DMZ on a network router




Date: 09.06.2023
Size: 212.18 Kb




LABORATORY WORK 16


Setting up a DMZ on a network router.


Purpose of the work. To acquire the skills needed to set up a DMZ on a network router.


Brief theoretical information


A DMZ is a physical or virtual server that acts as a buffer between the local network and the Internet. It is used to provide local network users with e-mail services, remote servers, web applications and other programs that require access to the World Wide Web. Access to internal resources from the outside has to pass through an authorization procedure, so login attempts by unauthorized users do not succeed. In most cases this is implemented in the router settings.


The name comes from the English abbreviation (demilitarized zone): the DMZ serves as a barrier between the areas that communicate with each other. This technique is used when building a home server that must be reachable from any computer connected to the Internet. Large corporate networks with high internal security use a genuinely separated zone. Home router models, by contrast, expose the computer to the Internet completely.


Service leg configuration





One of the DMZ network configurations is the firewall configuration called the "service leg". In this configuration the firewall has at least three network interfaces: one interface connects to the Internet, the second to the internal network, and the third forms the DMZ network. This configuration can increase the risk to the firewall itself during a DoS attack directed at services located in the DMZ. In a simple DMZ configuration, a DoS attack against a resource in the DMZ, such as a web server, affects only that target resource. In the service-leg DMZ configuration, the firewall carries the main load of the DoS attack, because it has to inspect all network traffic before that traffic reaches the resource located in the DMZ. As a result, a DoS attack carried out on the web server can affect all of the organization's traffic.


Procedure


1. Start the Cisco Packet Tracer program.
2. For the laboratory work, select a Cisco 2960 switch, a 2911 router, an ASA 5505 firewall, a server and computers.
3. Build the topology shown below.
4. Test the built topology.





Figure 16.1. The network topology under study
The following sequence of commands is entered on ASA0.


ciscoasa> enable
ciscoasa# conf t
ciscoasa(config)# no dhcpd enable inside
ciscoasa(config)# no dhcpd address 192.168.1.5-192.168.1.36 inside
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.100.1 255.255.255.0
ciscoasa(config-if)# exit
! Define the DHCP pool and DNS before enabling the DHCP server on inside
ciscoasa(config)# dhcpd address 192.168.100.22-192.168.100.50 inside
ciscoasa(config)# dhcpd dns 8.8.8.8
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# interface vlan 2
ciscoasa(config-if)# ip address 195.158.18.18 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 195.158.18.1
! Dynamic PAT for the inside network behind the outside interface address
ciscoasa(config)# object network NAT
ciscoasa(config-network-object)# subnet 192.168.100.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa(config-network-object)# exit
! Inspection policy so return traffic for HTTP and ICMP is allowed back in
ciscoasa(config)# class-map qoida
ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map toplam
ciscoasa(config-pmap)# class qoida
ciscoasa(config-pmap-c)# inspect http
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy toplam global
ciscoasa(config)# enable password salom
ciscoasa(config)# username admin password tatu123
ciscoasa(config)# hostname ASA
ASA(config)# domain-name tatu.uz
! Management access: SSH from the inside network and from one outside host only
ASA(config)# ssh 192.168.100.0 255.255.255.0 inside
ASA(config)# ssh 8.8.8.8 255.255.255.255 outside
ASA(config)# aaa authentication ssh console LOCAL
ASA(config)# aaa authentication telnet console LOCAL
! Third interface: the DMZ, with a security level between inside (100) and outside (0)
ASA(config)# interface vlan 3
ASA(config-if)# no forward interface vlan 1
ASA(config-if)# nameif DMZ
ASA(config-if)# security-level 70
ASA(config-if)# ip address 192.168.70.1 255.255.255.0
ASA(config-if)# exit
! The lab does not state which ASA port the DMZ server is plugged into; ethernet 0/2 is an assumed choice
ASA(config)# interface ethernet 0/2
ASA(config-if)# switchport access vlan 3
ASA(config-if)# exit
! Static NAT publishing the DMZ server; the lab gives no server address, 192.168.70.2 is an assumed value
ASA(config)# object network DMZ
ASA(config-network-object)# host 192.168.70.2
ASA(config-network-object)# nat (DMZ,outside) static 195.158.18.88
ASA(config-network-object)# exit
! Only ICMP and HTTP from the outside toward the published server are permitted
! (on ASA software 8.3 and later, access-lists should reference the server's real, untranslated address)
ASA(config)# access-list DMZ permit icmp any host 195.158.18.88
ASA(config)# access-list DMZ permit tcp any host 195.158.18.88 eq www
ASA(config)# access-group DMZ in interface outside
ASA(config)# end


The following sequence of commands is entered on the ROUTER.


continue with configuration dialog? [yes/no]: no
Router> enable
Router# conf t
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# no shutdown
Router(config-if)# ip address 195.158.18.1 255.255.255.0
Router(config-if)# exit
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# no shutdown
Router(config-if)# ip address 8.8.8.1 255.255.255.0
Router(config-if)# do wr
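As an added example that is not part of the lab, the following Python script checks the design invariants from the theory section against the ASA command sequence above: the DMZ security level must sit between inside and outside, the outside interface must carry an inbound access-list, that access-list must open only the published services toward the DMZ host, and SSH from outside must be limited to a single host. It assumes the ASA 5505 defaults (inside = 100, outside = 0), merges the two "interface vlan 3" blocks into one, and embeds a constructed running-config excerpt of the lab's commands plus a constructed weak variant to show what a finding looks like.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed running-config excerpt of the ASA commands from this lab (only the
# lines that matter for the DMZ design; the two "interface vlan 3" blocks are merged).
ASA_CONFIG = """\
interface vlan 1
 ip address 192.168.100.1 255.255.255.0
interface vlan 2
 ip address 195.158.18.18 255.255.255.0
interface vlan 3
 no forward interface vlan 1
 nameif DMZ
 security-level 70
 ip address 192.168.70.1 255.255.255.0
object network DMZ
 nat (DMZ,outside) static 195.158.18.88
access-list DMZ permit icmp any host 195.158.18.88
access-list DMZ permit tcp any host 195.158.18.88 eq www
access-group DMZ in interface outside
ssh 192.168.100.0 255.255.255.0 inside
ssh 8.8.8.8 255.255.255.255 outside
"""

# Constructed weak variant: web rule replaced by a blanket permit, SSH open to everyone.
WEAK_CONFIG = (
    ASA_CONFIG.replace("permit tcp any host 195.158.18.88 eq www", "permit ip any any")
    .replace("ssh 8.8.8.8 255.255.255.255 outside", "ssh 0.0.0.0 0.0.0.0 outside")
)

# ASA 5505 factory defaults for VLAN 1 / VLAN 2 (assumption: the lab keeps them).
DEFAULT_LEVELS = {"inside": 100, "outside": 0}


def security_levels(cfg: str) -> Dict[str, int]:
    """Map zone name (nameif) -> security level, starting from the 5505 defaults."""
    levels = dict(DEFAULT_LEVELS)
    name: Optional[str] = None
    for line in cfg.splitlines():
        if not line.startswith(" "):      # an unindented line ends the interface block
            name = None
            continue
        cmd = line.split()
        if cmd[0] == "nameif":
            name = cmd[1]
            levels.setdefault(name, 0)    # a newly named interface defaults to level 0
        elif cmd[0] == "security-level" and name:
            levels[name] = int(cmd[1])
    return levels


def default_flow_allowed(levels: Dict[str, int], src: str, dst: str) -> bool:
    """ASA default policy: connections may start from a higher security level toward a
    lower one; lower-to-higher (e.g. outside -> DMZ) needs an explicit access-list."""
    return levels[src] > levels[dst]


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one ASA address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_acl(cfg: str, name: str) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Return (action, protocol, src, dst, port) for every entry of the named ACL."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name]:
            continue
        src, rest = _take_addr(t[4:])
        dst, rest = _take_addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((t[2], t[3], src, dst, port))
    return entries


def published_services(cfg: str) -> Set[Tuple[str, Optional[str]]]:
    """(protocol, port) pairs the inbound outside ACL opens toward the firewall's zones."""
    group = re.search(r"^access-group (\S+) in interface outside$", cfg, re.M)
    if not group:
        return set()
    return {(proto, port) for action, proto, _s, _d, port in parse_acl(cfg, group.group(1))
            if action == "permit"}


def check_dmz_design(cfg: str) -> List[str]:
    """Return a list of findings; an empty list means the DMZ invariants hold."""
    findings: List[str] = []
    levels = security_levels(cfg)
    if "DMZ" not in levels:
        return ["no interface carries nameif DMZ"]
    if not levels["inside"] > levels["DMZ"] > levels["outside"]:
        findings.append(f"DMZ security-level {levels['DMZ']} is not between inside and outside")
    if default_flow_allowed(levels, "outside", "DMZ"):
        findings.append("outside can reach the DMZ without an access-list")
    group = re.search(r"^access-group (\S+) in interface outside$", cfg, re.M)
    if not group:
        findings.append("no access-list is applied inbound on the outside interface")
        return findings
    for action, proto, _src, dst, port in parse_acl(cfg, group.group(1)):
        if action != "permit":
            continue
        if dst == "any" or proto == "ip":
            findings.append(f"{group.group(1)}: 'permit {proto} ... {dst}' is broader than the published DMZ services")
        elif proto in ("tcp", "udp") and port is None:
            findings.append(f"{group.group(1)}: {proto} to {dst} is open on every port")
    for m in re.finditer(r"^ssh (\S+) (\S+) outside$", cfg, re.M):
        if m.group(2) != "255.255.255.255":
            findings.append(f"ssh on outside is open to {m.group(1)} {m.group(2)}, not a single host")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab config", ASA_CONFIG), ("weak variant", WEAK_CONFIG)):
        print(label, "->", check_dmz_design(cfg) or ["no findings"])
```

Running the script reports no findings for the lab configuration and two findings for the weak variant (the blanket permit and the unrestricted SSH). The parser only understands the commands used in this lab; the point is that the zone ordering and the "publish only what is needed" rule can be verified mechanically rather than by reading the configuration by eye.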





Figure 16.2. Testing the built topology
Assignment:


Prepare a report on the topic of the practical work. The report contains:
- the number and topic of the work;
- a picture of the network topology under study in Cisco Packet Tracer;
- the allocation of IP addresses in the network and the connection diagram (interface numbers), including a description of the model;
- user names and passwords;
- the configuration listing of the network elements;
- the results of attempts to access the network elements.


Control questions


1. What is a DMZ?
2. Why are DMZ zones set up in corporate networks?
3. Explain the operating principle of a DMZ.

