Using a Cisco router to establish the security mechanism of an enterprise network

Source: Internet
Author: User

In recent years computer networks, and the Internet in particular, have developed very rapidly, and ATM and IP over DWDM technologies have quickly increased network transmission bandwidth. The development of network security and management technology has lagged behind: although the call for network security is loud, little of it is actually put into practice. It is often believed that strengthening the security mechanism of an enterprise network requires adding firewalls, authentication servers and other devices, but such security devices are expensive and raise the production costs of many small enterprises. In fact, the security mechanisms embedded in the IOS of the Cisco routers widely used in China can meet the interconnection requirements of the average enterprise.

From a traditional point of view, the main function of a router is to transfer data packets from one network to another. Routers operate at the network layer, corresponding to the third layer of the OSI Reference Model: by inspecting the network address in a packet, the router decides whether to forward the packet and what action to take. Another function that goes with forwarding is creating and maintaining the routing table. In terms of security, routers are the first line of defence of the network, and their protection takes the form of access control lists (access-list); the access lists created can be used to permit or deny packets passing through the router.

Packet filtering on Cisco routers lets users control the traffic flowing into the network based on the source address, destination address and application type of the packet. An access list is an ordered table that permits or denies a packet by matching the packet against its rules. The router checks a packet against the statements in the order in which they were created in the access list, and at the end of the list there is an implied "deny all", meaning that any packet not permitted by an earlier entry of the access list is denied by this final entry.

The criterion used to permit or deny a packet is based on information contained in the packet itself. Typically this information is limited to the OSI layer 3 network address in the packet header (standard access list) and the layer 4 port information (extended access list). Therefore an access list basically cannot filter packets on information above layer 4; for example, an extended access list can control FTP access but cannot filter specific FTP commands such as LS or GET.

There is a great deal of information about access lists in the Cisco IOS documentation; here I will only go over some of the experience I have accumulated while setting up access lists.

First, to establish a reasonable access list, you must understand the enterprise's applications

An access list is built to protect the security of the corporate network. To establish a safe and reasonable access list, you first need an in-depth understanding of the enterprise's applications: which applications are in use, which ports they use, which addresses they access, and so on, so that the access list you establish does not affect the normal network operation of the enterprise.

You can use the following commands to build an access-list log and find out which port numbers the corporate network actually uses (the access lists are defined before they are applied, since IOS treats an applied but undefined list as "permit any"):

access-list 101 permit tcp any any log
access-list 101 permit udp any any log
access-list 101 permit ip any any log
access-list 102 permit tcp any any log
access-list 102 permit udp any any log
access-list 102 permit ip any any log
interface serial 0
ip access-group 101 in
ip access-group 102 out
logging buffered

After a period of time, use the show log command to display details of each packet that matched the access list. Because the router's log buffer is limited, you can use the logging A.B.C.E command to send the log information collected by the router to a syslog server with IP address A.B.C.E, for a more thorough picture of the enterprise's use of TCP/IP ports. Free syslog server software for the Windows platform can be downloaded at http://support.3com.com/software/utilities_for_windows_32_bit.htm.
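As an added illustration (not code from the original article), the following Python script parses constructed log lines in the style of the IOS %SEC-6-IPACCESSLOGP messages that the log keyword produces, tallies packets per protocol and destination port for one access list, and proposes permit entries ordered busiest first; the addresses, list numbers and counts are made-up sample data.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the IOS %SEC-6-IPACCESSLOGP messages that the
# "log" keyword on an access-list entry produces; addresses, ports and counts are made up.
SAMPLE_LOG = """\
*Mar  1 00:12:01.111: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.7(1031) -> 192.168.18.5(23), 1 packet
*Mar  1 00:12:05.222: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.9(1044) -> 192.168.18.6(25), 3 packets
*Mar  1 00:12:09.333: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.7(1052) -> 192.168.18.6(110), 2 packets
*Mar  1 00:12:15.444: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.7(2001) -> 192.168.18.2(53), 1 packet
*Mar  1 00:12:20.555: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.12(1077) -> 192.168.18.5(23), 4 packets
*Mar  1 00:12:22.666: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 192.168.18.5(23) -> 10.1.1.7(1031), 4 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def tally_ports(log_text, acl):
    """Sum packet counts per (protocol, destination port) for one access-list number."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("acl") == acl:
            counts[(m.group("proto"), int(m.group("dport")))] += int(m.group("count"))
    return counts

def suggest_permits(counts, acl, dst_net, dst_wild):
    """One permit entry per service seen, busiest first, so frequent traffic matches early."""
    return [f"access-list {acl} permit {proto} any {dst_net} {dst_wild} eq {port}"
            for (proto, port), _ in counts.most_common()]
```

The log only shows the sessions seen during the collection window, and the high-numbered reply ports on list 102 are ephemeral client ports rather than services to permit.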

Second, establish the contents of the access list according to the specific applications

1. Filtering the TCP (Transmission Control Protocol) protocol

For example, an enterprise's headquarters (as pictured) provides the following main applications on the network to its affiliates: (1) telnet access (telnet: TCP port 23); (2) sending and receiving e-mail (SMTP: TCP port 25, POP3: TCP port 110); (3) WWW (HTTP: TCP port 80); and headquarters may access its branch offices freely.

Then its router's access list is defined as follows:

access-list 100 permit tcp any 192.168.18.0 0.0.0.255 eq 23
access-list 100 permit tcp any 192.168.18.0 0.0.0.255 eq 25
access-list 100 permit tcp any 192.168.18.0 0.0.0.255 eq 110
access-list 100 permit tcp any 192.168.18.0 0.0.0.255 eq 80
access-list 100 permit tcp any any established ……
interface serial 0
ip access-group 100 in

Because the router checks TCP packets flowing through serial 0 against the entries of the access list in order, this greatly increases the load on the router's CPU. Therefore, after the access list has been in place for a period of time, you can use the command show access-list 100 to check the number of matched TCP packets shown in parentheses after each entry, and rearrange the entries of the access list in descending order of match count. This reduces the number of entries a packet must be compared against, shortens the lookup time for specific packets, and lightens the load on the router's CPU.

Note that access-list 100 uses the keyword established at the end. Cisco router access lists use it to permit TCP return traffic: it checks whether the ACK or RST flag bit is set in a TCP packet. If the ACK or RST bit is set, the packet is usually part of an ongoing session, so the keyword established is a simple way to decide whether a packet belongs to a known session. However, it is very easy for a hacker to write a program that sets these two flags and sends out packets with the ACK or RST flag that are not part of any legitimate session in progress. In practice we found that TCP return packets use randomly chosen port numbers in the range 1024~65536 (because the well-known port range is 1~1023), so we can change the access control statement that uses the keyword established to:

access-list 100 permit tcp any 192.168.18.0 0.0.0.255 gt 1023 established

This ensures that packets entering the enterprise's internal network through this entry must have a destination port number greater than 1023. So even if a hacker's attack packet fraudulently uses the ACK or RST bit to escape the control of the access-list entry, its destination port must still be greater than 1023, which means the spoofed packet cannot reach services such as FTP, DNS and HTTP whose port numbers are less than 1024. To some extent this improves the security of the network.
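To show the difference between the two established entries, here is an added Python model (not the article's own code) of Cisco first-match access-list evaluation with wildcard masks, eq/gt port tests, the ACK/RST check behind the established keyword and per-entry hit counters; the packets and addresses are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    dst: str              # destination address
    dport: int            # destination port
    ack: bool = False     # TCP flag bits; both False on a fresh SYN
    rst: bool = False

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (matches any protocol)
    dst_net: str                  # destination network, or "any"
    dst_wild: str = "0.0.0.0"     # Cisco wildcard mask: 1 bits are "don't care"
    port_op: str = ""             # "eq" or "gt" on the destination port, "" for none
    port: int = 0
    established: bool = False
    hits: int = 0                 # the count "show access-list" prints in parentheses

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst_net != "any":
            care = ~int(ip_address(self.dst_wild)) & 0xFFFFFFFF
            if int(ip_address(p.dst)) & care != int(ip_address(self.dst_net)) & care:
                return False
        if self.port_op == "eq" and p.dport != self.port:
            return False
        if self.port_op == "gt" and p.dport <= self.port:
            return False
        # "established" only tests the ACK/RST bits; the router keeps no session table,
        # so a crafted packet with ACK set passes this test
        return not self.established or p.ack or p.rst

def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; the implicit 'deny all' at the end catches the rest."""
    for e in acl:
        if e.matches(p):
            e.hits += 1
            return e.action
    return "deny"

NET, WILD = "192.168.18.0", "0.0.0.255"
# the article's original "established" entry versus the "gt 1023 established" replacement
ACL_LOOSE = [Entry("permit", "tcp", NET, WILD, "eq", 23), Entry("permit", "tcp", "any", established=True)]
ACL_TIGHT = [Entry("permit", "tcp", NET, WILD, "eq", 23), Entry("permit", "tcp", NET, WILD, "gt", 1023, established=True)]
SPOOFED = Packet("tcp", "192.168.18.5", 80, ack=True)       # ACK set, but no real session
RETURN = Packet("tcp", "192.168.18.5", 40000, ack=True)     # genuine reply to an internal client
```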
