The Juniper Networks Integrated Security Gateway (ISG) is a purpose-built security platform that combines the fourth-generation security ASIC, GigaScreen3, with high-performance microprocessors to deliver very high firewall and VPN throughput. The Juniper Networks ISG 1000 and ISG 2000 are aimed at enterprise, carrier and data-center environments that need consistent, scalable performance for demanding applications such as VoIP and streaming media. The ISG 1000 and ISG 2000 integrate a deep-inspection firewall, VPN and DoS protection in one device, providing secure, reliable connectivity together with network- and application-level protection for critical high-traffic segments.

    The product itself needs no further introduction; the rest of this page walks through the security configuration of the ISG-1000. Everything below can be configured either in the web interface (WebUI) or from the command line (CLI).
    
     I. Protection against common attacks
      1. IP address sweep protection
       WebUI:
            Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
            IP Address Sweep Protection: (select)
            Threshold: (enter the value that triggers IP address sweep protection)
        CLI:
            set zone zone screen ip-sweep threshold number
            set zone zone screen ip-sweep
      2. Port scan protection
        WebUI:
            Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
            Port Scan Protection: (select)
            Threshold: (enter the value that triggers port scan protection)
        CLI:
            set zone zone screen port-scan threshold number
            set zone zone screen port-scan
      3. Network reconnaissance using IP options
         WebUI:
            Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
            IP Record Route Option Detection: (select)
            IP Timestamp Option Detection: (select)
            IP Security Option Detection: (select)
            IP Stream Option Detection: (select)
         CLI:
            set zone zone screen ip-record-route
            set zone zone screen ip-timestamp-opt
            set zone zone screen ip-security-opt
            set zone zone screen ip-stream-opt
       4. SYN and FIN flags set together
         WebUI:
            Screening > Screen (Zone: select the zone name): select SYN and FIN Bits Set Protection, then click Apply.
         CLI:
            set zone zone screen syn-fin
       5. IP spoofing
          WebUI:
            (1) Interfaces
            Network > Interfaces > Edit (for ethernet1): enter the following, then click Apply:
                Zone Name: Trust
                Static IP: (select this option when it appears)
                IP Address/Netmask: 10.1.1.1/24
                Enter the following, then click OK:
                Interface Mode: NAT
            Network > Interfaces > Edit (for ethernet2): enter the following, then click OK:
                Zone Name: DMZ
                Static IP: (select this option when it appears)
                IP Address/Netmask: 1.2.2.1/24
            Network > Interfaces > Edit (for ethernet3): enter the following, then click OK:
                Zone Name: Untrust
                Static IP: (select this option when it appears)
                IP Address/Netmask: 1.1.1.1/24

            (2) Routes
            Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
                Network Address/Netmask: 10.1.2.0/24
                Gateway: (select)
                Interface: ethernet1
                Gateway IP Address: 10.1.1.250
            Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
                Network Address/Netmask: 1.2.3.0/24
                Gateway: (select)
                Interface: ethernet2
                Gateway IP Address: 1.2.2.250
            Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
                Network Address/Netmask: 0.0.0.0/0
                Gateway: (select)
                Interface: ethernet3
                Gateway IP Address: 1.1.1.250

            (3) IP spoof protection
            Screening > Screen (Zone: Trust): select IP Address Spoof Protection, then click Apply.
            Screening > Screen (Zone: DMZ): select IP Address Spoof Protection, then click Apply.
            Screening > Screen (Zone: Untrust): select IP Address Spoof Protection, then click Apply.

          CLI:
            (1) Interfaces
            set interface ethernet1 zone trust
            set interface ethernet1 ip 10.1.1.1/24
            set interface ethernet1 nat
            set interface ethernet2 zone dmz
            set interface ethernet2 ip 1.2.2.1/24
            set interface ethernet3 zone untrust
            set interface ethernet3 ip 1.1.1.1/24
            (2) Routes
            set vrouter trust-vr route 10.1.2.0/24 interface ethernet1 gateway 10.1.1.250
            set vrouter trust-vr route 1.2.3.0/24 interface ethernet2 gateway 1.2.2.250
            set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
            (3) IP spoof protection
            set zone trust screen ip-spoofing
            set zone dmz screen ip-spoofing
            set zone untrust screen ip-spoofing
            save
 
 
     II. Denial-of-service attack defense
      1. Source-based session limit
        WebUI:
            Screening > Screen (Zone: DMZ): enter the following, then click OK:
            Source IP Based Session Limit: (select)
            Threshold: 1 Sessions
            Screening > Screen (Zone: Trust): enter the following, then click OK:
            Source IP Based Session Limit: (select)
            Threshold: 80 Sessions
        CLI:
            set zone dmz screen limit-session source-ip-based 1
            set zone dmz screen limit-session source-ip-based
            set zone trust screen limit-session source-ip-based 80
            set zone trust screen limit-session source-ip-based
            save

      2. Destination-based session limit
        WebUI:
            Screening > Screen (Zone: Untrust): enter the following, then click OK:
            Destination IP Based Session Limit: (select)
            Threshold: 4000 Sessions
        CLI:
            set zone untrust screen limit-session destination-ip-based 4000
            set zone untrust screen limit-session destination-ip-based
            save

      3. SYN-ACK-ACK proxy flood
        WebUI:
            Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
            SYN-ACK-ACK Proxy Protection: (select)
            Threshold: (enter the value that triggers SYN-ACK-ACK proxy flood protection)
        CLI:
            set zone zone screen syn-ack-ack-proxy threshold number
            set zone zone screen syn-ack-ack-proxy

      4. ICMP flood
        WebUI:
            Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
            ICMP Flood Protection: (select)
            Threshold: (enter the value that triggers ICMP flood protection)
        CLI:
            set zone zone screen icmp-flood threshold number
            set zone zone screen icmp-flood

      5. UDP flood
        WebUI:
            Screening > Screen (Zone: select the zone name): enter the following, then click Apply:
            UDP Flood Protection: (select)
            Threshold: (enter the value that triggers UDP flood protection)
        CLI:
            set zone zone screen udp-flood threshold number
            set zone zone screen udp-flood

      6. Land attack
        WebUI:
            Screening > Screen (Zone: select the zone name): select Land Attack Protection, then click Apply.
        CLI:
            set zone zone screen land

      7. Ping of Death
        WebUI:
            Screening > Screen (Zone: select the zone name): select Ping of Death Attack Protection, then click Apply.
        CLI:
            set zone zone screen ping-death

      8. Teardrop attack
        WebUI:
            Screening > Screen (Zone: select the zone name): select Teardrop Attack Protection, then click Apply.
        CLI:
            set zone zone screen tear-drop

      9. WinNuke
        WebUI:
            Screening > Screen (Zone: select the zone name): select WinNuke Attack Protection, then click Apply.
        CLI:
            set zone zone screen winnuke
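Nearly every screen in sections I and II follows the same two-command pattern on the CLI: one `set zone ... screen <option> threshold N` (or, for session limits, a trailing number) that only sets the threshold, and a separate bare `set zone ... screen <option>` that actually enables the screen. The script below is an added example (not part of this page or of Juniper's tooling) that audits a saved configuration for that mistake and for zones missing the screens you intended to enable; the sample lines are constructed from this page's commands, and the acceptance of quoted zone names is an assumption about how "get config" prints them.

```python
import re

# Constructed sample in the "set zone ... screen ..." form used on this page;
# quoted zone names (as "get config" prints them, an assumption) also parse.
SAMPLE_CONFIG = """
set zone trust screen ip-spoofing
set zone "trust" screen limit-session source-ip-based 80
set zone "trust" screen limit-session source-ip-based
set zone dmz screen ip-spoofing
set zone dmz screen limit-session source-ip-based 1
set zone untrust screen ip-spoofing
set zone untrust screen syn-fin
set zone untrust screen icmp-flood threshold 1000
set zone untrust screen icmp-flood
set zone untrust screen udp-flood threshold 1000
"""
# Screens every zone is expected to enable (a policy chosen for this example).
REQUIRED = ["ip-spoofing", "syn-fin", "icmp-flood", "udp-flood"]
SCREEN_RE = re.compile(
    r'^set zone "?(?P<zone>[^"\s]+)"? screen (?P<opt>[\w-]+)'
    r'(?: (?P<sub>(?!threshold)[\w-]+))?'  # e.g. limit-session source-ip-based
    r'(?: threshold (?P<thr>\d+)| (?P<val>\d+))?$')

def parse_screens(config_text):
    """Map zone -> screen option -> {"enabled": bool, "threshold": int|None}."""
    zones = {}
    for line in config_text.splitlines():
        m = SCREEN_RE.match(line.strip())
        if not m:
            continue
        opt = m.group("opt") + (" " + m.group("sub") if m.group("sub") else "")
        entry = zones.setdefault(m.group("zone").lower(), {}).setdefault(
            opt, {"enabled": False, "threshold": None})
        thr = m.group("thr") or m.group("val")
        if thr is not None:
            entry["threshold"] = int(thr)  # a number only sets the threshold...
        else:
            entry["enabled"] = True        # ...the bare command turns the screen on
    return zones

def audit(config_text, required=REQUIRED):
    """Report required screens not enabled and thresholds set on screens never enabled."""
    zones = parse_screens(config_text)
    findings = []
    for zone in sorted(zones):
        for opt in required:
            if not zones[zone].get(opt, {}).get("enabled"):
                findings.append(f"{zone}: {opt} not enabled")
        for opt, e in zones[zone].items():
            if e["threshold"] is not None and not e["enabled"]:
                findings.append(f"{zone}: {opt} threshold {e['threshold']} set but screen not enabled")
    return findings
```

Run `audit()` over the text of `get config` to see, per zone, which screens never received the bare enabling command.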
 
 
The above only covers basic configuration against some common attacks. Juniper firewalls are hardware firewalls with a rich feature set, and readers are encouraged to study them further. My own company runs an ISG-1000 and I have found it very good; Juniper is, after all, the world's largest maker of security appliances!