This week I started studying the Cisco security course. I have a few brick-sized books waiting to be worked through and a long road ahead. Onward!

This first security study note goes over some basic features of the firewall.

Topology: (diagram not preserved in this copy; its title was "PIX Study Notes (1): Basic Firewall Features")

Basic configuration

R1:
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 14.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 passive-interface Loopback0
 network 1.1.1.0 0.0.0.255 area 0
 network 14.1.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 14.1.1.4
!

R2:
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 24.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 router-id 2.2.2.2
 log-adjacency-changes
 passive-interface Loopback0
 network 2.2.2.0 0.0.0.255 area 0
 network 24.1.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 24.1.1.4
!

R3:
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 34.1.1.3 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 router-id 3.3.3.3
 log-adjacency-changes
 passive-interface Loopback0
 network 3.3.3.0 0.0.0.255 area 0
 network 34.1.1.3 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 34.1.1.4
!

PIX:
PIX Version 8.0(2)
!
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 24.1.1.4 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 14.1.1.4 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 0
 ip address 34.1.1.4 255.255.255.0
!
router ospf 10
 network 14.1.1.4 255.255.255.255 area 0  # note: a real subnet mask here, not an IOS wildcard mask
 network 24.1.1.4 255.255.255.255 area 0
 network 34.1.1.4 255.255.255.255 area 0
 log-adj-changes
!

A few notes on the PIX configuration:

1. A PIX interface must be given a nameif; this is different from configuring an interface on a router or switch. Without a nameif, the interface passes no traffic at all. Later, when we create subinterfaces on an interface to split it into VLANs, this property is how we keep a subinterface from passing traffic: simply leave its nameif unconfigured.

2. If an interface is given the nameif inside, its security level defaults to 100; an interface with any other name defaults to security level 0. By default the firewall denies traffic from a lower-security interface to the network behind a higher-security interface, and interfaces at the same security level are denied access to each other by default.

3. The firewall does not deny traffic addressed to the device itself, but it filters traffic that passes through it.

Below are several show commands that are used frequently on the PIX.

1. Show version information

PIX# sh version
Cisco PIX Security Appliance Software Version 8.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

PIX up 1 hour 25 mins
Hardware:   PIX-525, 256 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
 0: Ext: Ethernet0           : address is 00aa.00f2.1b00, irq 9
 1: Ext: Ethernet1           : address is 00aa.00f2.1b01, irq 11
 2: Ext: Ethernet2           : address is 00aa.00f2.1b02, irq 11
 3: Ext: Ethernet3           : address is 0000.abcd.ef03, irq 11
 4: Ext: Ethernet4           : address is 0000.abcd.ef04, irq 11
Licensed features for this platform:
Maximum Physical Interfaces  : 10
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 808102688
Running Activation Key: 0xd2390d2c 0x9fc4b36d 0x98442d99 0xeef7d8b1
Configuration last modified by enable_15 at 14:56:59.977 UTC Tue Oct 19 2010

2. Show interface addresses

PIX# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                24.1.1.4        255.255.255.0   manual
Ethernet1                inside                 14.1.1.4        255.255.255.0   manual
Ethernet2                dmz                    34.1.1.4        255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                24.1.1.4        255.255.255.0   manual
Ethernet1                inside                 14.1.1.4        255.255.255.0   manual
Ethernet2                dmz                    34.1.1.4        255.255.255.0   manual

3. Show the routing table

PIX# sh route
....omitted
Gateway of last resort is not set
C    34.1.1.0 255.255.255.0 is directly connected, dmz
O    1.1.1.0 255.255.255.0 [110/11] via 14.1.1.1, 0:00:47, inside
O    2.2.2.0 255.255.255.0 [110/11] via 24.1.1.2, 0:00:39, outside
O    3.3.3.0 255.255.255.0 [110/11] via 34.1.1.3, 0:00:29, dmz
C    24.1.1.0 255.255.255.0 is directly connected, outside
C    14.1.1.0 255.255.255.0 is directly connected, inside

The PIX has a handy variant of this command that filters the routing table by interface, so we can see which routes were received through a given interface.

PIX# sh route inside
....omitted
Gateway of last resort is not set
O    1.1.1.0 255.255.255.0 [110/11] via 14.1.1.1, 0:02:51, inside
C    14.1.1.0 255.255.255.0 is directly connected, inside

PIX# sh route outside
....omitted
Gateway of last resort is not set
O    2.2.2.0 255.255.255.0 [110/11] via 24.1.1.2, 0:03:08, outside
C    24.1.1.0 255.255.255.0 is directly connected, outside
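As an added example (not PIX code and not part of the original post), here is a small parser for the `show route` output quoted above. It reproduces the per-interface filter of `show route <interface>` offline and adds one check the post does not perform: listing dynamically learned routes whose egress interface sits at security level 0 (outside and dmz in this lab). Those routes come from an OSPF neighbour on an untrusted interface, so they are the ones a reviewer would want to look at. The sample table is the one printed in the post; the function names, the `LAB_LEVELS` mapping and the "level 0 means untrusted" threshold are my own assumptions.

```python
import re
from ipaddress import ip_network

# One PIX routing-table line. Dynamic routes carry [AD/metric], a next hop and
# (for OSPF) an age; connected routes say "is directly connected".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2}(?: [A-Z0-9]{1,2})?)\s+"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3}),\s+"
    r"(?:(?P<age>\d+:\d+:\d+),\s+)?"
    r"|is directly connected,\s+)"
    r"(?P<itf>\S+)\s*$"
)

# The `show route` table printed in this post (copied from the post, not constructed).
SAMPLE = """\
Gateway of last resort is not set

C    34.1.1.0 255.255.255.0 is directly connected, dmz
O    1.1.1.0 255.255.255.0 [110/11] via 14.1.1.1, 0:00:47, inside
O    2.2.2.0 255.255.255.0 [110/11] via 24.1.1.2, 0:00:39, outside
O    3.3.3.0 255.255.255.0 [110/11] via 34.1.1.3, 0:00:29, dmz
C    24.1.1.0 255.255.255.0 is directly connected, outside
C    14.1.1.0 255.255.255.0 is directly connected, inside
"""

# Security levels of the lab interfaces, taken from the PIX configuration above.
LAB_LEVELS = {"outside": 0, "inside": 100, "dmz": 0}


def parse_routes(text):
    """Turn `show route` text into a list of dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, "Gateway of last resort", blank lines
        d = m.groupdict()
        routes.append({
            "code": d["code"],
            "prefix": ip_network(f"{d['net']}/{d['mask']}", strict=False),
            "ad": int(d["ad"]) if d["ad"] else 0,
            "metric": int(d["metric"]) if d["metric"] else 0,
            "next_hop": d["nh"],      # None for connected routes
            "age": d["age"],          # None when no age is printed (e.g. static routes)
            "interface": d["itf"],
        })
    return routes


def routes_via(routes, interface):
    """The same filter `show route <interface>` applies: match on egress interface."""
    return [r for r in routes if r["interface"] == interface]


def dynamic_routes_on_untrusted(routes, levels, threshold=0):
    """Dynamically learned routes (anything but connected/static) whose egress
    interface sits at or below `threshold`. Assumption: level 0 means untrusted."""
    return [r for r in routes
            if not r["code"].startswith(("C", "S"))
            and levels.get(r["interface"], 0) <= threshold]


def format_route(r):
    """Render one parsed route in the style of the original `show route` output."""
    if r["next_hop"] is None:
        return f"{r['code']:<4} {r['prefix']} is directly connected, {r['interface']}"
    age = f"{r['age']}, " if r["age"] else ""
    return (f"{r['code']:<4} {r['prefix']} [{r['ad']}/{r['metric']}] "
            f"via {r['next_hop']}, {age}{r['interface']}")


if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for itf in LAB_LEVELS:
        print(f"show route {itf}")
        for r in routes_via(table, itf):
            print("  " + format_route(r))
    print("dynamic routes learned on level-0 interfaces:")
    for r in dynamic_routes_on_untrusted(table, LAB_LEVELS):
        print("  " + format_route(r))
```

Running the file prints the three per-interface views and then the two OSPF routes (2.2.2.0/24 and 3.3.3.0/24) that arrived on level-0 interfaces. The regex also accepts a static default such as `S*   0.0.0.0 0.0.0.0 [1/0] via 24.1.1.2, outside`, which the PIX prints without an age.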

Now let's test some basic firewall features.

1. Traffic to the firewall is allowed; traffic through it is not

R1 pings the PIX interface it is directly connected to, then pings the other PIX interface across that directly connected interface.

R1#ping 14.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/100/192 ms

R1#ping 24.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The first ping succeeds; the second has to cross one of the firewall's interfaces and is therefore denied.

2. A higher security level can access a lower one; a lower security level cannot access a higher one.

First we test with ping, from R1's loopback 0 to the loopback 0 of R2 and R3.

R1#ping 2.2.2.2 sou l0 re 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..
Success rate is 0 percent (0/2)

The ping fails. The echo request does reach R2; there is no reply because when R2 sends it, the firewall drops it under the default rule that a lower-security interface cannot access a higher-security interface. Below is the debug output on R2.

R2#
*Mar  1 00:59:17.839: ICMP: echo reply sent, src 2.2.2.2, dst 1.1.1.1
R2#
*Mar  1 00:59:19.819: ICMP: echo reply sent, src 2.2.2.2, dst 1.1.1.1

To keep R2's replies from being dropped, an ACL has to be defined manually on the PIX to permit this traffic.

access-list per-icmp extended permit icmp 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-group per-icmp in int outside

Now the ping succeeds.

R1#ping 2.2.2.2 sou l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/127/204 ms

3. Telnet

Once the basic configuration is in place, the PIX needs no further policy for a network behind a higher-security interface to telnet to a network behind a lower-security interface; the reverse direction, and telnet between networks behind interfaces at the same level, are not allowed.

1) First change the security level of the dmz interface to 50

PIX(config)# in e 2
PIX(config-if)# security-level 50

2) First test telnet from inside to outside and to dmz

R1#telnet 2.2.2.2 /sour l0
Trying 2.2.2.2 ... Open
R2>exi
[Connection to 2.2.2.2 closed by foreign host]

R1#telnet 3.3.3.3 /sour l0
Trying 3.3.3.3 ... Open
R3>exit
[Connection to 3.3.3.3 closed by foreign host]

Telnet succeeds.

3) Next test telnet from dmz to outside

R3#telnet 2.2.2.2 /sour l0
Trying 2.2.2.2 ... Open
R2>exit
[Connection to 2.2.2.2 closed by foreign host]

Telnet succeeds here as well.

4) Test telnet from a lower security level to a higher one.

R3#telnet 1.1.1.1 /sour l0
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding

R2#telnet 3.3.3.3 /sour l0
Trying 3.3.3.3 ...
% Connection timed out; remote host not responding

Telnet does not get through.

4. Test access control between interfaces at the same security level.

1) First set all three firewall interfaces to the same security level.

PIX(config)# in e0
PIX(config-if)# sec 10
PIX(config-if)# in e1
PIX(config-if)# sec 10
PIX(config-if)# in e 2
PIX(config-if)# sec 10

2) Test telnet.

R1#telnet 2.2.2.2 /sour l0
Trying 2.2.2.2 ...
% Connection timed out; remote host not responding

R1#telnet 3.3.3.3 /sour l0
Trying 3.3.3.3 ...
% Connection timed out; remote host not responding

Telnet fails: by default the firewall denies traffic between interfaces at the same security level. This restriction can be lifted manually with the following command:

PIX(config)# same-security-traffic permit inter-interface

Test again.

R1#telnet 3.3.3.3 /sour l0
Trying 3.3.3.3 ... Open
R3>exit
[Connection to 3.3.3.3 closed by foreign host]

R1#telnet 2.2.2.2 /sour l0
Trying 2.2.2.2 ... Open
R2>exi
[Connection to 2.2.2.2 closed by foreign host]
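To tie the notes on the PIX configuration and tests 2 to 4 together, here is a small Python model of the default traversal rules they describe. It is an added example, not PIX code and not code from the original post: the interface names, security levels, addresses and the `per-icmp` ACL are taken from this lab, while the function names, the connection table and the `icmp_inspection` switch are my own assumptions. Two details go beyond what the post states but match how the platform behaves: once an access-group is applied to an interface, that ACL decides for every packet entering the interface (with an implicit deny at the end) instead of the security-level rule; and TCP replies pass because the firewall tracks the connection, whereas ICMP replies are only tracked when ICMP inspection is enabled, which is why the echo reply in test 2 was dropped until the ACL was added.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    nameif: Optional[str]          # None models an interface with no `nameif`
    security_level: int
    acl: list = field(default_factory=list)   # ACEs applied with `access-group ... in interface`


@dataclass
class Firewall:
    interfaces: dict
    same_security_permit: bool = False   # `same-security-traffic permit inter-interface`
    icmp_inspection: bool = False        # assumption: models ICMP inspection, off in this lab
    connections: set = field(default_factory=set)   # (proto, src, sport, dst, dport)


def parse_ace(line):
    """Parse `access-list NAME extended permit PROTO SRC MASK DST MASK`.
    PIX ACLs take real subnet masks, not IOS wildcard masks."""
    p = line.split()
    if len(p) < 9 or p[0] != "access-list" or p[2:4] != ["extended", "permit"]:
        raise ValueError("only `extended permit` entries are modelled: " + line)
    src = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)
    dst = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
    return (p[4], src, dst)


def acl_permits(acl, proto, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(proto == ap and s in sn and d in dn for ap, sn, dn in acl)


def forward(fw, proto, src, dst, ingress, egress, sport=0, dport=0):
    """Decide one packet entering `ingress` and leaving `egress`.
    Returns "forwarded" or "denied: <reason>"."""
    i, e = fw.interfaces[ingress], fw.interfaces[egress]
    if i.nameif is None or e.nameif is None:
        return "denied: an interface without nameif passes no traffic"
    stateful = proto == "tcp" or (proto == "icmp" and fw.icmp_inspection)
    if stateful and (proto, dst, dport, src, sport) in fw.connections:
        return "forwarded"            # return half of an existing connection
    if i.acl:                         # an applied ACL replaces the level rule, implicit deny
        ok = acl_permits(i.acl, proto, src, dst)
    elif i.security_level > e.security_level:
        ok = True                     # high -> low is allowed by default
    elif i.security_level == e.security_level:
        ok = fw.same_security_permit  # same level needs the explicit permit
    else:
        ok = False                    # low -> high is denied by default
    if not ok:
        return (f"denied: {i.nameif}({i.security_level}) -> "
                f"{e.nameif}({e.security_level}) is not permitted")
    if stateful:
        fw.connections.add((proto, src, sport, dst, dport))
    return "forwarded"


def lab_firewall():
    """The PIX from this post: outside 0, inside 100, dmz 0, no ACLs."""
    return Firewall({
        "outside": Interface("outside", 0),
        "inside": Interface("inside", 100),
        "dmz": Interface("dmz", 0),
    })


def replay_tests():
    """Replay tests 2 to 4 of the post; returns {test name: decision}."""
    r = {}
    # test 2: the echo leaves, the reply is dropped until the outside ACL exists
    fw = lab_firewall()
    r["echo_in_to_out"] = forward(fw, "icmp", "1.1.1.1", "2.2.2.2", "inside", "outside")
    r["reply_no_acl"] = forward(fw, "icmp", "2.2.2.2", "1.1.1.1", "outside", "inside")
    fw.interfaces["outside"].acl.append(parse_ace(
        "access-list per-icmp extended permit icmp 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0"))
    r["reply_with_acl"] = forward(fw, "icmp", "2.2.2.2", "1.1.1.1", "outside", "inside")
    # test 3: dmz at 50; telnet follows the level order and its replies ride the connection
    fw = lab_firewall()
    fw.interfaces["dmz"].security_level = 50
    r["telnet_in_to_dmz"] = forward(fw, "tcp", "1.1.1.1", "3.3.3.3", "inside", "dmz", 40001, 23)
    r["telnet_reply_dmz_to_in"] = forward(fw, "tcp", "3.3.3.3", "1.1.1.1", "dmz", "inside", 23, 40001)
    r["telnet_dmz_to_out"] = forward(fw, "tcp", "3.3.3.3", "2.2.2.2", "dmz", "outside", 40002, 23)
    r["telnet_out_to_dmz"] = forward(fw, "tcp", "2.2.2.2", "3.3.3.3", "outside", "dmz", 40003, 23)
    # test 4: all three at level 10; denied until same-security traffic is permitted
    fw = lab_firewall()
    for itf in fw.interfaces.values():
        itf.security_level = 10
    r["same_level_default"] = forward(fw, "tcp", "1.1.1.1", "2.2.2.2", "inside", "outside", 40004, 23)
    fw.same_security_permit = True
    r["same_level_permitted"] = forward(fw, "tcp", "1.1.1.1", "2.2.2.2", "inside", "outside", 40004, 23)
    return r


if __name__ == "__main__":
    for name, decision in replay_tests().items():
        print(f"{name:24} {decision}")
```

Running the file prints one decision per replayed test, matching the outcomes above. The connection key includes the ports, so a new telnet from outside to dmz is not mistaken for the return half of the earlier dmz-to-outside session; switching `icmp_inspection` on makes the echo reply in test 2 pass without the ACL, which is the stateful alternative to the per-icmp access-list.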

Reposted from: https://blog.51cto.com/edges/407833
