Massimiliano Sbaraglia Network Engineer. Server Farm with Firewall SSG 520 Juniper

Transcription

1 Massimiliano Sbaraglia Network Engineer Server Farm with Firewall SSG 520 Juniper

2 Server Farm Attuale INTERNET Privider 1 INTERNET Privider 2 E-BGP E-BGP VoIP 2 bigbang 1 bigbang 2 Moby Line 1 Moby Line 2 Moby Line 3 intranet.1.8 vlan ID / Mail DNS primario Wrop DNS secondario NED Log Server TKTS / WIKI AAA Server Monitoring Monitor UTENTI Monitor RETE MySQL Manager MySQL STORAGE#1 MySQL STORAGE#2 Server POSTA Provisioning DB

3 1^ ipotesi di soluzione : routing IP pubblico on FW Subnet Mask CIDR Vlan Area VR / 30 3 OUTSIDE untrust / 24 2 INSIDE trust

4 1^ ipotesi di soluzione: routing IP pubblico on FW INTERNET Provider 1 INTERNET Provider 2 E-BGP VR untrust.1 vlan /30 E-BGP VoIP 2.2 DMZ OUTSIDE bigbang 1 bigbang 2 Moby Line 1 Moby Line 2 Moby Line 3 Intranet Firewall SSG VR trust vlan /24.1 DMZ INSIDE Mail DNS primario Wrop DNS secondario NED Log Server TKTS / WIKI AAA Server Monitoring Monitor UTENTI Monitor RETE MySQL Manager MySQL STORAGE#1 MySQL STORAGE#2 Server POSTA Provisioning DB

5 ZONE to Virtual Router Bindings (1^ ipotesi) Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain INSIDE set zone name INSIDE set zone name OUTSIDE! set zone INSIDE vrouter trust-vr set zone OUTSIDE vrouter untrust-vr OUTSIDE

6 Architettura fisica (1^ ipotesi) ge 0/0/1.0 0/1 0/2 0/3 0/4 Firewall SSG 520 SW Layer 2 DMZ INSIDE vlan /24

7 Interface to Zone Bindings (1^ ipotesi) Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain INSIDE eth 0/ /24 Vlan tag 2 set interface ethernet 0/1 zone OUTSIDE set interface ethernet 0/1 ip /24 set interface ethernet 0/1 manage ping set interface ethernet 0/1 manage ssh! set interface ethernet 0/2 zone INSIDE set interface ethernet 0/2 ip /24! OUTSIDE eth 0/ /30 Vlan tag 3

8 Routing Domain (1^ ipotesi) Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain INSIDE eth 0/ /27 Vlan tag 2 Route Forwarding OUTSIDE eth 0/ /30 Vlan tag 3 Sul Firewall SSG 520 set vrouter untrust-vr route /0 interface ethernet 1/1 gateway set vrouter untrust-vr route /24 vrouter trust-vr! set vrouter trust-vr route /0 vrouter untrust-vr Sul router M7i-01 set route /24 interface ge0/0/1.0 gateway

9 2^ ipotesi di soluzione : IP privato NAT/PAT on FW Aggregato Subnet Mask CIDR Vlan Area VR / 24 2 OUTSIDE untrust / Intranet trust / Big Bang trust / / Moby Line trust / INSIDE trust

10 2^ ipotesi di soluzione: IP privato NAT/PAT on FW INTERNET POP1 INTERNET POP2 E-BGP E-BGP untrust-vr DMZ OUTSIDE ge 0/0/1.0.1 Vlan /24 eth 0/0.2 DMZ MOBY LINE Firewall SSG Routing NAT / PAT Policy Security: ACL DMZ INTRANET eth 0/2 vlan /28 eth 0/3.1 vlan /28 DMZ BIG BANG DMZ INSIDE eth 0/3.2 eth 0/1 vlan /28 vlan /27 trust-vr

11 ZONE ZONE: - OUTSIDE (voip) - INSIDE - INTRANET - MOBY LINE - BIG BANG

12 ZONE to Virtual Router Bindings Domain TRUST Domain UNTRUST trust-vr routing domain INSIDE INTRANET Moby Line Firewall SSG 520 set zone name INSIDE set zone name INTRANET set zone name MOBYLINE set zone name BIGBANG set zone name OUTSIDE! set zone INSIDE vrouter trust-vr set zone INTRANET vrouter trust-vr set zone MOBYLINE vrouter trust-vr set zone BIGBANG vrouter trust-vr set zone OUTSIDE vrouter untrust-vr untrust-vr routing domain OUTSIDE Big Bang

13 Architettura fisica ge 0/0/1.0 0/0 0/1 0/2 0/3 Firewall SSG 520 SW Layer 2 DMZ INTRANET vlan /28 DMZ MOBY LINE DMZ BIG BANG DMZ INSIDE vlan /28 vlan /28 vlan /27

14 Interface to Zone Bindings Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain INSIDE eth 0/ /27 Vlan tag 203 INTRANET eth 0/ /28 Vlan tag 204 Moby Line eth 0/ /28 Vlan tag 205 Big Bang eth 0/ /28 Vlan tag 206 set interface ethernet 0/0 zone OUTSIDE set interface ethernet 0/0 ip /24 set interface ethernet 0/0 manage ping set interface ethernet 0/0 manage ssh! set interface ethernet 0/1 zone INSIDE set interface ethernet 0/1 ip /27! set interface ethernet 0/2 zone INTRANET set interface ethernet 0/2 ip /28! set interface ethernet 0/3.1 tag 205 zone MOBYLINE set interface ethernet 0/3.1 ip /28! set interface ethernet 0/3.2 tag 206 zone BIGBANG set interface ethernet 0/3.2 ip /28! OUTSIDE eth 0/ /24 Vlan tag 2

15 Routing Domain Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain INSIDE eth 0/ /27 Vlan tag 203 OUTSIDE eth 0/ /24 Vlan tag 2 INTRANET eth 0/ /28 Vlan tag 204 Moby Line eth 0/ /28 Vlan tag 205 set vrouter untrust-vr route /0 interface ethernet 0/0 gateway set vrouter untrust-vr route /24 vrouter trust-vr! set vrouter trust-vr route /0 vrouter untrust-vr Big Bang eth 0/ /28 Vlan tag 206 Route Forwarding

16 AREA OUTSIDE (schema fisico e logico) ge 0/0/0.0 trunk dot1.q allowed vlan 2 ge 0/0/1.0 M7i-01 Router CORE.1 Vlan /24 EX Outside.8 ge 0/0/1.0 trunk dot1.q allowed vlan 2 ge 0/0/3.0 access vlan 2 Server VOIP eth 0/0 Server VOIP Firewall-CED

17 AREA INSIDE (schema fisico) 1. Accendere solo lo switch EX (master role) 2. Configurare la masterschip a 255 per lo swith Master 3. Configurare la masterschip sempre a 255 per lo swich Backup (sempre in EX4200-1) Firewall-CED CONFIG: edit virtual-chassis set member 0 masterschip-priority 255 set member 1 masterschip-priority 255 VCP on Master Switch: request virtual-chassis vc-port set pic-slot 1 port 0 request virtual-chassis vc-port set pic-slot 1 port 0 membrer 1 eth 0/1 ge 0/0/4.0 allowed vlan 203 ge-0/1/0.0 ge-0/1/0.0 EX VCPs Virtual Chassis EX SERVER INSIDE A SERVER INSIDE B

18 AREA INSIDE (schema fisico SERVER INSIDE A EX4200-1) Firewall-CED ge 0/0/4.0 allowed vlan 203 eth 0/1 VCPs Virtual Chassis EX EX EX ge 0/0/10.0 access vlan 203 ge 0/0/11.0 access vlan 203 ge 0/0/12.0 access vlan 203 ge 0/0/13.0 access vlan 203 ge 0/0/14.0 access vlan 203 ge 0/0/15.0 access vlan 203 ge 0/0/16.0 access vlan 203 SERVER INSIDE A Mail DNS primario Wrop DNS secondario AAA Log Server TKTS / WIKI DB Server Monitoring Monitor UTENTI

19 AREA INSIDE (schema fisico SERVER INSIDE B EX4200-2) Firewall-CED VCPs Virtual Chassis ge 0/0/4.0 trunk dot1.q allowed vlan 203 eth 0/1 EX EX EX ge 1/0/10.0 access vlan 203 ge 1/0/11.0 access vlan 203 ge 1/0/12.0 access vlan 203 ge 1/0/13.0 access vlan 203 ge 1/0/14.0 access vlan 203 ge 1/0/15.0 access vlan 203 ge 1/0/16.0 access vlan 203 SERVER INSIDE B Monitor RETE MySQL Manager MySQL STORAGE#1 MySQL STORAGE#2 Server POSTA Provisioning DB

20 AREA INSIDE (schema logico).1 Vlan / Inside vlan / Mail DNS primario Wrop DNS secondario NED Log Server TKTS / WIKI AAA Server Monitoring Monitor UTENTI Monitor RETE MySQL Manager MySQL STORAGE#1 MySQL STORAGE#2 Server POSTA Provisioning DB

21 AREA INTRANET (schema fisico e logico) ge 0/0/0.0 trunk dot1.q allowed vlan 2 ge 0/0/1.0 M7i-01 Router CORE.1.2 Vlan /24 EX ge 0/0/5.0 allowed vlan vlan /28 INTRANET eth 0/2 Firewall-CED

22 AREA MOBY LINE (schema fisico e logico) M7i-01 Router CORE ge 0/0/0.0 trunk dot1.q allowed vlan 2 ge 0/0/1.0 EX Vlan /24 EX VCPs.2 ge 0/06.0 trunk dot1.q allowed vlan 205,206 ge 0/019.0 access vlan 205 ge 0/0/20.0 access vlan 205 ge 1/020.0 access vlan vlan /28 Moby Line eth 0/3 Moby Line 1 Moby Line 2 Firewall-CED Moby Line 3 Moby Line 1 Moby Line 2 Moby Line 3

23 AREA BIG BANG (schema fisico e logico) M7i-01 Router CORE ge 0/0/0.0 trunk dot1.q allowed vlan 2 ge 0/0/1.0 EX Vlan /24 EX VCPs.2 ge 0/06.0 trunk dot1.q allowed vlan 205,206 ge 0/021.0 access vlan 206 ge 1/0/21.0 access vlan vlan /28 Big Bang eth 0/3 Big Bang 1 Big Bang 2 Big Bang 1 Big Bang 2 Firewall-CED

24 MIP on the interface untrust (eth 0/1) INTERNET Provider 1 INTERNET Provider 2 E-BGP E-BGP untrust-vr DMZ OUTSIDE ge 0/0/1.0.1 vlan /24 eth 0/0.2 Firewall SSG Routing NAT with MIP Policy Security: ACL DMZ INTRANET eth 0/2 vlan /28 DMZ MOBY LINE DMZ BIG BANG DMZ INSIDE eth 0/3.1 eth 0/3.2 eth 0/1 vlan /28 vlan /28 vlan /27 trust-vr

25 MIP on the untrust interface AREA INSIDE NAT interface untrust NAT interface trust IP eth untrust IP eth trust VR eth 0/0 eth 0/ / /27 TRUST NAME MIP HOST Server Maskera VR Mail DNS primrio TRUST Wrop DNS secondario TRUST NED TRUST TKTS WIKI TRUST DB TRUST Monitoring TRUST Utenti TRUST AAA TRUST Manager TRUST Storage TRUST Storage TRUST Posta TRUST Provisioning TRUST DB TRUST

26 NAT with MIP AREA INSIDE (configurazioni) Domain TRUST Domain UNTRUST trust-vr routing domain INSIDE eth 0/ /27 Vlan tag 203 interface Firewall SSG 520 set interface ethernet 0/0 zone untrust set interface ethernet 0/0 ip /24 set interface ethernet 0/1 nat set interface ethernet 0/1 zone trust set interface ethernet 0/1 ip /27 untrust-vr routing domain OUTSIDE eth 0/ /24 Vlan tag 2 MIP set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr

27 POLICY AREA INSIDE (configurazioni) Domain TRUST Domain UNTRUST trust-vr routing domain INSIDE eth 0/ /27 Vlan tag 203 Firewall SSG 520 untrust-vr routing domain OUTSIDE eth 0/ /24 Vlan tag 2 POLICY set policy from untrust to trust any mip http permit Esempio cisco access-list acl_out_planet permit tcp host host eq www! access-group acl_out_planet in interface outside-planet

28 MIP on the untrust interface AREA NETRESULTS NAT interface untrust NAT interface trust IP eth untrust IP eth trust VR eth 0/0 eth 0/ / /28 TRUST NAME MIP HOST Server Maskera VR INTRANET TRUST

29 NAT with MIP AREA INTRANET (configurazioni) Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain INTRANET eth 0/ /28 Vlan tag 204 interface set interface ethernet 0/0 zone utrust set interface ethernet 0/0 ip /24 set interface ethernet 0/2 nat set interface ethernet 0/2 zone trust set interface ethernet 0/2 ip /27 OUTSIDE eth 0/ /24 Vlan tag 2 MIP set interface ethernet0/0 mip host netmask vrouter trust-vr

30 MIP on the untrust interface MOBY LINE NAT interface untrust NAT interface trust IP eth untrust IP eth trust VR eth 0/0 eth 0/ / /28 TRUST NAME MIP HOST Server Maskera VR MOBY LINE TRUST MOBY LINE TRUST MOBY LINE TRUST

31 NAT with MIP AREA MOBY LINE (configurazioni) Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain Moby Line eth 0/ /28 Vlan tag 205 interface set interface ethernet 0/0 zone untrust set interface ethernet 0/0 ip /24 set interface ethernet0/3.1 nat set interface ethernet 0/3.1 zone trust set interface ethernet 0/3.1 ip /27 OUTSIDE eth 0/ /24 Vlan tag 2 MIP set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr

32 MIP on the untrust interface BIG BANG NAT interface untrust NAT interface trust IP eth untrust IP eth trust VR eth 0/0 eth 0/ / /28 TRUST NAME MIP HOST Server Maskera VR BIG BANG TRUST BIG BANG TRUST

33 NAT with MIP AREA BIG BANG (configurazioni) Domain TRUST Domain UNTRUST trust-vr routing domain Firewall SSG 520 untrust-vr routing domain Big Bang eth 0/ /28 Vlan tag 206 interface set interface ethernet 0/0 zone trust set interface ethernet 0/0 ip /24 set interface ethernet 0/3.2 zone untrust set interface ethernet 0/3.2 ip /27 OUTSIDE eth 0/ /24 Vlan tag 2 MIP set interface ethernet0/0 mip host netmask vrouter trust-vr set interface ethernet0/0 mip host netmask vrouter trust-vr