The router industry is developing very rapidly, and some users are not very familiar with router settings. This article presents a security analysis of router settings, focusing on ACL settings. As we all know, setting an access control list (ACL) on a router or switch can improve security and prevent hacker and virus attacks to a certain extent; my company has been using this method.
However, I found a problem affecting security in my actual work. If you do not pay attention to the router settings, a powerful ACL can easily be rendered ineffective, like the Maginot Line in World War II, and viruses and hackers can very easily bypass it and reach computers on the intranet.
Security Analysis
Readers with router configuration experience will know that network administrators often set access control lists on routers or switches to keep out viruses and hackers. By default, routers and switches produced by Cisco add a "deny any any" statement to the access control list, so that packets that do not match the rules are discarded.
Recently, my company added Huawei 2621 series routers. Generally, the configuration methods for Cisco and Huawei devices are basically the same. Therefore, I wrote the ACL rules according to the configuration statements used on the Cisco router and entered them into the Huawei router settings. Because Cisco automatically adds the deny any any statement by default, I assumed that the Huawei router would add it by default as well. However, after the configuration, I found that the ACL filtering rules had not taken effect, and packets that should have been filtered were still forwarded normally by the router.
After repeated research and consulting documentation, I found that the Huawei access control list has a "permit any any" statement added at the end, so packets that do not match the rules set in the ACL statements are allowed to pass. This has a serious consequence: packets that do not match the ACL rules are forwarded unconditionally by the router rather than discarded as on Cisco. As a result, packets that should be filtered are not filtered, and network security is at risk. Illegitimate packets bypass the anti-virus "Maginot Line" carefully set up by the network administrator and easily intrude into the user's intranet.
Solution
How can this problem be solved? It is caused by the Huawei router settings. We can either add a "deny any any" statement at the end of the ACL, or change the default ACL end statement to deny any any. The first method applies only to the current ACL; when a new ACL is set later, the router settings will still allow all packets to pass. The second method modifies the default value in the router settings, changing it to the same default as on Cisco devices so that all packets are blocked.
1. Add ACL rules directly
After setting all the ACL statements on the Huawei device, use "rule deny ip source any destination any" to discard packets that do not match the rules.
2. Modify the default settings
Use "firewall default deny" on a Huawei device to change the default from forwarding packets to discarding them. This resolves the weakness in the default. We therefore recommend the second method for fixing this default setting.
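The following is an added example, not part of the original article and not vendor code: a small first-match ACL model showing how one rule list gives different verdicts under a default of deny, a default of permit, and a default of permit with an explicit deny-all appended (method 1). The rule set, addresses and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set: (action, source network, destination network).
# It lists explicit rules only and relies on the device to drop the rest.
RULES = [
    ("deny",   "10.0.0.0/8",    "192.168.1.0/24"),
    ("permit", "172.16.5.0/24", "192.168.1.0/24"),
]

# Explicit catch-all, the counterpart of
# "rule deny ip source any destination any".
EXPLICIT_DENY_ALL = ("deny", "0.0.0.0/0", "0.0.0.0/0")


def evaluate(rules, src, dst, default_action):
    """First-match evaluation; default_action applies when no rule matches."""
    for action, src_net, dst_net in rules:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)):
            return action
    return default_action


def relies_on_default(rules):
    """True if the list does not end with an explicit catch-all rule."""
    if not rules:
        return True
    _, src_net, dst_net = rules[-1]
    return not (ip_network(src_net).prefixlen == 0
                and ip_network(dst_net).prefixlen == 0)


def compare(src, dst):
    """Verdict for one packet under each of the three configurations."""
    return {
        "default_deny": evaluate(RULES, src, dst, "deny"),
        "default_permit": evaluate(RULES, src, dst, "permit"),
        "explicit_deny_all": evaluate(RULES + [EXPLICIT_DENY_ALL],
                                      src, dst, "permit"),
    }


if __name__ == "__main__":
    # A packet that no rule mentions: the two defaults disagree here.
    print(compare("203.0.113.7", "192.168.1.10"))
    print("relies on default:", relies_on_default(RULES))
```

Packets matched by an explicit rule get the same verdict everywhere; only traffic that falls through the list exposes the difference, so that is the traffic to test with after a migration.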
Summary
After this "Maginot" incident, we can see that even when the configuration commands are the same, if the vendor is different it is best to read the user manual in advance and pay special attention to the default settings, because default settings may cause many unexpected faults. Do not be quick to suspect a hardware fault when a problem is discovered; start with the software and the configuration commands. A single small default setting can completely break through a carefully built anti-virus system. Therefore, network administrators should carefully test the network after each configuration change to ensure that the measures they implemented actually take effect.