8.1 Classification of network security

| Layer | Examples of security controls (or of the attacks dealt with at that layer) |
|---|---|
| Physical layer | Disconnect unused wall network jacks; administratively shut down unused switch ports |
| Data link layer | ADSL dial-up (account + password); MAC address binding; limiting the number of hosts per switch port (port security); creating VLANs |
| Network layer | Filtering on source IP address; filtering on destination IP address, and similar |
| Transport layer | Attacks to defend against here: session hijacking, LAND attack, SYN flood |
| Application layer | Login passwords |
8.2 Typical network architecture
8.3 Configuring network security with standard ACLs
- Standard ACLs (numbers 1-99) filter on the source address only.
- Entry order matters: an ACL is evaluated top-down and the first matching entry wins, so the strict, specific entries (a single host, for example) go at the top and are written first, while the broad entries go at the bottom and are written last. Every ACL also ends with an implicit deny, so anything not explicitly permitted is dropped.
- Configuration on router R0 (the deny for the single host is placed before the permit for its subnet, otherwise the permit would shadow it):
```
en
conf t
! ACL 10: block one host, permit the rest of 192.168.1.0/24 and 192.168.2.0/24;
! every other source hits the implicit deny at the end of the list
access-list 10 deny host 192.168.2.2
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
! ACL 20: block 192.168.0.0/24 and permit everything else
access-list 20 deny 192.168.0.0 0.0.0.255
access-list 20 permit any
! apply ACL 10 to traffic leaving serial 3/0
interface serial 3/0
ip access-group 10 out
exit
! verify; "no access-list 10" deletes every entry of the numbered list, not a single line
show access-list
no access-list 10
```
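To make the ordering rule concrete, here is an added example (not code from the original notes) that models standard-ACL evaluation in Python: wildcard-mask matching, top-down first-match evaluation with the implicit deny, and a small shadowing check that reports entries which can never match because an earlier entry already covers them. The ACL text is the page's ACL 10 (constructed inline), and only the standard-ACL syntax used on the page is parsed.

```python
"""Added example (not from the original notes): a minimal evaluator for Cisco
standard-ACL semantics. It shows that entries are tried top-down with the
first match winning, that an unmatched source hits the implicit deny, and
how a broad permit placed before a specific deny shadows it."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_standard_ace(line: str):
    """Parse 'access-list <n> permit|deny any' / 'host <ip>' / '<base> [<wildcard>]'.
    Returns (action, base, wildcard); a missing wildcard defaults to 0.0.0.0 as in IOS."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action = tok[2]
    if tok[3] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if tok[3] == "host":
        return action, tok[4], "0.0.0.0"
    return action, tok[3], tok[4] if len(tok) > 4 else "0.0.0.0"


def evaluate(acl_lines, src: str):
    """Return (action, entry number) of the first matching entry, or ('deny', None)
    for the implicit deny that terminates every IOS ACL."""
    for n, line in enumerate(acl_lines, 1):
        action, base, wc = parse_standard_ace(line)
        if wildcard_match(src, base, wc):
            return action, n
    return "deny", None


def covers(outer, inner) -> bool:
    """True if every address matched by inner=(base, wildcard) is also matched by outer."""
    bo, wo, bi, wi = (int(ipaddress.IPv4Address(x)) for x in (*outer, *inner))
    return (wi & ~wo) == 0 and (bi & ~wo) == (bo & ~wo)


def shadowed_entries(acl_lines):
    """List (entry, shadowed_by) pairs: entries that can never match because an
    earlier entry already matches everything they would."""
    parsed = [parse_standard_ace(line)[1:] for line in acl_lines]
    found = []
    for i, inner in enumerate(parsed):
        for j in range(i):
            if covers(parsed[j], inner):
                found.append((i + 1, j + 1))
                break
    return found


# Constructed ACL 10 exactly as in the notes: the single-host deny comes first.
ACL10 = [
    "access-list 10 deny host 192.168.2.2",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 permit 192.168.2.0 0.0.0.255",
]
# Same three entries with the deny moved to the end: the /24 permit above it
# now shadows it, so 192.168.2.2 is never blocked.
ACL10_MISORDERED = [ACL10[1], ACL10[2], ACL10[0]]

if __name__ == "__main__":
    for name, acl in (("as written", ACL10), ("misordered", ACL10_MISORDERED)):
        print(name, evaluate(acl, "192.168.2.2"), "shadowed:", shadowed_entries(acl))
    print("10.1.1.1 (no entry matches):", evaluate(ACL10, "10.1.1.1"))
```

Running the script shows the host denied at entry 1 with the page's order, permitted at entry 2 with the deny moved last (and `shadowed_entries` flags that entry 3 is dead), and a source outside both subnets rejected by the implicit deny. The same shadowing check is a useful pre-commit test for any numbered ACL before it goes on a router.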
8.4 Configuring network security with extended ACLs
- Extended ACLs (numbers 100-199) filter on source address, destination address, protocol and port number. Because they can identify the traffic precisely, they are applied as close to the source as possible, whereas standard ACLs are applied close to the destination.
```
en
conf t
! 192.168.2.0/24 may reach anything
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
! 192.168.1.0/24 may only reach web servers (TCP/80) in 10.0.0.0/8
access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 80
! 192.168.0.0/24 may only send ICMP; all other traffic is dropped by the implicit deny
access-list 100 permit icmp 192.168.0.0 0.0.0.255 any
interface serial 3/0
ip access-group 100 out
```
8.5 Using ACLs to protect the router itself
- Bind the ACL to the vty (telnet) lines with `access-class 10 in`, so that only the listed source address can open a remote management session to the router:
```
en
conf t
line vty 0 15
! "aaa" is the placeholder line password from the notes; use a strong one on real equipment
password aaa
login
exit
! permit only the management host (equivalent form: access-list 10 permit 192.168.1.3 0.0.0.0)
access-list 10 permit host 192.168.1.3
line vty 0 15
access-class 10 in
exit
```
Telnet carries the password in cleartext, so on real equipment restrict the vty lines to SSH (`transport input ssh`) and keep the `access-class` as a second layer rather than the only one.
- Bind the ACL to a physical interface with `ip access-group 10 in`. With a single permit entry, the implicit deny drops every other packet entering fastEthernet 1/0, including transit traffic from all other hosts, so this is a far broader restriction than `access-class`, which only affects logins to the vty lines:
```
en
conf t
! equivalent form: access-list 10 permit 192.168.1.3 0.0.0.0
access-list 10 permit host 192.168.1.3
interface fastEthernet 1/0
ip access-group 10 in
exit
```
8.6 Specific ACL applications
The lists in this section are fragments that each address one threat. Every ACL ends with an implicit deny and IOS binds at most one ACL per interface per direction, so on a real router the entries are merged into one inbound list and one outbound list for the external interface rather than applied one at a time as shown.
8.6.1 Countering IP address spoofing: inbound
- Never allow a packet to enter the private network whose source address is an internal host or network address, or any other address that cannot legitimately appear as a source on the Internet (loopback, 0.0.0.0/8, the RFC 1918 private ranges, multicast, the limited broadcast address). Each denial is logged; the list is meant to be applied inbound on the external interface.
```
! loopback range
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
! 0.0.0.0/8 ("this network"); the wildcard must be 0.255.255.255, because
! 0.0.0.0 255.255.255.255 means "any" and would turn this entry into deny ip any any
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
! RFC 1918 private ranges (the internal 192.168.0.0/16 is among them)
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
! multicast range as a source address
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
! limited broadcast address as a source (an extended ACL entry needs the protocol keyword ip)
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 permit ip any any
```
8.6.2 Countering IP address spoofing: outbound
- Never let a packet leave the network unless its source is a valid internal address (egress filtering, so that the site cannot be used to launch spoofed traffic at others):
```
! only packets sourced from the internal 192.168.0.0/16 may leave
access-list 105 permit ip 192.168.0.0 0.0.255.255 any
! anything else is spoofed or misconfigured: drop and log it
access-list 105 deny ip any any log
interface serial 2/0
ip access-group 105 out
```
8.6.3 Countering TCP SYN flood DoS: blocking connections initiated from outside
- Permit responses from the external network to connections that were opened from inside, and reject every TCP connection initiated from outside. The `established` keyword matches only segments with the ACK or RST bit set, so a bare SYN from outside never matches the permit and falls through to the deny. Two caveats: the check is stateless (any crafted segment with ACK set passes, so it stops neither ACK floods nor ACK scans; a stateful firewall or TCP Intercept is needed for that), and the final `deny ip any any` also drops inbound UDP and ICMP, including DNS replies, unless those are permitted explicitly above it.
```
! return traffic of connections opened from inside: ACK or RST bit set
access-list 109 permit tcp any 192.168.0.0 0.0.255.255 established
! any other inbound packet, including a bare SYN, is dropped and logged
access-list 109 deny ip any any log
interface serial 2/0
ip access-group 109 in
```
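The following added example (Python, not code from the original notes) serves both 8.6.1 and 8.6.3: it implements the subset of extended-ACL syntax the page uses (protocol, wildcard source and destination, `eq <port>`, `established`, ICMP message names, `log`) and evaluates constructed packets against the page's ACL 150 and ACL 109. The packets, the outside addresses (203.0.113.x) and the port numbers are constructed for the demonstration; the anti-spoofing list is written with the 0.0.0.0/8 wildcard and the `ip` keyword on the broadcast entry as IOS requires them, and the typo variant is included to show what `0.0.0.0 255.255.255.255` would do.

```python
"""Added example (not from the original notes): a small evaluator for Cisco
extended-ACL semantics. It is run against constructed packets to show what the
inbound anti-spoofing list of 8.6.1 and the 'established' list of 8.6.3 do,
including a wildcard typo that turns an entry into 'deny ip any any' and the
stateless nature of 'established'."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _addr(tok, i):
    """Consume one address spec at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>] [established] [<icmp-name>] [log]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dport": None,
           "established": False, "icmp": None, "log": False}
    ace["src"], i = _addr(tok, 4)
    ace["dst"], i = _addr(tok, i)
    while i < len(tok):
        if tok[i] == "eq":
            ace["dport"], i = int(tok[i + 1]), i + 2
        elif tok[i] in ("established", "log"):
            ace[tok[i]], i = True, i + 1
        else:  # ICMP message name such as echo, redirect, mask-request
            ace["icmp"], i = tok[i], i + 1
    return ace


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    # 'established' is stateless: IOS only checks that the ACK or RST flag is set.
    if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    if ace["icmp"] is not None and pkt.get("icmp") != ace["icmp"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First match wins: (action, entry number, logged). No match -> implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], n, ace["log"]
    return "deny", None, False


# ACL 150 from 8.6.1, with the 0.0.0.0/8 wildcard and the 'ip' keyword on the
# broadcast entry written as IOS requires them.
ACL150 = [
    "access-list 150 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 150 deny ip 0.0.0.0 0.255.255.255 any log",
    "access-list 150 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 150 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 150 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 150 deny ip 224.0.0.0 15.255.255.255 any log",
    "access-list 150 deny ip host 255.255.255.255 any log",
    "access-list 150 permit ip any any",
]
# Same list with entry 2 written as '0.0.0.0 255.255.255.255': that wildcard
# means 'any', so the entry silently becomes 'deny ip any any log'.
ACL150_TYPO = ACL150[:1] + ["access-list 150 deny ip 0.0.0.0 255.255.255.255 any log"] + ACL150[2:]
# ACL 109 from 8.6.3.
ACL109 = [
    "access-list 109 permit tcp any 192.168.0.0 0.0.255.255 established",
    "access-list 109 deny ip any any log",
]
# Constructed packets as they would arrive inbound on the external interface.
SPOOFED_SYN = {"proto": "tcp", "src": "192.168.1.9", "dst": "192.168.1.3", "dport": 80, "flags": {"SYN"}}
OUTSIDE_SYN = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.3", "dport": 80, "flags": {"SYN"}}
REPLY_SYNACK = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.3", "dport": 51000, "flags": {"SYN", "ACK"}}
CRAFTED_ACK = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.3", "dport": 22, "flags": {"ACK"}}
DNS_REPLY = {"proto": "udp", "src": "203.0.113.53", "dst": "192.168.1.3", "dport": 51001}

if __name__ == "__main__":
    print("spoofed internal source vs ACL 150:", evaluate(ACL150, SPOOFED_SYN))
    print("outside source vs ACL 150:         ", evaluate(ACL150, OUTSIDE_SYN))
    print("outside source vs typo list:       ", evaluate(ACL150_TYPO, OUTSIDE_SYN))
    for name, pkt in (("SYN", OUTSIDE_SYN), ("SYN/ACK", REPLY_SYNACK), ("bare ACK", CRAFTED_ACK), ("UDP", DNS_REPLY)):
        print(f"{name:8s} vs ACL 109:", evaluate(ACL109, pkt))
```

The output makes the two caveats visible: against the typo list even a normal outside packet is denied at entry 2, and against ACL 109 a crafted bare ACK to port 22 is permitted exactly like a real SYN/ACK reply, while the UDP DNS reply is dropped by the explicit deny.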
8.6.4 Countering Smurf DoS
- In a Smurf attack the attacker sends a flood of ICMP echo requests to a subnet's directed broadcast address with the source address spoofed to the victim's address; every host on the subnet then replies to the victim.
- The list below filters IP packets addressed to the directed broadcast addresses (and the network addresses, which some older stacks also treat as broadcast) of the internal subnets, so the router never forwards them. The router-side fix is `no ip directed-broadcast` on each interface (the default since IOS 12.0); the ACL adds logging of attempts:
```
! directed broadcast addresses of the internal subnets
access-list 111 deny ip any host 192.168.0.255 log
access-list 111 deny ip any host 192.168.1.255 log
access-list 111 deny ip any host 192.168.2.255 log
! network addresses, treated as broadcast by some older stacks
access-list 111 deny ip any host 192.168.0.0 log
access-list 111 deny ip any host 192.168.1.0 log
access-list 111 deny ip any host 192.168.2.0 log
interface serial 2/0
ip access-group 111 in
```
8.6.5 Filtering ICMP messages
- Inbound: block echo requests (stops outside hosts from pinging and sweeping the internal network), redirects (can rewrite host routing tables) and address mask requests (leak the subnet layout); permit the remaining ICMP types to the internal network:
```
! echo requests: no pinging or host sweeps of the internal network from outside
access-list 112 deny icmp any any echo log
! redirects: can rewrite host routing tables
access-list 112 deny icmp any any redirect log
! address mask requests: leak the subnet layout
access-list 112 deny icmp any any mask-request log
! remaining ICMP types (echo-reply, unreachable, time-exceeded, ...) to the internal network
access-list 112 permit icmp any 192.168.0.0 0.0.255.255
interface serial 2/0
ip access-group 112 in
```
- Outbound: permit only the ICMP messages internal hosts need to send: echo (lets users ping external hosts), parameter-problem, packet-too-big (type 3 code 4, required for path MTU discovery) and source-quench (listed in the notes, but deprecated by RFC 6633 and ignored by modern stacks); every other outbound ICMP message is logged and dropped:
```
! echo: lets internal users ping external hosts
access-list 114 permit icmp 192.168.0.0 0.0.255.255 any echo
access-list 114 permit icmp 192.168.0.0 0.0.255.255 any parameter-problem
! packet-too-big: needed for path MTU discovery to work
access-list 114 permit icmp 192.168.0.0 0.0.255.255 any packet-too-big
! source-quench: deprecated (RFC 6633), kept here as in the notes
access-list 114 permit icmp 192.168.0.0 0.0.255.255 any source-quench
! every other outbound ICMP message is dropped and logged
access-list 114 deny icmp any any log
interface serial 2/0
ip access-group 114 out
```