Cybersecurity · May 24, 2026 · VirtLab

Network security simulation: building an enterprise firewall lab in a virtual environment

A detailed walkthrough of configuring an enterprise firewall lab on a network simulation platform, covering the deployment and policy configuration of Cisco ASA, FortiGate and Huawei firewalls.

Figure: network security firewall lab


A firewall is the core component of enterprise network security. This article shows how to build an enterprise firewall lab on mainstream simulation platforms, covering the configuration of Cisco ASA, FortiGate and Huawei firewalls.

Firewall lab overview

Lab topology

                        ISP

                    ┌────┴────┐
                    │ Firewall│
                    │ outside │
                    └────┬────┘

            ┌────────────┼────────────┐
            │            │            │
       ┌────┴────┐  ┌────┴────┐  ┌────┴────┐
       │  DMZ    │  │ Internal│  │  Guest  │
       │  Zone   │  │  Zone   │  │  Zone   │
       │         │  │         │  │         │
      Web       DB      PCs     WiFi
      Server   Server            Users

Security zone partitioning

Zone                   Security level   Access control policy
Trust (internal)       -                may reach every zone
DMZ                    -                reachable only on specific services
Untrust (external)     -                only reply traffic is admitted
Guest                  -                internet access only
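As an added example (not from the article or any firewall vendor), the following Python models the zone table as a small stateful firewall: security levels decide the default direction of traffic, a connection table admits reply traffic back into Untrust, and the DMZ row is reduced to a set of published services. The guest subnet, the guest security level and the sample flows are assumptions chosen to match the lab topology.

```python
"""Zone-based access control with stateful reply handling (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ASA-style security levels: higher -> lower is allowed by default,
# lower -> higher needs an explicit exception. The guest level is an assumption.
ZONE_LEVEL = {"trust": 100, "dmz": 50, "guest": 20, "untrust": 0}

ZONE_NETS = {
    "trust": ip_network("192.168.1.0/24"),   # from the lab topology
    "dmz": ip_network("10.1.1.0/24"),        # from the lab topology
    "guest": ip_network("192.168.50.0/24"),  # assumed guest subnet
}

# The "only specific services" row of the table: what lower-trust zones may reach in the DMZ.
DMZ_PUBLISHED = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> Flow:
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the internal ranges is the internet."""
    ip = ip_address(addr)
    for zone, net in ZONE_NETS.items():
        if ip in net:
            return zone
    return "untrust"


class ZoneFirewall:
    def __init__(self) -> None:
        self.conn_table: set[Flow] = set()

    def decide(self, flow: Flow) -> str:
        """Return 'permit' or 'deny'; permitted flows are recorded so their replies pass."""
        # Stateful inspection: a reply to a flow we already permitted is allowed.
        if flow.reverse() in self.conn_table:
            return "permit"
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        verdict = "deny"
        if src_zone == "guest":
            # Guest row: internet only, never an internal zone.
            verdict = "permit" if dst_zone == "untrust" else "deny"
        elif dst_zone == "dmz" and ZONE_LEVEL[src_zone] < ZONE_LEVEL["dmz"]:
            # DMZ row: a lower-trust zone may only reach published services.
            verdict = "permit" if (flow.proto, flow.dport) in DMZ_PUBLISHED else "deny"
        elif ZONE_LEVEL[src_zone] > ZONE_LEVEL[dst_zone]:
            # Trust row and the generic higher -> lower default.
            verdict = "permit"
        if verdict == "permit":
            self.conn_table.add(flow)
        return verdict


def run_sample() -> list[tuple[Flow, str]]:
    """Evaluate a constructed set of flows in order; returns (flow, verdict) pairs."""
    fw = ZoneFirewall()
    flows = [
        Flow("tcp", "192.168.1.20", 40000, "198.51.100.7", 443),  # trust -> internet
        Flow("tcp", "198.51.100.7", 443, "192.168.1.20", 40000),  # its reply
        Flow("tcp", "198.51.100.9", 51000, "192.168.1.20", 445),  # unsolicited inbound
        Flow("tcp", "198.51.100.9", 51000, "10.1.1.10", 80),      # internet -> DMZ web
        Flow("tcp", "198.51.100.9", 51001, "10.1.1.10", 22),      # internet -> DMZ ssh
        Flow("tcp", "192.168.50.5", 42000, "10.1.1.10", 80),      # guest -> DMZ
        Flow("tcp", "192.168.50.5", 42001, "198.51.100.7", 80),   # guest -> internet
    ]
    return [(f, fw.decide(f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in run_sample():
        print(f"{verdict:6} {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

The order of the flows matters: the reply on the second line is only permitted because the first line created a connection-table entry, which is exactly the "only reply traffic" rule of the Untrust row.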

Cisco ASA configuration

Basic configuration

! Basic settings
hostname ASA-FW
enable password cisco123
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
 no shutdown

NAT configuration

! Configure PAT (port address translation) for the inside network
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
!
nat (inside,outside) source dynamic INSIDE_NET interface
!
! Configure static NAT for the DMZ web server (object NAT: the nat
! statement belongs inside the object definition)
object network WEB_SERVER
 host 10.1.1.10
 nat (dmz,outside) static 203.0.113.100 dns

ACL configuration

! Inbound ACL on the outside interface: allow ICMP echo replies and the
! published web services. On ASA 8.3 and later an ACL matches the real
! (untranslated) address, so reference the WEB_SERVER object (10.1.1.10),
! not the mapped address 203.0.113.100.
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit tcp any object WEB_SERVER eq 80
access-list OUTSIDE extended permit tcp any object WEB_SERVER eq 443
!
access-group OUTSIDE in interface outside

Security policy

! Block malicious outbound traffic
access-list BLOCK_MALWARE extended deny tcp any any eq 4444
access-list BLOCK_MALWARE extended deny tcp any any eq 135
access-list BLOCK_MALWARE extended deny udp any any eq 135
access-list BLOCK_MALWARE extended permit ip any any
!
! Apply the policy inbound on the inside interface
access-group BLOCK_MALWARE in interface inside
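The following Python is an added example, not Cisco's code or the article's. It parses ASA extended ACEs in the form used above, un-translates an inbound packet's destination with the static NAT from the NAT section, and then applies first-match semantics with the implicit deny at the end. It also shows why an ACL written against the mapped address (203.0.113.100) never matches on ASA 8.3 and later, while one written against the real address does. The object table, the two ACL variants and the packets are constructed for the example.

```python
"""ASA extended-ACL evaluator with the post-8.3 NAT order of operations (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Static NAT from the NAT section: mapped (outside) address -> real (dmz) address.
STATIC_NAT = {"203.0.113.100": "10.1.1.10"}

# Network objects an ACE may reference with "object NAME".
OBJECTS = {"WEB_SERVER": ip_network("10.1.1.10/32")}


@dataclass
class Ace:
    action: str
    proto: str
    src: object      # ipaddress network
    dst: object
    dport: int | None
    icmp_type: str | None


def _parse_addr(tokens: list[str], i: int) -> tuple[object, int]:
    """Consume one address spec (any | host X | object NAME | NET MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    return ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> tuple[str, Ace]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1])
    elif i < len(t) and proto == "icmp":
        icmp_type = t[i]
    return name, Ace(action, proto, src, dst, dport, icmp_type)


def parse_acl(text: str) -> dict[str, list[Ace]]:
    """Group ACEs by ACL name, skipping blank and '!' comment lines."""
    acls: dict[str, list[Ace]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acl: list[Ace], proto: str, src: str, dst: str,
             dport: int | None = None, icmp_type: str | None = None) -> str:
    """First matching ACE wins; the ASA appends an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if ace.proto not in (proto, "ip") or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"


def inbound_verdict(acl: list[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Inbound on 'outside' (8.3+): un-NAT the destination first, then check the ACL."""
    return evaluate(acl, proto, src, STATIC_NAT.get(dst, dst), dport)


# Constructed ACLs with the same intent, written against the mapped and the real address.
ACL_MAPPED = """
access-list OUTSIDE extended permit tcp any host 203.0.113.100 eq 80
access-list OUTSIDE extended permit icmp any any echo-reply
"""
ACL_REAL = """
access-list OUTSIDE extended permit tcp any object WEB_SERVER eq 80
access-list OUTSIDE extended permit icmp any any echo-reply
"""


def compare_styles() -> tuple[str, str]:
    """Verdicts for a client connecting to the published address under both ACL styles."""
    pkt = ("tcp", "198.51.100.7", "203.0.113.100", 80)
    return (inbound_verdict(parse_acl(ACL_MAPPED)["OUTSIDE"], *pkt),
            inbound_verdict(parse_acl(ACL_REAL)["OUTSIDE"], *pkt))


if __name__ == "__main__":
    print(compare_styles())  # ('deny', 'permit')
```

The `show access-list` hit counters in the traffic statistics section are the quickest way to confirm this on a real device: an ACE that references the mapped address stays at zero hits while connections are being denied.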

FortiGate configuration

Initial configuration

config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.252
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
    edit "dmz"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set role dmz
    next
end

Firewall policies

config firewall vip
    edit "WEB_SERVER"
        set extip 203.0.113.100
        set extintf "wan1"
        set mappedip "10.1.1.10"
    next
end

config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next

    edit 2
        set name "DMZ-Web-Server"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "WEB_SERVER"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next

    edit 3
        set name "Block-P2P"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "BITTORRENT" "EDONKEY"
    next
    move 3 before 1
end
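FortiGate evaluates policies top-down and stops at the first match, so a deny placed after an accept of service ALL for the same interfaces never fires. The following Python is an added example (not FortiOS code and not the article's) that represents the three policies above as dictionaries, reports every policy that is fully shadowed by an earlier one, and includes a `move_before` helper that mirrors the CLI's `move` command. Address and service names are treated as opaque labels with "all"/"ALL" as wildcards, which is a simplifying assumption that ignores address-group nesting.

```python
"""Detect shadowed FortiGate firewall policies under first-match ordering (added example)."""
from __future__ import annotations

WILDCARDS = {"all", "ALL"}

# Constructed from the policy block above, in the order the article lists them.
POLICIES_AS_WRITTEN = [
    {"id": 1, "name": "LAN-to-WAN", "srcintf": {"internal"}, "dstintf": {"wan1"},
     "srcaddr": {"all"}, "dstaddr": {"all"}, "service": {"ALL"}, "action": "accept"},
    {"id": 2, "name": "DMZ-Web-Server", "srcintf": {"wan1"}, "dstintf": {"dmz"},
     "srcaddr": {"all"}, "dstaddr": {"WEB_SERVER"}, "service": {"HTTP", "HTTPS"},
     "action": "accept"},
    {"id": 3, "name": "Block-P2P", "srcintf": {"internal"}, "dstintf": {"wan1"},
     "srcaddr": {"all"}, "dstaddr": {"all"}, "service": {"BITTORRENT", "EDONKEY"},
     "action": "deny"},
]

MATCH_FIELDS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")


def covers(earlier: set[str], later: set[str]) -> bool:
    """True if everything the later policy matches is also matched by the earlier one."""
    if earlier & WILDCARDS:
        return True
    if later & WILDCARDS:
        return False  # the later policy matches more than the earlier one
    return later <= earlier


def shadowed_policies(policies: list[dict]) -> list[tuple[int, int, bool]]:
    """Return (shadowed_id, shadowing_id, action_conflict) for each fully shadowed policy.

    action_conflict is True when the shadowing policy takes a different action,
    i.e. a deny that can never fire because an earlier accept catches the traffic.
    """
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(covers(earlier[f], later[f]) for f in MATCH_FIELDS):
                findings.append((later["id"], earlier["id"], earlier["action"] != later["action"]))
                break  # the first shadowing policy is the one that takes the traffic
    return findings


def move_before(policies: list[dict], pid: int, before_id: int) -> list[dict]:
    """Same effect as 'move <pid> before <before_id>' inside 'config firewall policy'."""
    moving = next(p for p in policies if p["id"] == pid)
    rest = [p for p in policies if p["id"] != pid]
    idx = next(i for i, p in enumerate(rest) if p["id"] == before_id)
    return rest[:idx] + [moving] + rest[idx:]


if __name__ == "__main__":
    print("as written:", shadowed_policies(POLICIES_AS_WRITTEN))
    print("after move 3 before 1:", shadowed_policies(move_before(POLICIES_AS_WRITTEN, 3, 1)))
```

Running the check on the policies in their written order flags policy 3 as shadowed by policy 1 with an action conflict; after the move, nothing is shadowed. The same first-match rule applies to the ASA ACLs and the Huawei security-policy rules in this article.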

Application control

config application list
    edit "BLOCK_SOCIAL"
        set comment "Block social media apps"
        config entries
            edit 1
                set category 2
                set action block
            next
            edit 2
                set app "facebook"
                set action block
            next
            edit 3
                set app "twitter"
                set action block
            next
        end
    next
end

config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "BLOCK_SOCIAL"
    next
end

Huawei firewall configuration

# Configure security zones
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet0/0/1
[FW-zone-trust] quit
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet0/0/2
[FW-zone-dmz] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet0/0/0
[FW-zone-untrust] quit

Policy configuration

# Configure a security policy (allow the internal network to reach the internet)
[FW] security-policy
[FW-policy] rule name TRUST_TO_UNTRUST
[FW-policy-rule-TRUST_TO_UNTRUST] source-zone trust
[FW-policy-rule-TRUST_TO_UNTRUST] destination-zone untrust
[FW-policy-rule-TRUST_TO_UNTRUST] source-address 192.168.1.0 24
[FW-policy-rule-TRUST_TO_UNTRUST] action permit
[FW-policy-rule-TRUST_TO_UNTRUST] quit
[FW-policy] quit

Source NAT configuration

# Configure source NAT (Easy IP: translate to the outbound interface address)
[FW] nat-policy
[FW-nat-policy] rule name EASY_IP
[FW-nat-policy-rule-EASY_IP] source-zone trust
[FW-nat-policy-rule-EASY_IP] destination-zone untrust
[FW-nat-policy-rule-EASY_IP] action nat easy-ip
[FW-nat-policy-rule-EASY_IP] quit
[FW-nat-policy] quit

Destination NAT configuration

# Configure destination NAT (publish the DMZ server)
[FW] nat-policy
[FW-nat-policy] rule name DMZ_SERVER_NAT
[FW-nat-policy-rule-DMZ_SERVER_NAT] source-zone untrust
[FW-nat-policy-rule-DMZ_SERVER_NAT] destination-address 203.0.113.100 32
[FW-nat-policy-rule-DMZ_SERVER_NAT] action nat static destination 10.1.1.10
[FW-nat-policy-rule-DMZ_SERVER_NAT] quit
[FW-nat-policy] quit

IPS configuration lab

Snort IDS/IPS rules

# Detect malicious traffic
alert tcp any any -> any 4444 (msg:"WannaCry Port"; sid:1000001; rev:1;)
alert tcp any any -> any 135 (msg:"RPC Traffic"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"ICMP Ping"; sid:1000003; rev:1;)
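An added example in Python (not Snort's own parser and not part of the article): it parses the three rules above into structured form and checks constructed packets against them, covering the header subset used here (any, host/CIDR lists with `!` negation, single ports and `lo:hi` ranges, `->` and `<>` directions) plus the msg/sid/rev options. Payload options and Snort's event queue are out of scope.

```python
"""Minimal Snort rule parser and header matcher (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RULES_TEXT = """
# Rules from the section above
alert tcp any any -> any 4444 (msg:"WannaCry Port"; sid:1000001; rev:1;)
alert tcp any any -> any 135 (msg:"RPC Traffic"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"ICMP Ping"; sid:1000003; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str
    sid: int
    rev: int


def parse_options(opts: str) -> dict[str, str]:
    """Turn 'msg:"x"; sid:1; rev:1;' into a dict, stripping the quotes around values."""
    out = {}
    for item in opts.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            out[key.strip()] = value.strip().strip('"')
    return out


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        o = parse_options(m["opts"])
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"], m["dst"],
                          m["dport"], o.get("msg", ""), int(o["sid"]), int(o.get("rev", "1"))))
    return rules


def _addr_match(spec: str, addr: str) -> bool:
    """'any', a single host/CIDR, a [a,b] list, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ip_address(addr) in ip_network(n, strict=False) for n in nets)
    return hit != negate


def _port_match(spec: str, port: int | None) -> bool:
    """'any', a single port, or a 'lo:hi' range with either bound open."""
    if spec == "any":
        return True
    if port is None:
        return False
    lo, sep, hi = spec.partition(":")
    if sep:
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def _one_way(r: Rule, src: str, sport: int | None, dst: str, dport: int | None) -> bool:
    return (_addr_match(r.src, src) and _port_match(r.sport, sport)
            and _addr_match(r.dst, dst) and _port_match(r.dport, dport))


def match(rules: list[Rule], proto: str, src: str, sport: int | None,
          dst: str, dport: int | None) -> list[int]:
    """Return the sids of every rule whose header the packet matches."""
    hits = []
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if _one_way(r, src, sport, dst, dport) or (
                r.direction == "<>" and _one_way(r, dst, dport, src, sport)):
            hits.append(r.sid)
    return hits


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed packets: a connection to tcp/4444 and a ping into the DMZ.
    print(match(RULES, "tcp", "192.168.1.20", 51000, "198.51.100.7", 4444))
    print(match(RULES, "icmp", "192.168.1.20", None, "10.1.1.10", None))
```

The third rule fires on every ICMP packet; in a lab that is useful for confirming the sensor sees traffic, but a parser like this one makes it easy to spot such rules by checking how many have an all-`any` header before loading them on a production sensor.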

Traffic analysis lab

Capturing firewall logs

# View logs on the ASA (logging must be enabled and buffered first)
logging enable
logging buffered informational
show logging
show firewall
show conn all
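To turn `show logging` output into something that can be counted, the following Python (an added example, not Cisco tooling and not part of the article) parses constructed ASA syslog lines for message IDs 302013 (connection built) and 106023 (denied by access-group), tallies denies per source and per ACL, and lists the NAT translations visible in the built-connection records. The addresses are documentation ranges and the three-deny threshold in `noisy_sources` is an assumption.

```python
"""Parse ASA syslog connection and deny messages and summarise them (added example)."""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample lines in the format of ASA message IDs 302013, 302014 and 106023.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51234 (198.51.100.7/51234) to dmz:10.1.1.10/80 (203.0.113.100/80)
%ASA-4-106023: Deny tcp src outside:198.51.100.9/40001 dst dmz:10.1.1.10/22 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/40002 dst dmz:10.1.1.10/3389 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.20/52000 dst outside:198.51.100.7/4444 by access-group "BLOCK_MALWARE" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51234 to dmz:10.1.1.10/80 duration 0:00:02 bytes 1234 TCP FINs
%ASA-4-106023: Deny tcp src outside:198.51.100.9/40003 dst dmz:10.1.1.10/445 by access-group "OUTSIDE" [0x0, 0x0]
"""

MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<srcif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dstif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) for "
    r"(?P<srcif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<msrc>[\d.]+)/\d+\) to "
    r"(?P<dstif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mdst>[\d.]+)/\d+\)"
)


def parse_line(line: str) -> dict | None:
    """Return a record with kind 'deny', 'built' or 'other'; None for non-ASA lines."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"]}
    body = m["body"]
    if m["id"] == "106023" and (d := DENY_RE.match(body)):
        rec.update(d.groupdict(), kind="deny")
    elif m["id"] == "302013" and (b := BUILT_RE.match(body)):
        rec.update(b.groupdict(), kind="built")
    else:
        rec["kind"] = "other"
    return rec


def summarise(log: str) -> dict:
    """Count denies per source and per ACL; collect (mapped, real) pairs from built connections."""
    denies_by_src: Counter[str] = Counter()
    denies_by_acl: Counter[str] = Counter()
    translations = set()
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["kind"] == "deny":
            denies_by_src[rec["src"]] += 1
            denies_by_acl[rec["acl"]] += 1
        elif rec["kind"] == "built" and rec["mdst"] != rec["dst"]:
            translations.add((rec["mdst"], rec["dst"]))
    return {"denies_by_src": denies_by_src, "denies_by_acl": denies_by_acl,
            "translations": translations}


def noisy_sources(log: str, threshold: int = 3) -> list[str]:
    """Sources with at least `threshold` denies, most frequent first (assumed threshold)."""
    counts = summarise(log)["denies_by_src"]
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print(noisy_sources(SAMPLE_LOG))  # ['198.51.100.9']
```

The 302013 record carries both the mapped and the real address, which is why it is the easiest place to verify that the static NAT from the NAT section is applied as intended; the 106023 records name the ACL that dropped the packet, so a deny attributed to BLOCK_MALWARE points at an inside host rather than at the internet.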

Traffic statistics

! View traffic statistics and ACL hit counts
show traffic
show running-config object-group
show access-list

Advanced security labs

Scenario 1: zero-trust network architecture

┌──────────────────────────────────────────────────────┐
│               Zero-trust architecture                │
│                                                      │
│  ┌────────┐    ┌──────────┐    ┌─────────────────┐   │
│  │  User  │───▶│   IAM    │───▶│  Policy Engine  │   │
│  └────────┘    │ identity │    └────────┬────────┘   │
│                │  check   │             │            │
│                └──────────┘             │            │
│                                      ┌──┴──┐         │
│                              ┌──────▶│Micro│───────┐ │
│                              │       │ seg │       │ │
│                              │       └─────┘       │ │
│                              │                     │ │
│                              │       ┌──────────┐  │ │
│                              └──────▶│ Resource │◀─┘ │
│                                      │ (service)│    │
│                                      └──────────┘    │
└──────────────────────────────────────────────────────┘

Scenario 2: firewall high availability

           ISP

       ┌────┴────┐
       │  Switch │
       └──┬───┬──┘
          │   │
     ┌────┘   └────┐
     │             │
 ┌───┴───┐     ┌───┴───┐
 │  ASA  │◀───▶│  ASA  │
 │Active │     │Standby│
 └───┬───┘     └───┬───┘
     │  failover   │
     └─────────────┘

Summary

After working through this article you know how to build an enterprise firewall lab on a simulation platform. Start with the basic configuration and work up to more complex security policies such as IPS, application control and zero-trust architecture.

#Firewall #ASA #FortiGate #Security #NetworkSecurity