Network Security

In the Sun ONE network configuration, a firewall is placed between each pair of service modules so that all traffic crossing from one module to another is filtered. FIGURE 7-20 shows the relationship between the firewalls and the service modules.

Figure 7-20. Firewalls between Service Modules


In the lab, a single physical firewall device was partitioned into multiple virtual firewalls. Traffic between service modules was forced through these virtual firewalls, as shown in FIGURE 7-21.

Figure 7-21. Virtual Firewall Architecture Using Netscreen and Foundry Networks Products


The core switch is configured for Layer 2 only, with a separate port-based VLAN for each service module. The link between the Netscreen and the core switch carries these VLANs as tagged VLANs. Security zones are created on the Netscreen device, one per tagged VLAN, and the Netscreen performs all Layer 3 routing between them. Because the switch does no routing, a packet can move from one service module to another only by traversing the firewall, so every inter-module flow is subject to firewall policy.

Netscreen Firewall

CODE EXAMPLE 7-5 shows part of the configuration file used for the Netscreen device. When reading it, note that the three custom zones (DMZ1, web, appsrvr) are bound to ethernet1, ethernet2 and ethernet3, that the four policies permit the ANY service between DMZ1 and the web and appsrvr zones, and that no policy exists between web and appsrvr. A production deployment would restrict each policy to the services the modules actually use, and would disable telnet management (enabled here on vlan1 and v1-trust), since telnet sends administrator credentials in cleartext.

Code example 7-5. Configuration File Used for Netscreen Device
set auth timeout 10
set clock "timezone" 0
set admin format dos
set admin name "netscreen"
set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
set admin sys-ip 0.0.0.0
set admin auth timeout 0
set admin auth type Local
set zone id 1000 "DMZ1"
set zone id 1001 "web"
set zone id 1002 "appsrvr"
set zone "Untrust" block
set zone "DMZ" vrouter untrust-vr
set zone "MGT" block
set zone "DMZ1" vrouter trust-vr
set zone "web" vrouter trust-vr
set zone "appsrvr" vrouter trust-vr
set ip tftp retry 10
set ip tftp timeout 2
set interface ethernet1 zone DMZ1
set interface ethernet2 zone web
set interface ethernet3 zone appsrvr
set interface ethernet1 ip 192.168.0.253/24
set interface ethernet1 route
set interface ethernet2 ip 10.10.0.253/24
set interface ethernet2 route
set interface ethernet3 ip 20.20.0.253/24
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 manage ping
unset interface ethernet1 manage scs
unset interface ethernet1 manage telnet
unset interface ethernet1 manage snmp
unset interface ethernet1 manage global
unset interface ethernet1 manage global-pro
unset interface ethernet1 manage ssl
set interface ethernet1 manage web
unset interface ethernet1 ident-reset
set interface vlan1 manage ping
set interface vlan1 manage scs
set interface vlan1 manage telnet
set interface vlan1 manage snmp
set interface vlan1 manage global
set interface vlan1 manage global-pro
set interface vlan1 manage ssl
set interface vlan1 manage web
set interface v1-trust manage ping
set interface v1-trust manage scs
set interface v1-trust manage telnet
set interface v1-trust manage snmp
set interface v1-trust manage global
set interface v1-trust manage global-pro
set interface v1-trust manage ssl
set interface v1-trust manage web
unset interface v1-trust ident-reset
unset interface v1-untrust manage ping
unset interface v1-untrust manage scs
unset interface v1-untrust manage telnet
unset interface v1-untrust manage snmp
unset interface v1-untrust manage global
unset interface v1-untrust manage global-pro
unset interface v1-untrust manage ssl
unset interface v1-untrust manage web
unset interface v1-untrust ident-reset
set interface v1-dmz manage ping
unset interface v1-dmz manage scs
unset interface v1-dmz manage telnet
unset interface v1-dmz manage snmp
unset interface v1-dmz manage global
unset interface v1-dmz manage global-pro
unset interface v1-dmz manage ssl
unset interface v1-dmz manage web
unset interface v1-dmz ident-reset
set interface ethernet2 manage ping
unset interface ethernet2 manage scs
unset interface ethernet2 manage telnet
unset interface ethernet2 manage snmp
unset interface ethernet2 manage global
unset interface ethernet2 manage global-pro
unset interface ethernet2 manage ssl
unset interface ethernet2 manage web
unset interface ethernet2 ident-reset
set interface ethernet3 manage ping
unset interface ethernet3 manage scs
unset interface ethernet3 manage telnet
unset interface ethernet3 manage snmp
unset interface ethernet3 manage global
unset interface ethernet3 manage global-pro
unset interface ethernet3 manage ssl
unset interface ethernet3 manage web
unset interface ethernet3 ident-reset
set interface v1-untrust screen tear-drop
set interface v1-untrust screen syn-flood
set interface v1-untrust screen ping-death
set interface v1-untrust screen ip-filter-src
set interface v1-untrust screen land
set flow mac-flooding
set flow check-session
set address DMZ1 "dmznet" 192.168.0.0 255.255.255.0
set address web "webnet" 10.10.0.0 255.255.255.0
set address appsrvr "appnet" 20.20.0.0 255.255.255.0
set snmp name "ns208"
set traffic-shaping ip_precedence 7 6 5 4 3 2 1 0
set ike policy-checking
set ike respond-bad-spi 1
set ike id-mode subnet
set l2tp default auth local
set l2tp default ppp-auth any
set l2tp default radius-port 1645
set policy id 0 from DMZ1 to web "dmznet" "webnet" "ANY" Permit
set policy id 1 from web to DMZ1 "webnet" "dmznet" "ANY" Permit
set policy id 2 from DMZ1 to appsrvr "dmznet" "appnet" "ANY" Permit
set policy id 3 from appsrvr to DMZ1 "appnet" "dmznet" "ANY" Permit
set ha interface ethernet8
set ha track threshold 255
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
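The following script is an added example, not part of the original lab configuration or of the Netscreen product. It parses the zone, policy and interface-management commands of a ScreenOS configuration dump in the forms shown in CODE EXAMPLE 7-5, derives the effective zone-to-zone reachability matrix (ScreenOS denies interzone traffic that no policy permits), and reports interfaces with cleartext management protocols enabled and policies that permit the ANY service. The sample configuration embedded in the script is a constructed subset of CODE EXAMPLE 7-5; the function names and the set of protocols treated as cleartext are the author's assumptions.

```python
"""Audit a ScreenOS (Netscreen) configuration dump for zone reachability
and risky management settings.

Added example; not code from the original Sun ONE lab or from the
Netscreen product.  Requires Python 3.8+ (uses the walrus operator).
"""
import re
from collections import defaultdict

# Constructed subset of Code Example 7-5 (sample input for the audit;
# not the full lab configuration).
SAMPLE_CONFIG = """\
set zone id 1000 "DMZ1"
set zone id 1001 "web"
set zone id 1002 "appsrvr"
set interface ethernet1 zone DMZ1
set interface ethernet2 zone web
set interface ethernet3 zone appsrvr
unset interface ethernet1 manage telnet
set interface ethernet1 manage web
set interface vlan1 manage scs
set interface vlan1 manage telnet
set interface v1-trust manage telnet
unset interface ethernet2 manage telnet
unset interface ethernet2 manage web
set policy id 0 from DMZ1 to web "dmznet" "webnet" "ANY" Permit
set policy id 1 from web to DMZ1 "webnet" "dmznet" "ANY" Permit
set policy id 2 from DMZ1 to appsrvr "dmznet" "appnet" "ANY" Permit
set policy id 3 from appsrvr to DMZ1 "appnet" "dmznet" "ANY" Permit
"""

ZONE_RE = re.compile(r'^set zone id \d+ "([^"]+)"$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from (\S+) to (\S+) "([^"]*)" "([^"]*)" "([^"]*)" (\w+)'
)
MANAGE_RE = re.compile(r'^(set|unset) interface (\S+) manage (\S+)$')

# Management services that carry credentials or data unencrypted
# (assumption: the set a reviewer would flag; scs is SSH and is excluded).
CLEARTEXT_MGMT = {"telnet", "web", "snmp"}


def parse_config(text):
    """Return (zones, policies, manage) from a ScreenOS config dump."""
    zones, policies = [], []
    manage = defaultdict(set)  # interface -> management services enabled
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones.append(m.group(1))
        elif m := POLICY_RE.match(line):
            pid, src, dst, saddr, daddr, svc, action = m.groups()
            policies.append({"id": int(pid), "from": src, "to": dst,
                             "src": saddr, "dst": daddr,
                             "service": svc, "action": action})
        elif m := MANAGE_RE.match(line):
            verb, iface, svc = m.groups()
            if verb == "set":
                manage[iface].add(svc)
            else:
                manage[iface].discard(svc)
    return zones, policies, dict(manage)


def zone_matrix(zones, policies):
    """Effective action for every ordered pair of distinct zones.
    ScreenOS denies interzone traffic that no policy permits, so a pair
    with no policy is reported as denied."""
    matrix = {}
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            hits = [p for p in policies if p["from"] == src and p["to"] == dst]
            if hits:
                matrix[(src, dst)] = "; ".join(
                    f'{p["action"]} {p["service"]} (policy {p["id"]})' for p in hits)
            else:
                matrix[(src, dst)] = "Deny (no policy)"
    return matrix


def cleartext_management(manage):
    """Interfaces on which a cleartext management protocol is enabled."""
    return {iface: sorted(svcs & CLEARTEXT_MGMT)
            for iface, svcs in manage.items() if svcs & CLEARTEXT_MGMT}


def any_service_policies(policies):
    """Ids of policies that permit the ANY service."""
    return [p["id"] for p in policies
            if p["action"] == "Permit" and p["service"] == "ANY"]


def audit(text=SAMPLE_CONFIG):
    """Run all checks over a config dump and return the findings."""
    zones, policies, manage = parse_config(text)
    return {"matrix": zone_matrix(zones, policies),
            "cleartext_mgmt": cleartext_management(manage),
            "any_policies": any_service_policies(policies)}


if __name__ == "__main__":
    report = audit()
    for (src, dst), action in sorted(report["matrix"].items()):
        print(f"{src:>8} -> {dst:<8} {action}")
    print("cleartext management:", report["cleartext_mgmt"])
    print("policies permitting ANY:", report["any_policies"])
```

Run against the full CODE EXAMPLE 7-5 the matrix shows that web and appsrvr cannot reach each other directly in either direction, which the policy list alone does not make obvious, while DMZ1 has unrestricted access to both. The management check is order-sensitive: a later `unset` cancels an earlier `set` for the same interface, matching how ScreenOS applies the commands in sequence.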