time control requires accurate time. If the device's battery is dead, the time is not kept and will be wrong, and with a wrong clock, time-based policies become meaningless.
As for the NTP server, you can search Baidu for one; there are several public servers in China, and you can also set up a server on the intranet.
[USG-GW] ntp-service unicast-server 192.168.88.251
The USG will synchronize with the time server periodically. If the server requires authentication, the authentication function needs to be enabled; public servers generally have no authentication.


2. Define a time range.
We want all departments except Boss to be able to access the public network during off-duty hours, and Boss has no restrictions. [The requirement can be adjusted to the actual situation.]
[USG-GW]time-range access-internet-control-1 12:00 to 13:30 working-day
[USG-GW]time-range access-internet-control-1 17:00 to 23:59 working-day
[USG-GW]time-range access-internet-control-1 00:00 to 8:50 working-day
[USG-GW]time-range access-internet-control-1 00:00 to 23:59 off-day
Description: A total of 4 entries are defined. On weekdays, apart from the noon break, the Internet can also be accessed during off-duty hours, but not during working hours; on weekends it is open all day. Adjust this to your own needs.

3. Custom policy
Description: There are 2 ISPs in this deployment, and the zones were defined as custom zones earlier, so here it is not Untrust but ISP_dx and ISP_lt.
Intranet to China Telecom ISP policy
[USG-GW]policy interzone trust isp_dx outbound
[USG-GW-policy-interzone-trust-isp_dx-outbound]policy 1
[USG-GW-policy-interzone-trust-isp_dx-outbound-1]policy source 192.168.20.0 mask 24
[USG-GW-policy-interzone-trust-isp_dx-outbound-1]action permit
[USG-GW-policy-interzone-trust-isp_dx-outbound-1]quit
[USG-GW-policy-interzone-trust-isp_dx-outbound]policy 2
[USG-GW-policy-interzone-trust-isp_dx-outbound-2]policy source 192.168.0.0 mask 16
[USG-GW-policy-interzone-trust-isp_dx-outbound-2]policy time-range access-internet-control-1
[USG-GW-policy-interzone-trust-isp_dx-outbound-2]action permit
Note: This defines Trust's outbound traffic to isp_dx, that is, high-priority to low-priority traffic. Two policies are set: the first permits directly when the source matches 192.168.20.0 [this segment is the BOSS segment], and the next matches all intranet segments and invokes the time range. The effect is that BOSS is never restricted by time, because policies are matched in order from top to bottom and matching stops at the first hit, so BOSS traffic leaves via Policy 1 without being affected by Policy 2.
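To make the ordering argument concrete, here is an added Python model of how the USG evaluates this interzone policy list (it is example code written for this page, not Huawei's implementation or the original post's code). It parses the four time-range lines from step 2, decides direction from zone priority as described in the inbound/outbound section, and walks the policy list top to bottom, first match wins, default deny. The zone priority numbers, the 2021-03-04 (a Thursday) and 2021-03-06 (a Saturday) sample timestamps, and treating the end time of a period as inclusive are assumptions for the simulation.

```python
"""Simulate first-match evaluation of Huawei USG interzone policies with time-ranges (example model)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Zone priorities: assumed values, the page only states that Trust is higher than the ISP zones.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "isp_dx": 10, "isp_lt": 5}


def direction(src_zone: str, dst_zone: str) -> str:
    """Outbound = higher-priority zone to lower-priority zone; inbound = the reverse."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


def _hhmm(text: str) -> time:
    """Accept '8:50' as well as '08:50', as the USG CLI does."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


@dataclass
class TimeRange:
    periods: List[Tuple[time, time, str]]  # (start, end, working-day | off-day | daily)

    def active(self, when: datetime) -> bool:
        """A time-range is active if any of its periods covers the given moment."""
        for start, end, day_kind in self.periods:
            day_ok = (day_kind == "daily"
                      or (day_kind == "working-day" and when.weekday() < 5)
                      or (day_kind == "off-day" and when.weekday() >= 5))
            if day_ok and start <= when.time() <= end:  # end treated as inclusive (assumption)
                return True
        return False


def parse_time_range_lines(lines: List[str]) -> dict:
    """Parse 'time-range NAME HH:MM to HH:MM {working-day|off-day|daily}' into TimeRange objects."""
    ranges = {}
    for line in lines:
        _, name, start, _, end, day_kind = line.split()
        ranges.setdefault(name, TimeRange([])).periods.append((_hhmm(start), _hhmm(end), day_kind))
    return ranges


@dataclass
class Policy:
    number: int
    source: IPv4Network
    action: str
    time_range: Optional[str] = None  # name of a time-range, or None for always-on


def evaluate(policies: List[Policy], ranges: dict, src_ip: str, when: datetime,
             default_action: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, matched policy number). Policies are checked in order; the first hit wins.
    No hit falls through to the interzone default (deny on a USG 5500 factory config)."""
    ip = ip_address(src_ip)
    for policy in policies:
        if ip not in policy.source:
            continue
        if policy.time_range and not ranges[policy.time_range].active(when):
            continue  # policy is inactive at this moment, keep looking
        return policy.action, policy.number
    return default_action, None


def active_policy_numbers(policies: List[Policy], ranges: dict, when: datetime) -> List[int]:
    """Mirror of the 'inactive' column seen in the page's display output."""
    return [p.number for p in policies if not p.time_range or ranges[p.time_range].active(when)]


def at(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


# The page's configuration, transcribed (mask 24 -> /24, mask 16 -> /16).
TIME_RANGE_CONFIG = [
    "time-range access-internet-control-1 12:00 to 13:30 working-day",
    "time-range access-internet-control-1 17:00 to 23:59 working-day",
    "time-range access-internet-control-1 00:00 to 8:50 working-day",
    "time-range access-internet-control-1 00:00 to 23:59 off-day",
]
RANGES = parse_time_range_lines(TIME_RANGE_CONFIG)
TRUST_TO_ISP_DX_OUTBOUND = [
    Policy(1, ip_network("192.168.20.0/24"), "permit"),                              # BOSS segment
    Policy(2, ip_network("192.168.0.0/16"), "permit", "access-internet-control-1"),  # everyone else
]

if __name__ == "__main__":
    # Constructed sample hosts: 192.168.20.5 is in the BOSS segment, 192.168.30.5 is a normal staff host.
    for host, moment in [("192.168.20.5", "2021-03-04 10:00"), ("192.168.30.5", "2021-03-04 10:00"),
                         ("192.168.30.5", "2021-03-04 12:30"), ("192.168.30.5", "2021-03-06 10:00")]:
        print(host, moment, direction("trust", "isp_dx"),
              evaluate(TRUST_TO_ISP_DX_OUTBOUND, RANGES, host, at(moment)))
    print("active at Thu 10:00:", active_policy_numbers(TRUST_TO_ISP_DX_OUTBOUND, RANGES, at("2021-03-04 10:00")))
```

At Thursday 10:00 the BOSS host is permitted by policy 1 while a staff host falls through to the default deny, because policy 2 is inactive outside the time range, which is exactly the "inactive" state the verification screenshots show. Swapping the two policies would put the BOSS segment under the time range as well, which is why the order matters.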

Verifying the policy

Note: NAT has not been deployed here, so it cannot actually be used yet, but you can check whether the policy takes effect.

image002.png

You can see that there are 2 policies and no matches so far.

image003.png

You can see that it is now inactive, i.e. not in effect.

image004.png

That is because it is 10 o'clock on Thursday morning, which is outside the time range.

Intranet to China Unicom ISP policy [only the configuration is given here; it is consistent with the above]

image005.png


Source: blog.51cto.com/ccieh3c/2642993