Massimiliano Sbaraglia Network Engineer. Server Farm with Firewall SSG 520 Juniper


Current server farm (diagram)
- INTERNET Provider 1 and INTERNET Provider 2, each connected via E-BGP
- Single segment: VLAN ID 2, 29.29.29.0/24
- Addresses shown on the segment: .1 and .8, .13, .14, .10, .11, .12, .9; hosts: VoIP 2, bigbang 1, bigbang 2, Moby Line 1, Moby Line 2, Moby Line 3, intranet
- Servers at .3 to .7 and .15 to .23: Mail / primary DNS, Wrop / secondary DNS, NED, Log Server, TKTS / WIKI, AAA Server, Monitoring, User monitor, Network monitor, MySQL Manager, MySQL STORAGE#1, MySQL STORAGE#2, Mail server, Provisioning DB

1st proposed solution: public IP routing on the firewall

Subnet | Mask | CIDR | VLAN | Area | VR
10.0.0.0 | 255.255.255.252 | /30 | 3 | OUTSIDE | untrust
29.29.29.0 | 255.255.255.0 | /24 | 2 | INSIDE | trust

1st proposed solution: public IP routing on the firewall (diagram)
- INTERNET Provider 1 and INTERNET Provider 2, each connected via E-BGP
- VR untrust, DMZ OUTSIDE: VLAN 3, 10.0.0.0/30, addresses .1 and .2
- Firewall SSG 520 between the two virtual routers
- VR trust, DMZ INSIDE: VLAN 2, 29.29.29.0/24, addresses .1 and .8, .13, .14, .10, .11, .12, .9; hosts: VoIP 2, bigbang 1, bigbang 2, Moby Line 1, Moby Line 2, Moby Line 3, Intranet
- Servers at .3 to .7 and .15 to .23: Mail / primary DNS, Wrop / secondary DNS, NED, Log Server, TKTS / WIKI, AAA Server, Monitoring, User monitor, Network monitor, MySQL Manager, MySQL STORAGE#1, MySQL STORAGE#2, Mail server, Provisioning DB

ZONE to Virtual Router bindings (1st proposal)
- TRUST domain, trust-vr routing domain: zone INSIDE
- UNTRUST domain, untrust-vr routing domain: zone OUTSIDE

Firewall SSG 520:
    set zone name INSIDE
    set zone name OUTSIDE
    !
    set zone INSIDE vrouter trust-vr
    set zone OUTSIDE vrouter untrust-vr

Physical architecture (1st proposal)
- Router interface ge 0/0/1.0
- Firewall SSG 520 ports 0/1, 0/2, 0/3, 0/4
- Layer 2 switch: DMZ INSIDE, VLAN 2, 29.29.29.0/24

Interface to Zone bindings (1st proposal)
- TRUST domain, trust-vr routing domain: INSIDE, eth 0/2, 29.29.29.0/24, VLAN tag 2
- UNTRUST domain, untrust-vr routing domain: OUTSIDE, eth 0/1, 10.0.0.0/30, VLAN tag 3

Firewall SSG 520:
    set interface ethernet0/1 zone OUTSIDE
    set interface ethernet0/1 ip 10.0.0.2/30
    set interface ethernet0/1 manage ping
    set interface ethernet0/1 manage ssh
    !
    set interface ethernet0/2 zone INSIDE
    set interface ethernet0/2 ip 29.29.29.1/24
    !

Routing domain (1st proposal)
- TRUST domain, trust-vr routing domain: INSIDE, eth 0/2, 29.29.29.1/24, VLAN tag 2
- UNTRUST domain, untrust-vr routing domain: OUTSIDE, eth 0/1, 10.0.0.2/30, VLAN tag 3
- Route forwarding between the two virtual routers

On the Firewall SSG 520:
    set vrouter untrust-vr route 0.0.0.0/0 interface ethernet0/1 gateway 10.0.0.1
    set vrouter untrust-vr route 29.29.29.0/24 vrouter trust-vr
    !
    set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr

On router M7i-01 (toward the firewall on ge 0/0/1.0):
    set routing-options static route 29.29.29.0/24 next-hop 10.0.0.2

2nd proposed solution: private IP addressing with NAT/PAT on the firewall

Aggregate | Subnet | Mask | CIDR | VLAN | Area | VR
(none) | 29.29.29.0 | 255.255.255.0 | /24 | 2 | OUTSIDE | untrust
10.10.10.0/24 | 10.0.0.32 | 255.255.255.240 | /28 | 204 | Intranet | trust
10.10.10.0/24 | 10.0.0.48 | 255.255.255.240 | /28 | 205 | Big Bang | trust
10.10.10.0/24 | 10.0.0.64 | 255.255.255.240 | /28 | 206 | Moby Line | trust
10.10.10.0/24 | 10.0.0.0 | 255.255.255.224 | /27 | 203 | INSIDE | trust

2nd proposed solution: private IP addressing with NAT/PAT on the firewall (diagram)
- INTERNET POP1 and INTERNET POP2, each connected via E-BGP
- untrust-vr, DMZ OUTSIDE: VLAN 2, 29.29.29.0/24; router ge 0/0/1.0 at .1, firewall eth 0/0 at .2
- Firewall SSG 520: routing, NAT/PAT, security policy (ACL)
- trust-vr, DMZ INSIDE: eth 0/1, VLAN 203, 10.0.0.0/27, firewall at .1
- trust-vr, DMZ INTRANET: eth 0/2, VLAN 204, 10.0.0.32/28, firewall at .33
- trust-vr, DMZ MOBY LINE: eth 0/3.1, VLAN 205, 10.0.0.48/28, firewall at .49
- trust-vr, DMZ BIG BANG: eth 0/3.2, VLAN 206, 10.0.0.64/28, firewall at .65

Zones:
- OUTSIDE (voip)
- INSIDE
- INTRANET
- MOBY LINE
- BIG BANG

ZONE to Virtual Router bindings
- TRUST domain, trust-vr routing domain: zones INSIDE, INTRANET, Moby Line, Big Bang
- UNTRUST domain, untrust-vr routing domain: zone OUTSIDE

Firewall SSG 520:
    set zone name INSIDE
    set zone name INTRANET
    set zone name MOBYLINE
    set zone name BIGBANG
    set zone name OUTSIDE
    !
    set zone INSIDE vrouter trust-vr
    set zone INTRANET vrouter trust-vr
    set zone MOBYLINE vrouter trust-vr
    set zone BIGBANG vrouter trust-vr
    set zone OUTSIDE vrouter untrust-vr

Physical architecture
- Router interface ge 0/0/1.0
- Firewall SSG 520 ports 0/0, 0/1, 0/2, 0/3
- Layer 2 switch carrying:
  - DMZ INTRANET: VLAN 204, 10.0.0.32/28
  - DMZ MOBY LINE: VLAN 205, 10.0.0.48/28
  - DMZ BIG BANG: VLAN 206, 10.0.0.64/28
  - DMZ INSIDE: VLAN 203, 10.0.0.0/27

Interface to Zone bindings
- TRUST domain, trust-vr routing domain:
  - INSIDE: eth 0/1, 10.0.0.1/27, VLAN tag 203
  - INTRANET: eth 0/2, 10.0.0.33/28, VLAN tag 204
  - Moby Line: eth 0/3.1, 10.0.0.49/28, VLAN tag 205
  - Big Bang: eth 0/3.2, 10.0.0.65/28, VLAN tag 206
- UNTRUST domain, untrust-vr routing domain:
  - OUTSIDE: eth 0/0, 29.29.29.2/24, VLAN tag 2

Firewall SSG 520:
    set interface ethernet0/0 zone OUTSIDE
    set interface ethernet0/0 ip 29.29.29.2/24
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    !
    set interface ethernet0/1 zone INSIDE
    set interface ethernet0/1 ip 10.0.0.1/27
    !
    set interface ethernet0/2 zone INTRANET
    set interface ethernet0/2 ip 10.0.0.33/28
    !
    set interface ethernet0/3.1 tag 205 zone MOBYLINE
    set interface ethernet0/3.1 ip 10.0.0.49/28
    !
    set interface ethernet0/3.2 tag 206 zone BIGBANG
    set interface ethernet0/3.2 ip 10.0.0.65/28
    !

Routing domain
- TRUST domain, trust-vr routing domain:
  - INSIDE: eth 0/1, 10.0.0.1/27, VLAN tag 203
  - INTRANET: eth 0/2, 10.0.0.33/28, VLAN tag 204
  - Moby Line: eth 0/3.1, 10.0.0.49/28, VLAN tag 205
  - Big Bang: eth 0/3.2, 10.0.0.65/28, VLAN tag 206
- UNTRUST domain, untrust-vr routing domain:
  - OUTSIDE: eth 0/0, 29.29.29.2/24, VLAN tag 2
- Route forwarding between the two virtual routers

Firewall SSG 520:
    set vrouter untrust-vr route 0.0.0.0/0 interface ethernet0/0 gateway 29.29.29.1
    set vrouter untrust-vr route 10.0.0.0/24 vrouter trust-vr
    !
    set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr

AREA OUTSIDE (physical and logical layout)
- M7i-01 core router: ge 0/0/1.0, address .1 on VLAN 2, 29.29.29.0/24
- EX4200-01 ports: ge 0/0/0.0 trunk dot1q, allowed VLAN 2; ge 0/0/1.0 trunk dot1q, allowed VLAN 2; ge 0/0/3.0 access VLAN 2 (VoIP server)
- Firewall-CED: eth 0/0, address .2 (Outside)
- VoIP server: address .8

AREA INSIDE (physical layout)
1. Power on only the EX4200-01 switch (master role).
2. Set the mastership priority to 255 for the master switch.
3. Set the mastership priority to 255 for the backup switch as well (still on EX4200-1).

CONFIG:
    edit virtual-chassis
    set member 0 mastership-priority 255
    set member 1 mastership-priority 255

VCP on the master switch:
    request virtual-chassis vc-port set pic-slot 1 port 0
    request virtual-chassis vc-port set pic-slot 1 port 0 member 1

Diagram:
- Firewall-CED eth 0/1 to switch port ge 0/0/4.0, allowed VLAN 203
- EX4200-01 and EX4200-02 joined as a Virtual Chassis over VCPs (ge-0/1/0.0 on each)
- SERVER INSIDE A and SERVER INSIDE B behind the Virtual Chassis

AREA INSIDE (physical layout, SERVER INSIDE A on EX4200-1)
- Firewall-CED eth 0/1 to switch port ge 0/0/4.0, allowed VLAN 203
- EX4200-01 and EX4200-02 joined as a Virtual Chassis over VCPs
- EX4200-01 access ports, all in VLAN 203: ge 0/0/10.0, ge 0/0/11.0, ge 0/0/12.0, ge 0/0/13.0, ge 0/0/14.0, ge 0/0/15.0, ge 0/0/16.0
- SERVER INSIDE A: Mail / primary DNS, Wrop / secondary DNS, AAA, Log Server, TKTS / WIKI, DB Server, Monitoring, User monitor

AREA INSIDE (physical layout, SERVER INSIDE B on EX4200-2)
- Firewall-CED eth 0/1 to switch port ge 0/0/4.0, trunk dot1q, allowed VLAN 203
- EX4200-01 and EX4200-02 joined as a Virtual Chassis over VCPs
- EX4200-02 access ports, all in VLAN 203: ge 1/0/10.0, ge 1/0/11.0, ge 1/0/12.0, ge 1/0/13.0, ge 1/0/14.0, ge 1/0/15.0, ge 1/0/16.0
- SERVER INSIDE B: Network monitor, MySQL Manager, MySQL STORAGE#1, MySQL STORAGE#2, Mail server, Provisioning DB

AREA INSIDE (logical layout)
- VLAN 2, 29.29.29.0/24: addresses .1 and .2
- Inside, VLAN 203, 10.0.0.0/27: firewall at .1, servers at .3 to .7 and .15 to .23
- Servers: Mail / primary DNS, Wrop / secondary DNS, NED, Log Server, TKTS / WIKI, AAA Server, Monitoring, User monitor, Network monitor, MySQL Manager, MySQL STORAGE#1, MySQL STORAGE#2, Mail server, Provisioning DB

AREA INTRANET (physical and logical layout)
- M7i-01 core router: ge 0/0/1.0, address .1 on VLAN 2, 29.29.29.0/24; firewall at .2
- EX4200-01 ports: ge 0/0/0.0 trunk dot1q, allowed VLAN 2; ge 0/0/5.0, allowed VLAN 204
- Firewall-CED: eth 0/2, address .33 on VLAN 204, 10.0.0.32/28 (INTRANET)

AREA MOBY LINE (physical and logical layout)
- M7i-01 core router: ge 0/0/1.0, address .1 on VLAN 2, 29.29.29.0/24; firewall at .2
- EX4200-01 and EX4200-02 joined over VCPs
- Switch ports: ge 0/0/0.0 trunk dot1q, allowed VLAN 2; ge 0/0/6.0 trunk dot1q, allowed VLAN 205,206; ge 0/0/19.0, ge 0/0/20.0 and ge 1/0/20.0 access VLAN 205
- Firewall-CED: eth 0/3, address .49 on VLAN 205, 10.0.0.48/28 (Moby Line)
- Hosts Moby Line 1, Moby Line 2, Moby Line 3 at .60, .61, .62

AREA BIG BANG (physical and logical layout)
- M7i-01 core router: ge 0/0/1.0, address .1 on VLAN 2, 29.29.29.0/24; firewall at .2
- EX4200-01 and EX4200-02 joined over VCPs
- Switch ports: ge 0/0/0.0 trunk dot1q, allowed VLAN 2; ge 0/0/6.0 trunk dot1q, allowed VLAN 205,206; ge 0/0/21.0 and ge 1/0/21.0 access VLAN 206
- Firewall-CED: eth 0/3, address .65 on VLAN 206, 10.0.0.64/28 (Big Bang)
- Hosts Big Bang 1, Big Bang 2 at .77, .78

MIP on the interface untrust (eth 0/1) (diagram)
- INTERNET Provider 1 and INTERNET Provider 2, each connected via E-BGP
- untrust-vr, DMZ OUTSIDE: VLAN 2, 29.29.29.0/24; router ge 0/0/1.0 at .1, firewall eth 0/0 at .2
- Firewall SSG 520: routing, NAT with MIP, security policy (ACL)
- trust-vr, DMZ INSIDE: eth 0/1, VLAN 203, 10.0.0.0/27, firewall at .1
- trust-vr, DMZ INTRANET: eth 0/2, VLAN 204, 10.0.0.32/28, firewall at .33
- trust-vr, DMZ MOBY LINE: eth 0/3.1, VLAN 205, 10.0.0.48/28, firewall at .49
- trust-vr, DMZ BIG BANG: eth 0/3.2, VLAN 206, 10.0.0.64/28, firewall at .65

MIP on the untrust interface: AREA INSIDE

NAT interface untrust | NAT interface trust | IP eth untrust | IP eth trust | VR
eth 0/0 | eth 0/1 | 29.29.29.2/24 | 10.0.0.1/27 | TRUST

NAME | MIP | HOST (server) | Mask | VR
Mail / primary DNS | 29.29.29.3 | 10.0.0.3 | 255.255.255.255 | TRUST
Wrop / secondary DNS | 29.29.29.4 | 10.0.0.4 | 255.255.255.255 | TRUST
NED | 29.29.29.5 | 10.0.0.5 | 255.255.255.255 | TRUST
TKTS WIKI | 29.29.29.6 | 10.0.0.6 | 255.255.255.255 | TRUST
DB1 | 29.29.29.7 | 10.0.0.7 | 255.255.255.255 | TRUST
Monitoring | 29.29.29.15 | 10.0.0.15 | 255.255.255.255 | TRUST
Users | 29.29.29.16 | 10.0.0.16 | 255.255.255.255 | TRUST
AAA | 29.29.29.17 | 10.0.0.17 | 255.255.255.255 | TRUST
Manager | 29.29.29.18 | 10.0.0.18 | 255.255.255.255 | TRUST
Storage 1 | 29.29.29.19 | 10.0.0.19 | 255.255.255.255 | TRUST
Storage 2 | 29.29.29.20 | 10.0.0.20 | 255.255.255.255 | TRUST
Mail server | 29.29.29.21 | 10.0.0.21 | 255.255.255.255 | TRUST
Provisioning | 29.29.29.22 | 10.0.0.22 | 255.255.255.255 | TRUST
DB | 29.29.29.23 | 10.0.0.23 | 255.255.255.255 | TRUST

NAT with MIP: AREA INSIDE (configuration)
- TRUST domain, trust-vr routing domain: INSIDE, eth 0/1, 10.0.0.1/27, VLAN tag 203
- UNTRUST domain, untrust-vr routing domain: OUTSIDE, eth 0/0, 29.29.29.2/24, VLAN tag 2

Interfaces (Firewall SSG 520):
    set interface ethernet0/0 zone untrust
    set interface ethernet0/0 ip 29.29.29.2/24
    set interface ethernet0/1 zone trust
    set interface ethernet0/1 ip 10.0.0.1/27
    set interface ethernet0/1 nat

MIP:
    set interface ethernet0/0 mip 29.29.29.3 host 10.0.0.3 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.4 host 10.0.0.4 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.5 host 10.0.0.5 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.6 host 10.0.0.6 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.7 host 10.0.0.7 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.15 host 10.0.0.15 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.16 host 10.0.0.16 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.17 host 10.0.0.17 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.18 host 10.0.0.18 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.19 host 10.0.0.19 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.20 host 10.0.0.20 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.21 host 10.0.0.21 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.22 host 10.0.0.22 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.23 host 10.0.0.23 netmask 255.255.255.255 vrouter trust-vr

POLICY: AREA INSIDE (configuration)
- TRUST domain, trust-vr routing domain: INSIDE, eth 0/1, 10.0.0.1/27, VLAN tag 203
- UNTRUST domain, untrust-vr routing domain: OUTSIDE, eth 0/0, 29.29.29.2/24, VLAN tag 2

Policy (Firewall SSG 520):
    set policy from untrust to trust any mip(29.29.29.3) http permit

Cisco example:
    access-list acl_out_planet permit tcp host 10.188.38.136 host 10.168.94.94 eq www
    !
    access-group acl_out_planet in interface outside-planet

MIP on the untrust interface: AREA NETRESULTS

NAT interface untrust | NAT interface trust | IP eth untrust | IP eth trust | VR
eth 0/0 | eth 0/2 | 29.29.29.2/24 | 10.0.0.33/28 | TRUST

NAME | MIP | HOST (server) | Mask | VR
INTRANET | 29.29.29.9 | 10.0.0.34 | 255.255.255.255 | TRUST

NAT with MIP: AREA INTRANET (configuration)
- TRUST domain, trust-vr routing domain: INTRANET, eth 0/2, 10.0.0.33/28, VLAN tag 204
- UNTRUST domain, untrust-vr routing domain: OUTSIDE, eth 0/0, 29.29.29.2/24, VLAN tag 2

Interfaces (Firewall SSG 520):
    set interface ethernet0/0 zone untrust
    set interface ethernet0/0 ip 29.29.29.2/24
    set interface ethernet0/2 zone trust
    set interface ethernet0/2 ip 10.0.0.33/28
    set interface ethernet0/2 nat

MIP:
    set interface ethernet0/0 mip 29.29.29.9 host 10.0.0.34 netmask 255.255.255.255 vrouter trust-vr

MIP on the untrust interface: MOBY LINE

NAT interface untrust | NAT interface trust | IP eth untrust | IP eth trust | VR
eth 0/0 | eth 0/3.1 | 29.29.29.2/24 | 10.0.0.49/28 | TRUST

NAME | MIP | HOST (server) | Mask | VR
MOBY LINE 1 | 29.29.29.10 | 10.0.0.50 | 255.255.255.255 | TRUST
MOBY LINE 2 | 29.29.29.11 | 10.0.0.51 | 255.255.255.255 | TRUST
MOBY LINE 3 | 29.29.29.12 | 10.0.0.52 | 255.255.255.255 | TRUST

NAT with MIP: AREA MOBY LINE (configuration)
- TRUST domain, trust-vr routing domain: Moby Line, eth 0/3.1, 10.0.0.49/28, VLAN tag 205
- UNTRUST domain, untrust-vr routing domain: OUTSIDE, eth 0/0, 29.29.29.2/24, VLAN tag 2

Interfaces (Firewall SSG 520):
    set interface ethernet0/0 zone untrust
    set interface ethernet0/0 ip 29.29.29.2/24
    set interface ethernet0/3.1 zone trust
    set interface ethernet0/3.1 ip 10.0.0.49/28
    set interface ethernet0/3.1 nat

MIP:
    set interface ethernet0/0 mip 29.29.29.10 host 10.0.0.50 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.11 host 10.0.0.51 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.12 host 10.0.0.52 netmask 255.255.255.255 vrouter trust-vr

MIP on the untrust interface: BIG BANG

NAT interface untrust | NAT interface trust | IP eth untrust | IP eth trust | VR
eth 0/0 | eth 0/3.2 | 29.29.29.2/24 | 10.0.0.65/28 | TRUST

NAME | MIP | HOST (server) | Mask | VR
BIG BANG 1 | 29.29.29.13 | 10.0.0.66 | 255.255.255.255 | TRUST
BIG BANG 2 | 29.29.29.14 | 10.0.0.67 | 255.255.255.255 | TRUST

NAT with MIP: AREA BIG BANG (configuration)
- TRUST domain, trust-vr routing domain: Big Bang, eth 0/3.2, 10.0.0.65/28, VLAN tag 206
- UNTRUST domain, untrust-vr routing domain: OUTSIDE, eth 0/0, 29.29.29.2/24, VLAN tag 2

Interfaces (Firewall SSG 520):
    set interface ethernet0/0 zone untrust
    set interface ethernet0/0 ip 29.29.29.2/24
    set interface ethernet0/3.2 zone trust
    set interface ethernet0/3.2 ip 10.0.0.65/28

MIP:
    set interface ethernet0/0 mip 29.29.29.13 host 10.0.0.66 netmask 255.255.255.255 vrouter trust-vr
    set interface ethernet0/0 mip 29.29.29.14 host 10.0.0.67 netmask 255.255.255.255 vrouter trust-vr
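
Added example (not part of the original slides): a pre-deployment audit of the interface and MIP lines used in the second proposal, flagging overlapping zone subnets and MIPs whose private host is not inside exactly one inside subnet. The names parse, audit and SAMPLE_CONFIG and the three check rules are assumptions of this example; the sample config is constructed from the page's address plan with two faults planted.

```python
import ipaddress
import re

# Constructed sample in ScreenOS "set" syntax, built from this page's address
# plan. Two faults are planted: ethernet0/2 gets /27 instead of the planned
# /28, and the last MIP points at a host that no interface subnet contains.
SAMPLE_CONFIG = """\
set interface ethernet0/0 ip 29.29.29.2/24
set interface ethernet0/1 ip 10.0.0.1/27
set interface ethernet0/2 ip 10.0.0.33/27
set interface ethernet0/3.1 ip 10.0.0.49/28
set interface ethernet0/3.2 ip 10.0.0.65/28
set interface ethernet0/0 mip 29.29.29.3 host 10.0.0.3 netmask 255.255.255.255 vrouter trust-vr
set interface ethernet0/0 mip 29.29.29.9 host 10.0.0.34 netmask 255.255.255.255 vrouter trust-vr
set interface ethernet0/0 mip 29.29.29.13 host 10.0.0.90 netmask 255.255.255.255 vrouter trust-vr
"""

IP_RE = re.compile(r"^set interface (\S+) ip (\S+)$")
MIP_RE = re.compile(r"^set interface (\S+) mip (\S+) host (\S+) netmask (\S+)")


def parse(config):
    """Return ({interface: IPv4Interface}, [(interface, mip, host, netmask)])."""
    ifaces, mips = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := IP_RE.match(line):
            ifaces[m.group(1)] = ipaddress.ip_interface(m.group(2))
        elif m := MIP_RE.match(line):
            iface, mip, host, mask = m.groups()
            mips.append((iface, ipaddress.ip_address(mip),
                         ipaddress.ip_address(host), mask))
    return ifaces, mips


def audit(config):
    """List address-plan faults: overlapping subnets and unreachable MIP hosts."""
    ifaces, mips = parse(config)
    names = sorted(ifaces)
    findings = []
    # 1. No two interface subnets may overlap, or zone separation is ambiguous.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"overlap: {a} {ifaces[a].network} and "
                                f"{b} {ifaces[b].network}")
    for iface, mip, host, mask in mips:
        # 2. The page's plan maps one public address to one server (/32).
        if mask != "255.255.255.255":
            findings.append(f"mip {mip}: netmask {mask} maps more than one host")
        # 3. The private host must sit in exactly one subnet other than the
        #    interface that carries the MIP.
        owners = [n for n in names
                  if n != iface and host in ifaces[n].network]
        if len(owners) != 1:
            findings.append(f"mip {mip}: host {host} is in {len(owners)} "
                            "interface subnets, expected 1")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running the audit against the configuration before it is loaded catches a /27 typed where the plan says /28, which would otherwise make the INTRANET subnet swallow the Moby Line range.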