Juniper-SRX-技术文档-SecurityPolicies

pandoraeyes
1 ℃
2020-01-14

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

SecurityPoliciesChapterTitleINTERNALUSEONLYSecurityPolicies2©2008JuniperNetworks,Inc.Allrightsreserved.WhatisaSecurityPolicy?Asecuritypolicyisasetofstatementsthatcontrolstrafficfromaspecifiedsourcetoaspecifieddestinationusingaspecifiedservice.Ifapacketarrivesthatmatchesthosespecifications,theservicesgatewayperformstheactionspecifiedinthepolicy.Networksecuritypoliciesarehighlyvaluableforsecurenetworkfunctionality.Networksecuritypoliciesoutlineallnetworkresourceswithinabusinessandtherequiredsecuritylevelforeachresource.JUNOSsoftwareprovidesasetoftoolstoimplementanetworksecuritypolicywithinyourorganization.Securitypoliciesenforceasetofrulesfortransittraffic,identifyingwhichtrafficcanpassthroughthefirewallandtheactionstakenonthetrafficasitpassesthroughthefirewall.INTERNALUSEONLYSecurityPolicies©2008JuniperNetworks,Inc.Allrightsreserved.3Review:PacketFlowTheslidereviewspacketflowthroughtheflowmoduleofanSRX-seriesservicesgateway.Whentheservicesgatewayexaminesthefirstpacketofaflow,basedonincomingandoutgoingzones,itdeterminesthecorrespondingsecuritypolicy,anditperformsasecuritypolicylookup.Thesystemchecksthepacketagainstpoliciesthataredefinedtodeterminehowthepacketistobetreated.INTERNALUSEONLYSecurityPolicies4©2008JuniperNetworks,Inc.Allrightsreserved.TransitTrafficExaminationJUNOSsoftwarefortheSRX-seriesservicesgatewayalwaysexaminestransittrafficbyusingsecuritypolicies.Asillustratedontheslide,shouldnomatchexistinthesecuritypolicy,thedefaultsecuritypolicyappliestothepacket.Wehighlightthedefaultsecuritypolicyinasubsequentslide.INTERNALUSEONLYSecurityPolicies©2008JuniperNetworks,Inc.Allrightsreserved.5host-inbound-trafficExaminationIftrafficisdestinedtotheservicegateway’sincominginterface,securitypoliciesarenotapplicable.Theonlyexaminationthattakesplaceisthelistofservicesandprotocolsallowedintothatinterfaceusingthehost-inbound-trafficstatementwithinazonedefinition.Theservicesgatewayexaminessecuritypoliciesiftrafficisdestinedtoanyinterfaceotherthantheincominginterface.Thisprocessistrueregardlessofwhethertheincominginterfaceandthedestinationinterfaceareinthesamezone(intrazonetraffic)orindifferentzones(interzonetraffic).Theflowchartontheslideillustratestheorderofpacketexamination.Whentheservicesgatewayreceivestrafficdestinedtoitself,itfirstexamineswhetherthetrafficisdestinedtotheincominginterface.Ifso,thepolicyexaminationisskipped.Otherwise,thecorrespondingsecuritypoliciesevaluatethetraffic.Ifnopolicymatchexistsforthetraffic,thedefaultpolicyactionapplies.Wediscussthedefaultsecuritypolicyonthenextslide.Iftrafficmatchesasecuritypolicyandthetrafficispermitted,theservicesgatewaythenexaminesthelistofservicesandprotocolsspecifiedtobeallowedintothedestinationinterfacewithinthecorrespondingzone,andappliesthecorrespondingaction.INTERNALUSEONLYSecurityPolicies6©2008JuniperNetworks,Inc.Allrightsreserved.System-DefaultSecurityPolicyBydefault,JUNOSsoftwaredeniesalltrafficthroughtheservicesgateway.Infact,animplicitdefaultsecuritypolicyexiststhatdeniesallpackets.Youcanchangethisbehaviorbyconfiguringastandardsecuritypolicythatpermitscertaintypesoftrafficorbyconfiguringthedefaultpolicytopermitalltraffic.[editsecuritypolicies]user@host#setdefault-policypermit-all[editsecuritypolicies]user@host#Factory-DefaultSecurityPoliciesThefactory-defaultconfigurationfilehasthreepreconfiguredsecuritypolicies(nottobeconfusedwiththesystem-defaultsecuritypolicydiscussedinthepreviousparagraph).Thesepoliciesarethefollowing:1.Trust-to-trustzonepolicypermitsallintrazonetrafficwithinthetrustzone;2.Trust-to-untrustzonepolicypermitsalltrafficfromthetrustzonetotheuntrustzone;and3.Untrust-to-trustzonepolicydeniesalltrafficfromtheuntrustzonetothetrustzone.INTERNALUSEONLYSecurityPolicies©2008JuniperNetworks,Inc.Allrightsreserved.7SecurityPolicyConceptualExampleWenowexamineanexampleofapacketflowthroughanSRX-seriesservicesgateway.Theservicesgateway’sinterfacesareseparatedintothreesecurityzones—private,external,andpublic.ThebusinessrequirementcallsforanSSHapplicationtobeallowedfromHostB,locatedintheprivatezone,toHostD,locatedintheexternalzone.Tomeettherequirement,wecreatedthesecuritypolicyillustratedontheslide.Thefollowingisthesequenceofeventsthattakesplace:1.HostBinitiatestheSSHsessiontoHostD.2.Theservicesgatewayreceivestrafficandexaminesitusingitssecuritypolicyfromtheprivatezonetotheexternalzone.Thesecuritypolicypermitsthattraffic.3.TheHostB-to-HostDflowtriggersthecreationofthereverseflowfromHostDtoHostB.Theslideidentifiesthecontentsofthisnewlyformedsession.Itconsistsoftwoflows—sourcetodestinationanddestinationtosource.4.HostDsendsthereturntraffic,fromHostDtoHostB.Theservicesgateway,usingapre-createdsession,permitsthereturntrafficthroughtoHostB.INTERNALUSEONLYSecurityPolicies8©2008JuniperNetworks,Inc.Allrightsreserved.PolicyOrderingAspoliciesareexecutedintheorderoftheirappearanceintheconfigurationfile,youshouldbeawareofthefollowing:•Policyorderisimportant.•Newpoliciesareaddedtotheendofthepolicylist.•YoucanchangetheorderofpoliciesintheconfigurationfileusingtheJUNO