Configure an Internet bastion Router

Source: Internet
Author: User
Tags: ping and traceroute


The following uses a Cisco 2611 router as an example to configure an Internet bastion router.

I. Access-list-based security protection policy

1. Prevent IP address spoofing from outside. External attackers may use a valid Intranet address or the loopback address as the source address of their packets to gain illegal access. To address this, create the following access list:

    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any

These entries block all traffic whose source address is private (the masks are Cisco wildcard masks covering 10/8, 192.168/16 and 172.16/12).

    access-list 101 deny ip 127.0.0.0 0.255.255.255 any

blocks all traffic whose source address is a loopback address.

    access-list 101 deny ip 224.0.0.0 15.255.255.255 any

blocks all traffic whose source address is a multicast address (224/4).

    access-list 101 deny ip host 0.0.0.0 any

blocks traffic that carries no source address. Note: apply list 101 in the inbound direction of the external interface. Every Cisco access list ends with an implicit deny, so a list made up only of deny entries must be closed with an explicit permit entry for the traffic that is allowed, or all other traffic is dropped as well.

2. Attackers often use ping or other commands to probe the network before attacking internal hosts, so you can block probing from external networks with ping and traceroute. Create the following access list:

    access-list 102 deny icmp any any echo
    access-list 102 deny icmp any any time-exceeded

The first entry blocks probing with ping, the second blocks probing with traceroute (which depends on ICMP time-exceeded messages coming back). Note: apply list 102 in the outbound direction of the external interface. In this example the replies leaving the network are blocked, not the probe entering it; be aware that an outbound entry matching echo stops echo requests leaving the network, while stopping the replies to an external ping requires matching echo-reply.

3. Protect the router itself from attack. A router is normally accessed through telnet or SNMP; make sure that nobody on the Internet can use these protocols to attack it. Assume that the IP address of the external interface serial0 is 200.200.200.1 and that of the internal interface fastethernet0 is 200.200.100.1. Generate an inbound filter that protects the router by blocking the telnet and SNMP services. Create the following access list:

    access-list 101 deny tcp any 200.200.200.1 0.0.0.0 eq 23
    access-list 101 deny tcp any 200.200.100.1 0.0.0.0 eq 23
    access-list 101 deny udp any 200.200.200.1 0.0.0.0 eq 161
    access-list 101 deny udp any 200.200.100.1 0.0.0.0 eq 161

Note: apply list 101 in the inbound direction of the external interface. Of course, this causes some inconvenience for the administrator, so a choice has to be made between convenience and security.

4. Block unauthorized access to key ports. These may be ports used by internal systems or ports exposed by the firewall. Access to them should be restricted; otherwise these devices are vulnerable to attack. Create the following access list:

    access-list 101 deny tcp any any eq 135
    access-list 101 deny tcp any any eq 137
    access-list 101 deny tcp any any eq 138
    access-list 101 deny tcp any any eq 139
    access-list 101 deny udp any any eq 135
    access-list 101 deny udp any any eq 137
    access-list 101 deny udp any any eq 138
    access-list 101 deny udp any any eq 139

5. Restrict access to important internal servers. For campus networks without a dedicated firewall, it is particularly important to use dynamic packet filtering to restrict access to important servers. For campus networks equipped with a dedicated firewall, this task can be done on the firewall, which reduces the load on the router. Whether the rules are implemented on the router or on the firewall, a set of access rules should be drawn up first. You can consider the following access rules:

● Allow external users' requests to the internal Web server.
● Allow replies from the Web server to external users.
● Allow external SMTP servers to send connection requests to the internal email server.
● Allow the internal email server to reply to external SMTP servers.
● Allow the internal email server to query external DNS.
● Allow DNS replies to the internal email server.
● Allow outbound TCP connections from internal hosts.
● Allow inbound TCP replies to the requesting host.

Other access rules can be created according to actual conditions. Once all allowed traffic flows are listed, the access list is easy to design. Note that all inbound rules should be applied in the IN direction of the router's external interface and all outbound rules in the OUT direction of the router's external interface.

II. Common attack methods and countermeasures

1. Prevent external ICMP redirect spoofing. Attackers sometimes use ICMP redirects to alter the router's forwarding so that traffic meant for the correct target is sent to a device they specify, letting them obtain useful information. The command to stop external users from using ICMP redirects is:

    interface serial0
     no ip redirects

2. Prevent external source-route spoofing. With source routing, the datagram itself carries the route it should take, bypassing the router's network-layer routing information; this lets an intruder specify an illegal route for datagrams in the internal network, so that a datagram meant for a valid destination is delivered to an address of the intruder's choosing. The command to disable source routing is:

    no ip source-route

3. Attackers may steal internal IP addresses for illegal access. To counter this, use the Cisco router's arp command to bind a fixed IP address to a MAC address:

    arp <fixed-ip-address> <mac-address> arpa

4. Prevent smurf attacks at the source site. The key is to block all inbound echo requests aimed at the broadcast address, which is done by preventing the router from mapping traffic sent to the network broadcast address onto the LAN broadcast address. Enter the following command in LAN interface configuration mode:

    no ip directed-broadcast

III. Disable unnecessary services on the router. Besides forwarding traffic, a router is also a server that offers a number of useful services. Services running on the router may become the breakthrough point of an attack, so to ensure security it is best to disable those that are not needed.

Through the methods described above, a general-purpose router is configured as a bastion router, which improves the security of the whole campus network without additional investment. Note, however, that the bastion router comes at the cost of some efficiency of the entire network and may slow the campus network's external access.
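To see how the lists in section I actually behave, here is an added example (not part of the original article and not Cisco code) that models IOS wildcard matching and first-match evaluation in Python; it loads list 101 with its masks corrected and an explicit closing permit, and checks constructed packets against it.

```python
import ipaddress
def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF      # bits the entry compares
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_addr(tok):
    # The three IOS address spellings: "any", "host A.B.C.D", "A.B.C.D W.X.Y.Z".
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return f"{tok[1]} 0.0.0.0", tok[2:]
    return f"{tok[0]} {tok[1]}", tok[2:]

def parse_acl(text: str):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()     # access-list <n> <action> <proto> <src> <dst> [eq <port>]
        action, proto, rest = tok[2], tok[3], tok[4:]
        dport = None
        if "eq" in rest:       # optional destination-port clause
            i = rest.index("eq")
            dport, rest = int(rest[i + 1]), rest[:i]
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto: str, src: str, dst: str, dport=None) -> str:
    """First matching entry wins; an IOS access list ends in an implicit deny."""
    for action, e_proto, e_src, e_dst, e_dport in entries:
        if e_proto != "ip" and e_proto != proto:   # "ip" entries match every protocol
            continue
        if e_dport is not None and e_dport != dport:
            continue
        if wildcard_match(src, e_src) and wildcard_match(dst, e_dst):
            return action
    return "deny"

# serial0 inbound list from the article, masks corrected (10/8, 172.16/12) plus the explicit permit it omits.
ACL_101 = parse_acl("""
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny tcp any 200.200.200.1 0.0.0.0 eq 23
access-list 101 deny udp any 200.200.200.1 0.0.0.0 eq 161
access-list 101 permit ip any any
""")
```

Dropping the final permit line and re-running the checks shows why it matters: every packet, including legitimate web traffic, then falls through to the implicit deny.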
