Network security-border security (1)
Nowadays people depend more and more on the Internet, and network security is gradually entering everyday public awareness. Leaked credit card data, hotel check-in records being looked up, leaked trade secrets: each of these touches the nerves of an individual, a company, or even a country. As technology develops, network boundaries become ever more complex; web applications, wireless access, DCI, VPN and other technologies make the border hard to pin down and hard to know where to start. Yet whether you harden the border layer by layer, strengthen security auditing at the network entry points, or train your users, you must first know your own network. Border devices are generally routers, switches, or firewalls.
Border security-ACL
When a router or switch acts as the border, an access control list (ACL) is almost always configured on it. In some environments, such as a bank, the number of ACL entries can be very large, reaching thousands or more. Devices commonly used at the border include Nexus 7K, Cisco 7600, Cisco 6500, Huawei 9300 and Huawei CloudEngine. The following uses Cisco as the example to describe the ACL, the most important security measure on the border.
ACL applications:
1. Control routing information exchanged between neighboring devices.
2. Control network traffic passing through the device.
3. Control console and VTY access.
4. Define traffic of interest, for example for an IPsec VPN.
5. Implement QoS and other features.
ACL Configuration
1. Create an ACL
2. Apply the ACL to an interface.
ACL types
1. Standard ACL, numbered 1 to 99. Filters packets only on the source IP address.
2. Extended ACL, numbered 100 to 199. Filters traffic on source IP address, destination IP address, protocol, port, and flags.
3. Named ACL. Applies to both standard and extended ACLs; it replaces the number with a name, which makes configuration easier to manage and is more widely used.
4. Classification ACL. Generally used to classify traffic when identifying DoS attacks and similar security events.
5. Other, rarely used ACL types: dynamic ACL, reflexive ACL, time-based ACL, and debug ACL.
ACL implementation guidelines
1. One ACL can be reused on multiple interfaces at the same time.
2. For a given protocol, an interface can carry only one ACL per direction: one inbound and one outbound. For different protocols, several ACLs can be applied to the same interface.
3. ACL entries are matched sequentially, so put the more specific entries first.
4. Always create the ACL first and then apply it to the interface. To modify an ACL, first remove it from the interface, then re-apply it after the modification.
5. An outbound ACL on a router checks only traffic passing through the router; it does not check traffic the router itself originates.
6. A standard ACL should be applied as close as possible to the destination of the traffic; an extended ACL should be applied as close as possible to the source.
ACL application example
[Figure: ACL application interface]
1. The border of a data center is a switch, and only web and DNS services are provided internally. For security, ACL control is applied at the border.
ip access-list test-sample
  remark reject RFC 1918 source addresses (172.16.0.0/12 is the full RFC 1918 range)
  deny ip 10.0.0.0/8 any
  deny ip 172.16.0.0/12 any
  deny ip 192.168.0.0/16 any
  remark open TCP port 80 of the web server
  permit tcp any 1.1.1.2/32 eq www
  remark open UDP port 53 of the DNS server
  permit udp any 1.1.1.3/32 eq 53
Then apply the ACL inbound (in direction) on the interface that connects to the exit. Everything not permitted above is dropped by the implicit deny at the end of the list.
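To make the first-match rule from the guidelines above concrete, here is a small Python ACL evaluator; it is an added example, not code from the original post or from Cisco. It parses a constructed copy of the test-sample ACL (using the full 172.16.0.0/12 RFC 1918 range) and shows that an earlier deny wins over a later permit, and that anything unlisted falls to the implicit deny. The parser only handles the permit/deny, protocol, source, destination and "eq port" subset used on this page.

```python
import ipaddress
from collections import namedtuple

# Constructed copy of the test-sample ACL from the text (NX-OS prefix notation).
ACL_TEXT = """
ip access-list test-sample
  deny ip 10.0.0.0/8 any
  deny ip 172.16.0.0/12 any
  deny ip 192.168.0.0/16 any
  permit tcp any 1.1.1.2/32 eq www
  permit udp any 1.1.1.3/32 eq 53
"""

PORT_NAMES = {"www": 80, "domain": 53}   # port keywords accepted after "eq"

# One access control entry; proto "ip" matches any protocol, dport None means any port.
Ace = namedtuple("Ace", "action proto src dst dport")

def _net(tok):
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_acl(text):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' lines, keeping order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the "ip access-list" header, remarks and blank lines
        dport = None
        if len(tok) >= 6 and tok[4] == "eq":
            dport = PORT_NAMES.get(tok[5]) or int(tok[5])
        aces.append(Ace(tok[0], tok[1], _net(tok[2]), _net(tok[3]), dport))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """Return (action, index) of the first matching entry. No match means the
    implicit deny at the end of every ACL, reported with index None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, a in enumerate(aces):
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and (a.dport is None or a.dport == dport)):
            return a.action, i
    return "deny", None

ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "203.0.113.9", "1.1.1.2", 80))   # permit, entry 3
    print(evaluate(ACL, "tcp", "10.1.2.3", "1.1.1.2", 80))      # deny, entry 0 (RFC 1918 wins)
    print(evaluate(ACL, "tcp", "203.0.113.9", "1.1.1.2", 443))  # deny, None (implicit deny)
```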
2. A data center server is under attack and there are no other protection or detection devices. The ACL can be used to troubleshoot and characterize the traffic.
access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply
access-list 169 permit udp any any eq echo
access-list 169 permit udp any eq echo any
access-list 169 permit tcp any any established
access-list 169 permit tcp any any
access-list 169 permit ip any any
Then apply the ACL inbound on the exit interface and view the match counters with show ip access-list. Add log-input to the ACL entries with the largest match counts, then check the log to find the source IP address of the attack. (On a Nexus switch you must add statistics per-entry to the ACL for it to count matches.)
This article is from the "The brightest star in the night sky" blog; please be sure to keep this source: http://wangxl.blog.51cto.com/621714/1445101