2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
Network Security-Border Security (1)
Nowadays people depend more and more on the Internet, and network security is gradually entering everyday awareness: leaked credit card details, queries of hotel room records, leaked trade secrets, and so on. Each of these touches the nerves of an individual, a company, or even a country. As technology develops, the network boundary becomes more and more complex; web applications, wireless access, DCI, VPN and other technologies make the boundary seem so complicated that there is no obvious place to start. Yet whether you harden the boundary layer by layer, strengthen the security audit of every network entry point, or run security training for users, you must first have a clear picture of your own network. Network boundary devices are generally routers, switches, or firewalls.
Border Security-ACL
When a router or switch serves as the boundary, access control lists (ACLs) are almost always configured on it. In some environments, such as banks, the number of ACL entries can be very large, reaching thousands or more. Devices commonly deployed at the border include the Cisco Nexus 7K, Cisco 7600, Cisco 6500, Huawei 9300, Huawei CloudEngine, and so on. The following takes Cisco as the example to introduce ACLs, the key border security measure.
ACL application scenarios:
1. Control routing information exchanged between neighboring devices.
2. Control the network access of traffic traversing the device.
3. Control console and VTY access.
4. Define the traffic of interest for IPsec VPNs, etc.
5. Implement other features such as QoS.
ACL configuration
1. Create the ACL.
2. Apply the ACL to an interface.
ACL types
1. Standard ACL. Numbered 1-99; filters on source IP only.
2. Extended ACL. Numbered 100-199; filters on source IP, destination IP, protocol, port, TCP flags, and so on.
3. Named ACL. Applies to both standard and extended ACLs, using a name instead of a number; easier to manage and the most commonly used form.
4. Classification ACL. Generally used to identify and characterise traffic for security purposes, such as during a DoS.
5. Other rarely used ACL types: dynamic ACL, reflexive ACL, time-based ACL, debug ACL, etc.
ACL implementation guidelines
1. One ACL can be used on multiple interfaces at the same time (reuse).
2. An interface can carry only one ACL per protocol per direction, i.e. one inbound and one outbound ACL. For different protocols, two or more ACLs can be applied to one interface.
3. ACL entries are matched in sequence and the first match wins, so put the most specific entries first.
4. Always create the ACL first and then apply it to the interface; when modifying, remove the ACL from the interface first, then re-apply it after the modification is complete.
5. An outbound ACL applied on a router checks only traffic passing through the router; it does not check traffic the router generates itself.
6. Apply standard ACLs as close as possible to the destination of the traffic, and extended ACLs as close as possible to the source.
Examples of ACL applications
1. A data center whose boundary is a switch provides only web and DNS applications internally, and ACL control is implemented for security reasons.
ip access-list test-sample
  deny ip 10.0.0.0/8 any            ! reject RFC1918 source addresses
  deny ip 172.16.0.0/12 any
  deny ip 192.168.0.0/16 any
  permit tcp any 1.1.1.2/32 eq www  ! open TCP port 80 of the web server
  permit udp any 1.1.1.3/32 eq 53   ! open UDP port 53 of the DNS server
Then apply the ACL in the inbound direction on the interface that connects to the outside (the exit link).
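To make the implementation guidelines concrete (sequential first-match processing, the implicit deny at the end of every ACL, and why the most specific entries must come first), here is an added example that is not part of the original article: a small Python evaluator that models how IOS/NX-OS walk an access list top-down, loaded with the test-sample ACL above. The packets, the `Packet`/`Entry` types and the `net()` helper (which accepts `any`, CIDR, or a contiguous IOS wildcard mask) are assumptions for illustration, not a vendor API.

```python
from __future__ import annotations

# Added example (not from the original article): a first-match ACL evaluator.
# Entries are checked in order; the first match decides, and a packet that matches
# nothing hits the implicit "deny ip any any" that every IOS/NX-OS ACL ends with.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:           # constructed packet summary, not a real parser
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int | None = None


@dataclass(frozen=True)
class Entry:            # one access-control entry (ACE)
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None = None   # None means any destination port


ANY = ipaddress.ip_network("0.0.0.0/0")


def net(text: str) -> ipaddress.IPv4Network:
    """Accept 'any', CIDR ('10.0.0.0/8') or IOS wildcard form ('10.0.0.0 0.255.255.255').
    Assumes a contiguous wildcard mask (the inverse of a subnet mask)."""
    if text == "any":
        return ANY
    if " " in text:
        addr, wildcard = text.split()
        prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return ipaddress.ip_network(text, strict=False)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: list[Entry], p: Packet) -> tuple[str, int | None]:
    """Return (action, index of the matching entry); index None means the implicit deny fired."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None


# The article's test-sample ACL: drop RFC1918 sources, open 80/tcp and 53/udp to two servers.
TEST_SAMPLE = [
    Entry("deny", "ip", net("10.0.0.0/8"), ANY),
    Entry("deny", "ip", net("172.16.0.0 0.15.255.255"), ANY),   # same block as 172.16.0.0/12
    Entry("deny", "ip", net("192.168.0.0/16"), ANY),
    Entry("permit", "tcp", ANY, net("1.1.1.2/32"), 80),
    Entry("permit", "udp", ANY, net("1.1.1.3/32"), 53),
]

# Same entries with the web permit moved to the top: a spoofed RFC1918 source now slips
# through, which is what guideline 3 (specific entries first) guards against.
MISORDERED = [TEST_SAMPLE[3]] + TEST_SAMPLE[:3] + [TEST_SAMPLE[4]]


def demo() -> dict[str, tuple[str, int | None]]:
    """Evaluate a few constructed packets against the test-sample ACL."""
    return {
        "web": evaluate(TEST_SAMPLE, Packet("tcp", "203.0.113.9", "1.1.1.2", 80)),
        "dns": evaluate(TEST_SAMPLE, Packet("udp", "203.0.113.9", "1.1.1.3", 53)),
        "spoofed": evaluate(TEST_SAMPLE, Packet("tcp", "10.1.2.3", "1.1.1.2", 80)),
        "ssh": evaluate(TEST_SAMPLE, Packet("tcp", "203.0.113.9", "1.1.1.2", 22)),
        "spoofed_misordered": evaluate(MISORDERED, Packet("tcp", "10.1.2.3", "1.1.1.2", 80)),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:20s} -> {action} (entry {'implicit' if idx is None else idx})")
```

The `ssh` packet shows the implicit deny: nothing in the list permits port 22, so it is dropped even though no entry names it. The `spoofed_misordered` case shows that the same five entries in a different order produce a different decision, which is why the article tells you to remove an ACL from the interface before editing it rather than appending lines to a live list.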
2. If a data-center server is under attack and there is no other protective or detection equipment, use an ACL to troubleshoot.
access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply
access-list 169 permit udp any any eq echo
access-list 169 permit udp any eq echo any
access-list 169 permit tcp any any established
access-list 169 permit tcp any any
access-list 169 permit ip any any
Then apply the ACL in the inbound direction of the egress interface, check the number of matches with show ip access-list, and finally add log-input to the ACL entries with large match counts. The attack source IPs can then be found by examining the log. (On a Nexus switch, statistics per-entry must be added to the ACL for match counting to take place.)
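The step "check the number of matches, then add log-input to the entries with large counts" is usually done by eye; here is an added example, not from the original article, that does the same triage in Python over a constructed `show ip access-lists` output for ACL 169. The sample text imitates the IOS format (`<seq> <rule> (<n> matches)`) with made-up counters; the threshold, the helper names and the generated `access-list 169 ... log-input` lines are assumptions for illustration.

```python
# Added example (not from the original article): rank ACEs of a characterisation ACL
# by hit count and produce the log-input lines for the busiest ones.
import re

# Constructed output imitating "show ip access-lists 169"; counters are invented.
SAMPLE_OUTPUT = """\
Extended IP access list 169
    10 permit icmp any any echo (1523412 matches)
    20 permit icmp any any echo-reply (12 matches)
    30 permit udp any any eq echo
    40 permit udp any eq echo any
    50 permit tcp any any established (43213 matches)
    60 permit tcp any any (120 matches)
    70 permit ip any any (5 matches)
"""

HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# sequence number, rule text, and an optional "(N matches)" / "(1 match)" counter
ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<rule>.+?)(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$")


def parse_counters(text: str) -> dict[str, list[tuple[int, str, int]]]:
    """Map ACL name -> list of (sequence, rule text, hit count).
    Entries printed without a counter have not been hit and count as 0."""
    acls: dict[str, list[tuple[int, str, int]]] = {}
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(1)
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            acls[current].append((int(m["seq"]), m["rule"], int(m["hits"] or 0)))
    return acls


def hot_entries(acls: dict, name: str, threshold: int) -> list[tuple[int, str, int]]:
    """Entries of ACL `name` whose hit count exceeds `threshold`, most-hit first."""
    return sorted((e for e in acls[name] if e[2] > threshold), key=lambda e: -e[2])


def log_input_commands(acls: dict, name: str, threshold: int) -> list[str]:
    """Config lines that re-enter the hot ACEs with log-input (IOS numbered-ACL syntax)."""
    return [f"access-list {name} {rule} log-input" for _, rule, _ in hot_entries(acls, name, threshold)]


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_OUTPUT)
    for seq, rule, hits in hot_entries(parsed, "169", 10_000):
        print(f"{seq:>4} {hits:>10}  {rule}")
    print("\n".join(log_input_commands(parsed, "169", 10_000)))
```

With the constructed counters the ICMP echo entry (sequence 10) stands out, which is the entry you would re-enter with `log-input` so that the log records the source IP and ingress interface of the flood. Per guideline 4 above, remove the ACL from the interface before changing its entries and re-apply it afterwards; on NX-OS the counters only exist if `statistics per-entry` is configured on the ACL.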
© 2024 shulou.com SLNews company. All rights reserved.