
Module 4: Security

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

National Security Telecommunications and Information Systems Security Committee (NSTISSC)
Network security is the protection of information and systems and hardware that use, store, and transmit that information. Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.


Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations. The need for network security and its growth are driven by many factors:
1. Internet connectivity is 24/7 and is worldwide
2. Increase in cyber crime
3. Impact on business and individuals
4. Legislation & liabilities
5. Proliferation of threats
6. Sophistication of threats


Confidentiality
Prevent the disclosure of sensitive information from unauthorized people, resources, and processes

Integrity
The protection of system information or processes from intentional or accidental modification

Availability
The assurance that systems and data are accessible by authorized users when needed


Filtering: Manage IP traffic by filtering packets passing through a router
Classification: Identify traffic for special handling

Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.

Without ACLs, all packets could be transmitted to all parts of your network.

Special handling for traffic based on packet tests



Inbound ACL


If no ACL statement matches, discard the packet.



Standard ACL

Checks source address
Generally permits or denies entire protocol suite


Extended ACL

Checks source and destination address

Generally permits or denies specific protocols and applications


Two methods used to identify standard and extended ACLs:
Numbered ACLs use a number for identification
Named ACLs use a descriptive name or number for identification


Numbered standard IPv4 lists (1-99) test conditions of all IP packets for source addresses. Expanded range (1300-1999).
Numbered extended IPv4 lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000-2699).
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

Standard or extended indicates what can be filtered.
Only one ACL per interface, per protocol, and per direction is allowed.
The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
The last ACL test is always an implicit "deny everything else" statement, so every list needs at least one permit statement.
ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
When placing ACLs in the network:
Place extended ACLs close to the source
Place standard ACLs close to the destination


0 means to match the value of the corresponding address bit
1 means to ignore the value of the corresponding address bit

Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.


Address and wildcard mask:
172.30.16.0 0.0.15.255


172.30.16.29 0.0.0.0 matches all of the address bits
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)

0.0.0.0 255.255.255.255 ignores all address bits
Abbreviate this expression with the keyword any


RouterX(config)#
access-list access-list-number {permit | deny | remark} source [mask]

Uses 1 to 99 for the access-list-number. The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.
Default wildcard mask is 0.0.0.0 (only standard ACL).
no access-list access-list-number removes the entire ACL.
remark lets you add a description to the ACL.

RouterX(config-if)#
ip access-group access-list-number {in | out}

Activates the list on an interface. Sets inbound or outbound testing.
no ip access-group access-list-number {in | out} removes the ACL from the interface.


RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out

Permit my network only



RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Deny a specific host



RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Deny a specific subnet
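As an added example (not part of the Cisco slides), the wildcard-mask matching and the top-down, first-match evaluation with implicit deny described above, implemented in Python and run against the three standard ACL examples from the slides (permit my network, deny a host, deny a subnet). The function names and the sample source addresses are my own; the lists are the slides' own statements.

```python
"""Standard-ACL evaluator with Cisco wildcard-mask semantics (illustrative, not IOS code)."""
import ipaddress
from typing import List, Optional, Tuple


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = address bit must match, bit 1 = address bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return (to_int(addr) & care) == (to_int(base) & care)


def parse_ace(line: str) -> Tuple[str, str, str]:
    """Parse one standard ACE: '[access-list N] {permit|deny} {any | host A | A [wildcard]}'."""
    tokens = line.split()
    if tokens[0] == "access-list":                  # numbered form: drop 'access-list N'
        tokens = tokens[2:]
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if rest[0] == "any":                            # any == 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":                           # host A == A 0.0.0.0
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # default wildcard (standard ACL)
    return action, rest[0], wildcard


def evaluate(acl_lines: List[str], src_ip: str) -> Tuple[str, Optional[int]]:
    """Test entries top-down; first match wins. No match -> implicit deny (no sequence)."""
    for seq, line in enumerate(acl_lines, start=1):
        action, base, wildcard = parse_ace(line)
        if wildcard_match(src_ip, base, wildcard):
            return action, seq * 10                 # IOS numbers entries 10, 20, 30, ...
    return "deny", None


# Constructed sample lists, copied from the slides' standard ACL examples.
PERMIT_MY_NET = ["access-list 1 permit 172.16.0.0 0.0.255.255"]
DENY_HOST = ["access-list 1 deny 172.16.4.13 0.0.0.0",
             "access-list 1 permit 0.0.0.0 255.255.255.255"]
DENY_SUBNET = ["access-list 1 deny 172.16.4.0 0.0.0.255",
               "access-list 1 permit any"]

if __name__ == "__main__":
    print(wildcard_match("172.30.31.7", "172.30.16.0", "0.0.15.255"))  # True
    print(evaluate(DENY_HOST, "172.16.4.13"))       # ('deny', 10)
    print(evaluate(PERMIT_MY_NET, "10.0.0.1"))      # ('deny', None): implicit deny
```

The wildcard check confirms that 0.0.15.255 covers 172.30.16.0 through 172.30.31.255, and the None sequence number shows a packet dropped by the invisible implicit deny rather than by a configured statement.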



RouterX(config)#
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Sets parameters for this list entry

RouterX(config-if)#
ip access-group access-list-number {in | out}
Activates the extended list on an interface


RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out E0
Permit all other traffic

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Deny only Telnet traffic from subnet 172.16.4.0 out E0
Permit all other traffic

RouterX(config)#
ip access-list {standard | extended} name
Alphanumeric name string must be unique

RouterX(config {std- | ext-}nacl)#
[sequence-number] {permit | deny} {ip access list test conditions}
{permit | deny} {ip access list test conditions}
If not configured, sequence numbers are generated automatically starting at 10 and incrementing by 10
no sequence-number removes the specific test from the named ACL

RouterX(config-if)#
ip access-group name {in | out}
Activates the named IP ACL on an interface


RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out

Deny a specific host


RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out

Deny Telnet from a specific subnet


RouterX(config)#

ip access-list {standard|extended} name

Creates a named ACL


RouterX(config {std- | ext-}nacl)#

remark remark

Creates a named ACL comment

Or
RouterX(config)#

access-list access-list-number remark remark

Creates a numbered ACL comment


RouterX# show access-lists {access-list number|name}
Displays all access lists

RouterX# show access-lists
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data

RouterX# show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  <text omitted>


Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.


Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router


Time-based ACLs: Allow for access control based on the time of day and week

An IP address is either local or global. Local IPv4 addresses are seen in the inside network. Global IPv4 addresses are seen in the outside network.

RouterX(config)# ip nat inside source static local-ip global-ip
Establishes static translation between an inside local address and an inside global address

RouterX(config-if)# ip nat inside
Marks the interface as connected to the inside

RouterX(config-if)# ip nat outside
Marks the interface as connected to the outside

RouterX# show ip nat translations
Displays active translations


interface s0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.1.2 192.168.1.2

RouterX# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.1.2        10.1.1.2           ---                ---

RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed

RouterX(config)# access-list access-list-number permit source [source-wildcard]
Defines a standard IP ACL permitting those inside local addresses that are to be translated

RouterX(config)# ip nat inside source list access-list-number pool name
Establishes dynamic source translation, specifying the ACL that was defined in the previous step

RouterX# show ip nat translations
Displays active translations


RouterX# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 171.69.233.209     192.168.1.100      ---                ---
--- 171.69.233.210     192.168.1.101      ---                ---


RouterX(config)# access-list access-list-number permit source source-wildcard
Defines a standard IP ACL that will permit the inside local addresses that are to be translated

RouterX(config)# ip nat inside source list access-list-number interface interface overload
Establishes dynamic source translation, specifying the ACL that was defined in the previous step

RouterX# show ip nat translations
Displays active translations


hostname RouterX
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description To ISP
 ip address 172.17.38.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
!
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!

RouterX# show ip nat translations
Pro Inside global        Inside local         Outside local        Outside global
TCP 172.17.38.1:1050     192.168.3.7:1050     10.1.1.1:23          10.1.1.1:23
TCP 172.17.38.1:1776     192.168.4.12:1776    10.2.2.2:25          10.2.2.2:25


RouterX# clear ip nat translation *
Clears all dynamic address translation entries

RouterX# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation

RouterX# clear ip nat translation outside local-ip global-ip
Clears a simple dynamic translation entry that contains an outside translation

RouterX# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Clears an extended dynamic translation entry (PAT entry)

RouterX# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23312]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]

RouterX# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0, Serial2
Inside interfaces: Ethernet1
Hits: 5  Misses: 0

Thank you.
