Changing the default value when configuring router settings

Source: Internet
Author: User

Many people may not be familiar with the finer points of router settings. Here we mainly introduce how to change a default value when configuring a router. As is well known, setting an access control list (ACL) on a router or switch improves security and prevents attacks by hackers and viruses to a certain extent, and my company has been using this method.

However, in my actual work I found a problem that affects security. If you do not pay attention to the router's default settings, it is quite possible that a carefully written ACL is silently rendered useless, like the Maginot Line in World War II: viruses and hackers can walk around it and reach intranet computers very easily.

Security Analysis:

Readers with experience in router configuration will know that network administrators commonly set access control lists on routers or switches to keep out viruses and hackers. On routers and switches produced by Cisco, every access control list ends with an implicit "deny any any" statement by default, so any packet that matches none of the rules in the list is discarded.

Recently, my company added Huawei 2621 series routers. The configuration methods for Cisco and Huawei devices are broadly similar, so I developed the ACL rules according to the configuration statements used on the Cisco router and entered these rules on the Huawei router. Because Cisco automatically appends the "deny any any" statement by default, I assumed that the Huawei router would do the same. However, after the configuration was done, it turned out that none of the ACL filtering rules took effect: the traffic the ACL was supposed to block, which the Cisco-style rules had left to the implicit deny, was still forwarded by the router as usual.

After repeated investigation and reading of the documentation, I found that Huawei's access control lists behave as though a "permit any any" statement were appended at the end: a packet that matches none of the rules in the ACL is allowed through. The consequence is serious. Packets that match no ACL rule are unconditionally forwarded by the Huawei router, whereas a Cisco device would discard them, so the packets that were supposed to be filtered are not filtered at all and the network is at risk. Illegal packets walk straight around the anti-virus "Maginot Line" the network administrator so carefully set up and intrude into the user's intranet.

Solution:

How can this problem be solved? It is caused by the Huawei router's default setting. We can either add a "deny any any" statement at the end of each ACL, or change the device's default action for packets that match no rule to deny. The first method only applies to the ACL currently being configured; when a new ACL is created later, the router will again allow all unmatched packets through by default. The second method changes the router's default itself, making it the same as a Cisco device: packets that match no rule are blocked.

1. Add the ACL rule directly. After entering all the ACL statements on the Huawei device, add "rule deny ip source any destination any" as the last rule so that packets matching none of the preceding rules are discarded.

2. Modify the default setting. Use "firewall default deny" on the Huawei device to change the default action for unmatched packets from permit (forward) to deny (discard). This closes the hole left by the default setting for every ACL on the device, not just the one currently being configured, so we recommend the second method.
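The two approaches side by side, as an added configuration example that is not from the original article. The Cisco part uses IOS syntax; the Huawei part uses the VRP 3.x command set of the Quidway 26xx-series routers. The ACL numbers and names, the interface names and the 10.1.1.0/24 network are assumptions chosen for illustration, and "firewall enable" is included on the assumption that this release requires it before packet filtering acts at all; check each command against the manual for your device and software version.

```text
! ---- Cisco IOS: the ACL ends with an implicit "deny any any" ----
ip access-list extended INTRANET-IN
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
! nothing else is needed: any packet not permitted above is dropped
interface FastEthernet0/0
 ip access-group INTRANET-IN in

# ---- Huawei VRP 3.x, as first configured: unmatched packets are forwarded ----
acl number 3001
 rule permit tcp source 10.1.1.0 0.0.0.255 destination any destination-port eq 22
 rule permit tcp source 10.1.1.0 0.0.0.255 destination any destination-port eq 80
# no explicit deny and a default action of permit, so this ACL blocks nothing

# ---- Fix 1: explicit final deny, effective for this ACL only ----
acl number 3001
 rule deny ip source any destination any

# ---- Fix 2 (recommended): change the device-wide default action ----
firewall enable
firewall default deny
interface Ethernet0/0
 firewall packet-filter 3001 inbound
```

Before switching to "firewall default deny", make sure every ACL bound to an interface explicitly permits the traffic you still need, including the session you are configuring from, or you will lock yourself out. After the change, send a packet that matches no rule (for example, a connection to a port the ACL does not mention) and confirm that it is dropped; that is exactly the check the original configuration would have failed.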

Summary:

After this "Maginot Line" incident, we can see that even when the configuration commands look the same, if the vendor is different it is best to read the user manual in advance and pay special attention to the default settings; default settings can cause many unexpected faults. When a problem is found, do not be quick to suspect faulty hardware; start with the software and configuration commands. A small default setting can completely breach an otherwise well-built defence. Network administrators should therefore verify the network's behaviour after every change to make sure the measures they implemented actually take effect.