Cisco IOS, condensed Chinese edition: Chapter 27, Security

27.1.  Using AutoSecure

Problem: You want a simple, guided way to harden your router.

Solution

Router2#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:
<Removed for brevity>

Discussion: Beginning with IOS 12.3(1), routers include the AutoSecure feature, which hardens the router automatically by walking you through a series of questions. Below is an example of the configuration it generates:

Router2#show auto secure config
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no snmp-server community public
no snmp-server community private
banner ^C  Test ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 00071A1507545B54
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 6
 login authentication local_auth
 transport input telnet
login block-for 5 attempts 5 within 6

crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 6
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
ip cef
Router2#
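AutoSecure is a good starting point, but the generated configuration above still deserves a second look before it is accepted. The following Python script is an added example (not part of this page and not a Cisco tool) that audits saved running-config text for the hardening AutoSecure is meant to leave behind and flags the weak spots visible in the output above: `enable password 7` is type 7 obfuscation (a fixed, long-public XOR key), so it is reversible and no substitute for `enable secret`; the RSA key is only 1024 bits; and the VTY lines still accept Telnet next to SSH. The sample config is an excerpt of the page's AutoSecure output; the hardened variant, its passphrase and the finding codes are constructed for this example.

```python
"""Audit IOS config text for the hardening AutoSecure should leave behind.

Added example, not code from the page or from Cisco. Feed it the text of
'show running-config'; PAGE_EXCERPT is a cut-down copy of the AutoSecure
output shown above, HARDENED is a constructed corrected version of it.
"""
import re

# Key behind Cisco "type 7" passwords. It has been public for decades, which is
# why 'enable password 7' is obfuscation rather than encryption.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Global commands a hardened config must contain (all appear in AutoSecure's output).
REQUIRED_GLOBALS = (
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip source-route",
    "no cdp run",
    "no ip http server",
    "service password-encryption",
    "login block-for 5 attempts 5 within 6",
)

PAGE_EXCERPT = """\
no service tcp-small-servers
no service udp-small-servers
service password-encryption
no cdp run
no ip http server
no ip source-route
security passwords min-length 6
enable password 7 00071A1507545B54
login block-for 5 attempts 5 within 6
line con 0
 exec-timeout 5 0
line vty 0 6
 login authentication local_auth
 transport input telnet
crypto key generate rsa general-keys modulus 1024
line vty 0 6
 transport input ssh telnet
"""

# Constructed: the same excerpt with the weak lines corrected.
HARDENED = (PAGE_EXCERPT
            .replace("enable password 7 00071A1507545B54", "enable secret 0 example-only-passphrase")
            .replace("modulus 1024", "modulus 2048")
            .replace("transport input ssh telnet", "transport input ssh")
            .replace("transport input telnet", "transport input ssh"))


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of key offset, then one XORed byte per hex pair."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    chars = []
    for n, i in enumerate(range(2, len(encoded), 2)):
        key_char = TYPE7_KEY[(offset + n) % len(TYPE7_KEY)]
        chars.append(chr(int(encoded[i:i + 2], 16) ^ ord(key_char)))
    return "".join(chars)


def audit_config(config: str) -> list:
    """Return 'CODE:detail' findings; an empty list means nothing weak was found."""
    findings = []
    lines = config.splitlines()
    present = {l.strip() for l in lines}
    for want in REQUIRED_GLOBALS:
        if want not in present:
            findings.append("MISSING:" + want)
    if not any(l.startswith("enable secret") for l in lines):
        # Without 'enable secret', privileged access rests on the reversible type 7 value.
        findings.append("MISSING:enable secret")
    section = None
    for raw in lines:
        line = raw.strip()
        if raw and not raw[0].isspace():
            section = line  # a global command or a mode header such as 'line vty 0 6'
        m = re.fullmatch(r"enable password 7 (\S+)", line)
        if m:
            findings.append("TYPE7_ENABLE_PASSWORD:" + decode_type7(m.group(1)))
        elif re.fullmatch(r"enable password (0 )?\S+", line):
            findings.append("CLEARTEXT_ENABLE_PASSWORD")
        m = re.search(r"crypto key generate rsa .*modulus (\d+)", line)
        if m and int(m.group(1)) < 2048:
            findings.append("SHORT_RSA_KEY:" + m.group(1))
        if section and section.startswith("line vty") and line.startswith("transport input"):
            if "telnet" in line.split() or "all" in line.split():
                findings.append("TELNET_ON_VTY:" + section)
    return findings


if __name__ == "__main__":
    for name, cfg in (("page excerpt", PAGE_EXCERPT), ("hardened", HARDENED)):
        print(name, audit_config(cfg) or "clean")
```

Running it against the page excerpt recovers the enable password in clear text and reports the short RSA key and the Telnet-capable VTY lines; against the hardened variant it reports nothing. The fixes it points at are the ones to apply after AutoSecure finishes: set `enable secret`, regenerate the RSA key with a 2048-bit or longer modulus, and restrict the VTY lines to `transport input ssh`.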

 

27.2.  Using Context-Based Access Control (CBAC)

Problem: You want to configure firewall-like advanced filtering on the router.

Solution

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 166 deny   ip any any
Router1(config)#access-list 167 permit tcp any any eq telnet
Router1(config)#ip inspect name Telnet tcp
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 166 in
Router1(config-if)#ip access-group 167 out
Router1(config-if)#ip inspect Telnet out
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion: This requires an IOS image that includes the IOS Firewall feature set. CBAC provides firewall-like stateful inspection: it dynamically creates access-list entries that permit the return packets of sessions it has inspected. In the example above, ACL 166 denies everything inbound on Serial0/1 and ACL 167 permits only outbound Telnet; because outbound TCP sessions are inspected, the returning Telnet packets are allowed through:

Router1#show ip inspect sessions
Established Sessions
 Session 821061C0 (172.25.1.1:1379)=>(10.2.2.2:23) tcp SIS_OPEN
Router1#

The passive FTP access problem mentioned earlier can also be solved securely with this method:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 155 permit tcp any any eq ftp
Router1(config)#access-list 155 deny ip any any
Router1(config)#ip inspect name TEST ftp
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 155 in
Router1(config-if)#ip inspect TEST in
Router1(config-if)#exit
Router1(config)#end
Router1#

Router1#show ip access-list 155
Extended IP access list 155
    permit tcp host 172.20.1.2 eq 11252 host 172.25.1.3 eq 49155 (1415 matches)
    permit tcp any any eq ftp (151 matches)
    deny ip any any (3829 matches)
Router1#
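To make the mechanism behind both recipes concrete, here is a small Python model of CBAC inspection, added as an illustration; it is not IOS code and not the page's configuration. It replays the Telnet recipe (ACL 166 in, ACL 167 out, inspection outbound on Serial0/1) and the passive FTP recipe (ACL 155 in, inspection inbound on Serial0/0), using the addresses and ports from the page. The FTP 227 reply text is constructed, and the model is simplified: it adds the data-channel entry when the client's SYN arrives, and does not model timers or session teardown.

```python
"""Toy model of CBAC stateful inspection (added illustration, not IOS code).

Static ACLs deny the return traffic; CBAC inserts temporary entries ahead of
them for inspected sessions, and for FTP reads the 227 reply to admit the
passive data channel. Timers and teardown are not modelled."""
import re
from dataclasses import dataclass
from typing import Optional

PASV = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
NAMES = {21: "ftp", 23: "telnet"}   # how IOS prints well-known ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: str = ""


@dataclass
class Ace:
    """One access-list entry; a None field means 'any'."""
    permit: bool
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.sport, p.sport), (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == have for want, have in pairs)

    def __str__(self) -> str:
        def side(ip, port):
            return ("any" if ip is None else f"host {ip}") + ("" if port is None else f" eq {NAMES.get(port, port)}")
        proto = "tcp" if self.sport is not None or self.dport is not None else "ip"
        return f"{'permit' if self.permit else 'deny'} {proto} {side(self.src, self.sport)} {side(self.dst, self.dport)}"


class Acl(list):
    def permits(self, p: Packet) -> bool:
        return next((a.permit for a in self if a.matches(p)), False)   # implicit deny at the end


class Interface:
    def __init__(self, acl_in=None, acl_out=None, inspect_in=None, inspect_out=None):
        self.acl = {"in": acl_in, "out": acl_out}
        self.inspect = {"in": inspect_in, "out": inspect_out}   # inspection rule: "tcp" or "ftp"
        self.sessions = []      # 4-tuples of inspected flows, as 'show ip inspect sessions' lists them
        self.pending = set()    # (client, server, port) data channels announced by FTP 227 replies

    def forward(self, p: Packet, direction: str) -> bool:
        rev = "out" if direction == "in" else "in"
        rule, acl = self.inspect[direction], self.acl[direction]
        key = (p.src, p.sport, p.dst, p.dport)
        # Reply half of an inspected FTP control session: learn the announced data port.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions and (m := PASV.search(p.payload)):
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            self.pending.add((p.dst, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        # Client opening an announced data channel: add the entry before the ACL is consulted.
        if rule and p.syn and (p.src, p.dst, p.dport) in self.pending:
            self.pending.discard((p.src, p.dst, p.dport))
            self.sessions.append(key)
            if acl is not None:
                acl.insert(0, Ace(True, p.src, p.sport, p.dst, p.dport))
        if acl is not None and not acl.permits(p):
            return False
        # New session in the inspected direction: open the mirror flow in the other direction.
        inspected = rule == "tcp" or (rule == "ftp" and p.dport == 21)
        if p.syn and inspected and key not in self.sessions:
            self.sessions.append(key)
            if self.acl[rev] is not None:
                self.acl[rev].insert(0, Ace(True, p.dst, p.dport, p.src, p.sport))
        return True

    def show_sessions(self):
        return [f"({s}:{sp})=>({d}:{dp}) tcp SIS_OPEN" for s, sp, d, dp in self.sessions]


def demo():
    """Replay both recipes; returns what a practitioner would check on the router."""
    # Recipe 1: Serial0/1, ACL 166 in (deny all), ACL 167 out (Telnet only), 'ip inspect Telnet out'.
    s01 = Interface(acl_in=Acl([Ace(False)]), acl_out=Acl([Ace(True, dport=23)]), inspect_out="tcp")
    s01.forward(Packet("172.25.1.1", 1379, "10.2.2.2", 23, syn=True), "out")
    reply_ok = s01.forward(Packet("10.2.2.2", 23, "172.25.1.1", 1379), "in")
    unsolicited_ok = s01.forward(Packet("10.2.2.2", 4444, "172.25.1.1", 22, syn=True), "in")
    # Recipe 2: Serial0/0, ACL 155 in (FTP control only), 'ip inspect TEST in'.
    acl155 = Acl([Ace(True, dport=21), Ace(False)])
    s00 = Interface(acl_in=acl155, inspect_in="ftp")
    s00.forward(Packet("172.20.1.2", 11251, "172.25.1.3", 21, syn=True), "in")
    s00.forward(Packet("172.25.1.3", 21, "172.20.1.2", 11251,
                       payload="227 Entering Passive Mode (172,25,1,3,192,3)\r\n"), "out")   # constructed
    data_ok = s00.forward(Packet("172.20.1.2", 11252, "172.25.1.3", 49155, syn=True), "in")
    return reply_ok, unsolicited_ok, data_ok, s01.show_sessions(), [str(a) for a in acl155]


if __name__ == "__main__":
    print(demo())
```

The model reproduces what the router displays: the Telnet session appears as `(172.25.1.1:1379)=>(10.2.2.2:23) tcp SIS_OPEN`, its reply is admitted by ACL 166 while an unsolicited inbound SYN is still dropped, and after the server's 227 reply the data channel entry `permit tcp host 172.20.1.2 eq 11252 host 172.25.1.3 eq 49155` sits ahead of the static lines of ACL 155, exactly where `show ip access-list 155` lists it. The point for a reviewer is that CBAC only opens holes that match a session it has already seen; the static ACL still decides what may initiate a connection.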

Timers can also be configured for the different session states:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip inspect tcp idle-time 1800
Router1(config)#ip inspect udp idle-time 20
Router1(config)#ip inspect tcp finwait-time 1
Router1(config)#ip inspect tcp synwait-time 15
Router1(config)#end
Router1#

The show ip inspect config command displays the current CBAC configuration.

Logging of inspected sessions is also supported: ip inspect name Telnet tcp audit-trail on

 

Reprinted from: http://www.net130.com/CMS/Pub/Tech/tech_zh/2007_04_09_98133.htm
