

Network Security Through a Router (ACL)

빨간고양이 2018. 10. 31. 10:22

* standard access-list (1~99)

  access-list <acl-number> [permit | deny] [<source-IP> <source-wildcard> | any]


* extended access-list (100~199)

  access-list <acl-number> [permit | deny] <protocol> <source-IP> <source-wildcard> <destination-IP> <destination-wildcard>

  A wildcard mask is the inverse of a subnet mask: a 1 bit means "don't care", so 0.0.255.255 matches a /16, and `host X` is shorthand for `X 0.0.0.0`. Entries are checked in order and the first match wins; an implicit `deny any` ends every list.


Item / Configuration

Console, AUX and VTY port password protection

> enable

# config t

(config) line console 0

(config-line) login

(config-line) password <password>

(config-line) ^Z

# config t

(config) line aux 0

(config-line) login

(config-line) password <password>

(config-line) ^Z

# config t

(config) line vty 0 4                         # lines 0 through 4: up to 5 users can connect at once

(config-line) login

(config-line) password <password>

(config-line) ^Z

Restricting Telnet access

Allow only the administrator's IP

> enable

# config t

(config) access-list 10 permit host <allowed-IP>

(config) access-list 10 deny any

(config) line vty 0 4

(config-line) access-class 10 in

(config-line) ^Z

#

Use the SSH protocol

> enable

# config t

(config) hostname <router-name>

(config) ip domain-name <domain-name>

(config) crypto key generate rsa                # hostname and domain name must be set first: they name the RSA key pair

(config) ip ssh time-out <timeout>

(config) ip ssh authentication-retries <retry-count>

(config) line vty 0 4

(config-line) transport input ssh

(config-line) ^Z

#

SNMP configuration

> enable

# config t

(config) snmp-server community <community-string> ro 11   # ro = read-only; ACL 11 restricts which hosts may use this string

(config) snmp-server contact <email-address>

(config) access-list 11 permit host <allowed-IP>

(config) access-list 11 deny any

# ACL 11 is bound through the community string above; it must not be applied to an interface with ip access-group, which would drop all other inbound traffic

(config) ^Z

#

Removing unnecessary services

ICMP MTU Discovery

> enable

# config t

(config) access-list 103 permit icmp any any 3 4    # type 3 code 4 (fragmentation needed) keeps path MTU discovery working

(config) access-list 103 deny icmp any any          # all other ICMP is dropped

(config) access-list 103 permit ip any any

(config) interface FastEthernet 0/0

(config-if) ip access-group 103 in

(config-if) ^Z

#

ICMP Redirects

> enable

# config t

(config) interface FastEthernet 0/0

(config-if) no ip redirects

(config-if) ^Z

#

ICMP Directed Broadcasts

> enable

# config t

(config) interface FastEthernet 0/0

(config-if) no ip directed-broadcast

(config-if) ^Z

#

ICMP Mask Reply

> enable

# config t

(config) interface FastEthernet 0/0

(config-if) no ip mask-reply

(config-if) ^Z

#

ICMP Unreachables

> enable

# config t

(config) interface FastEthernet 0/0

(config-if) no ip unreachables

(config-if) ^Z

#

ICMP Timestamp and Information Requests

> enable

# config t

(config) access-list 102 deny icmp any any timestamp-request

(config) access-list 102 deny icmp any any information-request

(config) access-list 102 permit ip any any

(config) interface FastEthernet 0/0

(config-if) ip access-group 102 in

(config-if) ^Z

#

Source Route

> enable

# config t

(config) no ip source-route

(config) ^Z

#

Small Service

> enable

# config t

(config) no service tcp-small-servers

(config) no service udp-small-servers

(config) ^Z

#

Finger

> enable

# config t

(config) no service finger

(config) ^Z

#

HTTP Server

> enable

# config t

(config) no ip http server

(config) ^Z

#

CDP

> enable

# config t

(config) no cdp run          # disables CDP on the whole router

(config) interface FastEthernet 0/0

(config-if) no cdp enable    # disables CDP on a specific interface only

(config-if) ^Z

#

proxy-arp

> enable

# config t

(config) interface FastEthernet 0/0

(config-if) no ip proxy-arp

(config-if) ^Z

#

Block packets arriving from outside that carry internal source IPs

> enable

# config t

(config) access-list 15 deny 130.18.0.0 0.0.255.255 # assuming the internal range is 130.18.0.0/16

(config) access-list 15 permit any

(config) interface FastEthernet 0/0

(config-if) ip access-group 15 in

(config-if) ^Z

#

Block reserved IPs

> enable

# config t

(config) access-list 15 deny 127.0.0.0 0.255.255.255   # localhost loopback range

(config) access-list 15 deny 10.0.0.0 0.255.255.255     # private IP

(config) access-list 15 deny 172.16.0.0 0.15.255.255   # private IP

(config) access-list 15 deny 192.168.0.0 0.0.255.255   # private IP

(config) access-list 15 deny 224.0.0.0 15.255.255.255 # multicast IP

(config) access-list 15 deny 240.0.0.0 7.255.255.255   # reserved

(config) access-list 15 deny 255.255.255.255 0.0.0.0   # limited broadcast

# this reuses ACL number 15; numbered ACL lines are appended in order, so if the previous row's ACL 15 (ending in permit any) already exists, remove it first or these deny lines will never be reached

(config) access-list 15 permit any

(config) interface FastEthernet 0/0

(config-if) ip access-group 15 in

(config-if) ^Z

#
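As an added example (not code from the original post), a small Python evaluator for the standard access-list syntax shown at the top of the page: it parses `access-list N permit|deny <source>` lines with wildcard masks, applies first-match semantics with the implicit trailing deny, and flags entries that an earlier `permit any` or `deny any` makes unreachable, which is exactly what happens if this row's ACL 15 is appended to the previous row's ACL 15. The sample ACL text is this page's ACL 15, embedded as a constructed string.

```python
import ipaddress

# Constructed sample: the "block reserved IPs" ACL 15 from this page, as text.
ACL_15 = """
access-list 15 deny 127.0.0.0 0.255.255.255
access-list 15 deny 10.0.0.0 0.255.255.255
access-list 15 deny 172.16.0.0 0.15.255.255
access-list 15 deny 192.168.0.0 0.0.255.255
access-list 15 deny 224.0.0.0 15.255.255.255
access-list 15 deny 240.0.0.0 7.255.255.255
access-list 15 deny 255.255.255.255 0.0.0.0
access-list 15 permit any
"""

def parse_standard_acl(text: str, number: int) -> list[tuple[str, int, int]]:
    """Parse 'access-list N permit|deny <source>' lines into (action, base, wildcard)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split("#", 1)[0].split()      # drop trailing '#' comments
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, src = parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {line}")
        if src[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            base, wild = int(ipaddress.IPv4Address(src[1])), 0
        else:
            base = int(ipaddress.IPv4Address(src[0]))
            # IOS treats a missing wildcard as 0.0.0.0, i.e. an exact host match.
            wild = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
        entries.append((action, base, wild))
    return entries

def evaluate(acl: list[tuple[str, int, int]], ip: str) -> str:
    """First match wins; the implicit 'deny any' at the end catches everything else."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, base, wild in acl:
        care = ~wild & 0xFFFFFFFF                  # wildcard bit 1 = don't care
        if addr & care == base & care:
            return action
    return "deny"

def unreachable_entries(acl: list[tuple[str, int, int]]) -> list[int]:
    """Indices of entries shadowed by an earlier 'any' entry (they can never match)."""
    for i, (_, _, wild) in enumerate(acl):
        if wild == 0xFFFFFFFF:
            return list(range(i + 1, len(acl)))
    return []
```

Evaluating 248.0.0.1 against the list returns permit, because 240.0.0.0 with wildcard 7.255.255.255 covers only 240.0.0.0 through 247.255.255.255.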

Allow only internal source IPs in packets sent outward

> enable

# config t

(config) access-list 16 permit 130.18.0.0 0.0.255.255 # assuming the internal range is 130.18.0.0/16

(config) access-list 16 deny any

(config) interface FastEthernet 0/0

(config-if) ip access-group 16 out

(config-if) ^Z

#

Anti-spoofing (Unicast RPF)

> enable

# config t

(config) interface FastEthernet 0/0

(config-if) ip verify unicast reverse-path

(config-if) ^Z

#

Black hole security configuration

> enable

# config t

(config) interface null 0

(config-if) no ip unreachables

(config-if) exit

(config) ip route 211.1.1.1 255.255.255.255 null 0 # blocks 211.1.1.1 by routing it to Null0

(config) ^Z

#

