Sunday, April 20, 2008

A configuration term in Cisco PIX/ASA called the "Security Level"

The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level.

Conversely, an interface with a lower security level cannot access an interface with a higher security level without an access control list (ACL).

Security levels range from 0 to 100.

(1) Higher security level interface to a lower security level interface
- For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.

(2) Lower security level interface to a higher security level interface
- For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.

(3) Same security level interface to another interface with the same security level
- No traffic flows between two interfaces with the same security level.

To introduce a configuration term in Cisco PIX/ASA called the "Security Level": its value is any integer from 0 to 100. The smaller the number, the less trustworthy and the more dangerous the packets arriving from the network attached to that interface are considered, i.e. the lower its security. Hence the interface connected to the Internet is usually given a Security Level of 0, the interface connected to the internal or trusted network a Security Level of 100, and the DMZ a Security Level anywhere between 0 and 100. Traffic between different Security Levels follows fixed rules: data going from a higher Security Level to a lower one is not blocked, whereas data going from a lower Security Level to a higher one is blocked; to let such traffic through, additional firewall rules must be configured to inspect it, and only traffic that passes the inspection is allowed.
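The following Python model is an added example, not code from this post or from Cisco: it encodes the three security-level cases above as a decision function and runs it over a small constructed topology (outside 0, dmz 50, partner 50, inside 100) with made-up addresses and ACL entries. When an ACL is applied inbound on the ingress interface, the first matching entry decides and anything unmatched hits the implicit deny at the end of the list; without an ACL the security-level default applies. Same-level traffic is always dropped here, which is the default the post describes (the ASA command `same-security-traffic permit inter-interface` can change that default and is not modelled).

```python
"""Decision model for the Cisco PIX/ASA security-level rules described above.

Everything here is constructed for illustration: interface names, security
levels, addresses and ACL entries are made-up sample data, not a real config.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                 # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None   # None = any destination port


@dataclass
class Interface:
    name: str
    security_level: int      # 0 = least trusted ... 100 = most trusted
    # ACL applied inbound on this interface (None = no ACL applied at all).
    inbound_acl: Optional[List[AclEntry]] = None


@dataclass(frozen=True)
class Flow:
    ingress: str             # interface the packet arrives on
    egress: str              # interface it would leave through
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _matches(entry: AclEntry, flow: Flow) -> bool:
    return (
        entry.proto in ("ip", flow.proto)
        and ip_address(flow.src) in ip_network(entry.src)
        and ip_address(flow.dst) in ip_network(entry.dst)
        and (entry.dport is None or entry.dport == flow.dport)
    )


def decide(interfaces: dict, flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "drop", reason) for one flow.

    Rule (3): equal security levels -> dropped, ACL or not (default behaviour).
    If an ACL is applied on the ingress interface it decides: first match wins,
    anything unmatched hits the implicit deny at the end of the list.
    Without an ACL the security-level default applies:
    rule (1) higher -> lower is allowed, rule (2) lower -> higher is dropped.
    """
    ingress, egress = interfaces[flow.ingress], interfaces[flow.egress]
    if ingress.security_level == egress.security_level:
        return "drop", "same security level"
    if ingress.inbound_acl is not None:
        for entry in ingress.inbound_acl:
            if _matches(entry, flow):
                verdict = "allow" if entry.action == "permit" else "drop"
                return verdict, f"ACL entry on {ingress.name}: {entry.action}"
        return "drop", f"implicit deny at end of ACL on {ingress.name}"
    if ingress.security_level > egress.security_level:
        return "allow", "higher to lower security level, no ACL"
    return "drop", "lower to higher security level, nothing permits it"


# Constructed sample topology: outside (0), dmz (50), partner (50), inside (100).
# Only the outside interface carries an ACL; it admits HTTPS to one DMZ host.
INTERFACES = {
    "outside": Interface("outside", 0, inbound_acl=[
        AclEntry("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    ]),
    "dmz": Interface("dmz", 50),
    "partner": Interface("partner", 50),
    "inside": Interface("inside", 100),
}

# Constructed sample flows covering each of the three cases.
SAMPLE_FLOWS = {
    "inside_to_web": Flow("inside", "outside", "tcp", "10.0.0.5", "198.51.100.7", 80),
    "internet_to_dmz_https": Flow("outside", "dmz", "tcp", "203.0.113.9", "192.0.2.10", 443),
    "internet_to_dmz_ssh": Flow("outside", "dmz", "tcp", "203.0.113.9", "192.0.2.10", 22),
    "dmz_to_inside": Flow("dmz", "inside", "tcp", "192.0.2.10", "10.0.0.20", 3306),
    "inside_to_dmz": Flow("inside", "dmz", "tcp", "10.0.0.5", "192.0.2.10", 22),
    "dmz_to_partner": Flow("dmz", "partner", "icmp", "192.0.2.10", "172.16.0.1"),
}


def evaluate_all() -> dict:
    """Map each sample flow name to its verdict ("allow" or "drop")."""
    return {name: decide(INTERFACES, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        verdict, reason = decide(INTERFACES, flow)
        print(f"{name:24s} {flow.ingress:>8s} -> {flow.egress:<8s} {verdict:5s} ({reason})")
```

Running the block prints one line per sample flow: the two higher-to-lower flows from inside are allowed without any ACL, the Internet-to-DMZ flow passes only on the port the ACL permits and is dropped on any other port by the implicit deny, the DMZ-to-inside flow is dropped because nothing permits it, and the dmz/partner pair at the same level passes nothing at all.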
