In a typical campus network the router sits outside the firewall and provides the connection to the Internet. This topology leaves the router outside the campus network's security perimeter. If the router does not apply an appropriate security policy of its own, it can become a stepping stone for attackers and a threat to the internal network.
This article uses the Cisco 2621 router as an example to describe how to configure a router as a bastion router, making it the first barrier that defends the campus network against external attacks.
I. Access list-based security policies
1. Prevent external IP address spoofing
External users may forge a valid internal network address or the loopback address as the source address in order to gain illegal access. To counter this, create the following access list:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.255.255 any
! Block all traffic whose source address is a private address.
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Block all traffic whose source address is a loopback address.
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
! Block all traffic whose source address is a multicast address.
access-list 101 deny ip host 0.0.0.0 any
! Block traffic that carries no source address.
Note: Apply list 101 in the inbound direction of the external interface. Because an extended access list ends with an implicit deny, the list must also contain permit entries for the legitimate inbound traffic, otherwise all inbound traffic is dropped.
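As an added illustration (not code from the original article), the following Python evaluator implements the wildcard-mask matching, first-match order and implicit final deny that list 101 relies on, and runs the anti-spoofing entries above against constructed sample packets. The destination address 200.200.100.1 is taken from section 3 below; the closing permit entry is an assumption about how the list is completed.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def parse_target(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tokens; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST ...' lines; port qualifiers are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.lower().split()
        if not tokens or tokens[0].startswith("!"):
            continue  # IOS comment line
        _, _, action, proto = tokens[:4]
        rest = tokens[4:]
        src = parse_target(rest)
        dst = parse_target(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed sample: the article's anti-spoofing list 101 plus the permit entry
# that must follow it (assumption), otherwise the implicit deny drops all inbound traffic.
ANTI_SPOOF_ACL = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
"""

def check_inbound(src, dst="200.200.100.1"):
    """Verdict for a packet arriving on the external interface from src (constructed dst)."""
    return evaluate(parse_acl(ANTI_SPOOF_ACL), "tcp", src, dst)
```

A mistyped wildcard such as 0.20.255.255 silently narrows the rule: wildcard_match shows that 10.64.0.1 no longer matches 10.0.0.0 under it, while the correct 0.255.255.255 catches it.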
2. Prevent external probing
Attackers usually probe the network with ping or similar tools before launching an attack on the internal network, so blocking ping, traceroute and other probes from outside denies them this reconnaissance. Create the following access list:
access-list 102 deny icmp any any echo-reply
! Prevent ping from probing the network: the echo replies never leave.
access-list 102 deny icmp any any time-exceeded
! Prevent traceroute from probing the network.
Note: Apply list 102 in the outbound direction of the external interface. With this placement the probe packets themselves still enter, but the replies that would reveal the network are blocked on the way out. As with list 101, the implicit deny at the end means legitimate outbound traffic must be permitted explicitly.
3. Protect the router itself from attack
A router is normally managed through telnet or SNMP, and no one on the Internet should be able to use these protocols against it. Assume the external interface serial0 has the IP address 200.200.200.1 and the internal interface fastethernet0 has the IP address 200.200.100.1. An inbound filter that blocks telnet and SNMP to both addresses protects the router. Create the following access list:
access-list 101 deny tcp any host 200.200.200.1 eq 23
access-list 101 deny tcp any host 200.200.100.1 eq 23
! Block telnet to both router addresses.
access-list 101 deny udp any host 200.200.200.1 eq 161
access-list 101 deny udp any host 200.200.100.1 eq 161
! Block SNMP to both router addresses.
Note: Apply list 101 in the inbound direction of the external interface. This means the administrator can no longer manage the router from the Internet, so there is a trade-off between convenience and security.
4. Prevent unauthorized access to key ports
Key ports are those used by internal systems or exposed by the firewall itself. Access to them should be restricted, otherwise the devices behind them are open to attack. Create the following access list:
! Block the RPC endpoint mapper (135) and NetBIOS ports (137-139) over TCP and UDP.
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
5. Restrict access to important internal servers
For a campus network without a dedicated firewall, using packet filtering on the router to restrict access to important servers is especially important. For a campus network with a dedicated firewall, this task can be done on the firewall, which reduces the load on the router. Whether the rules end up on the router or on the firewall, a set of access rules should be drawn up first. For example:
● Allow requests from external users to the Web server.
● Allow replies from the Web server to external users.
● Allow external SMTP servers to open connections to the internal mail server.
● Allow the internal mail server to reply to external SMTP servers.
● Allow the internal mail server to query external DNS servers.
● Allow DNS replies to the internal mail server.
● Allow TCP connections from internal hosts to the outside.
● Allow the inbound TCP replies to the requesting host.
Further rules can be added according to local conditions. Once all permitted traffic flows are listed, the access list is straightforward to design. Note that all inbound entries are applied in the IN direction of the router's external interface and all outbound entries in the OUT direction of that interface.
II. Common attack methods and countermeasures
1. Prevent external ICMP redirect spoofing
Attackers sometimes use ICMP redirect messages to change the router's forwarding decisions, so that traffic meant for the correct destination is sent to a device of their choosing, where useful information can be collected. Disable ICMP redirects from external users with the following commands:
interface serial0
no ip redirects
2. Prevent external source-route spoofing
Source routing lets the sender specify the path a datagram takes, bypassing the router's network-layer routing information. An intruder can use it to impose an illegal route on internal network datagrams, so that a datagram destined for a valid address is delivered to an address of the intruder's choosing instead. Disable source routing in global configuration mode with:
no ip source-route
3. Prevent theft of internal IP addresses
Attackers may take over internal IP addresses to gain illegal access. To counter this, use the ARP command of the Cisco router to bind a fixed IP address to a MAC address with a static ARP entry:
arp <ip-address> <mac-address> arpa
4. Prevent smurf attacks at the source
The key to stopping smurf attacks at the source is to block all inbound echo requests sent to broadcast addresses. The following command stops the router from turning traffic addressed to the network broadcast address into a LAN broadcast. Enter it in LAN interface configuration mode:
no ip directed-broadcast
III. Disable unnecessary services on the router
Besides forwarding packets, a router also acts as a server for a number of small services. These services can give an attacker a foothold, so for security they are best disabled.
With the methods described above, an ordinary router is configured as a bastion router, which improves the security of the whole campus network without additional investment. Note, however, that a bastion router pays for this with the forwarding efficiency of the whole network, and may slow the campus network's access to the outside.