
Defense and Protection Assignment 1

Topology

Requirements
1. VLAN 2 is the office area; VLAN 3 is the production area.
2. Office PCs may access OA during working hours (Mon-Fri 08:00-18:00) and not at other times.
3. Office PCs may access Web at any time.
4. Production PCs may access OA at any time.
Exception: production PC3 may access Web on Monday 10:00-11:00 to update product information.

Requirement analysis
1. Configure IP addresses according to the topology. Add sub-interfaces on GE1/0/1 of FW1, assign 192.168.1.126 and 192.168.1.254 to the trust zone, and assign 10.0.0.254 to the dmz zone.
2. Divide VLANs on LSW1: VLAN 2 on GE0/0/2 (gateway 192.168.1.126); VLAN 3 on GE0/0/3 and GE0/0/4 (gateway 192.168.1.254).
3. Configure the security policies on FW1.

Configuration
Switches
SW1

[SW1]vlan 2
[SW1-vlan2]vlan 3
[SW1-GigabitEthernet0/0/1]port link-type trunk 
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all 

SW2

[SW2]vlan 2
[SW2]vlan 3
[SW2-GigabitEthernet0/0/1]port link-type trunk 
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]port link-type access 
[SW2-GigabitEthernet0/0/2]port default vlan 2
[SW2-GigabitEthernet0/0/3]port link-type access 
[SW2-GigabitEthernet0/0/3]port default vlan 3
[SW2-GigabitEthernet0/0/4]port link-type access 
[SW2-GigabitEthernet0/0/4]port default vlan 3

Firewall

CLI configuration

[FW1]ip address-set BG
[FW1-object-address-set-BG]address 192.168.1.0 mask 25
[FW1]security-policy
[FW1-policy-security]rule name policy_1
[FW1-policy-security-rule-policy_1]description BG_to_OA
[FW1-policy-security-rule-policy_1]source-zone trust
[FW1-policy-security-rule-policy_1]destination-zone dmz
[FW1-policy-security-rule-policy_1]source-address address-set BG
[FW1-policy-security-rule-policy_1]destination-address address-set "OA Server"
[FW1-policy-security-rule-policy_1]time-range worktime
[FW1-policy-security-rule-policy_1]action permit

GUI configuration

fw

CLI configuration

IP addresses and zone assignment

[fw]interface GigabitEthernet 0/0/0
[fw-GigabitEthernet0/0/0]ip address 172.25.254.100 24
[fw-GigabitEthernet0/0/0]service-manage all permit 
[fw]interface GigabitEthernet 1/0/1.1
[fw-GigabitEthernet1/0/1.1]ip address 192.168.1.126 25
[fw-GigabitEthernet1/0/1.1]vlan-type dot1q 2
[fw-GigabitEthernet1/0/1.1]service-manage ping permit 
[fw]interface GigabitEthernet 1/0/1.2
[fw-GigabitEthernet1/0/1.2]ip address 192.168.1.254 25
[fw-GigabitEthernet1/0/1.2]vlan-type dot1q 3
[fw-GigabitEthernet1/0/1.2]service-manage ping permit 
[fw]interface GigabitEthernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 10.0.0.254 24
[fw]firewall zone trust 
[fw-zone-trust]add interface GigabitEthernet 1/0/1.1
[fw-zone-trust]add interface GigabitEthernet 1/0/1.2
[fw]firewall zone dmz 
[fw-zone-dmz]add interface GigabitEthernet 1/0/0

Office PCs may access OA during working hours (Mon-Fri 08:00-18:00) and not at other times

[fw]ip address-set bg type object
[fw-object-address-set-bg]address 192.168.1.0 mask 25
[fw]ip address-set oa type object 
[fw-object-address-set-oa]address 10.0.0.1 mask 32
[fw]time-range worktime
[fw-time-range-worktime]period-range 08:00:00 to 18:00:00 working-day 
[fw]security-policy
[fw-policy-security]rule name policy_1
[fw-policy-security-rule-policy_1]description bg_to_oa
[fw-policy-security-rule-policy_1]source-zone trust
[fw-policy-security-rule-policy_1]destination-zone dmz 
[fw-policy-security-rule-policy_1]source-address address-set bg
[fw-policy-security-rule-policy_1]destination-address address-set oa 
[fw-policy-security-rule-policy_1]time-range worktime
[fw-policy-security-rule-policy_1]action permit 

Office PCs may access Web at any time

[fw]ip address-set web type object
[fw-object-address-set-web]address 10.0.0.2 mask 32
[fw]security-policy
[fw-policy-security]rule name policy_2
[fw-policy-security-rule-policy_2]description bg_to_web
[fw-policy-security-rule-policy_2]source-zone trust 
[fw-policy-security-rule-policy_2]destination-zone dmz 
[fw-policy-security-rule-policy_2]source-address address-set bg
[fw-policy-security-rule-policy_2]destination-address address-set web
[fw-policy-security-rule-policy_2]action permit


Production PCs may access OA at any time, but may not access Web

[fw]ip address-set sc type object
[fw-object-address-set-sc]address 192.168.1.128 mask 25
[fw]security-policy
[fw-policy-security]rule name policy_3
[fw-policy-security-rule-policy_3]description sc_to_oa
[fw-policy-security-rule-policy_3]source-zone trust
[fw-policy-security-rule-policy_3]destination-zone dmz
[fw-policy-security-rule-policy_3]source-address address-set sc
[fw-policy-security-rule-policy_3]destination-address address-set oa
[fw-policy-security-rule-policy_3]action permit
[fw-policy-security]rule name policy_4
[fw-policy-security-rule-policy_4]description sc_to_web
[fw-policy-security-rule-policy_4]source-zone trust
[fw-policy-security-rule-policy_4]destination-zone dmz
[fw-policy-security-rule-policy_4]source-address address-set sc
[fw-policy-security-rule-policy_4]destination-address address-set web
[fw-policy-security-rule-policy_4]action deny


Production PC3 may access Web on Monday 10:00-11:00 to update product information

[fw]time-range aaa
[fw-time-range-aaa]period-range 10:00:00 to 11:00:00 Mon
[fw]security-policy
[fw-policy-security]rule name policy_5
[fw-policy-security-rule-policy_5]description pc3_to_web
[fw-policy-security-rule-policy_5]source-zone trust 
[fw-policy-security-rule-policy_5]destination-zone dmz
[fw-policy-security-rule-policy_5]source-address 192.168.1.130 32
[fw-policy-security-rule-policy_5]destination-address address-set web
[fw-policy-security-rule-policy_5]time-range aaa
[fw-policy-security-rule-policy_5]action permit
[fw-policy-security]rule move policy_5 before policy_4
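The `rule move policy_5 before policy_4` step is the one that makes the exception work: the firewall evaluates security-policy rules top to bottom and the first rule whose conditions all match decides, so a permit for PC3 placed after the production-to-Web deny would never be reached. The following Python script is an added example (not part of the original assignment write-up) that models the five rules, address sets and time ranges from this page as a first-match engine and shows the outcome of a test flow before and after the move. Assumptions labelled in the code: first-match evaluation with an implicit default deny, an inclusive clock window for `period-range`, and zone membership derived from the interface subnets.

```python
"""Constructed first-match simulator for the security policy on this page.

Assumptions (not taken from the page): rules are evaluated top to bottom and
the first full match decides; anything unmatched hits the implicit default
deny; a period-range is an inclusive clock window; a host belongs to the zone
of the interface subnet it falls in (trust = 192.168.1.0/24, dmz = 10.0.0.0/24).
"""
import ipaddress
from datetime import datetime, time

# Address objects as defined on the page (ip address-set ... type object).
ADDRESS_SETS = {
    "bg":  [ipaddress.ip_network("192.168.1.0/25")],    # office, VLAN 2
    "sc":  [ipaddress.ip_network("192.168.1.128/25")],  # production, VLAN 3
    "oa":  [ipaddress.ip_network("10.0.0.1/32")],
    "web": [ipaddress.ip_network("10.0.0.2/32")],
}

# Zone membership by interface subnet (firewall zone trust / dmz on the page).
ZONES = {
    "trust": [ipaddress.ip_network("192.168.1.0/24")],
    "dmz":   [ipaddress.ip_network("10.0.0.0/24")],
}

# time-range objects: allowed weekdays (Mon = 0) plus an inclusive clock window.
TIME_RANGES = {
    "worktime": ({0, 1, 2, 3, 4}, time(8, 0), time(18, 0)),   # working-day 08:00-18:00
    "aaa":      ({0},              time(10, 0), time(11, 0)),  # Mon 10:00-11:00
}

# The five rules in the order the CLI created them, i.e. before `rule move`.
# `src` is either an address-set name or an inline prefix, as on the page.
RULES = [
    dict(name="policy_1", src="bg", dst="oa",  time="worktime", action="permit"),
    dict(name="policy_2", src="bg", dst="web", time=None,       action="permit"),
    dict(name="policy_3", src="sc", dst="oa",  time=None,       action="permit"),
    dict(name="policy_4", src="sc", dst="web", time=None,       action="deny"),
    dict(name="policy_5", src="192.168.1.130/32", dst="web", time="aaa", action="permit"),
]


def in_set(ip, spec):
    """True if ip falls in the named address set or the inline prefix spec."""
    nets = ADDRESS_SETS.get(spec) or [ipaddress.ip_network(spec)]
    return any(ipaddress.ip_address(ip) in n for n in nets)


def zone_of(ip):
    """Zone of a host, derived from the interface subnets (assumption)."""
    for zone, nets in ZONES.items():
        if any(ipaddress.ip_address(ip) in n for n in nets):
            return zone
    return None


def time_matches(name, when):
    """A rule without a time-range always matches; otherwise check day and window."""
    if name is None:
        return True
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.time() <= end


def move_before(rules, name, before):
    """Emulates `rule move <name> before <before>`; returns a new ordered list."""
    moved = next(r for r in rules if r["name"] == name)
    rest = [r for r in rules if r["name"] != name]
    idx = next(i for i, r in enumerate(rest) if r["name"] == before)
    return rest[:idx] + [moved] + rest[idx:]


def evaluate(rules, src_ip, dst_ip, when):
    """Return (rule name, action) of the first matching rule, else the default deny.

    `when` is a datetime or an ISO-8601 string such as "2024-01-01T10:30:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    # Every rule on the page is trust -> dmz, so other zone pairs fall through.
    if (zone_of(src_ip), zone_of(dst_ip)) != ("trust", "dmz"):
        return ("default", "deny")
    for r in rules:
        if (in_set(src_ip, r["src"]) and in_set(dst_ip, r["dst"])
                and time_matches(r["time"], when)):
            return (r["name"], r["action"])
    return ("default", "deny")


# Rule order after the page's `rule move policy_5 before policy_4`.
ORDERED_RULES = move_before(RULES, "policy_5", "policy_4")

if __name__ == "__main__":
    pc3_monday = "2024-01-01T10:30:00"   # 2024-01-01 was a Monday
    print(evaluate(RULES, "192.168.1.130", "10.0.0.2", pc3_monday))          # ('policy_4', 'deny')
    print(evaluate(ORDERED_RULES, "192.168.1.130", "10.0.0.2", pc3_monday))  # ('policy_5', 'permit')
```

Running the script shows the same PC3-to-Web flow at Monday 10:30 hitting `policy_4` (deny) in creation order and `policy_5` (permit) once the move is applied; outside the Monday window, or from any other production host, the flow still falls through to `policy_4`. The same engine can be used to check the other requirements, for example that an office PC reaching OA on a Saturday lands on the default deny rather than `policy_1`.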

web

IP addresses and zone assignment

Security policy

Testing

PC1

PC2 

PC3 


http://www.kler.cn/a/533716.html
