CiscoSwitches/RouterLayer3Security-创新互联

1. Enable secure Telnet access to a router user interface, and consider using Secure Shell (SSH) instead of Telnet.
2. Enable SNMP security, particularly adding SNMPv3 support.
3. Turn off all unnecessary services on the router platform ( AutoSecure ).
4. Turn on logging to provide an audit trail.
5. Enable routing protocol authentication.
6. Enable the CEF forwarding path to avoid using flow-based paths like fast switching.

成都创新互联长期为上千家客户提供的网站建设服务,团队从业经验10年,关注不同地域、不同群体,并针对不同对象提供差异化的产品和服务;打造开放共赢平台,与合作伙伴共同营造健康的互联网生态环境。为金湖企业提供专业的成都做网站、成都网站设计、成都外贸网站建设金湖网站改版等技术服务。拥有十年丰富建站经验和众多成功案例,为您定制开发。

7. Using RPF Checks

example:

R1(config)# ip cef
R1(config)# int s0/0
R1(config-if)# ip verify unicast source reachable-via rx allow-default

8. Using ACL to prevent TCP SYN Flood from outside

example:

ip access-list extended prevent-syn
  permit tcp any 10.0.0.0 0.255.255.255 established
  deny tcp any 1.0.0.0 0.255.255.255
  permit (whatever)
!
interface s0/0 # Internet faced port
  ip access-group prevent-syn in

Notes: The above ACL works well when clients outside a network are not allowed to make TCP connections into the network. However, in cases where some inbound TCP connections are allowed, this ACL cannot be used. Another Cisco IOS feature, called TCP intercept, provides an alternative that allows TCP connections into the network, but monitors those TCP connections for TCP SYN attacks.

example:

ip access-list extended match-tcp-from-internet
  permit tcp any 10.0.0.0 0.255.255.255

ip tcp intercept-list match-tcp-from-internet
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20

9.Cisco IOS Firewall CBAC

example:

ip inspect name CLASSIC_FW icmp timeout 10
ip inspect name CLASSIC_FW tcp timeout 30
ip inspect name CLASSIC_FW udp timeout 30
!
ip access-list extended IOS_FW
  deny ip any any
!
interface Serial0/0 #Internet faced interface
  ip address 192.168.1.3 255.255.255.0
  ip access-group IOS_FW in
  ip inspect CLASSIC_FW out

!

10. Cisco IOS Zone-Based Firewall

example:

Cisco Switches/Router Layer 3 Security

In this example, the network administrators have decided to apply the following policies to traffic from the LAN zone going through the WAN zone:
■ Only traffic from the LAN subnet is allowed.
■ HTTP traffic to corporate web-based intranet servers is allowed.
■ All other HTTP traffic is allowed but policed to 1 Mbps.
■ ICMP is blocked.
■ For all other traffic, the TCP and UDP timeouts must be lowered to 300 seconds.

Follow these steps to configure ZFW:

Step 1: Decide the zones you will need, and create them on the router.

Branch2(config)# zone security LAN
Branch2(config-sec-zone)# description LAN zone
!
Branch2(config)# zone security WAN
Branch2(config-sec-zone)# description WAN zone

Step 2: Decide how traffic should travel between the zones, and create zone-pairs on the router.

Branch2(config)# zone-pair security Internal source LAN destination WAN
Branch2(config)# zone-pair security External source WAN destination LAN

Step 3: Create class maps to identify the inter-zone traffic that must be inspected by the firewall.

Branch2(config)# ip access-list extended LAN-Subnet
Branch2(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.255 any
!
Branch2(config-ext-nacl)# ip access-list extended Web_Servers
Branch2(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 host 10.150.2.1
Branch2(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 host 10.150.2.2
!
Branch2(config-ext-nacl)# class-map type inspect match-all Corp_Servers
Branch2(config-cmap)# match access-group name Web_Servers
Branch2(config-cmap)# match protocol http
!
Branch2(config-cmap)# class-map type inspect Other_HTTP
Branch2(config-cmap)# match protocol http
Branch2(config-cmap)# match access-group name LAN_Subnet
!
Branch2(config-cmap)# class-map type inspect ICMP
Branch2(config-cmap)# match protocol icmp
!
Branch2(config-cmap)# class-map type inspect Other_Traffic
Branch2(config-cmap)# match access-group name LAN_Subnet

Branch2(config)# parameter-map type inspect Timeouts
Branch2(config-profile)# tcp idle-time 300
Branch2(config-profile)# udp idle-time 300

Step 4: Assign policies to the traffic by creating policy maps and associating class maps with them.

Branch2(config-profile)# policy-map type inspect LAN2WAN
Branch2(config-pmap)# class type inspect Corp_Servers
Branch2(config-pmap-c)# inspect
!
Branch2(config-pmap-c)# class type inspect Other_HTTP
Branch2(config-pmap-c)# inspect
Branch2(config-pmap-c)# police rate 1000000 burst 8000
!
Branch2(config-pmap-c)# class type inspect ICMP
Branch2(config-pmap-c)# drop
!
Branch2(config-pmap-c)# class type inspect Other_Traffic
Branch2(config-pmap-c)# inspect Timeouts

Step 5: Assign the policy maps to the appropriate zone-pair.

Branch2(config)# zone-pair security Internal source LAN destination WAN
Branch2(config-sec-zone-pair)# service-policy type inspect LAN2WAN

Step 6: Assign interfaces to zones. An interface may be assigned to only one security zone.

Branch2(config)# interface fa 0/0
Branch2(config-if)# zone-member security LAN
!
Branch2(config-if)# interface s0/0/0
Branch2(config-if)# zone-member security WAN

另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。


分享标题:CiscoSwitches/RouterLayer3Security-创新互联
浏览路径:http://myzitong.com/article/dcdjoc.html