Cisco Security Practices & mdash; transform your router into a firewall

In many people's ideas, routers are routers and firewalls are firewalls. Both vrouters and firewalls can be used as egress gateways. The security of vrouters as gateways is poor, and the firewall is highly secure. In fact, for routers and firewalls, they can be regarded as a family. As a gateway, firewalls have routing functions. Why cannot routers have security functions? For routers and firewalls, they are all talented, but their respective fields are different. Routers are proficient in routing and protection, firewalls are proficient in protection, and routers are used. Just like our network engineers, we should not only understand the network but not the system, but be proficient in the network and the system. This is the best choice. The following describes how to change a common vro into a firewall.
We all know about IOS security. There is a traditional vro firewall called CBAC (context-based access control), which is the commands starting with ip inspect, it provides interface-based traffic protection. CBAC has outstanding performance in traffic filtering, traffic detection, warning and auditing, intrusion detection, and other aspects. For example, CBAC uses the timeout value and threshold value to determine the session Status and duration. It can clear incomplete sessions and idle sessions for Dos detection and protection. However, the disadvantage of CBAC is that it performs the same review policies on all traffic passing through the interface and cannot precisely control the firewall policies, which is relatively difficult to deploy.
To address this problem, a new IOS Firewall emerged, namely ZFW (Zone-base Firewall ). This firewall changes the interface-based configuration mode of the old-fashioned CBAC, and is configured in a region. Take the familiar firewall as an example. We all know that there is a DMZ area in the internal and external areas. ZFW shares the same points with the hardware firewall, you can decide which interface you want to add and the functions of each region. High Degree of Freedom, easy to use. Next we will use an experiment to verify that this experiment requires the 7200 secure IOS or L3IOU simulator ).
A company has a server that needs to be mapped to the Internet for access by others.
 

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/02223S615-0.jpg "/>

The specific requirements are as follows:
1. Only Internet users are allowed to ping the server and log on to the server through SSH;
2. Only Intranet users are allowed to ping the server and log on to the server through telnet;
3. Intranet users can access the Internet freely;
4. The server cannot access the Internet.
Step 1:
First, ensure that the server and PC can ping the gateway GW, then perform NAT on the GW, and ensure that the Intranet PC can ping the internet. Here, the NAT address pool of the gateway is 100.1.1.2-100.1.1.5, and the server performs static ing. The mapped public IP address is 100.1.1.6. The Intranet PC interface is F0/1, and the Internet interface is S1/0.
GW:
Access-list 1 permit any
Ip nat pool cisco 100.1.1.2 100.1.1.5 netmask 255.255.255.0
Ip nat inside source list 1 pool cisco overload
Ip nat inside source static 172.16.1.2 100.1.1.6
Ip route 0.0.0.0 0.0.0.0 Serial1/0
Int f0/1
Ip nat inside
Int s1/0
Ip nat outside
Enable SSH and telnet logon on the server
Server:
Ip domain name hujw.com
Crypto key generate rsa
Line vty 0 4
Password cisco
Login
Transport input ssh telnet
Step 2:
Divide the region and add the corresponding interface to the region.
Here we divide three areas: private, internet, and dmz. Private corresponds to the internal host, dmz corresponds to the server, and internet corresponds to the internet. Then, add the corresponding interfaces to these three regions. The server interface is F0/2.
GW:
Zone security internet
Zone security dmz
Zone security private
Int f0/1
Zone-member security private
Int f0/2
Zone-member security dmz
Int s1/0
Zone-member security internet
Step 3:
Create a class-map and add the protocols required for each region
First, access the Internet class-map from the Intranet. In ZFW, all traffic is denied by default. Because the Intranet PC is free, you can use the ACL to match all traffic. Here we use the previously created access-list 1.
Class-map type inspect match-any pri-to-int
Match access-group 1
Second, create an Intranet PC Access DMZ policy. As required, only ping and telnet servers are allowed. Therefore, icmp and telnet protocols must be matched.
Class-map type inspect match-any pri-to-dmz
Match protocol icmp
Match protocol telnet
The last is the policy for accessing the DMZ server through the Internet. Only the ssh server can be pinged as required, so the icmp and ssh protocols should be matched.
Class-map type inspect match-any int-to-dmz
Match protocol ssh
Match protocol icmp
Step 4:
Create policy-map and apply the policy you just created.
ZFW policies include pass, drop, and inspect. Drop is the default action, and inspect is the traffic review. The returned traffic is determined by checking the session table of the router. The PASS action does not track connections or traffic sessions, but only allows a single PASS. That is to say, if you want to configure the PASS, you must configure the PASS in both directions.
Create three policies: private-to-dmz, private-to-internet, and internet-to-dmz to call the corresponding class-map.
Policy-map type inspect private-to-dmz
Class type inspect pri-to-dmz
Inspect
Class-default
Drop

Policy-map type inspect private-to-internet
Class type inspect pri-to-int
Inspect
Class-default
Drop

Policy-map type inspect internet-to-dmz
Class type inspect int-to-dmz
Inspect
Class-default
Drop
Step 5:
Associate a policy with an API.
ZFW is not a common physical interface. It has its own dedicated interface, that is, zone-pair. Here, physical interfaces are no longer important. They are the real guard of routers! Enter the name of the source region and target region, and apply policy-map to zone-pair.
Zone-pair security private-internet source private destination internet
Service-policy type inspect private-to-internet

Zone-pair security internet-dmz source internet destination dmz
Service-policy type inspect internet-to-dmz

Zone-pair security private-dmz source private destination dmz
Service-policy type inspect private-to-dmz
Step 6:
Test the functions of each region.
Test Access from an intranet PC to a DMZ server
650) this. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "title =" clip_image002 "border =" 0 "alt =" clip_image002 "height =" 214 "src =" http://www.bkjia.com/uploads/allimg/131227/02223Q111-1.jpg "/>
The server can be pinged and accessed via telnet.
Test the access of an Internet PC to a DMZ server
650) this. width = 650; "style =" border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "title =" clip_image002 [7] "border =" 0 "alt =" clip_image002 [7] "height =" 188 "src =" http://www.bkjia.com/uploads/allimg/131227/02223U443-2.jpg "/>
You can ping and ssh to log on to the server, but cannot telnet to the server.
The Intranet PC can access the Internet at will.
A vro has become a firewall with a pattern. Although not very professional, if the professional hardware firewall is a tool for your network, this "amateur" firewall is no longer suitable!

This article from the "Searching" blog, please be sure to keep this source http://power1990.blog.51cto.com/2673141/725438