Network/Security 2015. 4. 2. 16:20

Attached files:

- ACL & Cisco IOS Firewall.pdf
- [Figure 13-1] Network topology preconfig.txt ([그림 13-1] 네트워크 토폴로지 preconfig.txt)
- [LAB-20] ACL.pdf
- [lab-20] acl.txt
- [LAB-21] TCP Intercept.pdf
- [lab-21] tcp intercept.txt

- Device labs (장비 실습)
- Network security labs.pdf (네트워크 보안 실습.pdf)
- Firewall example.txt (방화벽 예제.txt)


[YouTube] Video lectures (subscribe and like!)

Building a TCP firewall with 'established'   https://youtu.be/wc4cJdXSYXU

Firewall with Reflexive ACLs   https://youtu.be/X-swZxyyndk

Firewall with CBAC   https://youtu.be/jBLAMUvw980

Dynamic ACL (Lock&Key) access to the inside network   https://youtu.be/o59HNDLKoNs

Blocking IP fragment attacks   https://youtu.be/xH2ebQ00jE4

Blocking ICMP flooding (Ping of Death)   https://youtu.be/kzQRjKdNpTs

Blocking TCP SYN flooding   https://youtu.be/Xd5h-SDUdkA

Blocking IP spoofing with uRPF   https://youtu.be/2QPxrLB55eY

Configuring Cisco IOS Firewall with SDM   https://youtu.be/G-SrZM8sOhk


Textbook contents (page numbers refer to the textbook):

12 ACL

           ACL overview ········· Page 336
           Cautions when configuring ACLs ········· Page 337
           ACL types ········· Page 340
           Wildcard masks ········· Page 341
           Numbered standard ACL configuration ········· Page 344
           Numbered extended ACL configuration ········· Page 347

13 Cisco IOS Firewall

           Cisco IOS Firewall overview ········· Page 352
           Traffic filtering ········· Page 352
           The 'established' keyword ········· Page 354
           Reflexive ACLs ········· Page 356
           CBAC ········· Page 360
           Dynamic ACLs ········· Page 365
           Blocking IP fragment attacks ········· Page 369
           Blocking ICMP flooding ········· Page 372
           Blocking TCP SYN flooding ········· Page 374
           Blocking IP spoofing with uRPF ········· Page 380


Ex) Configure a Cisco IOS firewall on R1 using reflexive ACLs.

 - The inside must be able to use TCP, UDP and ICMP services on the outside.
 - That is, TCP, UDP and ICMP packets originated on the inside must be able to go out, and their replies must be able to come back in.
 - All other packets originated on the outside must be blocked from reaching the inside.
 - Blocked traffic must generate log messages, and these must be sent to the Syslog server.
 - RIPv2 routing updates between R1 and R2 must not be disrupted.
 - TACACS+ messages arriving at R1 from the outside must not be blocked.
 - NTP synchronization messages arriving at R1 from the outside must not be blocked.
 - Log messages destined for the Syslog server that arrive at R1 from the outside must not be blocked.


Ex) Configure a Lock&Key service on R1 using a Dynamic ACL.

 - To reach the inside network from the outside, a user must first authenticate by Telnet to R1 S1/0 (13.13.9.1).
 - The Telnet credentials are username abc, password abc1234.


1. On R2, block the following traffic destined for the R2 inside network '13.13.12.0/24'.

 1.1. Block Telnet traffic from '150.1.13.254' and HTTP traffic from '150.3.13.254'.
 1.2. Block pings from the source subnet '13.13.11.0/24' to the destination subnet '13.13.12.0/24'.
 1.3. Blocked traffic must produce log messages, and the messages must show the ingress interface.
 1.4. All other traffic must be allowed. Do the configuration on R2.


@ R2

 

ip access-list extended DENY_Traffic
! log-input records the ingress interface (and the source MAC on LAN interfaces); plain 'log' does not
 deny tcp host 150.1.13.254 13.13.12.0 0.0.0.255 eq telnet log-input
 deny tcp host 150.3.13.254 13.13.12.0 0.0.0.255 eq www log-input
 deny icmp 13.13.11.0 0.0.0.255 13.13.12.0 0.0.0.255 echo log-input
! requirement 1.4: everything else passes instead of hitting the implicit deny
 permit ip any any
!
int s1/0.123
 ip access-group DENY_Traffic in

R4#telnet 13.13.12.2

Trying 13.13.12.2 ...

% Destination unreachable; gateway or host down

R5#telnet 13.13.12.2 80

Trying 13.13.12.2, 80 ...

% Destination unreachable; gateway or host down

R1#ping 13.13.12.2 source 13.13.11.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 13.13.12.2, timeout is 2 seconds:

Packet sent with a source address of 13.13.11.1

U.U.U

Success rate is 0 percent (0/5)

R2#

*Mar  1 00:04:28.151: %SEC-6-IPACCESSLOGP: list DENY_Traffic denied tcp 150.1.13.254(20074) (Serial1/0.123 ) -> 13.13.12.2(23), 1 packet

R2#

*Mar  1 00:04:32.367: %SEC-6-IPACCESSLOGP: list DENY_Traffic denied tcp 150.3.13.254(34576) (Serial1/0.123 ) -> 13.13.12.2(80), 1 packet

R2#

*Mar  1 00:04:42.419: %SEC-6-IPACCESSLOGDP: list DENY_Traffic denied icmp 13.13.11.1 (Serial1/0.123 ) -> 13.13.12.2 (8/0), 1 packet

R2#

R2#show ip access-lists

Extended IP access list DENY_Traffic

    10 deny tcp host 150.1.13.254 13.13.12.0 0.0.0.255 eq telnet log-input (1 match)

    20 deny tcp host 150.3.13.254 13.13.12.0 0.0.0.255 eq www log-input (1 match)

    30 deny icmp 13.13.11.0 0.0.0.255 13.13.12.0 0.0.0.255 echo log-input (5 matches)

    40 permit ip any any (12 matches)

@ R2

 

no ip access-list extended DENY_Traffic

!

int s1/0.123

 no ip access-group DENY_Traffic in
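Requirement 1.3 is what log-input is for, and the %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP lines above are exactly what reaches the Syslog server. As an added example (not part of the original lab), the following Python parses those message formats, plus the %SEC-6-IPACCESSLOGNP form IOS uses for protocols other than TCP/UDP/ICMP, and runs simple detection logic over them. The three R2 messages from the lab are used as they appear on the page; the FastEthernet line with a source MAC, the GRE line (protocol 47) and the non-ACL noise line are constructed for the example, and the list name In-Filter on the constructed lines is taken from the final R1 configuration further down.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shapes of the IOS ACL log messages (the 'log' and 'log-input' keywords):
#   %SEC-6-IPACCESSLOGP  - tcp/udp: port in parentheses after each address
#   %SEC-6-IPACCESSLOGDP - icmp:    "(type/code)" after the destination
#   %SEC-6-IPACCESSLOGNP - other IP protocols, given by number (e.g. 47 for GRE)
# With 'log-input' the ingress interface, and on LAN interfaces the source MAC,
# follow the source address in parentheses; with plain 'log' that group is absent.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ingress>[^\s)]+)(?: (?P<mac>[0-9a-fA-F.]+))?\s*\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

@dataclass(frozen=True)
class AclLogEvent:
    acl: str
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    ingress: Optional[str]      # only present with log-input
    mac: Optional[str]          # only present with log-input on a LAN interface
    count: int                  # packets summarised by this one message

def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None

def parse_acl_log(line: str) -> Optional[AclLogEvent]:
    """Parse one syslog line; returns None for anything that is not an ACL log message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return AclLogEvent(g["acl"], g["action"], g["proto"],
                       g["src"], _opt_int(g["sport"]), g["dst"], _opt_int(g["dport"]),
                       _opt_int(g["itype"]), _opt_int(g["icode"]),
                       g["ingress"], g["mac"], int(g["count"]))

def parse_all(lines: List[str]) -> List[AclLogEvent]:
    return [e for e in map(parse_acl_log, lines) if e is not None]

def denied_packets_by_source(events: List[AclLogEvent]) -> Dict[str, int]:
    """Sum the packet counts: after the first hit IOS sends one summary per 5-minute interval."""
    totals: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.action == "denied":
            totals[e.src] += e.count
    return dict(totals)

def sources_probing_multiple_ports(events: List[AclLogEvent], min_targets: int = 2) -> List[str]:
    """Sources whose denied packets touched at least min_targets distinct (dst, port) pairs."""
    targets: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.action == "denied" and e.dport is not None:
            targets[e.src].add((e.dst, e.dport))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

# The first three lines are the R2 messages from the lab; the rest are constructed for this example.
SAMPLE_LINES = [
    "*Mar  1 00:04:28.151: %SEC-6-IPACCESSLOGP: list DENY_Traffic denied tcp 150.1.13.254(20074) (Serial1/0.123 ) -> 13.13.12.2(23), 1 packet",
    "*Mar  1 00:04:32.367: %SEC-6-IPACCESSLOGP: list DENY_Traffic denied tcp 150.3.13.254(34576) (Serial1/0.123 ) -> 13.13.12.2(80), 1 packet",
    "*Mar  1 00:04:42.419: %SEC-6-IPACCESSLOGDP: list DENY_Traffic denied icmp 13.13.11.1 (Serial1/0.123 ) -> 13.13.12.2 (8/0), 1 packet",
    "*Mar  1 00:09:01.003: %SEC-6-IPACCESSLOGP: list In-Filter denied tcp 150.1.13.254(40001) (FastEthernet0/0 ca01.1b2c.0008) -> 13.13.12.2(22), 4 packets",
    "*Mar  1 00:09:05.120: %SEC-6-IPACCESSLOGNP: list In-Filter denied 47 150.1.13.254 (Serial1/0.123 ) -> 13.13.12.2, 1 packet",
    "*Mar  1 00:09:10.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    print(denied_packets_by_source(events))          # {'150.1.13.254': 6, '150.3.13.254': 1, '13.13.11.1': 1}
    print(sources_probing_multiple_ports(events))    # ['150.1.13.254']
```

Two operational points follow from the format. The trailing packet count must be summed, not counted per line, because IOS logs the first matching packet at once and then one summary per five-minute interval (`ip access-list logging interval` and `ip access-list log-update threshold` change that cadence). And every logged deny is process-switched, so on a busy link the logging itself costs CPU; keep log-input on the few specific entries you care about, as this lab does, rather than on a catch-all deny.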

 

 

 

2. Using the 'established' keyword, configure an ACL on R2 that meets the following conditions.

2.1 Block TCP traffic from the outside network to the R2 inside network '13.13.12.0/24'.

2.2 The inside network '13.13.12.0/24' must still be able to open TCP connections to the outside.

'established' matches only TCP segments with the ACK or RST bit set, which is what replies to inside-initiated connections carry. The check is stateless: any segment with ACK set is let through, whether or not an inside host ever opened the session, so an ACK scan from the outside passes this filter.


@ R2

 

! 'established' = only segments with ACK or RST set, i.e. replies to sessions opened from the inside
access-list 110 permit tcp any 13.13.12.0 0.0.0.255 established
! keep RIPv2 working; everything else inbound hits the implicit deny
access-list 110 permit udp any eq 520 any eq 520
!
int s1/0.123
 ip access-group 110 in

R2#telnet 150.1.13.254 /source-interface fa0/1

Trying 150.1.13.254 ... Open

 

User Access Verification

 

Password:

R4>exit

 

[Connection to 150.1.13.254 closed by foreign host]

R4#telnet 13.13.12.2

Trying 13.13.12.2 ...

% Destination unreachable; gateway or host down

R5#telnet 13.13.12.2 80

Trying 13.13.12.2, 80 ...

% Destination unreachable; gateway or host down

@ R2

 

no access-list 110

!

int s1/0.123

 no ip access-group 110 in

 

 

 

3. Using a Reflexive ACL, configure an ACL on R1 that meets the following conditions.

 3.1 The '13.13.z.z' networks (13.13.0.0/16) must be able to reach the outside network '150.1.13.0/24' with TCP, UDP and ICMP, but no traffic from the outside network '150.1.13.0/24' may reach the '13.13.z.z' networks.


@ R1

 

ip access-list extended OUT_Traffic
! every inside -> outside session permitted here is mirrored into the temporary list CISCO
 permit tcp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO
 permit udp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO
 permit icmp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO
!
ip access-list extended IN_Traffic
 permit udp any eq 520 any eq 520
! evaluate inserts the mirrored entries at this point; everything else falls to the implicit deny
 evaluate CISCO
!
int fa0/0
 ip access-group OUT_Traffic out
 ip access-group IN_Traffic in

 

R1#show ip access-lists

Reflexive IP access list CISCO

Extended IP access list IN_Traffic

    10 permit udp any eq rip any eq rip

    20 evaluate CISCO

Extended IP access list OUT_Traffic

    10 permit tcp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO

    20 permit udp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO

    30 permit icmp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO

R4#ping 13.13.12.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 13.13.12.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

R2#ping 150.1.13.254 source 13.13.12.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.13.254, timeout is 2 seconds:

Packet sent with a source address of 13.13.12.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/41/52 ms

R1#show ip access-lists

Reflexive IP access list CISCO

     permit icmp host 150.1.13.254 host 13.13.12.2  (20 matches) (time left 296)

Extended IP access list IN_Traffic

    10 permit udp any eq rip any eq rip

    20 evaluate CISCO

Extended IP access list OUT_Traffic

    10 permit tcp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO

    20 permit udp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO

    30 permit icmp 13.13.0.0 0.0.255.255 150.1.13.0 0.0.0.255 reflect CISCO (10 matches)

 

 

 3.2 In addition, R1 itself must be able to Telnet to '150.1.13.254' for management purposes.

R1's own Telnet times out because packets the router itself generates are not evaluated by the outbound ACL, so no reflexive entry is ever created for them, and the reply from 150.1.13.254 falls through to the implicit deny of IN_Traffic. The reply therefore has to be permitted statically:


R1#telnet 150.1.13.254

Trying 150.1.13.254 ...

% Connection timed out; remote host not responding

@ R1

 

ip access-list extended IN_Traffic
! reply half of R1's own Telnet: source port 23 on 150.1.13.254 to R1's fa0/0 address
 permit tcp host 150.1.13.254 eq telnet host 150.1.13.1

R1#telnet 150.1.13.254

Trying 150.1.13.254 ... Open

 

User Access Verification

 

Password:

R4>exit

[Connection to 150.1.13.254 closed by foreign host]

@ R1

 

no ip access-list extended OUT_Traffic

no ip access-list extended IN_Traffic

!

int fa0/0

 no ip access-group OUT_Traffic out

 no ip access-group IN_Traffic in
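Labs 2 and 3 differ in one point: 'established' inspects flag bits in the arriving segment, whereas a reflexive ACL looks up a session entry that the outbound packet created. The Python below, added here as an example and not part of the original lab, models both filters on R1's addressing (13.13.0.0/16 inside, 150.1.13.0/24 outside, R2's LAN 13.13.12.0/24 for the lab 2 list) and shows an ACK-only probe passing the first but not the second, the 300-second reflexive timeout seen as "time left 296" above, and why R1's own Telnet in step 3.2 is never reflected. Source ports and timestamps are made up for the example, and the FIN/RST teardown of TCP reflexive entries is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

def _ip(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'do not care about this bit'."""
    return ((_ip(ip) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False
    rst: bool = False

INSIDE = ("13.13.0.0", "0.0.255.255")      # the '13.13.z.z' networks
OUTSIDE = ("150.1.13.0", "0.0.0.255")
INSIDE_LAN = ("13.13.12.0", "0.0.0.255")   # R2's LAN, the destination in the lab 2 list

def is_rip(pkt: Packet) -> bool:
    return pkt.proto == "udp" and pkt.sport == 520 and pkt.dport == 520

def established_acl(pkt: Packet) -> bool:
    """Lab 2 inbound filter: 'permit tcp any 13.13.12.0 0.0.0.255 established',
    'permit udp any eq 520 any eq 520', implicit deny.
    Stateless: only the ACK/RST bits of the arriving segment are examined."""
    if is_rip(pkt):
        return True
    return (pkt.proto == "tcp" and wildcard_match(pkt.dst, *INSIDE_LAN)
            and (pkt.ack or pkt.rst))

class ReflexiveFirewall:
    """Lab 3 on R1: OUT_Traffic with 'reflect CISCO' outbound on fa0/0,
    IN_Traffic with 'evaluate CISCO' inbound.  Entries live in a table keyed by
    the mirrored 5-tuple and expire after the reflexive-list timeout."""

    def __init__(self, timeout: float = 300.0):   # 'ip reflexive-list timeout' default: 300 s
        self.timeout = timeout
        self.entries: Dict[Tuple, float] = {}     # mirrored tuple -> expiry time

    @staticmethod
    def _key(proto, src, sport, dst, dport) -> Tuple:
        if proto == "icmp":                         # IOS reflects ICMP on addresses only
            return (proto, src, None, dst, None)    # ('permit icmp host A host B' in the show output)
        return (proto, src, sport, dst, dport)

    def outbound(self, pkt: Packet, now: float, router_originated: bool = False) -> bool:
        if router_originated:
            # Traffic the router itself generates is never run through an outbound ACL,
            # so it is sent but no reflexive entry is created (lab step 3.2).
            return True
        permitted = (pkt.proto in ("tcp", "udp", "icmp")
                     and wildcard_match(pkt.src, *INSIDE)
                     and wildcard_match(pkt.dst, *OUTSIDE))
        if permitted:
            # the reflected entry swaps source and destination (and ports)
            key = self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.entries[key] = now + self.timeout
        return permitted

    def inbound(self, pkt: Packet, now: float) -> bool:
        if is_rip(pkt):                                # 'permit udp any eq rip any eq rip'
            return True
        key = self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or expiry <= now:
            self.entries.pop(key, None)
            return False                               # implicit deny: nothing was reflected
        self.entries[key] = now + self.timeout         # matching traffic refreshes the timer
        return True

def demo() -> Dict[str, bool]:
    fw = ReflexiveFirewall()
    r: Dict[str, bool] = {}
    # 1. ACK-only probe from the outside, as an ACK scan sends: no session was ever opened
    probe = Packet("tcp", "150.1.13.254", "13.13.12.2", 40000, 23, ack=True)
    r["ack_probe_established"] = established_acl(probe)     # True: the bit check alone lets it in
    r["ack_probe_reflexive"] = fw.inbound(probe, now=0)       # False: no reflected entry
    # 2. inside host opens Telnet to the outside; the SYN/ACK matches the reflected entry
    fw.outbound(Packet("tcp", "13.13.12.2", "150.1.13.254", 20125, 23, syn=True), now=0)
    synack = Packet("tcp", "150.1.13.254", "13.13.12.2", 23, 20125, syn=True, ack=True)
    r["reply_reflexive"] = fw.inbound(synack, now=1)          # True
    r["reply_after_timeout"] = fw.inbound(synack, now=302)    # False: entry aged out after 300 s idle
    # 3. ICMP from the inside: the echo reply matches the address-only reflected entry
    fw.outbound(Packet("icmp", "13.13.12.2", "150.1.13.254"), now=0)
    r["echo_reply_reflexive"] = fw.inbound(Packet("icmp", "150.1.13.254", "13.13.12.2"), now=1)  # True
    # 4. Telnet from R1 itself (150.1.13.1): sent, but never reflected, so the reply is dropped
    fw.outbound(Packet("tcp", "150.1.13.1", "150.1.13.254", 11000, 23, syn=True), now=0,
                router_originated=True)
    reply = Packet("tcp", "150.1.13.254", "150.1.13.1", 23, 11000, syn=True, ack=True)
    r["router_reply_reflexive"] = fw.inbound(reply, now=1)    # False
    return r

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'permit' if ok else 'deny'}")
```

The same probe that case 1 lets through the 'established' list is what makes that list unsuitable as the only barrier in front of hosts that are reachable from untrusted networks; the reflexive table in cases 2 and 3 only ever admits the mirror image of a session an inside host actually started.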

 

 

 

4. The server connected to R5 (13.13.5.5) is under a DoS attack using IP fragments from source '13.13.12.2'. Solve this on R3.

The 'fragments' keyword matches only non-initial fragments (fragment offset greater than 0); the first fragment, which carries the layer-4 header, is evaluated by the remaining entries and is permitted here by 'permit ip any any'. Dropping the non-initial fragments is enough: 13.13.5.5 can never reassemble the datagram, so the 4000-byte ping below gets no reply. Note that this also drops every legitimate fragmented datagram sent to the server.


R2#ping

Protocol [ip]:

Target IP address: 13.13.5.5

Repeat count [5]: 1

Datagram size [100]: 4000

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1, 4000-byte ICMP Echos to 13.13.5.5, timeout is 2 seconds:

!

Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

@ R3

 

ip access-list extended Deny_Fragments
! 'fragments' matches only non-initial fragments (offset > 0); the first fragment is judged by the next entry
 deny ip any host 13.13.5.5 fragments
 permit ip any any
!
int fa0/0
 ip access-group Deny_Fragments out

 

 

R2#ping

Protocol [ip]:

Target IP address: 13.13.5.5

Repeat count [5]: 1

Datagram size [100]: 4000

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1, 4000-byte ICMP Echos to 13.13.5.5, timeout is 2 seconds:

.

Success rate is 0 percent (0/1)

@ R3

 

no ip access-list extended Deny_Fragments

!

int fa0/0

 no ip access-group Deny_Fragments out
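The result of this lab follows from how IOS evaluates the 'fragments' keyword and port-based entries against non-initial fragments. The Python below is an added example (not from the original lab): it splits the 4000-byte echo into fragments for a 1500-byte MTU, runs them through R3's list, and then generalizes to why a 'fragments' entry is placed ahead of a port-based deny. The ACL model is limited to protocol, destination host and destination port; the MTU and the HTTP example lists are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    offset: int                   # fragment offset in bytes; 0 = initial fragment, carries the L4 header
    more: bool                    # MF flag
    dport: Optional[int] = None   # known only on the initial fragment

@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    dst: str                      # "any" or one host address
    dport: Optional[int] = None   # layer-4 condition, if the entry has one
    fragments: bool = False       # the 'fragments' keyword

def _l3_match(e: Entry, f: Fragment) -> bool:
    return e.proto in ("ip", f.proto) and e.dst in ("any", f.dst)

def evaluate(acl: List[Entry], f: Fragment) -> str:
    """IOS extended-ACL handling of fragments:
    - an entry with 'fragments' matches only non-initial fragments (offset > 0);
    - an entry with no layer-4 condition matches initial and non-initial fragments alike;
    - an entry with a layer-4 condition checks the port on the initial fragment; a non-initial
      fragment has no port to check, so a matching 'permit' passes it and a matching 'deny' is skipped."""
    for e in acl:
        if not _l3_match(e, f):
            continue
        if e.fragments:
            if f.offset > 0:
                return e.action
            continue
        if e.dport is None:
            return e.action
        if f.offset == 0:
            if f.dport == e.dport:
                return e.action
            continue
        if e.action == "permit":
            return "permit"
    return "deny"                 # implicit deny

def fragment(src: str, dst: str, proto: str, payload_len: int, mtu: int = 1500,
             dport: Optional[int] = None) -> List[Fragment]:
    """Split a datagram carrying payload_len bytes after its 20-byte IP header into MTU-sized fragments."""
    per_frag = (mtu - 20) // 8 * 8          # 1480 data bytes per fragment on a 1500-byte MTU
    frags, off = [], 0
    while off < payload_len:
        last = off + per_frag >= payload_len
        frags.append(Fragment(src, dst, proto, off, not last, dport if off == 0 else None))
        off += per_frag
    return frags

def decisions(acl: List[Entry], frags: List[Fragment]) -> List[str]:
    return [evaluate(acl, f) for f in frags]

# Lab 4, R3: 'deny ip any host 13.13.5.5 fragments' then 'permit ip any any'
R3_ACL = [Entry("deny", "ip", "13.13.5.5", fragments=True), Entry("permit", "ip", "any")]

def lab4_ping() -> List[str]:
    # a 4000-byte ICMP echo: 20-byte IP header + 3980 bytes (8 ICMP header + 3972 data)
    frags = fragment("13.13.12.2", "13.13.5.5", "icmp", 3980)
    return decisions(R3_ACL, frags)   # first fragment passes, the rest are dropped: no reassembly, no reply

# Why 'fragments' entries belong in front of port-based entries (assumed lists for the example)
PORT_ONLY = [Entry("deny", "tcp", "13.13.5.5", dport=80), Entry("permit", "ip", "any")]
WITH_FRAGMENTS = [Entry("deny", "ip", "13.13.5.5", fragments=True)] + PORT_ONLY

def http_fragments() -> Tuple[List[str], List[str]]:
    frags = fragment("13.13.12.2", "13.13.5.5", "tcp", 3000, dport=80)
    return decisions(PORT_ONLY, frags), decisions(WITH_FRAGMENTS, frags)

if __name__ == "__main__":
    print(lab4_ping())          # ['permit', 'deny', 'deny']
    print(http_fragments())     # (['deny', 'permit', 'permit'], ['deny', 'deny', 'deny'])
```

The second pair is the practical lesson: with only 'deny tcp ... eq 80', the non-initial fragments of a blocked HTTP request sail through the port-based deny because there is no port to compare, and a list whose final entry is 'permit ip any any' then forwards them. Putting a 'fragments' deny first closes that path.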

 

 

 

5. Using a Dynamic ACL, configure an ACL on R3 that meets the following conditions.

5.1 The outside network '150.3.13.0/24' may access the inside network '13.13.0.0/16' only after authenticating through a Telnet login; configure a Dynamic ACL for this.

5.2 Telnet credentials: username 'admin', password 'cisco'

Telnet carries the password across the network in the clear; where the platform allows it, offer the Lock&Key login over SSH on the same vty lines instead.


@ R3

 

username admin password cisco
! 'password' stores the credential reversibly; 'username admin secret cisco' is the hashed form
username admin autocommand access-enable host
! on login the router creates a dynamic entry for the authenticating host only, then closes the session
!
line vty 0 4
 login local
!
ip access-list extended IN_Traffic
! the Telnet login itself must be reachable before any dynamic entry exists
 permit tcp 150.3.13.0 0.0.0.255 host 13.13.3.3 eq telnet
! 'timeout 10' is the absolute lifetime of the dynamic entry, in minutes
 dynamic Lock&Key timeout 10 permit ip 150.3.13.0 0.0.0.255 13.13.0.0 0.0.255.255
 deny ip 150.3.13.0 0.0.0.255 13.13.0.0 0.0.255.255
 permit ip any any
!
int fa0/0
 ip access-group IN_Traffic in

 

R3#show ip access-lists

Extended IP access list IN_Traffic

    10 permit tcp 150.3.13.0 0.0.0.255 host 13.13.3.3 eq telnet

    20 Dynamic Lock&Key permit ip 150.3.13.0 0.0.0.255 13.13.0.0 0.0.255.255

    30 deny ip 150.3.13.0 0.0.0.255 13.13.0.0 0.0.255.255

    40 permit ip any any

R5#ping 13.13.12.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 13.13.12.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

R5#

R5#telnet 13.13.3.3

Trying 13.13.3.3 ... Open

 

User Access Verification

 

Username: admin

Password:

[Connection to 13.13.3.3 closed by foreign host]

R5#

R5#ping 13.13.12.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 13.13.12.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/52 ms

R3#show ip access-lists

Extended IP access list IN_Traffic

    10 permit tcp 150.3.13.0 0.0.0.255 host 13.13.3.3 eq telnet (69 matches)

    20 Dynamic Lock&Key permit ip 150.3.13.0 0.0.0.255 13.13.0.0 0.0.255.255

       permit ip host 150.3.13.254 13.13.0.0 0.0.255.255 (5 matches)

    30 deny ip 150.3.13.0 0.0.0.255 13.13.0.0 0.0.255.255 (11 matches)

    40 permit ip any any (6 matches)

@ R3

 

no ip access-list extended IN_Traffic

!

int fa0/0

 no ip access-group IN_Traffic in

 

 

6. Using CBAC, configure an ACL on R1 that meets the following conditions.

6.1 Allow the inside '13.13.0.0/16' TCP, UDP, FTP and Telnet access to the outside network '150.1.13.0/24'.

6.2 Block access from the outside network '150.1.13.0/24' to the inside network '13.13.0.0/16'.

6.3 Traffic handled by CBAC must produce log messages.

6.4 After a Telnet connection to the outside network, the connection must be closed automatically after 5 minutes of inactivity.


@ R1

 

ip inspect name CISCO tcp
ip inspect name CISCO udp
ip inspect name CISCO ftp
! ftp inspection also opens the data channel negotiated on the control session
ip inspect name CISCO telnet timeout 300
! 300 s idle timeout for Telnet sessions (requirement 6.4); the tcp default is 3600 s
!
ip inspect audit-trail
! logs session start/stop as %FW-6-SESS_AUDIT_TRAIL_* (requirement 6.3)
!
ip access-list extended IN_Traffic
 permit udp any eq 520 any eq 520
! only RIPv2 is allowed in statically; CBAC adds temporary entries for the return traffic it inspects
!
int fa0/0
 ip access-group IN_Traffic in
 ip inspect CISCO out

R4#telnet 13.13.12.2

Trying 13.13.12.2 ...

% Destination unreachable; gateway or host down

R2#telnet 150.1.13.254

Trying 150.1.13.254 ... Open

 

User Access Verification

 

Password:

R4>

R1#

*Mar  1 00:42:23.771: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (13.13.9.2:20125) -- responder (150.1.13.254:23)

R1#

R1#show ip inspect session

Established Sessions

 Session 66A88824 (13.13.9.2:20125)=>(150.1.13.254:23) telnet SIS_OPEN

R1#

R1#show ip inspect interface

Interface Configuration

 Interface FastEthernet0/0

  Inbound inspection rule is not set

  Outgoing inspection rule is CISCO

    tcp alert is on audit-trail is on timeout 3600

    udp alert is on audit-trail is on timeout 30

    ftp alert is on audit-trail is on timeout 3600

    telnet alert is on audit-trail is on timeout 300

  Inbound access list is IN_Traffic

  Outgoing access list is not set

 

 

6.5 In addition, R1 itself must be able to Telnet to '150.1.13.254' for management purposes.

As in step 3.2, sessions the router itself originates are not inspected by default, so the returning Telnet segments are dropped by IN_Traffic and have to be permitted statically. On IOS releases that support it, the router-traffic keyword on 'ip inspect name' lets CBAC inspect router-originated TCP sessions instead of relying on a static permit.


R1#telnet 150.1.13.254

Trying 150.1.13.254 ...

% Connection timed out; remote host not responding

@ R1

 

ip access-list extended IN_Traffic
! reply half of R1's own Telnet: source port 23 on 150.1.13.254 to R1's fa0/0 address
 permit tcp host 150.1.13.254 eq telnet host 150.1.13.1

R1#telnet 150.1.13.254

Trying 150.1.13.254 ... Open

 

User Access Verification

 

Password:

R4>exit

 

[Connection to 150.1.13.254 closed by foreign host]


 

 

 

----------------R2-------------------[S1/0]R1[F0/0]--------------------------[F0/0]R4

13.13.12.2/24                     13.13.9.1/24  150.1.13.1/24          150.1.13.254/24

 

 

Attached file: Cisco IOS Firewall 설정.txt (Cisco IOS Firewall configuration, R1)

 

@ R1

 

username admin privilege 15 password cisco
! privilege 15 is not required for Lock&Key; access-enable is a user-level command
username admin autocommand access-enable host timeout 10
! creates the dynamic entry for the authenticating host only; 'timeout 10' is a 10-minute idle timeout
!
line vty 0 4
 login local
!
ip access-list extended In-Filter
 permit udp any eq 520 any eq 520
! Telnet to S1/0 (13.13.9.1) is what triggers the Lock&Key login
 permit tcp any host 13.13.9.1 eq telnet
 dynamic Lock&Key permit ip any 150.1.13.0 0.0.0.255
! the 'fragments' entry only keeps a separate hit counter here; the final entry drops everything else anyway
 deny ip any any fragments
 deny ip any any
!
ip inspect name CISCO tcp
ip inspect name CISCO udp
ip inspect name CISCO icmp
!
int s1/0
 ip inspect CISCO out
 ip access-group In-Filter in
 ip verify unicast reverse-path
!
access-list 100 deny ip 150.1.13.0 0.0.0.255 host 141.101.121.207
access-list 100 permit ip any any
!
int fa0/0
 ip access-group 100 in
 ip verify unicast reverse-path
!
! TCP intercept: the router answers the SYN and completes the three-way handshake on the
! server's behalf for every connection matched by list 110, handing it over only once it completes
access-list 110 permit tcp any any
!
ip tcp intercept list 110
ip tcp intercept mode intercept
! stop managing an established connection after 30 s without activity
ip tcp intercept connection-timeout 30
!
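The 'ip verify unicast reverse-path' lines in the configuration above enable strict uRPF on both of R1's interfaces. As an added example (not from the lab files), the Python below models the lookup uRPF performs: the source address of each arriving packet is looked up in the FIB and, in strict mode, the best route must point back out the interface the packet arrived on; loose mode only requires that some route to the source exists. The routing table is constructed from the lab topology (R2's networks behind Serial1/0, 150.1.13.0/24 on FastEthernet0/0); the default route, the blackholed prefix 192.0.2.0/24 and the interface names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                       # egress interface; "Null0" models a discard route

def lookup(fib: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match on the SOURCE address, which is the lookup uRPF performs."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def urpf_passes(fib: List[Route], src: str, ingress: str,
                mode: str = "strict", allow_default: bool = False) -> bool:
    """strict = 'ip verify unicast reverse-path' (or 'source reachable-via rx');
    loose  = 'ip verify unicast source reachable-via any'."""
    route = lookup(fib, src)
    if route is None or route.interface == "Null0":
        return False                     # unknown or blackholed source: dropped in both modes
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                     # a default route satisfies the check only with 'allow-default'
    if mode == "loose":
        return True                      # loose: any route back to the source is enough
    return route.interface == ingress    # strict: the best path must leave via the ingress interface

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)

# R1's forwarding table, constructed from the lab topology (default route and Null0 prefix assumed)
R1_FIB = [
    Route(_net("13.13.9.0/24"), "Serial1/0"),        # link to R2
    Route(_net("13.13.12.0/24"), "Serial1/0"),       # R2's LAN, learned via RIPv2
    Route(_net("150.1.13.0/24"), "FastEthernet0/0"), # outside LAN toward R4
    Route(_net("0.0.0.0/0"), "FastEthernet0/0"),     # default route toward the outside
    Route(_net("192.0.2.0/24"), "Null0"),            # a blackholed prefix
]

def checks() -> Dict[str, bool]:
    """Each case: (claimed source address, interface the packet arrived on)."""
    return {
        "outside_host_strict":   urpf_passes(R1_FIB, "150.1.13.254", "FastEthernet0/0"),
        "spoofed_inside_strict": urpf_passes(R1_FIB, "13.13.12.2", "FastEthernet0/0"),
        "spoofed_inside_loose":  urpf_passes(R1_FIB, "13.13.12.2", "FastEthernet0/0", mode="loose"),
        "inside_host_on_s1_0":   urpf_passes(R1_FIB, "13.13.12.2", "Serial1/0"),
        "default_route_strict":  urpf_passes(R1_FIB, "203.0.113.9", "FastEthernet0/0"),
        "default_route_allowed": urpf_passes(R1_FIB, "203.0.113.9", "FastEthernet0/0", allow_default=True),
        "blackholed_loose":      urpf_passes(R1_FIB, "192.0.2.7", "FastEthernet0/0", mode="loose"),
    }

if __name__ == "__main__":
    for name, ok in checks().items():
        print(f"{name:24s} {'pass' if ok else 'DROP'}")
```

Strict mode on fa0/0 drops anything arriving from the outside that claims an inside 13.13.x.x source, which is the spoofing case the lab is about; the loose-mode row shows that loose uRPF does not catch it. Strict mode also drops legitimate traffic on links with asymmetric routing, which is why loose mode is the usual choice on such links and strict mode on single-homed edges like this one.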

 

 

Posted by instructor 김정우 (KakaoTalk: kim10322)