Checking a device's default settings is a very important step before putting a router into service, and many people are not familiar with how routers handle these defaults. I hope this article teaches you something useful. As we all know, configuring an access control list (ACL) on a router or switch improves security and, to a certain extent, blocks hacker and virus attacks; my company has been using this method for a long time. However, in my actual work I found a problem that affects security: if you do not pay attention to the router's default settings, a carefully written ACL may have no effect at all. Like the Maginot Line in World War II, it can simply be bypassed, and viruses and hackers can attack computers on the intranet very easily.
Security Analysis:
Readers with experience in router configuration know that network administrators often configure access control lists on routers or switches to block viruses and hackers. On routers and switches produced by Cisco, a "deny any" statement is automatically added at the end of every access control list by default, so a packet that matches none of the rules in the list is discarded.
Recently, my company added Huawei 2621 series routers. In general, the configuration methods for Cisco and Huawei devices are largely the same, so I wrote the ACL rules following the configuration statements of the Cisco router and entered them on the Huawei router. Because Cisco adds the deny any statement automatically by default, I took it for granted that the Huawei router would add this statement too. After the configuration was done, however, I found that none of the ACL filtering rules had taken effect: the packets that should have been filtered were still forwarded normally by the router.
After repeated research and consulting the documentation, I found that Huawei's access control lists end with a "permit any" statement by default, so a packet that matches none of the rules in the list is allowed to pass. The serious consequence is that packets not matching any ACL rule are forwarded unconditionally by the router rather than discarded as on Cisco, so the packets that were supposed to be filtered are not filtered at all and network security is at risk. Illegal packets bypass the anti-virus "Maginot Line" the network administrator set up so carefully and can easily intrude into the user's intranet.
Solution:
How can this problem be solved? It is caused by the Huawei router's default settings. We can either add a "deny any" statement at the end of the ACL or change the default action at the end of every ACL to deny any. The first method takes effect only for the current ACL; when a new ACL is created later, the router will by default still allow all packets to pass. The second method changes the router's default value to the same default as the Cisco device, so that all packets matching no rule are blocked.
1. Add an ACL rule directly
After entering all the ACL statements on the Huawei device, add "rule deny ip source any destination any" as the last rule so that packets matching none of the preceding rules are discarded.
2. Modify the default settings
Use "firewall default deny" on the Huawei device to change the default action from forwarding to discarding packets that match no rule, which removes the vulnerability introduced by the default. Therefore, we recommend the second method to fix this defect in the default settings.
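To make the difference between the two vendors' defaults concrete, here is an added example (not code from the original article or from either vendor) that models first-match ACL evaluation in Python. The rule set, packets and addresses are constructed for illustration; the `default_action` parameter stands in for the vendor's implicit end-of-list behaviour (deny on Cisco, permit on Huawei unless "firewall default deny" is configured), and `ends_with_catch_all_deny` is the check an administrator would run before trusting an ACL that was written with Cisco's implicit deny in mind.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    source: str        # CIDR prefix or "any"
    destination: str   # CIDR prefix or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Explicit catch-all, the equivalent of
# "rule deny ip source any destination any" on the Huawei device.
CATCH_ALL_DENY = Rule("deny", "any", "any")


def _matches(prefix: str, addr: str) -> bool:
    """True if addr falls inside prefix; 'any' matches every address."""
    if prefix == "any":
        return True
    return ip_address(addr) in ip_network(prefix, strict=False)


def evaluate(rules: list, packet: Packet, default_action: str) -> str:
    """First-match evaluation. default_action is what the device does when
    no rule matches: 'deny' models Cisco's implicit deny any (and Huawei
    after 'firewall default deny'); 'permit' models the Huawei default
    described in the article."""
    for rule in rules:
        if _matches(rule.source, packet.src) and _matches(rule.destination, packet.dst):
            return rule.action
    return default_action


def ends_with_catch_all_deny(rules: list) -> bool:
    """Audit check: does this ACL close with an explicit deny any/any?"""
    return bool(rules) and rules[-1] == CATCH_ALL_DENY


def compare_configurations(rules: list, packet: Packet) -> dict:
    """Outcome of one packet under the three configurations the article
    discusses: Huawei default, explicit catch-all rule, and default deny."""
    return {
        "huawei_default_permit": evaluate(rules, packet, "permit"),
        "explicit_deny_rule": evaluate(rules + [CATCH_ALL_DENY], packet, "permit"),
        "firewall_default_deny": evaluate(rules, packet, "deny"),
    }


# Constructed whitelist written "the Cisco way": only the LAN may reach the
# mail server, and everything else is expected to be dropped implicitly.
LAN_RULES = [Rule("permit", "192.168.1.0/24", "10.0.0.25/32")]

# Constructed sample traffic (documentation/test address ranges).
FROM_LAN = Packet("192.168.1.10", "10.0.0.25")
FROM_OUTSIDE = Packet("203.0.113.7", "10.0.0.25")

if __name__ == "__main__":
    print("ACL ends with catch-all deny:", ends_with_catch_all_deny(LAN_RULES))
    for name, pkt in (("LAN host", FROM_LAN), ("outside host", FROM_OUTSIDE)):
        print(name, compare_configurations(LAN_RULES, pkt))
```

Running the script shows the failure the article describes: the outside packet is permitted under the Huawei default, while both fixes (an explicit final deny rule or "firewall default deny") discard it, and LAN traffic is unaffected either way. The audit function flags the ACL as lacking a catch-all deny, which is exactly the condition that made the original rule set ineffective.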
Summary:
After this "Maginot Line" incident, we can see that even when the configuration commands look the same, if the vendor differs it is best to read the user manual in advance (paying special attention to the default settings), because default settings can cause many unexpected faults. When a problem appears, do not jump to suspecting faulty hardware; start from the software and the configuration commands instead. A small default setting can completely breach a well-built anti-virus system. Therefore, network administrators should carefully test network behaviour after every configuration change to make sure the measures actually took effect.