CCNA Security Day 4

11-07-09

4.1 Configure TCP Intercept
access-list 101 permit tcp any 202.2.6.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept connection-timeout 120 
Note: value in seconds; how long TCP Intercept keeps managing a connection after it goes idle.
ip tcp intercept max-incomplete low 800
ip tcp intercept max-incomplete high 1000
ip tcp intercept one-minute low 800
ip tcp intercept one-minute high 1000
ip tcp intercept drop-mode random
Note: the default drop-mode is oldest (in aggressive mode the oldest half-open connection is dropped for each new one); random drops a randomly chosen half-open connection instead.
TCP Intercept operates in two modes, selected with ip tcp intercept mode {intercept | watch}: passive watch mode, or the default active intercept mode.
In watch mode, all connection requests are allowed to pass through the router, with the software passively watching the connection being established. If a connection fails to establish within a configurable interval (the watch-timeout, 30 seconds by default), the software intervenes and terminates the connection attempt by resetting it on the server.
In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with a SYN-ACK, then waits for the ACK of that SYN-ACK from the client. Only when the client's ACK arrives is the original SYN sent to the server, and the software performs the three-way handshake with the server. When that completes, the two half-connections are joined. Spoofed SYNs that never get an ACK therefore never reach the server; they only occupy the router's half-open table, which is what the max-incomplete and one-minute thresholds above protect.
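As an added example (not Cisco's code and not from the original page), the following Python model shows what the max-incomplete low/high thresholds and drop-mode in the configuration above do to the half-open table when a SYN flood arrives: the table enters aggressive mode when the number of half-open connections crosses the high watermark, evicts one existing entry (oldest or random) for every new SYN while in that mode, and leaves aggressive mode once the count falls below the low watermark. The flood, the protected server 202.2.6.10, the client addresses and the 30-second SYN-wait value are constructed for the example; the one-minute rate thresholds are not modelled.

```python
import random
from collections import OrderedDict


class TcpIntercept:
    """Half-open (embryonic) connection table of a router running TCP Intercept
    in intercept mode. Only the max-incomplete thresholds and drop-mode are
    modelled; the one-minute rate thresholds are not."""

    def __init__(self, max_low=800, max_high=1000, drop_mode="oldest", seed=None):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.max_low, self.max_high = max_low, max_high
        self.drop_mode = drop_mode
        self.aggressive = False
        self.half_open = OrderedDict()   # 5-tuple -> time the SYN arrived (insertion order = age)
        self.evicted = []                # entries dropped by aggressive mode
        self.rng = random.Random(seed)

    def syn(self, key, now):
        """A client SYN arrives and the router answers it with a proxied SYN-ACK.
        In aggressive mode every new SYN first costs one existing half-open entry."""
        if self.aggressive and self.half_open:
            victim = (next(iter(self.half_open)) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.half_open)))
            del self.half_open[victim]
            self.evicted.append(victim)
        self.half_open[key] = now
        if len(self.half_open) > self.max_high:
            self.aggressive = True        # crossed max-incomplete high

    def ack(self, key):
        """The client's ACK completes the handshake; the router now connects to
        the real server and the entry is no longer half-open."""
        self.half_open.pop(key, None)
        self._maybe_relax()

    def expire(self, now, synwait=30.0):
        """Age out entries whose SYN-wait timer ran out. The router halves its
        timers in aggressive mode; modelled here by halving synwait."""
        limit = synwait / 2 if self.aggressive else synwait
        stale = [k for k, t in self.half_open.items() if now - t > limit]
        for k in stale:
            del self.half_open[k]
        self._maybe_relax()
        return len(stale)

    def _maybe_relax(self):
        if self.aggressive and len(self.half_open) < self.max_low:
            self.aggressive = False       # fell below max-incomplete low


def syn_flood_demo(drop_mode="oldest"):
    """Constructed scenario: 1200 spoofed SYNs to 202.2.6.10:80 that are never
    acknowledged, then one legitimate client, then 60 seconds of silence."""
    ti = TcpIntercept(max_low=800, max_high=1000, drop_mode=drop_mode, seed=7)
    for i in range(1200):
        spoofed = ("10.0.%d.%d" % (i // 256, i % 256), 40000 + i, "202.2.6.10", 80)
        ti.syn(spoofed, now=i * 0.01)
    aggressive_during_flood = ti.aggressive
    legit = ("202.100.1.1", 51000, "202.2.6.10", 80)
    ti.syn(legit, now=12.5)
    ti.ack(legit)                         # the real client answers the proxied SYN-ACK
    expired = ti.expire(now=60.0)
    return {
        "aggressive_during_flood": aggressive_during_flood,
        "evicted_by_aggressive_mode": len(ti.evicted),
        "expired": expired,
        "half_open_left": len(ti.half_open),
        "aggressive_after": ti.aggressive,
    }


if __name__ == "__main__":
    for mode in ("oldest", "random"):
        print(mode, syn_flood_demo(mode))
```

The legitimate client completes its handshake even in the middle of the flood because eviction only touches entries that are still half-open; the hysteresis between the two watermarks keeps the router from flapping in and out of aggressive mode on every ACK.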
 
4.2 Configure uRPF
----1.1.1.1/24---R1-----202.100.1.x/24--------R2-------202.100.2.x/24-----R3------2.2.2.2/24
Step 1. Basic network configuration
R1:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
R2:
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.1
ip route 1.1.1.1 255.255.255.255 202.100.1.1
R3:
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.2.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10

Step 2. Enable uRPF (on R2's outside-facing interface)
interface FastEthernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut
 ip verify unicast source reachable-via rx
Note: ip cef must be enabled before uRPF can be configured; otherwise the command is rejected with
% CEF not enabled. Enable first
Note: rx is strict mode: the route back to the packet's source address must point out the interface the packet arrived on.
Use any instead of rx for loose mode: the packet is accepted as long as the routing table has a route to the source address, out any interface.
reachable-via is a required keyword with no meaning of its own.
Step 3. Test
R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Analysis: the echo requests reach R3 and R3 answers, but the replies (source 2.2.2.2) enter R2 on FastEthernet0/1, where strict uRPF finds no route to 2.2.2.2 other than the default route, which uRPF does not count unless allow-default is configured, so the replies are dropped.
R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
  11 verification drops
Solutions
1. Bypass with an ACL
R2(config)#access-list 111 permit ip host 2.2.2.2 host 1.1.1.1
R2(config)#access-list 111 deny ip any any log
R2(config-if)#ip verify unicast source reachable-via rx 111
Note: the ACL is consulted only for packets that fail the uRPF check: a permit lets the packet through anyway, a deny drops it (and logs it here). The match counters below therefore count uRPF failures, not all traffic.
R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
R2#sh access-lists
Extended IP access list 111
    10 permit ip host 2.2.2.2 host 1.1.1.1 (5 matches)
    20 deny ip any any log
2. Add a specific route for the source
R2(config)#ip route 2.2.2.2 255.255.255.255 202.100.2.1
Note: with a host route for 2.2.2.2 pointing out FastEthernet0/1, the strict check passes for packets from 2.2.2.2 arriving on that interface.
3. Allow the default route to satisfy the check
interface FastEthernet0/1
 ip address 202.100.2.10 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
Note: allow-default lets the default route count as a route to the source (in strict mode it must still point out the receiving interface). On the interface the default route points to, this accepts almost any source address, so prefer the first two fixes where possible.

R2#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Analysis: by default the router cannot ping its own address on an interface where uRPF is enabled; other interfaces are unaffected.
Solution
R2(config-if)#ip verify unicast source reachable-via rx allow-self-ping
R2#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
uRPF is a security feature that checks each packet's source IP address against the routing table and drops packets that fail the check, which helps mitigate attacks that rely on spoofed source addresses.
uRPF has two modes: 1. loose (any)  2. strict (rx)
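Added example, not IOS code: a small Python model of the uRPF decision R2 makes, using a routing table constructed from R2's configuration above. It reproduces the three fixes (bypass ACL, host route, allow-default) and adds a case the lab does not show: a packet with the spoofed inside source 1.1.1.1 arriving on the outside interface, which strict mode drops but loose mode accepts because a route to 1.1.1.1 exists somewhere. The allow-self-ping behaviour is an IOS implementation detail and is not modelled.

```python
import ipaddress

# R2's routing table, constructed from the lab config above: (prefix, outgoing interface)
R2_ROUTES = [
    ("202.100.1.0/24", "FastEthernet0/0"),   # connected
    ("202.100.2.0/24", "FastEthernet0/1"),   # connected
    ("1.1.1.1/32", "FastEthernet0/0"),       # ip route 1.1.1.1 255.255.255.255 202.100.1.1
    ("0.0.0.0/0", "FastEthernet0/1"),        # ip route 0.0.0.0 0.0.0.0 202.100.2.1
]


def lookup(routes, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(routes, src, dst, in_if, mode="rx", allow_default=False, bypass_acl=None):
    """Decide whether a packet from src to dst arriving on in_if passes uRPF.
    mode="rx": strict, the route to src must point out in_if.
    mode="any": loose, any route to src is enough.
    allow_default: let the default route count as a route to src.
    bypass_acl: predicate (src, dst) consulted only after a uRPF failure; a
    permit means forward anyway, as with "reachable-via rx 111" in the lab.
    Returns (forward: bool, reason: str)."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    route = lookup(routes, src)
    if route is None or (route[0].prefixlen == 0 and not allow_default):
        ok, reason = False, "no route to source (default route not counted)"
    elif mode == "rx" and route[1] != in_if:
        ok, reason = False, "route to source points out %s, not %s" % (route[1], in_if)
    else:
        ok, reason = True, "route %s via %s" % (route[0], route[1])
    if not ok and bypass_acl is not None and bypass_acl(src, dst):
        return True, "failed uRPF but permitted by bypass ACL: " + reason
    return ok, reason


def lab_results():
    """The ICMP reply from R3 (2.2.2.2 -> 1.1.1.1 entering Fa0/1) under each
    fix, plus a spoofed packet claiming the inside address 1.1.1.1."""
    reply = dict(src="2.2.2.2", dst="1.1.1.1", in_if="FastEthernet0/1")
    spoof = dict(src="1.1.1.1", dst="2.2.2.2", in_if="FastEthernet0/1")
    acl_111 = lambda src, dst: src == "2.2.2.2" and dst == "1.1.1.1"   # access-list 111
    with_host_route = R2_ROUTES + [("2.2.2.2/32", "FastEthernet0/1")]
    return {
        "strict_default_only": urpf_check(R2_ROUTES, mode="rx", **reply)[0],
        "loose_default_only": urpf_check(R2_ROUTES, mode="any", **reply)[0],
        "strict_with_bypass_acl": urpf_check(R2_ROUTES, mode="rx", bypass_acl=acl_111, **reply)[0],
        "strict_with_host_route": urpf_check(with_host_route, mode="rx", **reply)[0],
        "strict_allow_default": urpf_check(R2_ROUTES, mode="rx", allow_default=True, **reply)[0],
        "spoofed_inside_src_strict": urpf_check(R2_ROUTES, mode="rx", **spoof)[0],
        "spoofed_inside_src_loose": urpf_check(R2_ROUTES, mode="any", **spoof)[0],
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print("%-28s %s" % (name, "forward" if verdict else "drop"))
```

The last two entries are the point of strict versus loose mode: loose mode only asks "is this source routable at all", so a packet forging the inside address 1.1.1.1 passes on the outside interface; strict mode also asks "is it routable back out this interface", and drops it.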
 
4.3 Configure IP Source tracker
ip source-track syslog-interval 2
Note: optional; interval in minutes between syslog messages summarizing the tracked traffic.
ip source-track 2.2.2.2
Note: 2.2.2.2 is the host under attack; the router now accounts for traffic destined to it per ingress interface.
ip source-track address-limit 100
Note: optional; maximum number of hosts that can be tracked.
Test:
*Mar  1 00:45:59.011: %DOS_TRACK-5-CFG: IP Source Tracker configured for 1 hosts
R2#sh ip source-track 2.2.2.2
Address         SrcIF          Bytes   Pkts     Bytes/s     Pkts/s
2.2.2.2         Fa0/0            283K  2839         205          1
 
The traditional traceback technique uses an ACL with the log-input keyword to collect information about traffic destined to the attacked host and determine the attack's entry point. Note that neither the traditional method nor IP Source Tracker stops the attack; both only identify the ingress interface.
4.4 Configure Netflow
interface FastEthernet0/0
 ip flow ingress
 ip flow egress
Note: packets entering and leaving this interface are both captured as flows.
ip flow-export destination 202.100.1.100 2011
Note: exports the flow records to the collector at 202.100.1.100, UDP port 2011, for example a PRTG or MRTG server.
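The collector side of the export above, added as an example (neither IOS nor PRTG/MRTG code): a NetFlow v5 datagram parser in Python that validates the header before trusting the record count, then picks out flows toward a victim host whose TCP flags have SYN set but never ACK, grouped by source and input ifIndex. That is the same "where did this enter" question IP Source Tracker answers on the router, answered from the exported records instead. The datagram, the victim 2.2.2.2, the source addresses and the ifIndex numbers are all constructed for the example.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # one v5 flow record, 48 bytes
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_v5(datagram):
    """Return (header dict, list of flow dicts). Raises ValueError on anything
    malformed so that a collector never walks past the end of a short packet."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, _etype, _eid, _sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "pkts": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
        })
    return {"seq": seq, "uptime": uptime, "count": count}, flows


def syn_only_sources(flows, victim):
    """Flows toward `victim` whose TCP flags include SYN but never ACK, i.e. the
    half-open connections a SYN flood leaves behind. Keyed by (source, input
    ifIndex) so the attack's entry interface is visible."""
    hits = Counter()
    for f in flows:
        if (f["dst"] == victim and f["proto"] == 6
                and f["flags"] & TCP_SYN and not f["flags"] & TCP_ACK):
            hits[(f["src"], f["in_if"])] += f["pkts"]
    return hits


def build_record(src, dst, in_if, out_if, pkts, nbytes, sport, dport, flags, proto):
    """Pack one v5 record; nexthop, timestamps, AS numbers and masks are filler."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                       in_if, out_if, pkts, nbytes, 1000, 2000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)


def sample_datagram():
    """Constructed export datagram: two spoofed SYN-only sources toward
    2.2.2.2:80 entering on ifIndex 1, plus one normal HTTP session with ACK set."""
    records = [
        build_record("10.9.9.1", "2.2.2.2", 1, 2, 37, 2220, 41000, 80, TCP_SYN, 6),
        build_record("10.9.9.2", "2.2.2.2", 1, 2, 41, 2460, 41001, 80, TCP_SYN, 6),
        build_record("202.100.1.1", "2.2.2.2", 1, 2, 12, 1800, 51000, 80, TCP_SYN | TCP_ACK, 6),
    ]
    header = HEADER.pack(5, len(records), 123456, 1700000000, 0, 42, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    _, flows = parse_v5(sample_datagram())
    for (src, ifindex), pkts in syn_only_sources(flows, "2.2.2.2").most_common():
        print("%-15s ifIndex %d  %d SYN-only packets" % (src, ifindex, pkts))
```

The length check matters on a real collector: the record count in the header comes from the network, and a parser that loops on it without comparing against the datagram size reads past the buffer on a truncated or forged packet.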
4.5 Configure NBAR
class-map match-any drop.t.s
 match protocol ssh
 match protocol telnet
Note: match-any is required here. A match-all class with two different protocol matches can never match anything, since no packet is both SSH and Telnet, so the drop policy below would never take effect.
policy-map control
 class drop.t.s
   drop
interface FastEthernet0/1
 ip nbar protocol-discovery
 service-policy input control

4.6 Configure CBAC
Inside--1------202.100.1.x----------10-IOSFW---10----202.100.2.x------1--Outside
Step 1. Basic network configuration
Inside
interface FastEthernet0/0
 no shut
 ip address 202.100.1.1 255.255.255.0
 ip address 202.100.1.100 255.255.255.0 secondary
ip route 0.0.0.0 0.0.0.0 202.100.1.10
IOSFW
interface FastEthernet0/0
 no shut
 ip address 202.100.1.10 255.255.255.0
interface FastEthernet0/1
 no shut
 ip address 202.100.2.10 255.255.255.0
Outside
interface FastEthernet0/1
no shut
 ip address 202.100.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.2.10
Step 2. Configure CBAC
ip inspect audit-trail
Note: off by default (optional); logs the start and end of each inspected session via syslog.
ip inspect alert-off
Note: alerts are on by default; this turns them off (optional).
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC telnet
ip inspect name CBAC icmp
ip access-list extended control-outside
 permit tcp any host 202.100.1.100 eq www
 deny   ip any any log
Note: permits only the legitimate outside-to-inside traffic (HTTP to the inside web server) and denies and logs everything else; return traffic for sessions inspected by CBAC is admitted through temporary openings in this ACL.
interface FastEthernet0/1
 ip address 202.100.2.10 255.255.255.0
 ip access-group control-outside in
Note: apply the ACL inbound on the external interface.
 ip inspect CBAC out
Note: apply the inspection rule outbound on the external interface, so sessions initiated from the inside are tracked and their return traffic is let back in.
Step 3. Test
IOSFW#sh ip inspect sessions
Established Sessions
 Session 6720CBC4 (202.100.1.1:16440)=>(202.100.2.1:23) telnet SIS_OPEN
 Session 6720C614 (202.100.1.1:8)=>(202.100.2.1:0) icmp SIS_OPEN
Note: the stateful session table.
Outside#telnet 202.100.1.100 80
Trying 202.100.1.100, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 00:27:47 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 202.100.1.100 closed by foreign host]
IOSFW#sh ip inspect sessions
Established Sessions
 Session 6720CBC4 (202.100.1.1:16440)=>(202.100.2.1:23) telnet SIS_OPEN

IOSFW#
*Mar  1 00:32:17.987: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (202.100.1.1:8) -- responder (202.100.2.1:0)
Note: audit-trail message.
IOSFW#sh ip inspect all
Session audit trail is enabled
Session alert is disabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    ftp alert is off audit-trail is on timeout 3600
    telnet alert is off audit-trail is on timeout 3600
    icmp alert is off audit-trail is on timeout 10
    tcp alert is off audit-trail is on timeout 3600
Interface Configuration
 Interface FastEthernet0/1
  Inbound inspection rule is not set
  Outgoing inspection rule is CBAC
    ftp alert is off audit-trail is on timeout 3600
    telnet alert is off audit-trail is on timeout 3600
    icmp alert is off audit-trail is on timeout 10
    tcp alert is off audit-trail is on timeout 3600
  Inbound access list is control-outside
  Outgoing access list is not set
Established Sessions
 Session 6720CBC4 (202.100.1.1:16440)=>(202.100.2.1:23) telnet SIS_OPEN
4.7 Configure ZFW
Inside--1------202.100.1.x----------10-IOSFW---10----202.100.2.x------1--Outside
Step 1. Basic network configuration
Inside
interface FastEthernet0/0
 no shut
 ip address 202.100.1.1 255.255.255.0
 ip address 202.100.1.100 255.255.255.0 secondary
ip route 0.0.0.0 0.0.0.0 202.100.1.10
IOSFW
interface FastEthernet0/0
 no shut
 ip address 202.100.1.10 255.255.255.0
interface FastEthernet0/1
 no shut
 ip address 202.100.2.10 255.255.255.0
Outside
interface FastEthernet0/1
no shut
 ip address 202.100.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.2.10
Step 2. Configure zones
zone security Internal
zone security External
Step 3. Assign interfaces to zones
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 zone-member security Internal
interface FastEthernet0/1
 ip address 202.100.2.10 255.255.255.0
 zone-member security External
Step 4. Match outbound and inbound traffic
class-map type inspect match-any In-To-Out
 match protocol http
 match protocol ftp
 match protocol telnet
 match protocol icmp
ip access-list extended IN-To-Web
 permit ip any host 202.100.1.100
Note: 202.100.1.100 is the inside web server (the secondary address on Inside); the address must be on the inside subnet or the Out-To-In class below never matches.
class-map type inspect match-all Out-To-In
 match protocol http
 match access-group name IN-To-Web
Step 5. Configure parameter-maps (optional)
parameter-map type inspect In-To-Out.Pa
 max-incomplete low  800
 max-incomplete high 1000
 tcp idle-time 20
 audit-trail on
 tcp synwait-time 15
parameter-map type inspect Out-To-In.Pa
 max-incomplete low  800
 max-incomplete high 1000
Step 6. Configure policy-maps
policy-map type inspect In-To-Out.P
 class type inspect In-To-Out
  inspect In-To-Out.Pa
policy-map type inspect Out-To-In.P
 class type inspect Out-To-In
  inspect Out-To-In.Pa
Step 7. Apply the policy-maps to zone-pairs
zone-pair security Internal source Internal destination External
 service-policy type inspect In-To-Out.P
zone-pair security External source External destination Internal
 service-policy type inspect Out-To-In.P

Test
Note: the following command shows the session table, the ZFW equivalent of CBAC's sh ip inspect sessions.
IOSFW#sh policy-map type inspect zone-pair sessions
 Zone-pair: Internal
  Service-policy inspect : In-To-Out.P
    Class-map: In-To-Out (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol telnet
        1 packets, 24 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 80 bytes
        30 second rate 0 bps
      Inspect
        Established Sessions
         Session 66C6F028 (202.100.1.1:17374)=>(202.100.2.1:23) telnet SIS_OPEN
          Created 00:00:22, Last heard 00:00:21
          Bytes sent (initiator:responder) [24:66]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
 Zone-pair: External
  Service-policy inspect : Out-To-In.P
    Class-map: Out-To-In (match-all)
      Match: protocol http
      Match: access-group name IN-To-Web
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        5 packets, 400 bytes
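What both firewalls in 4.6 (CBAC) and 4.7 (ZFW) are doing with their session tables, as an added example in Python (not IOS code): inter-zone traffic is dropped unless it either matches the inspect class-map for that zone-pair, which opens a session, or is the return half of a session already open, and sessions disappear after the idle timeout. Zones, interfaces, addresses, the inside web server 202.100.1.100 and the 3600-second TCP idle time are taken from the two labs; the port-based application matching, the ICMP session key and the single idle timer are simplifications of what CBAC/ZFW actually do (there is no FTP data-channel inspection, for instance).

```python
import ipaddress

# Constructed from the ZFW lab: interface -> zone, inside subnet, protected web server
ZONE_OF_IF = {"FastEthernet0/0": "Internal", "FastEthernet0/1": "External"}
INSIDE_NET = ipaddress.ip_network("202.100.1.0/24")
WEB_SERVER = "202.100.1.100"
PORTS = {23: "telnet", 80: "http", 21: "ftp"}


def zone_of_addr(addr):
    """Destination zone by route: the inside subnet is Internal, everything else External."""
    return "Internal" if ipaddress.ip_address(addr) in INSIDE_NET else "External"


def app_of(pkt):
    """Application the class-maps match on; port-based here, NBAR looks deeper."""
    src, dst, proto, sport, dport = pkt
    return "icmp" if proto == "icmp" else PORTS.get(dport, "other")


# zone-pair -> class-map predicate. A match means "inspect"; anything else hits class-default (drop).
POLICY = {
    ("Internal", "External"): lambda p: app_of(p) in ("http", "ftp", "telnet", "icmp"),  # In-To-Out
    ("External", "Internal"): lambda p: app_of(p) == "http" and p[1] == WEB_SERVER,       # Out-To-In
}


class ZoneFirewall:
    def __init__(self, idle_timeout=3600):
        self.idle = idle_timeout
        self.sessions = {}   # 5-tuple as seen from the initiator -> last_heard

    def forward(self, pkt, in_if, now):
        """pkt = (src, dst, proto, sport, dport). Returns True if forwarded."""
        src, dst, proto, sport, dport = pkt
        # age out idle sessions first, as the tcp idle-time / icmp timeout would
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= self.idle}
        src_zone, dst_zone = ZONE_OF_IF[in_if], zone_of_addr(dst)
        if src_zone == dst_zone:
            return True                          # traffic within one zone is not policed
        reverse = (dst, src, proto, dport, sport)
        if reverse in self.sessions:             # return traffic of an inspected session
            self.sessions[reverse] = now
            return True
        if pkt in self.sessions:                 # more packets from the initiator
            self.sessions[pkt] = now
            return True
        rule = POLICY.get((src_zone, dst_zone))
        if rule is not None and rule(pkt):
            self.sessions[pkt] = now             # inspect: open the session
            return True
        return False                             # class-default: drop


def lab_scenario():
    """Replays the traffic seen in the CBAC and ZFW tests above, plus two cases
    the page does not show: unsolicited 'return' traffic and an idle-timed-out session."""
    fw = ZoneFirewall(idle_timeout=3600)
    telnet = ("202.100.1.1", "202.100.2.1", "tcp", 16440, 23)
    telnet_back = ("202.100.2.1", "202.100.1.1", "tcp", 23, 16440)
    ping = ("202.100.1.1", "202.100.2.1", "icmp", 0, 0)
    ping_back = ("202.100.2.1", "202.100.1.1", "icmp", 0, 0)
    return {
        "inside_telnet_out": fw.forward(telnet, "FastEthernet0/0", now=0),
        "telnet_return": fw.forward(telnet_back, "FastEthernet0/1", now=1),
        "inside_ping_out": fw.forward(ping, "FastEthernet0/0", now=2),
        "ping_reply": fw.forward(ping_back, "FastEthernet0/1", now=3),
        "outside_http_to_web": fw.forward(("202.100.2.1", WEB_SERVER, "tcp", 40000, 80), "FastEthernet0/1", now=4),
        "outside_http_to_other_host": fw.forward(("202.100.2.1", "202.100.1.1", "tcp", 40001, 80), "FastEthernet0/1", now=5),
        "outside_telnet_in": fw.forward(("202.100.2.1", "202.100.1.1", "tcp", 40002, 23), "FastEthernet0/1", now=6),
        "unsolicited_return": fw.forward(("202.100.2.1", "202.100.1.1", "tcp", 23, 16441), "FastEthernet0/1", now=7),
        "telnet_return_after_idle": fw.forward(telnet_back, "FastEthernet0/1", now=5000),
        "sessions_left": len(fw.sessions),
    }


if __name__ == "__main__":
    for name, verdict in lab_scenario().items():
        print("%-28s %s" % (name, verdict))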

相关TAG标签
上一篇:用Debian类安装Nginx详细配置
下一篇:安检全程:从上传webshell到突破TCP/IP筛选到3389终端登陆
相关文章
图文推荐

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站