> Upon completion of this module, you should be familiar with the following:
  - Security Zone Types
  - Zone Configuration
  - Network Interface Types
  - Interface Configuration
  - DHCP Server/Client
  - IP Address Groups
  - Network Address Translation
  - Routing Support
  - Network Tools
Security Zones
[Diagram: the x505 at the centre, with the WAN, LAN 1, LAN 2, DMZ and VPN security zones around it]
> X505 is fundamentally built on the concept of Security Zones
[Diagram: the X505 acting as Policy Enforcement Point between a LAN security zone and a WAN security zone]
Two main applications:
> this-device: used to control access to X505 device management or SNMP. Example: if you want to manage the x505 from the LAN zone, make sure you have a policy rule that allows access from the LAN zone to the secure web interface.
> VPN: used to apply policy to traffic emanating from a VPN tunnel.
> Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone.
> In order to provide maximum protection, it may be wise to use the preconfigured VPN zone to implement policy (Firewall and IPS).
> Increased flexibility for management access
> Support for inter-VLAN firewalling
> Support for complex / flexible control of traffic through VPN tunnels
Network Interfaces
> The External Interface can be configured in one of the following ways:
  - Static Addressing
  - DHCP Client
  - PPPoE Client
  - PPTP Client
  - L2TP Client
> The Internal Interface must be configured manually with a static IP address
> GRE Interface: configure GRE interfaces for connecting to a remote site via a VPN tunnel, to allow multicasting and dynamic routing between sites.
Interface Setup
> Security Zones are assigned to interfaces
> An interface can represent more than one zone (transparent deployment)
> NATed or Routed deployment
[Diagram: interface layering on the X505. Layer 3: internal, external and VPN interfaces. Layer 2: LAN, LAN2, LAN3 and WAN zones. Layer 1: Port1, Port2, Port3, Port4]
Three interfaces, one for each zone. Each network interface has a different IP address on a different subnet.
Totally transparent: all addresses are in the same subnet, but with policy enforced between zones.
DHCP
DHCP Precautions
> By default, there should be a firewall rule that permits DHCP requests from the LAN zone to the this-device zone
> Given the above, if any hosts connected to a different zone will be assigned IP addresses via DHCP, then you must create a new firewall rule or modify the default DHCP rule (firewall rules will be covered in the next module)
IP Address Groups
> IP Address Groups allow you to create Network Objects that can be referenced in Security Zones, Firewall Rules or DHCP configuration
> Addresses can be grouped by:
  - Host
  - Subnet
  - Address Range
One-to-one NAT
> Use this mode to map a unique IP address between internal and external hosts
> Can be configured for All Services, or for Port Address Translation (PAT)
Routing
RIP v2
> Simple Text Authentication and MD5 authentication
> Classless Inter-Domain Routing, i.e. supports subnetting
RIP Features
> Split Horizon: reduces convergence time by not allowing routers to advertise networks in the direction from which those networks were learned.
> Poison Reverse: routes learned from a neighbor are advertised back to it with metric 16 (unreachable), preventing routing loops.
> RIP can be implemented on any configured interface
> Static Routes
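The split horizon and poison reverse rules above, as an added Python example that is not part of the X505 training material: build_update() produces the update a router sends out of one interface, and process_update() shows a neighbour dropping a poisoned route. Interface names, prefixes and the sample routing table are constructed; as RIP specifies, the receiver adds one hop to each advertised metric.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16  # the metric RIP uses for "unreachable"

@dataclass(frozen=True)
class Route:
    network: str                # destination prefix, e.g. "10.2.0.0/16"
    metric: int                 # this router's hop count to the prefix
    learned_via: Optional[str]  # interface it was learned on; None = connected/static

def build_update(table: List[Route], out_iface: str,
                 poison_reverse: bool = True) -> Dict[str, int]:
    """Return the {network: metric} pairs advertised out of out_iface.
    Split horizon: a route learned on out_iface is not re-advertised there.
    Poison reverse: send it anyway, with metric 16, so the neighbour drops
    any stale path back through this router instead of waiting for a timeout.
    """
    update: Dict[str, int] = {}
    for r in table:
        if r.learned_via == out_iface:
            if poison_reverse:
                update[r.network] = RIP_INFINITY
            continue  # plain split horizon: omit the route entirely
        update[r.network] = min(r.metric, RIP_INFINITY)  # receiver adds one hop
    return update

def process_update(table: List[Route], in_iface: str,
                   update: Dict[str, int]) -> List[Route]:
    """Receiver side: merge an update heard on in_iface, dropping unreachable routes."""
    by_net = {r.network: r for r in table}
    for net, adv in update.items():
        new_metric = min(adv + 1, RIP_INFINITY)
        cur = by_net.get(net)
        if cur is None:
            if new_metric < RIP_INFINITY:
                by_net[net] = Route(net, new_metric, in_iface)
        elif cur.learned_via == in_iface or new_metric < cur.metric:
            # An update from the current next hop is always taken, even if worse;
            # that is how a poisoned (metric 16) route becomes unreachable here.
            by_net[net] = Route(net, new_metric, in_iface)
    return [r for r in by_net.values() if r.metric < RIP_INFINITY]

# Constructed sample table: one connected LAN plus two routes learned from neighbours.
SAMPLE_TABLE = [
    Route("192.168.1.0/24", 1, None),
    Route("10.2.0.0/16", 2, "eth1"),
    Route("10.3.0.0/16", 3, "eth2"),
]
```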
Multicast Routing
> Useful for voice applications or video conferencing
> In multicasting, a host joins a multicast group and can send packets to all hosts participating in the group
> The X505 supports IGMP v2 and Protocol Independent Multicast Dense Mode (PIM-DM)
Network Tools