集训营walls rs123cciers123学习计划

模块《网络安全》课程模块《网络安全》课程内••••Zone-©2009CiscoSystems,Inc.AllrightsAccess-©2009Access-©2009CiscoSystems,Inc.AllrightsTestingPacketswithTestingPacketswithStandard©2009CiscoSystems,Inc.AllrightsTestingPacketswithTestingPacketswithExtended©2009CiscoSystems,Inc.AllrightsACLConfigurationACLConfigurationACLnumbersindicatewhichprotocolisOneACLperinterface,perprotocol,perdirectionisTheorderofACLstatementscontrolsThemostrestrictivestatementsgoatthetopoftheThelastACLtestisalwaysanimplicitdenyanystatement,soeverylistneedsatleastonepermitstatement.ACLsmustbecreatedbeforeapplyingthemtoACLsfiltertrafficgoingthroughtherouter.ACLsdonotfiltertrafficoriginatingfromtherouter.©2009CiscoSystems,Inc.Allrights标准编IPv4ACL的配使用标准编IPv4ACL的配使用19913001999作为access-list-number第一个条目分配的序列号10，后续条目以10为增量递增。默认通配符掩码是（仅针对标准ACL）noaccess-listaccess-list-number命令可删除整个ACL。remark用于向ACL添加说明。RouterX(config-noipaccess-groupaccess-list-number{in|out}ACL©2009CiscoSystems,Inc.Allrights用标ACL控vty访RouterX(config-限制特定用标ACL控vty访RouterX(config-限制特定地址之间的入站或出站连示例仅允许网vty线中的主机连接到路由器©2009CiscoSystems,Inc.Allrights扩展编IPv4ACL的配设扩展编IPv4ACL的配设置此列表条目的参RouterX(config-激活接口上的扩展列©2009CiscoSystems,Inc.Allrights字母数字命名的字符串字母数字命名的字符串必须是唯一RouterX(config{std-|ext-如果未配置，则从10开始自动生成序列号，并以10为增量递增中删除指定测RouterX(config-激活接口上的命IP©2009CiscoSystems,Inc.AllrightsACL语显示所有访ACL语显示所有访问列©2009CiscoSystems,Inc.Allrights©2009Cisco©2009CiscoSystems,Inc.Allrights©2009©2009CiscoSystems,Inc.AllrightsCiscoIOSStandardAccessControlListsWhenusedfortrafficfiltering,IPv6standardCiscoIOSStandardAccessControlListsWhenusedfortrafficfiltering,IPv6standardaccesscontrollists(ACLs)offerthefollowingfunctions:FiltertrafficbasedonsourceanddestinationFiltertrafficinboundoroutboundtoaspecificImplicit"denyall"attheendofaccess©2002,CiscoSystems,Inc.AllrightsCiscoIOSAccessControlLists•FilteroutgoingtrafficCiscoIOSAccessControlLists•Filteroutgoingtrafficfromsite-localsourceGlobalSite-localprefix:©2009CiscoSystems,Inc.AllrightsCiscoIOSExtendedAccessControlLists•IPv6extendedCiscoIOSExtendedAccessControlLists•IPv6extendedaccesscontrollistsSimilarfilteringfeaturesasIPaddress,trafficclass,upper-layerNewIPv6Flowlabel,extensionheaders,Usedfortrafficfilteringonly.Routingprotocolprefixesfilteringuses"ipv6prefix-list"©2009CiscoSystems,Inc.AllrightsCiscoIOSAccessControlCiscoIOSAccessControlLists•IPv6extendedaccesscontrollistsImplicitIPv6rulesattheendofeachPermiticmpanyanynd-Permiticmpanyanynd-Denyipv6any©2009CiscoSystems,Inc.AllrightsCiscoIOSIPv6ExtendedACLCommandSyntaxEnteraccesscontrollistCiscoIOSIPv6ExtendedACLCommandSyntaxEnteraccesscontrollistrouter(config-ipv6-{permit|{<src-prefix>{<dst-prefix>any|host<addr>}any|host[dscp<value>][flow-[fragments][reflect<reflexive-acl-name>[timeout<val>]][time-range<time-range-name>][log|log-Accesscontrol©2009CiscoSystems,Inc.AllrightsCiscoIOSIPv6ExtendedACLInterfaceCommandsCiscoIOSIPv6ExtendedACLInterfaceCommandsrouter(config-Filterincomingoroutgoingtrafficaccordingtothespecifiedaccesslist©2009CiscoSystems,Inc.AllrightsCiscoIOSIPv6ExtendedACLConfigurationExample•FilterincomingtrafficfromtheIPv6InternettowebsiteandDNSserver©2009CiscoSystems,CiscoIOSIPv6ExtendedACLConfigurationExample•FilterincomingtrafficfromtheIPv6InternettowebsiteandDNSserver©2009CiscoSystems,Inc.AllrightsCiscoIOSACLshow,clear,anddebugCommands•show,clearandCiscoIOSACLshow,clear,anddebugCommands•show,clearanddebugcommandsareavailabletodisplayandverifydefinedIPv6extendedACLs:©2009CiscoSystems,Inc.AllrightsZone-©2009Zone-©2009CiscoSystems,Inc.AllrightsBasicTheprivatezonemustreachtheInternet,withaccessBasicTheprivatezonemustreachtheInternet,withaccesstoHTTP,SMTP,andDNSservices.TheInternetshouldnothaveanyinbound ©2009CiscoSystems,Inc.AllrightsDMZ•NetworkconsistsofthreeInternetzone:InternetDMZzone:/24Privatezone:Privatenetwork,DMZ•NetworkconsistsofthreeInternetzone:InternetDMZzone:/24Privatezone:Privatenetwork,InternalNetwork©2009CiscoSystems,Inc.AllrightsSecurityZoneZone©2009CiscoSystems,Inc.AllrightsSecurityZoneZone©2009CiscoSystems,Inc.AllrightsZoningRulesIftwoZoningRulesIftwointerfacesareinsamezones,trafficflowsfreelybetweenIfoneinterfaceisinazone,andanotherinterfaceisnotinazone,trafficmayneverflowbetweenthem.Iftwointerfacesareintwodifferentzones,trafficwillnotflowbetweentheinterfacesuntilapolicyisdefinedtoallowthetraffic.©2009CiscoSystems,Inc.AllrightsSecurityZoneZoneZone©2009CiscoSystems,Inc.AllrightsSecurityZoneZoneZone©2009CiscoSystems,Inc.AllrightsSpecifyingAppliesCiscoSpecifyingAppliesCiscoPolicyLanguageBasedonexistingMQCframeworkinCiscoIOSSoftwareOnlythreeconstructs:Policy-mapassociatesactionswiththeabove-specifiedParameter-mapspecifiesoperatingparametersfortheclassificationandactionapplication.©2009CiscoSystems,Inc.AllrightsThe“inspect”typeclass-The“inspect”typeclass-Applieslogicalqualifiersmatch-allandmatch-any.DeterminesthewayapacketismatchedagainstfiltersinaclassmapAppliesthreetypesofmatchstatementsmatchprotocol<protocol-matchaccess-group<number|matchclass<class-map-©2009CiscoSystems,Inc.Allrightsclass-maptypeSpecifieswebtrafficthatalsomatchesclass-maptypeSpecifieswebtrafficthatalsomatchesACLSpecifiestrafficthatisboundforanyofthethreeprotocolsSpecifiestrafficthatisboundforanyofthethreeprotocolsinc2andthatalsomatchesACL199©2009CiscoSystems,Inc.AllrightsZBFPolicy••ZBFPolicy••NostatefulMonitoroutboundtrafficaccordingtopermitordenyAnticipatereturntrafficaccordingtosessiontableDropanytrafficthatisnotspecificallyinspected(class-defaulttraffic)•©2009CiscoSystems,Inc.AllrightsLayers3,4,and7Layers3,4,and7PolicyLayer3/Layer4policyisatoplevelpolicy-whichisattachedtothezonepair.Aggregatetrafficusingmatchprotocol/ACLsselections,applyhigh-levelactionslikedrop,inspect,urlfilteranddeep-Layer7orapplicationpolicyisoptionalandistypicallyappliedtocontrolthefinerdetailsofanapplication(e.g.,HTTP,SMTPetc).ItiscontainedinaLayer3/Layer4policyandcannotbedirectlyattachedtoatarget.Layer3/Layer4policysufficesforbasicinspection.Finerapplication-levelinspectioncallsforcreationofanLayer7policywhichisnested(hierarchical)intheLayer3/Layer4policy.©2009CiscoSystems,Inc.AllrightsLayers3,4,and7PolicyLayers3,4,and7PolicyTypesLayer7class/policy-mapsareprotocolspecific.Theoptionsappearingunderthemdependontheprotocolandthecapabilitiesoftheexistingapplicationinspectionmodule.Asofnow,Layer7policiescanbeconfiguredforthefollowingprotocols:HTTP,SMTP,POP3,IMAP,andRPC.TheLayer7policymapisattachedtothetop-levelpolicyusingtheservice-policyinspect<http|smtp|…><policy-name>Theclassinthetop-levelpolicyforwhichanLayer7policy-mapisconfiguredmusthaveamatchprotocolfilter.ThisprotocolandtheLayer7Policymapprotocolmustbethesame.Ifonly‘matchaccess-group’filtersarepresentintheclassmap,aLayer7policycannotbeconfiguredforthatclass.AsingleLayer7policymapmaybeusedinmultiple©2009CiscoSystems,Inc.AllrightsApplytoplevelpolicyon©2009CiscoApplytoplevelpolicyon©2009CiscoSystems,Inc.Allrightsclass-maptypeinspecthttplong- HTTPmatchrequesturilengthgt withURLpolicy-maptypeinspecthttphttp-classtypeinspecthttplong- Layer7action:class-maptypeinspectmatch-allhttp-matchprotocolhttpmatchaccess-group199policy-maptypeinspectclasstypeinspecthttp-traffic HTTPinspectionservice-policyinspecthttphttp-zone-pairsecurityin-outsourcein-zonedestout-service-policytypeinspectParameterSpecifyparameterssuchParameterSpecifyparameterssuchasoldinspect©2009CiscoSystems,Inc.AllrightsConfiguringaCiscoIOSZone-BasedPolicyFirewallIdentifyConfiguringaCiscoIOSZone-BasedPolicyFirewallIdentifyinterfacesthatsharethesamefunctionsecurityandgroupthemintothesamesecurityzones.Determinetherequiredtrafficflowbetweenzonesinbothdirections.Setupzones.Setupzonepairsforanypolicyotherthandenyall.Defineclassmapstodescribetrafficbetweenzones.Associateclassmapswithpolicymapstodefineactionsappliedtospecificpolicies.Assignpolicymapstozone©2009CiscoSystems,Inc.AllrightsTwo-InterfaceCiscoIOSZone-BasedPolicyFirewallConfigurationListzoCTwo-InterfaceCiscoIOSZone-BasedPolicyFirewallConfigurationListzoCRS-©2009CiscoSystems,Inc.Allrightsclass-maptypeinspectmatch-anysnrsprotocolsmatchprotocolhttpmatchprotocol definedinfirewallmatchprotocolmatchaccessgroup!policy-maptypeinspect Applyaction(inspectclasstypeinspect stateful!zonesecurity Zoneszonesecurity!interfacefastethernet Interfacesassignedzone-membersecurity !interfacefastethernet0/1zone-membersecurityinternet!zone-pairsecuritypriv-to-internetsourceprivatedestinationinternetservice-policytypeinspectsnrsfwpolicy InspectionfromprivateVerificationshowzonesecurityshowVerificationshowzonesecurityshowzone-pairsecurityshowpolicy-maptypeshowpolicy-maptypeinspectzone-pair–Examinesthefirewallstatetableshowclass-maptypeinspect©2009CiscoSystems,Inc.Allrights©2009©2009CiscoSystems,Inc.AllrightsAAAWhoareAAAWhoareyou?WhatcanyouWhatdidyoudoandhowlongdidyoudo©2009CiscoSystems,Inc.AllrightsCiscoSecureACSCiscoSecureACSProvidesauthentication,authorization,andaccounting(AAA)fornetworks©2009CiscoSystems,Inc.AllrightsCiscoSecureACSCiscoSecureACS©2009CiscoSystems,Inc.AllrightsGUIClient©GUIClient©2009CiscoSystems,Inc.AllrightsAAAOverviewandAAAOverviewandAAAdefinitionAAARouteraccess©2009CiscoSystems,Inc.AllrightsRouterAccess©RouterAccess©2009CiscoSystems,Inc.AllrightsAAA©2009AAA©2009CiscoSystems,Inc.AllrightsEnablingAAAandIdentifyingtheServer•TACACS+EnablingAAAandIdentifyingtheServer•TACACS+or©2009CiscoSystems,Inc.Allrights定义aaaserver定义aaaserver©2009CiscoSystems,Inc.AllrightsConfiguringLoginAuthenticationConfiguringLoginAuthenticationUsing©2009CiscoSystems,Inc.AllrightsConfiguringPPPAuthenticationUsingConfiguringPPPAuthenticationUsing©2009CiscoSystems,Inc.AllrightsConfiguringAAAAuthorizationConfiguringAAAAuthorizationUsingNamedMethodLists©2009CiscoSystems,Inc.AllrightsAAAAuthorization©AAAAuthorization©2009CiscoSystems,Inc.AllrightsConfiguringAAAAccountingConfiguringAAAAccountingUsingNamedMethodLists©2009CiscoSystems,Inc.AllrightsAccounting©2009Accounting©2009CiscoSystems,Inc.Allrights©©2009CiscoSystems,Inc.AllrightsCharacterModeLoginCharacterModeLogin©2009CiscoSystems,Inc.AllrightsAAAAuthorization©AAAAuthorization©2009CiscoSystems,Inc.AllrightsCharacterModewith©CharacterModewith©2009CiscoSystems,Inc.AllrightsPacketMode©PacketMode©2009CiscoSystems,Inc.AllrightsIf-needed解©2009If-needed解©2009CiscoSystems,Inc.AllrightsIf-authenticated解©2009If-authenticated解©2009CiscoSystems,Inc.Allrights©2009©2009CiscoSystems,Inc.AllrightsNAT©2009NAT©2009CiscoSystems,Inc.AllrightsNAT地址类•内部本地（insidelocal）：内部主机的内网地址，NAT地址类•内部本地（insidelocal）：内部主机的内网地址，内部全局（insideglobal）：内部主机与外网通信外部全局（outsideglobal）：外网主机的地址，一外部本地（outsidelocal）：在内网为外网主机定•••©2009CiscoSystems,Inc.AllrightsNAT转换类型NAT转换类型扩展转换条©2009CiscoSystems,Inc.AllrightsNAT对内网源地址的转换（访NAT对内网源地址的转换（访问Internet或者地址隐藏对外网源地址的转换（解决地址冲突对内网目的地址的转换（tcp负载均衡，内网多镜像服务器对内网源地址静态扩展转换（基于服务端口的内部全局地址复用端口地址转换（复用内部全局地址，访问互联网©2009CiscoSystems,Inc.Allrights1、TranslatingInside1、TranslatingInsideSource©2009CiscoSystems,Inc.AllrightsStaticInsideSourceNATConfigurationExampleStaticInsideSourceNATConfigurationExample©2009CiscoSystems,Inc.AllrightsDynamicNAT©DynamicNAT©2009CiscoSystems,Inc.Allrights2、TranslatingOutside2、TranslatingOutsideSource©2009CiscoSystems,Inc.Allrights