tag:blogger.com,1999:blog-5660251691016620362011-11-27T15:24:47.933-08:00생각 THINK 더하기Petehttp://www.blogger.com/profile/11210091684240727558noreply@blogger.comBlogger11100tag:blogger.com,1999:blog-566025169101662036.post-69004273150358344722011-02-11T23:26:00.000-08:002011-02-11T23:26:26.625-08:00Router 보안 - 안전한 라우터 운영을 위한 튜닝 전체공개Router 보안 - 안전한 라우터 운영을 위한 튜닝 <br />불필요한 Global Service 정지<br />Disabling service finger – Finger Service 정지<br />Disabling service pad – PAD(X.25) Service 정지<br />Disabling udp & tcp small servers – Echo,Discard,Chargen,Daytime Service 정지<br />Enabling service password encryption – Password 암호화 기능 구동<br />Enabling service tcp-keepalives-in/out – Session Keepalive Service 구동<br />Disabling the cdp protocol – CDP Service 정지<br />Disabling the bootp server – Bootp Server Service 정지<br />Disabling the http server – Http Server 기능 정지<br />Disabling source routing – IP 변조 방지를 위한 Source Routing 기능 정지<br />Disabling gratuitous arp – PPP connection,IP negotiation 등에 사용되는 ARP 도용 서비스 차단<br />Configuring aaa local authentication – AAA 생성 서비스<br />외부로 부터의 접속 강화 서비스 – Telnet,Console,Aux 등…<br />Banner 자동 생성 기능<br /><br /><br />불필요한 Interface Service 정지<br />no ip redirects – icmp redirect message 차단<br />no ip proxy-arp – Proxy arp service 정지<br />no ip unreachables – ICMP unreachable service 정지<br />no ip directed-broadcast – Broadcast service 정지<br />no ip mask-reply – ICMP mask-reply 정지<br /><br />성능 강화와 IP filtering<br />CEF Enable <br />Ingress Filtering – 사용하지 않는 사설 IP, IANA address<br />uRPF - IP 변조방지 구성<br /><br />“Auto Secure” 명령어를 통한 보안 강화<br /> “One Touch” device lock down process – command 한줄로 라우터의 보안구성을 자동으로 실행<br /><br />CPP 구성<br />CPP (Control Plane Policing) 구성 예제 <br /><br />##Access-list 작성##<br />Router(config)# access-list 141 permit icmp any any port-unreachable<br /><br />##Class-Map 작성##<br />Router(config)# class-map icmp-class <br />Router(config-cmap)# match access-group 141 <br /><br />##Policy-Map 작성##<br />Router(config)# policy-map control-plane-out-policy <br />Router(config-pmap)# class icmp-class <br />Router(config-pmap-c)# police 80000 conform transmit exceed drop <br /><br />##Control Plane 에 적용##<br />Router(config)# control-plane <br />Router(config-cp)# service-policy output control-plane-policy <br /><br />Port Security – MAC 변조 방지 기능<br />Switch(config)# interface fastethernet 5/12<br />Switch(config-if)# switchport mode access<br />Switch(config-if)# switchport port-security<br />Switch(config-if)# switchport port-security maximum 5 à 최대 허용 MAC Address<br />Switch(config-if)# switchport port-security mac-address 1000.2000.3000 à 허용 MAC address<br />Switch(config-if)# switchport port-security violation [protect/restrict/shutdown] <br /> à 규칙 위반 시 Action<br /><br />Port Security – MAC flooding 방어<br />Console> (enable) set port security 2/1 enable<br />Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08 à 허용 MAC address<br />Console> (enable) set port security 2/1 maximum 20 à 최대 허용 MAC Address<br />Console> (enable) set port security 2/1 violation [restrict/shutdown] à 규칙 위반 시 Action<br /><br />Port Security – 공격자 MAC 제어 기술<br />Attacker로 의심이 되는 특정 MAC Address 만을 Filtering <br />4500(config)# mac-address-table static 0050.3e8d.4444 vlan (해당vlan) drop<br /> à 해당 Vlan Interface에 올라오는 MAC Address Filtering<br />4500(config)# show mac-address-table dynamic <br /> à 현재 Switch로 올라오는 CAM Table 조회 명령<br /><br />Console> (enable) set cam static filter 00-02-03-04-05-06 12(해당 Vlan 번호)<br /> à 해당 Vlan Interface에 올라오는 MAC Address Filtering <br />Console> (enable) clear cam 00-02-03-04-05-06 12(해당 Vlan 번호)<br /> à filtering 해제 <br />Console> show cam static à 현재 Switch로 올라오는 CAM Table 조회 명령<br /><br />Multi/Broadcast Flooding 제어기술 : Storm Control (Bandwidth 대비 Percentage 적용)<br />Router# configure terminal<br />Router(config)# interface gigabitethernet 3/16<br />Router(config-if)# storm-control multicast level 70.5<br /> à Multicast 70.5% 이상이면 억제<br /><br />Console> (enable) set port broadcast 2/1 80% multicast enable <br /> à Multicast 70.5% 이상이면 억제 : default packet drop <br />Console> (enable) clear port broadcast 2/1 <br /> à 구성 해제<br />Console> (enable) set port broadcast 4/6 90% violation errdisable <br /> à Broadcast 90% 이상 이면 Interface errdisable로 만듦 <br /><br />공격자 MAC 추적 기술 : L2 Trace<br />(Cat OS, Native IOS 지원 : 특정 MAC이 연결된 장비 및 포트 현황 추적 기능 지원)<br />Cat OS Layer 2 Trace를 통한 MAC address 추적<br />의심이 가는 Switch에서 Layer 2 trace 명령을 통한 추적<br />6509> (enable) l2trace 00-00-e8-34- 00-01-e6-27- detail <br />l2trace vlan number is 222.<br />Attention: Source 00-00-e8-34-d2-96 is not directly attached to this system.<br />Source 00-00-e8-34- found in WS-C4006 : 100.248.2.254 <br />WS-C4006 : cat4006 : 100.248.2.254: 4/27 10MB half duplex -> 2/1-2 1000MB full duplex<br />WS-C6509 : cat6509 : 100.248.117.78: 3/14,4/14 1000MB full duplex <br />-> 8/44 10MB half duplex<br />Destination 00-01-e6-27- found in WS-C6509 named BB_6509 <br />on port 8/44 10MB half duplex<br />DHCP사용환경, IP Spoofing 시 유용한 추적<br /><br />Cisco IOS Layer 2 Trace를 통한 MAC address 추적<br />의심이 가는 Switch에서 Layer 2 trace 명령을 통한 추적<br />Switch# traceroute mac 0000.0201.0601 0000.0201.0201 detail<br />Source 0000.0201.0601 found on con6[WS-C3750-12T] (2.2.6.6)<br />con6 / WS-C3750-12T / 2.2.6.6 :<br />Gi0/0/2 [auto, auto] => Gi0/0/3 [auto, auto]<br />con5 / WS-C2950G-24-EI / 2.2.5.5 :<br />Fa0/3 [auto, auto] => Gi0/1 [auto, auto]<br />con1 / WS-C3550-12G / 2.2.1.1 :<br />Gi0/1 [auto, auto] => Gi0/2 [auto, auto]<br />con2 / WS-C3550-24 / 2.2.2.2 :<br />Gi0/2 [auto, auto] => Fa0/1 [auto, auto]<br />Destination 0000.0201.0201 found on con2[WS-C3550-24] (2.2.2.2)<br />Layer 2 trace completed.<br />DHCP사용환경, IP Spoofing 시 유용한 추적<br /><br />Snooping 방지 : Private VLAN<br />Private Vlan : 동일 Vlan 내부에서의 불필요한 Traffic 제어<br />Community Vlan : C-vlan 간 Host만 통신이 가능<br />Isolated Vlan : I-Vlan 간 Host도 통신 불가<br />Promiscuous Port : 모든 Pvlan Host는 P-port를 통한 외부 통신 가능<br /><br />Private VLAN 생성 및 Sub VLAN 역할 담당<br />vlan 65<br /> private-vlan primary<br /> private-vlan association 651-653<br />vlan 651<br /> private-vlan community<br />vlan 652<br /> private-vlan isolated<br />vlan 653<br /> private-vlan community<br />Primary VLAN과 Secondary VLAN Association 구성<br />vlan 65<br /> private-vlan association 651,652,653<br />interface vlan 65<br />private-vlan mapping add 651,652,653<br />물리적 포트에 secondary vlan 할당<br />Router(config)# interface fastethernet 9/1<br />Router(config-if)# switchport mode private-vlan host<br />Router(config-if)# switchport private-vlan host-association 65 651<br />Layer 2 장비로 운용시 promiscuous port 할당<br />Router(config)# interface fast 9/48<br />Router(config-if)# switchport mode private-vlan promiscuous<br />Router(config-if)# switchport private-vlan mapping 65,651,652,653<br />※ Catalyst 4000 / 4500 series 는 Isolated VLAN 만 구성가능 / Community VLAN 구성 불가<br /><br />Cat OS에서의 PVLAN 구성 방법<br />set vlan 65 pvlan-type primary : Pvlan Primary Vlan 생성<br />set vlan 651 pvlan-type community : Pvlan Secondary Vlan 생성 – Community Vlan<br />set vlan 652 pvlan-type isolated : Pvlan Secondary Vlan 생성 – Isolated Vlan<br />set vlan 65 651 9/1 : 물리적 Port에 Secondary Vlan 할당<br />set vlan 65 652 9/2 : 물리적 Port에 Secondary Vlan 할당<br />set vlan mapping 7 651 5/11 : Promiscuous 생성 및 할당<br />set vlan mapping 7 652 5/11 <br /><br />Private Vlan Edge 기능<br />Isolated Vlan : Protected기능을 통한 특정 Host 보호간 상호 독립 기능<br />Protected와 설정되지 않은 Port간, G/W를 통한 외부 통신 가능<br /><br />Private VLAN edge 기능 구성 예제<br />3550(config)# interface gigabitethernet0/3 <br />3550(config-if)# switchport protected <br />3550(config-if)# end <br />3550# show interfaces gigabitethernet0/3 switchport <br />Name: Gi0/3 <br />Switchport: Enabled <br /><output truncated><br />Protected: True <br />Unknown unicast blocked: disabled <br />Unknown multicast blocked: disabled <br />Broadcast Suppression Level: 100 <br />Multicast Suppression Level: 100 <br /><br />IP 변조 방지 기능 : uRPF(Unicast Reverse Path Forwarding)<br /><br />DHCP request flooding 공격 방어 : DHCP snooping rate limit 기능<br />-> DHCP Scope Size 전체에 IP 할당을 요청하여, DHCP Server 과부하 발생 시킴<br />DHCP Request Flooding 공격 방어 구성 예제.<br />Switch(config)# ip dhcp snooping à DHCP Snooping enable<br />Switch(config)# ip dhcp snooping vlan 10 à DHCP Snooping 적용 Vlan 정의 <br />Switch(config-if)# ip dhcp snooping limit rate 100(pps) à DHCP Request 허용 수치 제한<br /><br />DHCP Server 위조 공격 방어 : DHCP snooping Trust 기능<br />-> DHCP Request 에 대해, 공격자가 거짓된 정보를 전달함<br />DHCP Request Flooding 공격 방어 구성 예제.<br />Switch(config)# ip dhcp snooping à DHCP Snooping enable<br />Switch(config)# ip dhcp snooping vlan 10 à DHCP Snooping 적용 Vlan 정의 <br />Switch(config-if)# ip dhcp snooping trust à DHCP discover, request 등 메시지를 해당 Port만 수용<br /><br />DHCP Snooping을 통한 MAC 변조 방지 기능 – ARP Inspection<br />DHCP Snooping을 통한 IP 변조 방지 기능 – IP Source Guard<br /><br />-> ARP Inspection<br />S1(config)# ip arp inspection vlan 1<br />S1(config-if)# ip arp inspection trust<br />S1# show ip dhcp snooping binding<br />MacAddress IpAddress Lease(sec) Type VLAN Interface<br />------------ --------- ---------- ---------- ---- -------------<br />01:01:01:11 1.1.1.11 4993 dhcp-snooping 1 FastEthernet6/4<br />00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Fa6/4, vlan<br />1.([01.01.01.11/1.1.1.22/0000.0000.0000/0.0.0.0/02:42:35 UTC Tue Jul 10 2001])<br /><br />-> IP Source Guard 구성<br />Switch(config)# ip dhcp snooping<br />Switch(config)# ip dhcp snooping vlan 10 20<br />Switch(config-if)# no ip dhcp snooping trust<br />Switch(config-if)# ip verify source vlan dhcp-snooping port-security<br />Switch(config)# ip source binding ip-addr ip vlan number interface interface<br />Switch# sh ip verify source interface f6/1<br />Interface Filter-type Filter-mode IP-address Mac-address Vlan<br />------- -------- ----------- ----------- ------------- -------<br />Fa6/1 ip-mac active 10.0.0.1 10<br />Fa6/1 ip-mac active deny-all 11-20<br /><br />Packet filtering을 위한 ACL의 이해 – Nachi Worm 취약점 Blocking <br />일반적인 ACL 정의<br />Switch(config)#ip access-list extended worm_block<br />Switch(config)# deny tcp any any 135<br />Switch(config)# deny tcp any any 139<br />Switch(config)# deny tcp any any 445<br />Switch(config)# deny tcp any any 4444<br />Switch(config)# deny tcp any any 707<br />Switch(config)# deny udp any any 69<br />Switch(config)# deny icmp any any echo <br />Switch(config)# deny icmp any any echo-reply<br />Switch(config)# permit ip any any<br />à ICMP Echo Service 막을 경우 network 진단 방법이 어려워지므로, PBR을 권고<br /><br />Vlan AccessMap 정의<br />Switch(config) #vlan access-map worm_vacl 10<br />Switch(config)#match ip address worm_block à 앞서 정의된 일반적인 ACL을 불러들임<br />Switch(config)#action forward <br />à 일반적인 ACL에 정의된 내용에 대한 부분은 모두 Drop 해당 Vlan Interface에 적용<br />Switch(config)#vlan filter worm_vacl vlan-list 100 - 150 <br />à VACL이 적용될 해당 Vlan을 선언해 주는 부분<br /><br />-> Catalyst OS를 통한 VACL 구성 방법<br />Vlan 기반 ACL 정의<br />set security acl ip VACL deny udp any eq 4444 any <br />set security acl ip VACL deny udp any any eq 4444 <br />set security acl ip VACL deny tcp any eq 135 any <br />set security acl ip VACL deny tcp any any eq 135 <br />à Blaster Worm 관련 config<br />set security acl ip VACL deny tcp any eq 707 any <br />set security acl ip VACL deny tcp any any eq 707<br />à Nachi worm 관련 config<br />set security acl ip VACL permit ip any any <br />à Worm을 제외한 모든 traffic permit<br />정의된 VACL을 해당 Vlan에 적용<br />commit security acl VACL<br />set security acl map VACL <적용하고자 하는 VLAN번호><br />VACL 해제 방법<br />clear security acl VACL<br />commit secuirty acl VACL<br /><br />유연한 ACL 구성 – Time Based ACL<br />“ MSN Messenger 를 Work Time에만 사용토록 설정 “<br />“ 주말에는 모든 시간대에 사용토록 설정 “<br />Router#sh clock <- 현재 라우터 또는 스위치의 시간 설정 확인<br />16:58:53.719 KST Sat Nov 1 2003<br />Time-Based ACL 구성 방법<br />access-list 101 deny ip any 207.46.104.0 0.0.0.255 time-range msn<br />access-list 101 deny tcp any any eq 1863 time-range msn<br />access-list 101 deny tcp any any range 6891 6900 time-range msn<br />access-list 101 deny udp any any eq 6901 time-range msn<br />access-list 101 permit ip any any <br /><br />ACL 적용<br />interface fastethernet 0 --> 내부 이더넷<br />ip access-group 101 in<br />Time Rule 설정<br />Router(config)#time-range msn<br />Router(config-time-range)#periodic weekdays 09:00 to 18:00 <br /> --> 월요일 부터 금요일 까지 매일 아침 9시 부터 저녁 6시 까지만 적용<br /> 정상 작동 확인<br />Router#sh access-lists<br />Extended IP access list 101<br />deny ip any 207.46.104.0 0.0.0.255 time-range msn (inactive)<br />--> 현재 시각이 토요일 이므로 자동 비활성<br />deny tcp any any eq 1863 time-range msn (inactive)<br />deny tcp any any range 6891 6900 time-range msn (inactive)<br />deny udp any any eq 6901 time-range msn (inactive)<br />permit ip any any <br /><br />Catalyst 4500 에서의 QoS를 통한 TCP Synflood Attack 방어 요령<br />qos aggregate-policer limit 32000 bps 4000 byte conform-action transmit exceed-action drop <br />qos<br />!<br />class-map match-all c_syn<br />match access-group 101<br />!<br />policy-map p_syn<br /> class c_syn<br /> police aggregate limit<br />!<br />interface FastEthernet4/34<br />switchport access vlan 45<br />switchport mode access<br />qos vlan-based<br />!<br />interface Vlan45<br />ip address 10.10.45.2 255.255.255.0<br />service-policy input p_syn<br />!<br />ip classless<br />ip route 0.0.0.0 0.0.0.0 10.10.45.1<br />no ip http server<br />!<br />!<br />ip access-list extended syn_acl<br />permit tcp any any syn<br />!<br />access-list 101 permit tcp any any syn<br /><br />잠재적인 공격 대비 QoS 구성 : Cat6500 Policing<br />mls qos <br />-> mls QoS enable<br />access-list 113 permit icmp any any echo<br />access-list 113 permit icmp any any echo-reply<br />-> icmp attack marking<br />access-list 111 permit tcp any any eq 135<br />access-list 111 permit tcp any any eq 4444<br />access-list 111 permit tcp any any eq 707<br />access-list 111 permit udp any any eq 69<br />-> Blaster worm,Nachi worm marking<br />access-list 112 permit tcp any any syn<br />-> syn flooding attack 방어 marking<br />access-list 101 permit tcp any any syn<br />-> syn flooding attack 방어 marking<br /><br />해당 Class-map 정의 <br />class-map match-all icmp_attack<br /> match access-group 113<br />class-map match-all Blaster_0815_attack<br /> match access-group 112<br />class-map match-all Blaster_Nachi<br /> match access-group 111<br />각 Class에 해당되는 ACL 포함시킴<br /><br />policy-map QoS<br /> class icmp_attack<br /> police 32000 1000 1000 conform-action transmit exceed-action drop violate-action drop<br /> class Blaster_0815_attack<br /> police 32000 1000 1000 conform-action transmit exceed-action drop violate-action drop<br /> class Blaster_Nachi<br /> police 32000 1000 1000 conform-action transmit exceed-action drop violate-action drop<br />-> 각 Class 모두 32Kbps 이상이면 모두 Drop 시킴<br /><br />set qos enable<br /> à QoS 활성화 시키기<br />set qos policer aggregate policer_worm rate 32 policed-dscp erate 32 drop burst 4 eburst 4 <br /> à 32Kbps 이상 worm에 관련된 ACL이 들어올 경우 Drop 시킨다.<br />set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 135 <br />set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 4444 <br />set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 707 <br />set qos acl ip worm dscp 8 aggregate policer_worm udp any any eq 69 <br />set qos acl ip worm dscp 8 aggregate policer_worm icmp any any echo <br />set qos acl ip worm dscp 8 aggregate policer_worm icmp any any echo-reply<br />à Blaster worm, Nachi worm,ICMP Attack 관련 정의<br /><br />활성화 및 적용/해제/Monitoring<br />commit qos acl worm à QoS ACL 활성화<br />set qos acl map worm 100 à 적용하고자 하는 Vlan or Interface 적용<br /><br />Clear qos acl worm<br />Commit qos acl worm à QoS 해제 <br />Cat6500> (enable) sh qos statistics aggregate-policer policer_worm<br />QoS aggregate-policer statistics:<br />Aggregate policer Allowed packet Packets exceed Packets exceed<br /> count normal rate excess rate<br />------------------------------- -------------- -------------- --------------<br />policer_worm 268 11 11<br />à 해당 QoS 에 적용되어 Drop 되는 packet monitoring<br /><br />NBAR(Network Based Application Recognition) – 어플리케이션 레벨의 특정 서비스 인지<br />※ Virus Pattern 인식 – Code Red, Nimda<br />-> 인지 후 DSCP Marking을 통해 Drop Action 가능<br />※ 다양한 Service Protocol 인식을 통한 통계 분석 가능<br />※ Core Router/Switch 구간의 NBAR Enable을 통한 P2P 통계치 분석 가능 <br />-> MIB 지원, QPM, QDM 을 통한 GUI 환경의 사용자 기반 관리 도구 제공<br /><br />DoS 방어를 위한 CAR Rate Limiting<br />※ Limit outbound ping to 256 Kbps <br />interface xy <br />rate-limit output access-group 102 256000 8000 8000<br />conform-action transmit exceed-action drop <br />!<br />access-list 102 permit icmp any any echo<br />access-list 102 permit icmp any any echo-reply<br />※ Limit inbound TCP SYN packets to 8 Kbps<br />interface xy <br />rate-limit input access-group 103 8000 8000 8000<br />conform-action transmit exceed-action drop <br />!<br />access-list 103 permit tcp any any syn<br /><div style="margin: 15px 0px 0px;">출처 : <a href="http://tong.nate.com/boxitem/post.do?action=read&_boxID=2592282&_tongID=1104853&_boxItemID=37196881&_reloadTag=y" target="_blank" title="제목 부분을 클릭하면원 게시물을 볼 수 있습니다.">Tong - eelee777님의 network통</a></div>네이트 통 이제 서비스 안하네요.<br />자료 저장도 못했는데.... 다른분이 복사해간걸 다시 복사..^^ by 파란 - 천사<br /><script>function hrefMark(){ }function hrefPageGo(mark){ try{ if(mark == 'top'){ parent.window.scrollTo(0,0); }else{ document.location.href=this.location.href+"#comment"; } }catch(e){}}//포스트 글로딩후 top포커수 주기setTimeout('hrefPageGo("top")',300);</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/566025169101662036-6900427315035834472?l=thinkplay.blogspot.com' alt='' /></div>Petehttp://www.blogger.com/profile/11210091684240727558noreply@blogger.com0