Reposted from 네전따 - Router security configuration


Current site status
Site size: 2500 nodes
Router currently in use: 7200VXR NPE225 --> bought 3 years ago
Average router CPU utilization: 25%~30%
External Internet line: T3 (45Mbps)
Average Internet usage: 80~90%

Router tuning requirements
Code Red / Nimda filtering
Work-time restriction of P2P programs

After the configuration change
Code Red / Nimda coming in from outside can be filtered
P2P restricted during work time --> Internet line utilization dropped sharply to 50%.
Perceived Internet access speed greatly improved.

version 12.2
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Router
!
boot system flash slot0:c7200-is-mz.122-1d.bin
logging rate-limit console 10 except errors
 
!
clock timezone KST 0
ip subnet-zero
no ip source-route
ip cef
!
!
no ip finger
no ip domain-lookup
!
no ip bootp server
no ip dhcp-client network-discovery
!
class-map match-any http-hacks       --> defines the Code Red / Nimda patterns
  match protocol http url "*.default.ida*"
  match protocol http url "*x.ida*"
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*readme.eml"
!
!
policy-map mark-inbound-http-hacks  --> marks the packet when it matches a Code Red / Nimda pattern
  class http-hacks
   set ip dscp 1
!
 
interface FastEthernet4/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 190 in
 ip access-group 190 out
 no ip redirects
 ip nbar protocol-discovery
 duplex full
 no cdp enable
!
interface Hssi6/0
 bandwidth 45000
 ip address 2.2.2.6 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip accounting output-packets
 no ip mroute-cache
 service-policy input mark-inbound-http-hacks  --> marks Code Red / Nimda traffic as it comes in from outside
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.4
ip route 192.168.1.0 255.255.255.0 192.168.10.2
ip route 192.168.2.0 255.255.255.0 192.168.10.2
ip route 192.168.3.0 255.255.255.0 192.168.10.2
ip route 192.168.4.0 255.255.255.0 192.168.10.2
ip route 192.168.9.0 255.255.255.0 192.168.10.2
ip route 192.168.10.0 255.255.255.0 192.168.10.2
ip route 192.168.11.0 255.255.255.0 192.168.10.2
ip route 111.2.30.0 255.255.255.0 192.168.10.2
ip route 111.2.31.0 255.255.255.0 192.168.10.2
ip route 111.2.32.0 255.255.248.0 192.168.10.2
!
 
!
access-list compiled  --> enables Turbo ACL
access-list 100 permit tcp any any established
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any  --> blocks private source addresses coming in from outside
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 172.16.0.0 0.0.15.255 any

access-list 100 deny   tcp any any eq 31337
access-list 100 deny   udp any any eq 31337
access-list 100 deny   tcp any any eq lpd
access-list 100 deny   tcp any any eq 137
access-list 100 deny   udp any any eq netbios-ns
access-list 100 deny   tcp any any eq 138
access-list 100 deny   udp any any eq netbios-dgm
access-list 100 deny   tcp any any eq 139
access-list 100 deny   tcp any any eq 391
access-list 100 deny   udp any any eq 391
access-list 100 deny   tcp any any eq 445
access-list 100 deny   tcp any any eq 705
access-list 100 deny   tcp any any eq 1052
access-list 100 deny   udp any any eq 1052
access-list 100 deny   tcp any any eq 1434
access-list 100 deny   udp any any eq 1434
access-list 100 deny   tcp any any eq 1993
access-list 100 deny   udp any any eq 1993
access-list 100 deny   tcp any any eq 1978
access-list 100 deny   udp any any eq 1978
access-list 100 deny   tcp any any eq 2002
access-list 100 deny   udp any any eq 2002
access-list 100 deny   tcp any any eq 4156
access-list 100 deny   udp any any eq 4156
access-list 100 deny   tcp any any eq 4661
access-list 100 deny   udp any any eq 4661
access-list 100 deny   tcp any any eq 4662
access-list 100 deny   udp any any eq 4662
access-list 100 deny   tcp any any eq 6112
access-list 100 deny   udp any any eq 6112
access-list 100 deny   tcp any any eq 6699
access-list 100 deny   udp any any eq 6699
access-list 100 deny   tcp any any eq 9292
access-list 100 deny   udp any any eq 9292
access-list 100 deny   tcp any any eq 12345
access-list 100 deny   udp any any eq 12345
access-list 100 deny   tcp any any eq 12346
access-list 100 deny   udp any any eq 12346
access-list 100 deny   tcp any any eq 7674
access-list 100 deny   udp any any eq 7674
access-list 100 deny   tcp any any eq 7676
access-list 100 deny   udp any any eq 7676
access-list 100 deny   tcp any any eq 22321
access-list 100 deny   udp any any eq 22321
access-list 100 deny   tcp any any eq 161
access-list 100 deny   udp any any eq snmp
access-list 100 deny   tcp any any eq 162
access-list 100 deny   udp any any eq snmptrap
access-list 100 deny   tcp any any eq 199
access-list 100 deny   udp any any eq 199
access-list 100 deny   tcp any any eq 6723
access-list 100 deny   udp any any eq 6723
access-list 100 deny   tcp any any eq 15104
access-list 100 deny   udp any any eq 15104
access-list 100 deny   tcp any any eq 12754
access-list 100 deny   udp any any eq 12754
access-list 100 deny   tcp any any eq 9325
access-list 100 deny   udp any any eq 9325
access-list 100 deny   tcp any any eq 6838
access-list 100 deny   udp any any eq 6838
access-list 100 deny   tcp any any eq 7983
access-list 100 deny   udp any any eq 7983
access-list 100 deny   tcp any any eq 10498
access-list 100 deny   udp any any eq 10498
access-list 100 deny   ip any host 146.20.80.97
access-list 100 deny   ip any host 24.203.80.202
access-list 100 deny   icmp any [internal IP address] echo  --> blocks pings coming from outside
access-list 100 deny   icmp any [internal IP address] echo-reply
access-list 100 deny   icmp [internal IP address] any echo
access-list 100 deny   icmp [internal IP address] any echo-reply

access-list 100 permit ip any any
 
This is where it gets important....^^;
access-list 190 deny   ip any any dscp 1  --> Code Red / Nimda packets all have 1 marked in the DSCP field of the packet
access-list 190 deny   tcp any any eq 8282 time-range test  --> the ACL is applied to every P2P program (only during work time....); QoS can also be applied per time of day....
access-list 190 deny   tcp any eq 8282 any time-range test
access-list 190 deny   tcp any eq 31200 any time-range test
access-list 190 deny   tcp any any eq 31200 time-range test
access-list 190 deny   tcp any any eq 6699 time-range test
access-list 190 deny   tcp any eq 6699 any time-range test
access-list 190 deny   tcp any eq 4661 any time-range test
access-list 190 deny   tcp any any eq 4661 time-range test
access-list 190 deny   tcp any any eq 4665 time-range test
access-list 190 deny   tcp any eq 4665 any time-range test
access-list 190 deny   tcp any any eq 1236 time-range test
access-list 190 deny   tcp any eq 1236 any time-range test
access-list 190 deny   tcp any any eq 1214 time-range test
access-list 190 deny   tcp any eq 1214 any time-range test
access-list 190 deny   tcp any any eq 9292 time-range test
access-list 190 deny   tcp any eq 9292 any time-range test
access-list 190 deny   tcp any eq 4662 any time-range test
access-list 190 deny   tcp any any eq 4662 time-range test
access-list 190 deny   tcp any any eq 28290 time-range test
access-list 190 deny   tcp any eq 28290 any time-range test
access-list 190 deny   udp any eq 22321 any time-range test
access-list 190 deny   udp any any eq 22321 time-range test
access-list 190 deny   udp any eq 7674 any time-range test
access-list 190 deny   udp any any eq 7674 time-range test
access-list 190 deny   udp any eq 7675 any time-range test
access-list 190 deny   udp any any eq 7675 time-range test
access-list 190 deny   udp any any eq 1236 time-range test
access-list 190 deny   udp any eq 1236 any time-range test
access-list 190 deny   ip any host 211.43.216.56 time-range test
access-list 190 deny   ip any 211.218.152.0 0.0.0.255 time-range test
access-list 190 permit ip any any
access-list 190 remark P2P제한_GameSite_Access_Deny
!
!
(omitted)
!
time-range test   --> restricts P2P from 9 AM to 7 PM
 periodic daily 09:00 to 19:00

!
end
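The class-map above relies on NBAR's URL wildcards: '*' stands for any run of characters and '?' for a single character, and because the class-map is match-any, one matching pattern is enough for the policy-map to set DSCP 1 so that access-list 190 drops the packet. The Python model below is an added example written for this repost, not configuration or code from the original post. The request paths are constructed, and the glob-to-regex translation (anchored to the whole path, case-sensitive) is an assumption about how IOS evaluates the patterns that should be verified on the release in use. It shows which pattern catches each request and that the last pattern, which has no trailing '*', only matches paths that end in readme.eml.

```python
import re
from typing import Dict, List

# Patterns copied from the class-map in the post (class-map match-any http-hacks).
CLASS_MAP_HTTP_HACKS = [
    "*.default.ida*",
    "*x.ida*",
    "*.ida*",
    "*cmd.exe*",
    "*root.exe*",
    "*readme.eml",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an NBAR-style URL wildcard into an anchored regex.
    Assumed semantics: '*' = any run of characters, '?' = exactly one
    character, everything else literal, compared case-sensitively against
    the whole path. Verify against the IOS release in use."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


COMPILED = [(p, glob_to_regex(p)) for p in CLASS_MAP_HTTP_HACKS]


def matching_patterns(url_path: str) -> List[str]:
    """All class-map patterns the path matches. With match-any, a single
    hit is enough for the policy-map to set DSCP 1 on the packet."""
    return [p for p, rx in COMPILED if rx.match(url_path)]


def would_be_marked(url_path: str) -> bool:
    return bool(matching_patterns(url_path))


def classify(paths: List[str]) -> Dict[str, List[str]]:
    return {path: matching_patterns(path) for path in paths}


# Constructed request paths (the part after the host name, which is what
# 'match protocol http url' inspects); not captured traffic.
SAMPLE_PATHS = [
    "/default.ida?NNNNNNNN%u9090%u6858",            # Code Red style probe, shortened
    "/scripts/root.exe?/c+dir",                     # Nimda style
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/readme.eml",
    "/readme.eml?x=1",    # last pattern has no trailing '*': not matched
    "/index.html",
]

if __name__ == "__main__":
    for path, hits in classify(SAMPLE_PATHS).items():
        verdict = "DSCP 1" if hits else "pass"
        print(f"{verdict:6} {path}  <- {hits}")
```

Run it as a script to see the verdict per path. Note that "/default.ida?..." is caught by "*.ida*" rather than "*.default.ida*", since the latter requires a dot immediately before "default"; the two broader patterns make the narrower ones redundant but harmless.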
 
Router#sh ip access-lists 190
Extended IP access list 190
    deny ip any any dscp 1 (13469 matches) --> packets filtered in the 10 minutes after applying the Code Red / Nimda filter
    deny tcp any any eq 8282 time-range test (active) --> P2P programs are being restricted during work time; automatically lifted from 7 PM....
    deny tcp any eq 8282 any time-range test (active)
    deny tcp any eq 31200 any time-range test (active)
    deny tcp any any eq 31200 time-range test (active)
    deny tcp any any eq 6699 time-range test (active) (59 matches)
    deny tcp any eq 6699 any time-range test (active) (28 matches)
    deny tcp any eq 4661 any time-range test (active) (58 matches)
    deny tcp any any eq 4661 time-range test (active) (337 matches)
    deny tcp any any eq 4665 time-range test (active) (40 matches)
    deny tcp any eq 4665 any time-range test (active) (46 matches)
    deny tcp any any eq 1236 time-range test (active)
    deny tcp any eq 1236 any time-range test (active) (42 matches)
    deny tcp any any eq 1214 time-range test (active) (2 matches)
    deny tcp any eq 1214 any time-range test (active) (53 matches)
    deny tcp any any eq 9292 time-range test (active)
    deny tcp any eq 9292 any time-range test (active)
    deny tcp any eq 4662 any time-range test (active) (2098 matches)
    deny tcp any any eq 4662 time-range test (active) (17216 matches)
    deny tcp any any eq 28290 time-range test (active) (561 matches)
    deny tcp any eq 28290 any time-range test (active) (17 matches)
    deny udp any eq 22321 any time-range test (active) (6976 matches)
    deny udp any any eq 22321 time-range test (active)
    deny udp any eq 7674 any time-range test (active) (1162 matches)
    deny udp any any eq 7674 time-range test (active)
    deny udp any eq 7675 any time-range test (active)
    deny udp any any eq 7675 time-range test (active)
    deny udp any any eq 1236 time-range test (active)
    deny udp any eq 1236 any time-range test (active) (1 match)
    deny ip any host 211.43.216.56 time-range test (active)
    deny ip any 211.218.152.0 0.0.0.255 time-range test (active) (31 matches)
    permit ip any any (3701785 matches)
Router#sh proce
Router#sh processes cpu --> CPU load after Code Red / Nimda / P2P filtering

CPU utilization for five seconds: 29%/29%; one minute: 34%; five minutes: 34%
 PID  Runtime(ms)  Invoked  uSecs    5Sec   1Min   5Min TTY Process
   1           0     19961      0   0.00%  0.00%  0.00%   0 Load Meter      
   2          44      1664     26   0.00%  0.00%  0.00%   0 CEF Scanner     
   3       22164     10136   2186   0.00%  0.02%  0.00%   0 Check heaps     
   4           0         1      0   0.00%  0.00%  0.00%   0 Chunk Manager    
(rest omitted)
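Reading the match counters by hand gets tedious on a 30-line ACL. The Python below is an added example, not a tool from the original post: it parses "show ip access-lists" output in the format shown above (an excerpt of the post's own output is embedded as the sample) and reports dropped versus permitted packets, drops per port regardless of direction, entries that have never matched, and the time-range state. That is the check a defender runs to confirm the work-time P2P restriction is actually active and to spot rules that can be retired. The line format it expects is the one on the page; other IOS versions may print counters differently.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: an excerpt of the "sh ip access-lists 190" output shown in the post.
SAMPLE_OUTPUT = """\
Extended IP access list 190
    deny ip any any dscp 1 (13469 matches)
    deny tcp any any eq 8282 time-range test (active)
    deny tcp any any eq 6699 time-range test (active) (59 matches)
    deny tcp any eq 6699 any time-range test (active) (28 matches)
    deny tcp any eq 4662 any time-range test (active) (2098 matches)
    deny tcp any any eq 4662 time-range test (active) (17216 matches)
    deny udp any eq 22321 any time-range test (active) (6976 matches)
    deny udp any eq 1236 any time-range test (active) (1 match)
    deny ip any 211.218.152.0 0.0.0.255 time-range test (active) (31 matches)
    permit ip any any (3701785 matches)
"""

# One ACL entry line: action, protocol, the address/port part, an optional
# time-range with its state, and an optional "(N matches)" counter.
ENTRY_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+time-range\s+(?P<trange>\S+)\s+\((?P<state>active|inactive)\))?"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)
PORT_RE = re.compile(r"\beq\s+(\S+)")


@dataclass
class AclEntry:
    action: str
    proto: str
    rest: str                     # addresses/ports/dscp part, kept verbatim
    time_range: Optional[str]
    state: Optional[str]          # 'active' / 'inactive' when a time-range applies
    matches: int                  # 0 when IOS prints no counter

    @property
    def port(self) -> Optional[str]:
        """Port named with 'eq', whether it is the source or destination."""
        m = PORT_RE.search(self.rest)
        return m.group(1) if m else None


def parse_access_list(text: str) -> List[AclEntry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue              # header line or unrelated output
        entries.append(AclEntry(
            action=m["action"], proto=m["proto"], rest=m["rest"],
            time_range=m["trange"], state=m["state"],
            matches=int(m["matches"] or 0),
        ))
    return entries


def summarize(entries: List[AclEntry]) -> Dict[str, object]:
    by_port: Dict[str, int] = {}
    for e in entries:
        if e.action == "deny" and e.port:
            by_port[e.port] = by_port.get(e.port, 0) + e.matches
    return {
        "deny_total": sum(e.matches for e in entries if e.action == "deny"),
        "permit_total": sum(e.matches for e in entries if e.action == "permit"),
        "matches_by_port": by_port,
        "never_matched": [f"{e.action} {e.proto} {e.rest}" for e in entries if e.matches == 0],
        "time_ranges": {e.time_range: e.state for e in entries if e.time_range},
    }


if __name__ == "__main__":
    report = summarize(parse_access_list(SAMPLE_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the full output of the command (for example, piped from a terminal log) instead of the embedded sample to get the per-port totals for the whole list; entries listed under never_matched after a few working days are candidates for removal, and a time_ranges value of inactive during work hours points at a clock or time-range misconfiguration.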
 
Router#sh version
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(1d), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 04-Feb-02 22:26 by srani
Image text-base: 0x60008960, data-base: 0x61320000
 
ROM: System Bootstrap, Version 12.2(1r) [dchih 1r], RELEASE SOFTWARE (fc1)
BOOTFLASH: 7200 Software (C7200-BOOT-M), Version 12.0(17)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
 
(middle omitted..)
 
cisco 7206VXR (NPE225) processor (revision A) with 114688K/16384K bytes of memory.
Processor board ID 21292902
R527x CPU at 262Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
6 slot VXR midplane, Version 2.0
 
(rest omitted)
 
A 7200 router, and with a 3-year-old NPE225 processor at that, isn't fazed at all by Nimda / Code Red filtering???^^;
I posted this because I thought it would help to show what is actually happening in the field.

I changed the IP addresses arbitrarily myself.
If you run Cisco routers or switches, please refer to the items below;
this is recommended for enterprise sites (companies, schools, government offices, hospitals, research institutes, etc.) rather than for ISPs.
 
Security features available on Cisco routers and switches...
 
Existing routers
Filtering of some viruses such as Code Red and Nimda
Limiting specific traffic with CAR --> can be adjusted automatically per time of day
IP spoofing defense
TCP SYN attack limiting
Smurf defense
UDP flooding limiting
Ping limiting
Ping fragmentation attack limiting
Restricting specific IPs/ports per time of day
etc..
 
 
Existing switches
Restricting specific ports/IPs within the same subnet
Limiting specific traffic with CAR --> can be adjusted automatically per time of day
Filtering of some viruses such as Code Red and Nimda (only on WAN links; not possible on Metro)
IP spoofing defense
TCP SYN attack limiting
Smurf defense
UDP flooding limiting
Ping limiting
Ping fragmentation attack limiting
Restricting specific IPs/ports per time of day
Access control within the same VLAN/subnet
etc...