Network Security


For the Sun ONE network configuration, firewalls were configured between each service module to provide network security. FIGURE 7-20 shows the relationship between the firewalls and the service modules.

Figure 7-20. Firewalls between Service Modules


In the lab, one physical firewall device was used to create multiple virtual firewalls. Network traffic was directed to pass through the firewalls between the service modules, as shown in FIGURE 7-21.

Figure 7-21. Virtual Firewall Architecture Using Netscreen and Foundry Networks Products


The core switch is configured for Layer 2 only, with separate port-based VLANs. The connection between the Netscreen and the core switch uses tagged VLANs. Trust zones are created on the Netscreen device and map directly to the tagged VLANs. The Netscreen firewall device performs the Layer 3 routing. This configuration directs all traffic through the firewall, so each service module is separated from the others by firewall protection.

Netscreen Firewall

CODE EXAMPLE 7-5 shows a partial example of a configuration file used to configure the Netscreen device.

Code Example 7-5. Configuration File Used for Netscreen Device

    set auth timeout 10
    set clock "timezone" 0
    set admin format dos
    set admin name "netscreen"
    set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
    set admin sys-ip 0.0.0.0
    set admin auth timeout 0
    set admin auth type Local
    set zone id 1000 "DMZ1"
    set zone id 1001 "web"
    set zone id 1002 "appsrvr"
    set zone "Untrust" block
    set zone "DMZ" vrouter untrust-vr
    set zone "MGT" block
    set zone "DMZ1" vrouter trust-vr
    set zone "web" vrouter trust-vr
    set zone "appsrvr" vrouter trust-vr
    set ip tftp retry 10
    set ip tftp timeout 2
    set interface ethernet1 zone DMZ1
    set interface ethernet2 zone web
    set interface ethernet3 zone appsrvr
    set interface ethernet1 ip 192.168.0.253/24
    set interface ethernet1 route
    set interface ethernet2 ip 10.10.0.253/24
    set interface ethernet2 route
    set interface ethernet3 ip 20.20.0.253/24
    set interface ethernet3 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet1 manage ping
    unset interface ethernet1 manage scs
    unset interface ethernet1 manage telnet
    unset interface ethernet1 manage snmp
    unset interface ethernet1 manage global
    unset interface ethernet1 manage global-pro
    unset interface ethernet1 manage ssl
    set interface ethernet1 manage web
    unset interface ethernet1 ident-reset
    set interface vlan1 manage ping
    set interface vlan1 manage scs
    set interface vlan1 manage telnet
    set interface vlan1 manage snmp
    set interface vlan1 manage global
    set interface vlan1 manage global-pro
    set interface vlan1 manage ssl
    set interface vlan1 manage web
    set interface v1-trust manage ping
    set interface v1-trust manage scs
    set interface v1-trust manage telnet
    set interface v1-trust manage snmp
    set interface v1-trust manage global
    set interface v1-trust manage global-pro
    set interface v1-trust manage ssl
    set interface v1-trust manage web
    unset interface v1-trust ident-reset
    unset interface v1-untrust manage ping
    unset interface v1-untrust manage scs
    unset interface v1-untrust manage telnet
    unset interface v1-untrust manage snmp
    unset interface v1-untrust manage global
    unset interface v1-untrust manage global-pro
    unset interface v1-untrust manage ssl
    unset interface v1-untrust manage web
    unset interface v1-untrust ident-reset
    set interface v1-dmz manage ping
    unset interface v1-dmz manage scs
    unset interface v1-dmz manage telnet
    unset interface v1-dmz manage snmp
    unset interface v1-dmz manage global
    unset interface v1-dmz manage global-pro
    unset interface v1-dmz manage ssl
    unset interface v1-dmz manage web
    unset interface v1-dmz ident-reset
    set interface ethernet2 manage ping
    unset interface ethernet2 manage scs
    unset interface ethernet2 manage telnet
    unset interface ethernet2 manage snmp
    unset interface ethernet2 manage global
    unset interface ethernet2 manage global-pro
    unset interface ethernet2 manage ssl
    unset interface ethernet2 manage web
    unset interface ethernet2 ident-reset
    set interface ethernet3 manage ping
    unset interface ethernet3 manage scs
    unset interface ethernet3 manage telnet
    unset interface ethernet3 manage snmp
    unset interface ethernet3 manage global
    unset interface ethernet3 manage global-pro
    unset interface ethernet3 manage ssl
    unset interface ethernet3 manage web
    unset interface ethernet3 ident-reset
    set interface v1-untrust screen tear-drop
    set interface v1-untrust screen syn-flood
    set interface v1-untrust screen ping-death
    set interface v1-untrust screen ip-filter-src
    set interface v1-untrust screen land
    set flow mac-flooding
    set flow check-session
    set address DMZ1 "dmznet" 192.168.0.0 255.255.255.0
    set address web "webnet" 10.10.0.0 255.255.255.0
    set address appsrvr "appnet" 20.20.0.0 255.255.255.0
    set snmp name "ns208"
    set traffic-shaping ip_precedence 7 6 5 4 3 2 1 0
    set ike policy-checking
    set ike respond-bad-spi 1
    set ike id-mode subnet
    set l2tp default auth local
    set l2tp default ppp-auth any
    set l2tp default radius-port 1645
    set policy id 0 from DMZ1 to web "dmznet" "webnet" "ANY" Permit
    set policy id 1 from web to DMZ1 "webnet" "dmznet" "ANY" Permit
    set policy id 2 from DMZ1 to appsrvr "dmznet" "appnet" "ANY" Permit
    set policy id 3 from appsrvr to DMZ1 "appnet" "dmznet" "ANY" Permit
    set ha interface ethernet8
    set ha track threshold 255
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
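Two things in a listing like Code Example 7-5 deserve a reviewer's attention: which management services (telnet, SNMP, web) remain enabled on each interface after the set/unset sequence is replayed, and which inter-zone policies permit "ANY" service. The following Python script is an added example, not part of the book or the lab configuration; it parses ScreenOS-style set/unset lines and reports both conditions. The sample configuration embedded in it is constructed, and the list of services treated as risky is an assumption of the example.

```python
import re
from collections import defaultdict
# Constructed sample in the set/unset form of Code Example 7-5 (not the book's
# configuration); it is only here so the script runs stand-alone.
SAMPLE_CONFIG = """
set interface ethernet1 manage ping
set interface ethernet1 manage web
unset interface ethernet1 manage telnet
set interface vlan1 manage telnet
set interface vlan1 manage snmp
set policy id 0 from DMZ1 to web "dmznet" "webnet" "ANY" Permit
set policy id 1 from web to DMZ1 "webnet" "dmznet" "HTTP" Permit
"""
# Assumption: management services a reviewer wants flagged wherever they are
# enabled (cleartext or broad management access); ping and ssl are left alone.
RISKY_MANAGE = {"telnet", "snmp", "web", "global", "global-pro"}

POLICY_RE = re.compile(
    r'^set policy id (\d+) from (\S+) to (\S+) "([^"]+)" "([^"]+)" "([^"]+)" (\w+)')


def parse_config(text):
    """Replay 'interface ... manage' set/unset lines in order; collect policies."""
    manage = defaultdict(set)   # interface -> services still enabled at the end
    policies = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 5 and parts[1] == "interface" and parts[3] == "manage":
            iface, service = parts[2], parts[4]
            op = manage[iface].add if parts[0] == "set" else manage[iface].discard
            op(service)
            continue
        m = POLICY_RE.match(raw.strip())
        if m:
            pid, src_zone, dst_zone, src, dst, service, action = m.groups()
            policies.append({"id": int(pid), "from": src_zone, "to": dst_zone, "src": src,
                             "dst": dst, "service": service, "action": action})
    return manage, policies


def audit(text):
    """Findings: risky management per interface, and inter-zone policies permitting ANY."""
    manage, policies = parse_config(text)
    findings = []
    for iface in sorted(manage):
        risky = sorted(manage[iface] & RISKY_MANAGE)
        if risky:
            findings.append(f"{iface}: management services enabled: {', '.join(risky)}")
    for p in policies:
        if p["action"].lower() == "permit" and p["service"].upper() == "ANY":
            findings.append(f"policy {p['id']}: {p['from']} -> {p['to']} permits ANY service")
    return findings
```

Run over the full listing in Code Example 7-5, it reports the telnet, snmp, global, global-pro and web services left enabled on vlan1 and v1-trust, web on ethernet1, and all four ANY policies between DMZ1, web and appsrvr.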



    Networking Concepts and Technology. A Designer's Resource
    ISBN: 0131482076
    Year: 2003
    Pages: 116
