unaprjeñenje sigurnosti u mrežama pružatelja usluga · unaprjeñenje sigurnosti u mrežama...
TRANSCRIPT
Unaprjeñenje sig
urn
osti
u m
reža
ma pru
žate
lja
usluga
Miroslav Šimić
CCIE #19429
•Zaštita mrežne infrastrukture
•Zaštita na rubovima mreže
•Uočavanje i sprječavanje napada
Agenda
•Zaštita mrežne infrastrukture
•Zaštita na rubovima mreže
•Uočavanje i sprječavanje napada
Agenda
Gašenje nepotrebnih
serv
isa
•CDP:
Glo
baln
o n
a c
ijelo
m u
reñaju
route
r(config)#
no cdp run
Na p
oje
din
om
sučelju
route
r(config-if)
# no cdp enable
•Directed Broadcast (SMURF napad):
route
r(config-if)
# no ip directed-broadcast
U v
erz
iji I
OS
-a 1
1.2
ikasniji
mverz
ijam
a t
aje
funkcio
naln
ost
isklju
čena.
Gašenje nepotrebnih
serv
isa
•Finger:
Prije
12.1
(5)
i1
2.1
(5)T
bio
je u
klju
če
n
route
r(config)#
no service finger
Nakon 1
2.1
(5)
i12.1
(5)T
je isklju
če
n.
Ako g
a t
reba isklju
čiti:
route
r(config)#
no ip finger
•Maintenance Operations Protocol (MOP)
route
r(config-if)
# no mop enabled
•HTTP Server
Isklju
čen
je.
Ako g
a t
reba isklju
čiti:
route
r(config)#
no ip http server
Gašenje nepotrebnih
serv
isa
•IP BOOTP Server
route
r(config)#
no ip bootp server
•IP Redirects
route
r(config-if)
# no ip redirects
•IP Source Routing
route
r(config)#
no ip source-route
Gašenje nepotrebnih
serv
isa
•PAD
route
r(config)#
no service pad
•Proxy ARP
route
r(config-if)
# no ip proxy-arp
•Ident
route
r(config)#
no ip identd
•TCP i UDP small servers
echo,
charg
en,
da
ytim
e a
nd d
iscard
serv
ices
route
r(config)#
no service tcp-small-servers
route
r(config)#
no service udp-small-servers
Implementa
cija korisnih
alata
i servisa
•Authentication, authorization, and
accounting (AAA)
•Praćenje i spremanje konfiguracija
•Logiranje poruka –Syslog
•Network Time Protocol (NTP)
•Out-of-band pristup ureñajima
Osnovn
e tehnike za zaštitu
mre
že
•Input Queues
route
r(config-if)
# hold-queue 1500
•ICMP Unreachable
route
r(config-if)
# no ip unreachables
route
r(config)#
ip icmp rate-limit unreachable [df] milliseconds
route
r(config)#
mls rate-limit unicast ip icmp unreachable
(SU
P720 –
hard
ware
based r
ate
lim
it)
•Scheduler allocation
route
r(config)#
scheduler interval 500
route
r(config)#
scheduler allocate 4000 1000
Osnovn
e tehnike za zaštitu
mre
že
•“Skrivanje mreže”
MP
LS
VP
N –
MP
LS
Core
je s
akriven,
korisnik
im
a p
ristu
p
sam
o P
E u
sm
jern
iku
Route
r(co
nfig)#no mpls ip propagate-ttl [forwarded | local]
Kontrola pro
meta
koji pristu
papro
cesoru
•Control Plane Policing -COPP
–U
sm
jerivački pro
tokoli
–U
pra
vlja
čki pro
met –
teln
et,
SS
H, S
NM
P
–P
rom
et
koji
kao o
dre
diš
te im
a IP
adre
su k
oja
se n
ala
zi
na s
am
om
ure
ñaju
–R
azni dru
gi pro
meti –
ICM
P, IP
Options
Kontrola pro
meta
koji pristu
papro
cesoru
•Centralizirani COPP
route
r(config)#
control-plane
route
r(config-<
<???>
>)#
service-policy {input | output} service_policy_name
•COPP na distribuiranim platformama
12000
route
r(config)#
control-plane
route
r(config-<
<???>
>)#
service-policy input service_policy_name
route
r(config)#control-plane slot slot_number
route
r(config-<
<???>
>)#
service-policy input service_policy_name
Sup 720
route
r(config)#
mls qos
route
r(config)#
control-plane
route
r(config-<
<???>
>)#
service-policy input service_policy_name
route
r(config)#
mls qos protocol arp police bps
Kontrola pro
meta
koji pristu
papro
cesoru
•Receive Access Control List
route
r(config)#
ip receive access-list num
•Zaštita mrežne infrastrukture
•Zaštita na rubovima mreže
•Uočavanje i sprječavanje napada
Agenda
Zaštita
na rubovima m
reže
•Infrastructure Protection Access Control
Lists –iACL
Zaštita
na rubovima m
reže
1.Dio
! D
en
y y
our
infr
astr
uctu
re s
pa
ce a
s a
sourc
e o
f exte
rnal packets
access-list 101 deny ip your_public_infrastructure_block any
! D
en
y s
rc a
ddre
sses o
f 0.0
.0.0
and 1
27/8
(specia
l useIP
v4 a
ddre
sses)
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! D
en
y R
FC
19
18 s
pace f
rom
ente
rin
g A
S
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
Zaštita
na rubovima m
reže
2. dio
! P
erm
it e
BG
P s
essio
n
access-list 101 permit tcp host bgp_peer host local_ip eq 179
access-list 101 permit tcp host bgp_peer eq 179 host local_ip
! P
erm
it O
SP
F
access-list 101 permit ospf host ospf_neighbour host 224.0.0.5
! P
erm
it D
R m
ultic
ast
addre
ss,
if n
eeded
access-list 101 permit ospf host ospf_neighbour host 224.0.0.6
access-list 101 permit ospf host ospf_neighbour host local_ip
3. dio
! D
en
y a
ll oth
er
access t
o infr
astr
uctu
re
access-list 101 deny ip any your_public_infrastructure_block
4. dio
! P
erm
it t
ransit t
raff
ic (
ISP
).
access-list 101 permit ip any any
Zaštita
na rubovima m
reže
•Filtriranje prometa od korisnika
! P
erm
it e
BG
P s
essio
n
access-list 101 permit tcp host bgp_peer host local_ip eq 179
access-list 101 permit tcp host bgp_peer eq 179 host local_ip
! P
erm
it O
SP
F
access-list 101 permit ospf host ospf_neighbour host 224.0.0.5
! P
erm
it D
R m
ultic
ast
addre
ss,
if n
eeded
access-list 101 permit ospf host ospf_neighbour host 224.0.0.6
access-list 101 permit ospf host ospf_neighbour host local_ip
! D
en
y a
ccess t
o infr
astr
uctu
re
access-list 101 deny ip anyyour_public_infrastructure_block
! P
erm
it t
ransit t
raff
ic (
ISP
).
access-list 101 permit ip user_address_block any
! D
en
y a
ny o
ther
traff
ic.
access-list 101 denyip any any
•Zaštita mrežne infrastrukture
•Zaštita na rubovima mreže
•Uočavanje i sprječavanje napada
Agenda
Uočava
nje i sprječava
nje napada
•ACL
Extended IP access list 169
permit icmp any any echo (2 matches)
permit icmp any any echo−reply (21374 matches)
permit udp any any eq echo
permit udp any eq echo any
permit tcp any any established (150 matches)
permit tcp any any (15 matches)
permit ip any any (45 matches)
Uočava
nje i sprječava
nje napada
•Netflow
Uočava
nje i sprječava
nje napada
•SinkHoles
Uočava
nje i sprječava
nje napada
•SinkHoles
Uočava
nje i sprječava
nje napada
•SinkHoles
Uočava
nje i sprječava
nje napada
•SinkHoles
! S
tatic r
oute
to 9
6.0
.0.0
/3 n
etw
ork
ip route 96.0.0.0 63.255.255.255 192.0.2.200
! ...
! ip arp 192.0.2.200 00.00.0c.12.34.56 arpa
!
Uočava
nje i sprječava
nje napada
•Black Holes
ip route 171.xxx.xxx.1 255.255.255.255 Null0
Uočava
nje i sprječava
nje napada
•Remote trigered Black Hole
Uočava
nje i sprječava
nje napada
•Remote trigered Black Hole–
preusmjeravanje po odredišnoj adresi
Svi ruteri:
ip route 192.0.2.0 255.255.255.0 Null0
Uočava
nje i sprječava
nje napada
•Remote trigered Black Hole–
preusmjeravanje po odredišnoj adresi
Ruter sa kojega se oglašava ruta:
router bgp 999
...redistribute static route-map STATIC-TO-BGP
! route-map STATIC-TO-BGP permit 10
match tag 66
set ip next-hop 192.0.2.1
set local-preference 50
set community no-export 999:000
! Route-map STATIC-TO-BGP permit 20
! ip route 171.xxx.xxx.1 255.255.255.255 Null0 Tag 66
!
Uočava
nje i sprječava
nje napada
•Remote trigered Black Hole–
preusmjeravanje po source adresi (Unicast Reverse
Path Forwarding (uRPF) Loose mode)
Svi ruteri:
! interface FastEthernet2/0
ip address 192.xxx.xxx.50 255.255.255.0
ip verify unicast source reachable-via any
...speed 100
full-duplex
!
Uočava
nje i sprječava
nje napada
•Remote trigered Black Hole–
preusmjeravanje po source adresi
Ruter sa kojega se oglašava ruta:
router bgp 999
...redistribute static route-map STATIC-TO-BGP
! route-map STATIC-TO-BGP permit 10
match tag 66
set ip next-hop 192.0.2.1
set local-preference 50
set community no-export 999:000
! Route-map STATIC-TO-BGP permit 20
! ip route 171.xxx.xxx.1 255.255.255.255 Null0 Tag 66
!
Uočava
nje i sprječava
nje napada
•Cisco Traffic Anomaly Detector Module
•Cisco Anomaly Guard Module
