第二章 防火墙-硬件防火墙.ppt

网络安全网络安全-防火墙防火墙防火墙Cisco PIX和ASA防火墙学习任务v了解Cisco PIX和ASA防火墙基础v掌握PIX的基础配置 v掌握PIX基本的NAT配置 v理解Cisco PIX和ASA的访问控制 重点与难点v重点q了解CiscoIOS防火墙特性 q理解状态包过滤v难点q配置实现CiscoIOS防火墙 Cisco PIX和ASA防火墙概述防火墙Cisco PIX和ASAvCisco安全设备提供了企业级别的安全,其可以用于小型,中型的商务公司和企业网络:q专用的操作系统q状态包检测q基于用户的认证q协议和应用的检测q模块化的策略框架q虚拟防火墙特性q虚拟私用网络VPNqFailover特性q透明防火墙q基于WEB的管理解决方案状态包检测v状态包检测提供了状态型连接安全性.q其跟踪源和目标端口和地址,TCP的序列号和附加的TCP的标记.q为每个连接随机产生的TCP的序列号v 默认情况下,状态包检测算法允许起源自内网主机的通讯.v另外,状态包检测算法会丢弃来自外部不安全网络的连接数据包v状态包检测算法同时还支持认证,授权和计费高级特性.Cut-Through Proxy Operation内网或外内网或外网用户网用户ISP1.用户向用户向ISP发起请求发起请求.2.安全代理检测连接安全代理检测连接.3.在安全设备层在安全设备层,安全代理提安全代理提示用户提供帐号和密码示用户提供帐号和密码.随随后安全代理通过后安全代理通过RADIUS或或TACACS+服务器对用户进服务器对用户进行认证行认证.5.安全设备直接连接到内网或外安全设备直接连接到内网或外网的用户到网的用户到ISP.其通讯处于其通讯处于OSI模型的低层模型的低层.4.安全代理初始化到安全代理初始化到ISP的的连接连接.CiscoSecureSecurity ApplianceUsername and Password RequiredEnter username for CCO at User Name:Password:OKCancelstudent1234563.协议和应用的检测q类似于FTP,HTTP,H.323和SQL的连接需要协商连接并且动态在防火墙上启用源和目标端口.q防火墙在网络层上检测数据包获取会话信息.q防火墙为通过其自己的连接开启合法的client-server的连接端口.FTPServerClientControlPort2008DataPort2010DataPort20ControlPort21Data-Port 2010 Port 2010 OKData虚拟私用网络VPNB A N KSite to SiteRemote AccessIPsec VPNSSL VPNInternetB A N KHeadquarters虚拟防火墙特性v能够在一个防火墙上创建多个虚拟防火墙.Four Physical FirewallsOne Physical FirewallFour Virtual FirewallsInternetInternet透明桥q可以将安全防火墙部署为透明桥模式q提供了丰富的二到七层的安全服务.192.168.1.2192.168.1.5Internet基于WEB的管理解决方案Cisco PIX&ASA 设备防火墙PIX 525前置面板PowerActivePIX 525背板接口Expansion slotsFixed interfacesASA 5550 前置面板PowerStatusActiveFlashVPNASA 5550 背板接口Slot 1Slot 0PowerconnectorConsole port10/100 out-of-bandmanagement portCompactFlashPower switchFour FiberGigabit EthernetportsFour 10/100/1000Gigabit Ethernet portsFour 10/100/1000Gigabit Ethernet ports USB 2.0portsAUX port基本的用户操作接口防火墙访问模式ciscopixciscopix#ciscopix(config)#vCisco防火墙三种主要的管理访问模式:q无特权q特权q配置特权模式ciscopix enablepassword:ciscoasa#enable priv_levelciscopixq进入特权模式Internet全局配置模式configure terminalciscopix#q进入全局配置模式ciscopix enablepassword:ciscopix#configure terminalciscopix(config)#exitciscopix#exitciscopixexitciscopix#退出全局配置模式退出全局配置模式帮助命令ciscopix help?enable Turn on privileged commands exit Exit the current command mode login Log in as a particular user logout Exit from current user profile to unprivileged mode perfmon Change or view performance monitoring options ping Test connectivity from specified interface to an IP address quit Exit the current command modeciscopix help enable USAGE:enable DESCRIPTION:enable Turn on privileged commands文件系统管理防火墙查看和保存配置v如下命令可以让您查看或保存配置:qcopy run startqshow running-configqshow startup-configqwrite memoryqwrite terminal保存改变的配置保存改变的配置:copy run startrunning-configstartup-config(saved)Configuration Changes清除 Running Configurationciscopix(config)#clear configure all清除清除 running configurationciscopix(config)#clear config all清除清除 running configuration:clear config allrunning-config(default)startup-config清除 Startup Configurationciscopix#write erase清除清除 startup configurationciscopix#write erase清除清除 startup configuration:write eraserunning-configstartup-config(default)重载配置q重启防火墙同时载入配置q可以配置计划任务的重启ciscopix#reloadProceed with reload?confirm y Rebooting.reload at hh:mm month day|day month cancel in hh:mm max-hold-time hh:mm noconfirm quick reason text save-configciscopix#文件系统Software imageConfiguration filePrivate data filePDM imageCrash informationRelease 6.0and earlierRelease 7.0and laterSoftware imageConfiguration filePrivate dataASDM imageBackup image*Backup configuration file*Virtual firewall configuration file*Space available查看文件系统q查看目录内容ciscopix#PIX Security Applianceflash:ASAdisk0:disk1:ciscopix#dirDirectory of disk0:/8 -rw-8202240 13:37:33 Jul 28 2006 pix721-k8.bin1264 -rw-5539756 13:21:13 Jul 28 2006 asdm-521.bin62947328 bytes total(49152000 bytes free)dir/all/recursive all-filesystems disk0:|disk1:|flash:|system:Internet选择系统引导文件ciscopix#dirDirectory of disk0:/8 -rw-8202240 13:37:33 Jul 28 2006 pix721-k8.bin1264 -rw-5539756 13:21:13 Jul 28 2006 asdm-521.bin62947328 bytes total(49152000 bytes free)q能够存储一个或多个系统镜像文件q指定那个文件在下一次系统启动时被加载ciscopix(config)#boot system disk0:/pix721-k8.binboot system|config urlciscopix(config)#确认启动镜像文件qDisplay the system boot image.show bootvarciscopix#show bootvarBOOT variable=disk0:/pix721-k8.binCurrent BOOT variable=disk0:/pix622-k9.binCONFIG_FILE variable=Current CONFIG_FILE variable=ciscoapix(config)#ConfiguredRunning10.0.1.11Boot imagedisk0:/pix622-k9.binInternet安全级别防火墙防火墙设备:安全算法q用于实现通过安全设备的状态型连接控制.q通过配置允许one-way(outbound)连接数量.出站的连接是指源自于受保护网络的主机到不安全的外部网络.q监测返回的数据包以确保其有效性.q随机的TCP序列号以最小化受到网络攻击可能.安全级别示例Outside NetworkEthernet0 Security level 0 Interface name=outsideDMZ NetworkEthernet2 Security level 50 Interface name=DMZInside NetworkEthernet1 Security level 100 Interface name=insidee0e2e1Internet防火墙基本配置防火墙基本命令行qhostnameqinterfaceq nameifq ip addressq security-levelq speedq duplexq no shutdowne0e2e1Internet配置主机名ciscopix(config)#q改变主机名配置ciscopix(config)#hostname pix1pix1(config)#hostname newnameNew York(pix1)ServerBoston(pix2)ServerServerDallas(pix3)Internet接口命令interface physical_interface.subinterface|mapped_nameciscopix(config)#pix1(config)#interface Ethernet0pix1(config-if)#q进入到接口配置模式Ethernet0Ethernet2Ethernet1e0e2e1Internet配置接口命名nameif if_nameciscopix(config-if)#pix1(config)#interface Ethernet0pix1(config-if)#nameif outsideq为接口配置名称.Ethernet2 Interface name=dmzEthernet0 Interface name=outsideEthernet1 Interface name=inside e0e2e1Internet配置接口IP地址ip address ip_address mask standby ip_addressciscopix(config-if)#q为接口配置IP地址pix1(config)#interface Ethernet0pix1(config-if)#nameif outsidepix1(config-if)#ip address 192.168.1.2 255.255.255.0Ethernet0 Interface name=outside IP address=192.168.1.2e0e2e1Internet配置接口自动获取地址pix1(config)#interface Ethernet0pix1(config-if)#nameif outside pix1(config-if)#ip address dhcpciscopix(config-if)#ip address dhcp setroute启用接口启用接口DHCP方式自动获取地址方式自动获取地址Ethernet0 Interface name=outside IP address=dhcpe/0DHCP AssignedInternet配置接口的安全级别security-level numberciscopix(config-if)#q为接口配置安全级别pix1(config)#interface Ethernet0pix1(config-if)#nameif outsidepix1(config-if)#ip address 192.168.1.2pix1(config-if)#security-level 0 Ethernet0 Interface name=outside IP address=192.168.1.2 Security level=0e0e2e1Internet同级别的端口通讯q能够让相同级别端口之间进行通讯,或者能够让数据进入离开相同的接口.ciscopix(config)#pix1(config)#same-security-traffic permit inter-interfacesame-security-traffic permit inter-interface|intra-interface DMZ NetworkEthernet2 Security level 100 Interface name=dmze0e2e1InternetInside NetworkEthernet1 Security level 100 Interface name=inside配置接口的速率和双工模式speed 10|100|1000|auto|nonegotiateduplex auto|full|half q配置接口的速率和双工模式ciscopix(config-if)#Ethernet0 Speed=100 Duplex=fulle0e2e1Internetpix1(config)#interface Ethernet0pix1(config-if)#nameif outsidepix1(config-if)#ip address 192.168.1.2pix1(config-if)#security-level 0 pix1(config-if)#speed 100pix1(config-if)#duplex full配置管理接口management-onlyciscopix(config-if)#qDisables management-only mode (for ASA 5520,5540 and 5550)pix1(config)#interface Ethernet3pix1(config-if)#no management-onlyno management-onlyq配置当前的接口仅仅接受管理流量q禁用管理接口Ethernet3 Management only=noe0e2e1Internete3启用和禁用接口qDisables management-only mode (for ASA 5520,5540 and 5550)pix1(config)#interface Ethernet0pix1(config-if)#no shutdownshutdownq禁用接口qno shutdown=enabledciscopix(config-if)#Ethernet0 Enablede0e2e1Internet配置基本的NAT防火墙网络地址转换Inside LocalOutside Mapped Pool10.0.0.11192.168.0.2010.0.0.1110.0.0.4Translation Table10.0.0.11192.168.0.20192.168.10.11NATInternet启用NATpix1(config)#nat-control 启用或禁用启用或禁用NAT的配置需求的配置需求Inside LocalOutside Mapped Pool10.0.0.11192.168.0.2010.0.0.1110.0.0.4Translation Table10.0.0.11192.168.0.20200.200.200.11NATInternetnat Commandnat(if_name)nat_id address netmask dnsciscopix(config)#q启用IP地址转换pix1(config)#nat(inside)1 0.0.0.0 0.0.0.010.0.1.1110.0.1.410.0.1.11X.X.X.XNATInternetglobal Commandq当内部网络主机访问到外网时,基与nat命令共同工作,用于分配公网的或已注册的IP地址给内部主机.pix1(config)#nat(inside)1 0.0.0.0 0.0.0.0pix1(config)#global(outside)1 192.168.1.20-192.168.1.254global(if_name)nat_id mapped_ip-mapped_ipnetmask mapped_mask|interfaceciscopix(config)#10.0.1.1110.0.1.410.0.1.11192.168.1.20NATInternet配置静态路由route if_name ip_address netmask gateway_ip metricciscopix(config)#q为接口定义静态或默认路由pix1(config)#route outside 0.0.0.0 0.0.0.0 192.168.1.1 1pix1(config)#route inside 10.1.1.0 255.255.255.0 10.0.1.102 1192.168.1.110.1.1.1110.1.1.4Default Route10.0.1.102Static RouteInternet配置名称到IP地址映射pix1(config)#namespix1(config)#name 172.16.1.2 bastionhostpix1(config)#name 10.0.1.11 insidehostq配置名称到IP地址的映射name ip_address nameciscopix(config)#.2.110.0.1.0.1Internet“bastionhost”172.16.1.2172.16.1.0.11“insidehost”10.0.1.11查看NAT配置pix1#show running-config natnat(inside)1 0.0.0.0 0.0.0.0pix1#查看单个主机或是主机地址范围的转换项查看单个主机或是主机地址范围的转换项ciscopix#show run nat10.0.1.1110.0.1.410.0.1.XX.X.X.XNATInternet查看nat global配置pix1#show run globalglobal(outside)1 192.168.1.20-192.168.1.254 netmask 255.255.255.0查看映射地址池查看映射地址池ciscopix#show run globalMapped Pool192.168.1.20-192.168.1.25410.0.1.1110.0.1.410.0.1.XInternet查看nat转换项pix1#show xlate1 in use,1 most usedGlobal 192.168.1.20 Local 10.0.1.11查看查看nat转换项内容转换项内容ciscopix#show xlate192.168.1.2010.0.1.1110.0.1.410.0.1.11Inside localOutside mapped pool10.0.1.11192.168.1.20Xlate TableInternet查看路由pix1(config)#show routeS 0.0.0.0 0.0.0.0 1/0 via 192.168.1.1,outsideC 10.0.1.0 255.255.255.0 is directly connected,insideC*127.0.0.0 255.255.0.0 is directly connected,cplaneC 172.16.1.0 255.255.255.0 is directly connected,dmzC 192.168.1.0 255.255.255.0 is directly connected,outsidee0e2e1Internet10.0.1.0192.168.1.0.1172.16.1.0查看路由查看路由ciscopix#show route interface_name ip_address netmask static 使用ping命令q确定目标主机是否处于active状态pix1#ping 10.0.1.11Sending 5,100-byte ICMP Echos to 10.0.1.11,timeout is 2 seconds:!Success rate is 100 percent(5/5),round-trip min/avg/max=10/12/20 msping if_name host data pattern repeat count size bytes timeout seconds validate ciscopix#10.0.1.1110.0.1.4Internet路由跟踪pix1#traceroute 172.26.26.20traceroute destination_ip|hostname source source_ip|source-interface numeric timeout timeout_value probe probe_num ttl min_ttl max_ttl port port_value use-icmp ciscopix#q确定数据包如何到目标网络Internet配置示例pix1(config)#write terminal.interface Ethernet0 speed 100 duplex full nameif outside security-level 0 ip address 192.168.1.2 255.255.255.0interface Ethernet1 speed 100 duplex full nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0.Ethernet0 Interface name=outside Security level=0 IP address=192.168.1.2Ethernet1 Interface name=inside Security level=100 IP address=10.0.1.1172.16.1.0.110.0.1.0.1192.168.1.0.210.1.1.0.1Internet配置示例(Cont.)interface Ethernet2 nameif dmz security-level 50 speed 100 duplex full ip address 172.16.1.1 255.255.255.0 hostname asa1 names name 172.16.1.2 bastionhost name 10.1.1.11 insidehost172.16.1.0.110.0.1.0.1192.168.1.0.210.1.1.0.1Ethernet2 Interface name=dmz Security level=50 IP address=172.16.1.1“insidehost”10.1.1.11“bastionhost”172.16.1.2Internet配置示例(Cont.)nat-controlnat(inside)1 0.0.0.0 0.0.0.0 0 0global(outside)1 192.168.1.20-192.168.1.254route outside 0.0.0.0 0.0.0.0 192.168.1.1 1route inside 10.1.1.0 255.255.255.0 10.0.1.102 110.0.0.0Mapped Pool192.168.1.20-254172.16.1.0.2.1.102“insidehost”10.1.1.11“bastionhost”172.16.1.210.0.1.0.1192.168.1.0.2.110.1.1.0.1Default RouteStatic RouteInternet确认防火墙状态防火墙查看当前配置和接口信息pix1#show interface Interface Ethernet0 inside,is up,line protocol is up Hardware is i82559,BW 100 Mbps Auto-Duplex(Full-duplex),Auto-Speed(100 Mbps)MAC address 0000.ab6e.c400,MTU 1500 IP address 192.168.1.1,subnet mask 255.255.255.0 12 packets input,0 bytes,0 no buffer Received 9 broadcasts,0 runts,0 giants 0 input errors,0 CRC,0 frame,0 overrun,0 ignored,0 abort 6 L2 decode drops 0 packets output,0 bytes,0 underruns 0 output errors,0 collisions,0 interface resets 0 babbles,0 late collisions,0 deferred 0 lost carrier,0 no carrier input queue(curr/max blocks):hardware(128/128)software(0/8)output queue(curr/max blocks):hardware(0/0)software(0/0)pix1#show run interface.interface Ethernet0 speed 100 duplex full nameif outside security-level 0 ip address 192.168.1.2 255.255.255.0!interface Ethernet1 speed 100 duplex full nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0.show run interfaceshow interface查看内存使用pix1#show memoryFree memory:468962336 bytes(87%)Used memory:67908576 bytes(13%)-Total memory:536870912 bytes(100%)ciscopix#show memory查看CPU使用率pix1#show cpu usageCPU utilization for 5 seconds=0%;1 minute:0%;5 minutes:0%ciscopix#show cpu usage10.0.1.1110.0.1.4Internet查看系统版本q显示防火墙的系统版本信息,工作时间,最后一次启动,处理器类型,存储器类型,接口,序列 号和激活key等重要信息.pix1#show version Cisco PIX Security Appliance Software Version 7.2(2)Compiled on Wed 22-Nov-06 14:16 by buildersSystem image file is Unknown,monitor mode tftp booted imageConfig file at boot was startup-configpix1 up 7 mins 29 secsHardware:PIX-525,128 MB RAM,CPU Pentium II 300 MHzFlash E28F128J3 0 xfff00000,16MBBIOS Flash AM29F400B 0 xfffd8000,32KB 0:Ext:Ethernet0 :address is 0000.ab6e.c400,irq 9 1:Ext:Ethernet1 :address is 0000.ab6e.c401,irq 11 2:Ext:Ethernet2 :address is 0000.ab6e.c402,irq 11 3:Ext:Ethernet3 :address is 0000.ab6e.c403,irq 11 4:Ext:Ethernet4 :address is 0000.ab6e.c404,irq 11查看IP地址信息pix1#show ip address System IP Addresses:Interface Name IP address Subnet mask Method Ethernet0 inside 192.168.1.1 255.255.255.0 manualEthernet1 outside 202.102.1.1 255.255.255.0 manualCurrent IP Addresses:Interface Name IP address Subnet mask Method Ethernet0 inside 192.168.1.1 255.255.255.0 manualEthernet1 outside 202.102.1.1 255.255.255.0 manualInternet192.168.1.010.0.1.010.1.1.0172.16.1.0.2.1.1.1查看接口命名信息pix1#show nameif Interface Name SecurityEthernet0 inside 0Ethernet1 outside 100Ethernet2 dmz 50Ethernet0 Interface name=outside Security level=0Ethernet2 Interface name=dmz Security level=50Ethernet1 Interface name=inside Security level=100e0e2e1Internet总结v你都掌握了吗？qCisco PIX和ASA防火墙基础qPIX的基础配置 qCisco PIX和ASA的访问控制结束语谢谢！