

Securing Networks with Private VLANs and VLAN Access Control Lists (2)
2007-11-12   Cisco website

Private VLAN Configuration

The following configuration sets up PVLANs on the ports involved.
ecomm-6500-2 (enable) set vlan 41 pvlan primary
VTP advertisements transmitting temporarily stopped,
and will resume after the command finishes.
Vlan 41 configuration successful
ecomm-6500-2 (enable) sh pvlan
Primary Secondary Secondary-Type Ports
------- --------- -------------- -----
41      -         -
ecomm-6500-2 (enable) set vlan 42 pvlan isolated
VTP advertisements transmitting temporarily stopped,
and will resume after the command finishes.
Vlan 42 configuration successful
ecomm-6500-2 (enable) set pvlan 41 42 3/9-10
Successfully set the following ports to Private Vlan 41,42:
3/9-10
ecomm-6500-2 (enable) set pvlan mapping 41 42 3/35
Successfully set mapping between 41 and 42 on 3/35
ecomm-6500-2 (enable) set pvlan mapping 41 42 3/34
Successfully set mapping between 41 and 42 on 3/34
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
3/9   server_dmz1        connected  41,42      a-half a-10  10/100BaseTX
3/10  server_dmz2        connected  41,42      a-half a-10  10/100BaseTX
3/34  to_6500_1          connected  41         auto   auto  10/100BaseTX
3/35  external_router_dm connected  41         a-half a-10  10/100BaseTX
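To make the isolation rules behind this configuration concrete, here is a small Python model, added as an illustration and not Cisco code or part of the original document, of which port pairs in the table above may exchange frames at L2. The port table is transcribed from the output above (primary VLAN 41, isolated VLAN 42, isolated ports 3/9-10, promiscuous ports 3/34 and 3/35); the forwarding rules are the standard private-VLAN definitions, and the model also covers community ports, which this configuration does not use.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                  # "promiscuous", "isolated" or "community"
    primary: int
    secondary: Optional[int]   # None on promiscuous ports


# Port table transcribed from the 'set pvlan' / 'set pvlan mapping' output above.
PORTS: Dict[str, PvlanPort] = {
    "3/9":  PvlanPort("server_dmz1", "isolated", 41, 42),
    "3/10": PvlanPort("server_dmz2", "isolated", 41, 42),
    "3/34": PvlanPort("to_6500_1", "promiscuous", 41, None),
    "3/35": PvlanPort("external_router_dm", "promiscuous", 41, None),
}


def l2_can_forward(src: str, dst: str, ports: Dict[str, PvlanPort] = PORTS) -> bool:
    """True if a frame received on `src` may be bridged out of `dst`.

    Private-VLAN rules: a promiscuous port reaches every port of its primary
    VLAN; an isolated port reaches only promiscuous ports; a community port
    reaches promiscuous ports and the other members of its own community VLAN.
    """
    a, b = ports[src], ports[dst]
    if src == dst or a.primary != b.primary:
        return False
    if "promiscuous" in (a.role, b.role):
        return True
    if "isolated" in (a.role, b.role):
        return False
    return a.secondary == b.secondary   # both are community ports


def reachability(ports: Dict[str, PvlanPort] = PORTS) -> Dict[str, Dict[str, bool]]:
    """Full L2 forwarding matrix, keyed by source port then destination port."""
    return {s: {d: l2_can_forward(s, d, ports) for d in ports if d != s} for s in ports}


if __name__ == "__main__":
    for s, row in reachability().items():
        reachable = ", ".join(d for d, ok in row.items() if ok) or "(nothing)"
        print(f"{s} ({PORTS[s].name}) -> {reachable}")
```

Running it prints that 3/9 and 3/10 reach only the two promiscuous ports, which is exactly what the ping tests later on the page show: a server reaches its default gateway but not the other server in the same isolated VLAN.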

VACL Configuration on the Primary VLAN

This section is crucial to improving security in the DMZ. As described in the Known Limitations of VACLs and PVLANs section, even if the servers belong to two different secondary VLANs or to the same isolated VLAN, there is still a way an attacker can make them communicate with each other. If the servers try to communicate directly, they cannot do so at L2 because of the PVLANs. But if a compromised server is configured by the intruder so that traffic for its own subnet is sent to the router, the router will route that traffic back onto the same subnet, defeating the purpose of the PVLANs.

Therefore a VACL needs to be configured on the primary VLAN (the VLAN that carries the traffic from the routers) with the following policy:

  • Allow traffic whose source IP is the router's IP

  • Deny traffic whose source and destination IPs are both in the DMZ subnet

  • Allow all other traffic

ecomm-6500-2 (enable) sh sec acl info protect_pvlan
set security acl ip protect_pvlan
---------------------------------------------------
1. permit ip host 172.16.65.193 any
2. permit ip host 172.16.65.201 any
3. deny ip 172.16.65.192 0.0.0.15 172.16.65.192 0.0.0.15
4. permit ip any any
ecomm-6500-2 (enable) sh sec acl
ACL                              Type VLANS
-------------------------------- ---- -----
protect_pvlan                    IP   41

This ACL does not affect traffic generated by the servers; it only prevents the router from routing traffic coming from the servers back into the same VLAN. The first two statements allow the router to send messages such as ICMP redirects or ICMP unreachables to the servers.

VACL Configuration on the Secondary VLAN

The following configuration log shows how to set up a VACL that filters the traffic generated by the servers. With this VACL we want to achieve the following:

  • Allow ping from the servers (allow echo)

  • Prevent echo replies from leaving the servers

  • Allow HTTP connections originated from outside

  • Allow RADIUS authentication (UDP port 1645) and accounting (UDP port 1646) traffic

  • Allow DNS traffic (UDP port 53)

All other traffic is to be denied.

As far as fragmentation is concerned, we assume the following on the server segment:

  • The servers do not generate fragmented traffic

  • The servers might receive fragmented traffic

Given the hardware design of the PFC on the Supervisor 1 of the Catalyst 6500, it is better to explicitly deny ICMP fragments. The reason is that the hardware treats ICMP fragments and echo replies the same way, and by default the hardware is programmed to explicitly permit fragments. So if you want to stop echo reply packets from leaving the servers, you must configure this explicitly with the line deny icmp any any fragment.

ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out deny icmp any any fragment
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit icmp host 172.16.65.199 any echo
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit icmp host 172.16.65.202 any echo
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit tcp host 172.16.65.199 eq 80 any established
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit tcp host 172.16.65.202 eq 80 any established
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.199 eq 1645 host 172.16.171.9 eq 1645
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.202 eq 1645 host 172.16.171.9 eq 1645
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.199 eq 1646 host 172.16.171.9 eq 1646
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.202 eq 1646 host 172.16.171.9 eq 1646
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.199 any eq 53
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.202 any eq 53
ecomm-6500-2 (enable) Commit sec acl all
ecomm-6500-2 (enable) Set sec acl map dmz_servers_out 42
ecomm-6500-2 (enable) sh sec acl
ACL Type VLANS
-------------------------------- ---- -----
protect_pvlan IP 41
dmz_servers_out IP 42
ecomm-6500-2 (enable) sh sec acl info dmz_servers_out
set security acl ip dmz_servers_out
---------------------------------------------------
1. deny icmp any any fragment
2. permit icmp host 172.16.65.199 any echo
3. permit icmp host 172.16.65.202 any echo
4. permit tcp host 172.16.65.199 eq 80 any established
5. permit tcp host 172.16.65.202 eq 80 any established
6. permit udp host 172.16.65.199 eq 1645 host 172.16.171.9 eq 1645
7. permit udp host 172.16.65.202 eq 1645 host 172.16.171.9 eq 1645
8. permit udp host 172.16.65.199 eq 1646 host 172.16.171.9 eq 1646
9. permit udp host 172.16.65.202 eq 1646 host 172.16.171.9 eq 1646
10. permit udp host 172.16.65.199 any eq 53
11. permit udp host 172.16.65.202 any eq 53
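Both VACLs on this page, protect_pvlan on the primary VLAN and dmz_servers_out on the secondary VLAN, are first-match lists, so the order of the entries decides the outcome. The following Python evaluator is an added example, not Cisco code or part of the original document: it parses the ACE syntax shown in the two sh sec acl info outputs (any, host, wildcard addresses, eq ports, established, echo, fragment) and evaluates constructed packets against them, so the hairpin deny on the primary VLAN and the fragment rule on the secondary VLAN can be checked offline. The fragment handling is a simplified model: an ACE with the fragment keyword matches only non-initial fragments, ACEs with L4 terms never match them, and fragments that match nothing follow the default_fragments switch, which stands in for the text's statement that the Supervisor 1 PFC permits fragments by default. That switch is an assumption about the hardware, and the hardware's conflation of ICMP fragments with echo replies is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"
    established: bool = False        # TCP segment with ACK or RST set
    fragment: bool = False           # non-initial fragment: no L4 header present


def _wildcard_to_prefix(wild: str) -> int:
    """Cisco wildcard mask (0.0.0.15) -> prefix length (28); must be contiguous."""
    bits = int(ipaddress.IPv4Address(wild))
    if bits & (bits + 1): raise ValueError(f"non-contiguous wildcard {wild}")
    return 32 - bits.bit_length()


def _addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' at tok[i] -> (network, next i)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{_wildcard_to_prefix(tok[i + 1])}", strict=False), i + 2


def _port(tok, i):  # optional 'eq N' at tok[i] -> (port or None, next i)
    return (int(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    flags: frozenset   # any of "established", "fragment", "echo", "echo-reply"

    @classmethod
    def parse(cls, line: str) -> "Ace":
        tok = line.split()
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        return cls(tok[0], tok[1], src, sport, dst, dport, frozenset(tok[i:]))

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if (ipaddress.ip_address(p.src) not in self.src
                or ipaddress.ip_address(p.dst) not in self.dst):
            return False
        if "fragment" in self.flags:       # keyword matches only non-initial fragments
            return p.fragment
        icmp = self.flags & {"echo", "echo-reply"}
        has_l4 = (self.sport, self.dport) != (None, None) or "established" in self.flags or bool(icmp)
        if p.fragment and has_l4:          # no L4 header to compare against
            return False
        for want, got in ((self.sport, p.sport), (self.dport, p.dport)):
            if want is not None and want != got:
                return False
        if "established" in self.flags and not p.established:
            return False
        return not icmp or p.icmp_type in icmp


def evaluate(acl: List[Ace], p: Packet, default_fragments: str = "permit") -> Tuple[str, Optional[int]]:
    """First match wins; returns (action, 1-based ACE number). Unmatched packets hit the
    implicit deny, except non-initial fragments, which get `default_fragments`."""
    for n, ace in enumerate(acl, 1):
        if ace.matches(p):
            return ace.action, n
    return (default_fragments if p.fragment else "deny"), None


def load(text: str) -> List[Ace]:
    return [Ace.parse(line) for line in text.strip().splitlines()]


# Both ACLs transcribed from the 'sh sec acl info' output on the page.
PROTECT_PVLAN = load("""
permit ip host 172.16.65.193 any
permit ip host 172.16.65.201 any
deny ip 172.16.65.192 0.0.0.15 172.16.65.192 0.0.0.15
permit ip any any""")

DMZ_SERVERS_OUT = load("""
deny icmp any any fragment
permit icmp host 172.16.65.199 any echo
permit icmp host 172.16.65.202 any echo
permit tcp host 172.16.65.199 eq 80 any established
permit tcp host 172.16.65.202 eq 80 any established
permit udp host 172.16.65.199 eq 1645 host 172.16.171.9 eq 1645
permit udp host 172.16.65.202 eq 1645 host 172.16.171.9 eq 1645
permit udp host 172.16.65.199 eq 1646 host 172.16.171.9 eq 1646
permit udp host 172.16.65.202 eq 1646 host 172.16.171.9 eq 1646
permit udp host 172.16.65.199 any eq 53
permit udp host 172.16.65.202 any eq 53""")
```

Two lookups show the points the text makes. A TCP segment from 172.16.65.199 to 172.16.65.202 evaluated against PROTECT_PVLAN returns ("deny", 3), while the same segment from the router address 172.16.65.193 returns ("permit", 1): the router-sourced permits must precede the subnet-to-subnet deny or ICMP redirects and unreachables would be dropped. A non-initial ICMP fragment from 172.16.65.199 evaluated against DMZ_SERVERS_OUT returns ("deny", 1), but against DMZ_SERVERS_OUT[1:] (the same list without the explicit fragment deny) it falls through to the modelled default and returns ("permit", None), which is why the text puts deny icmp any any fragment first.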

Testing the Configuration

The following output was captured when the PVLANs had been configured but no VACL had been applied yet. This test shows that a user can ping from the external router to the internal router as well as to the servers.
external_router#ping 172.16.65.193
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.193, timeout is 2 seconds:
!!!!
external_router#ping 172.16.65.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
external_router#ping 172.16.65.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The following example shows that we can ping from the servers to the external network and to the default gateway, but not to the servers belonging to the same secondary VLAN.
server_dmz1#ping 203.5.6.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.5.6.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.193, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
server_dmz1#ping 172.16.65.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

After mapping the VACLs, the ping from the external router no longer succeeds:
external_router#ping 172.16.65.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.199, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The following example shows the server receiving HTTP GET requests from the internal network:
server_dmz1#debug ip http url
HTTP URL debugging is on
server_dmz1#debug ip hhtp tran
HTTP transactions debugging is on
server_dmz1#debug ip http auth
HTTP Authentication debugging is on
server_dmz1#
*Mar 7 09:24:03.092 PST: HTTP: parsed uri '/'
*Mar 7 09:24:03.092 PST: HTTP: client version 1.0
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Connection
*Mar 7 09:24:03.092 PST: HTTP: parsed line Keep-Alive
*Mar 7 09:24:03.092 PST: HTTP: parsed extension User-Agent
*Mar 7 09:24:03.092 PST: HTTP: parsed line Mozilla/4.7 [en] (X11; I; SunOS 5.5.1 sun4u)
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Host
*Mar 7 09:24:03.092 PST: HTTP: parsed line 172.16.65.199
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Accept
*Mar 7 09:24:03.092 PST: HTTP: parsed line image/gif, image/x-xbitmap, image/jpeg, image/
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Accept-Encoding
*Mar 7 09:24:03.092 PST: HTTP: parsed line gzip
*Mar 7 09:24:03.096 PST: HTTP: parsed extension Accept-Language
*Mar 7 09:24:03.096 PST: HTTP: parsed line en
*Mar 7 09:24:03.096 PST: HTTP: parsed extension Accept-Charset
*Mar 7 09:24:03.096 PST: HTTP: parsed line iso-8859-1,*,utf-8
*Mar 7 09:24:03.096 PST: HTTP: Authentication for url '/' '/' level 15 privless '/'
*Mar 7 09:24:03.096 PST: HTTP: authentication required, no authentication information was provided
*Mar 7 09:24:03.096 PST: HTTP: authorization rejected
*Mar 7 09:24:22.528 PST: HTTP: parsed uri '/'
*Mar 7 09:24:22.532 PST: HTTP: client version 1.0
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Connection
*Mar 7 09:24:22.532 PST: HTTP: parsed line Keep-Alive
*Mar 7 09:24:22.532 PST: HTTP: parsed extension User-Agent
*Mar 7 09:24:22.532 PST: HTTP: parsed line Mozilla/4.7 [en] (X11; I; SunOS 5.5.1 sun4u)
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Host
*Mar 7 09:24:22.532 PST: HTTP: parsed line 172.16.65.199
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept
*Mar 7 09:24:22.532 PST: HTTP: parsed line image/gif, image/x-xbitmap, image/jpeg, image/
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept-Encoding
*Mar 7 09:24:22.532 PST: HTTP: parsed line gzip
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept-Language
*Mar 7 09:24:22.532 PST: HTTP: parsed line en
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept-Charset
*Mar 7 09:24:22.532 PST: HTTP: parsed line iso-8859-1,*,utf-8
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Authorization
*Mar 7 09:24:22.532 PST: HTTP: parsed authorization type Basic
*Mar 7 09:24:22.532 PST: HTTP: Authentication for url '/' '/' level 15 privless '/'
*Mar 7 09:24:22.532 PST: HTTP: Authentication username = 'martin' priv-level = 15 auth-type = aaa
*Mar 7 09:24:22.904 PST: HTTP: received GET ''
