In a typical campus network environment, the router is generally outside the firewall and is responsible for the connection to the Internet. This topology actually exposes the router to the campus network security line. If the router itself does not adopt appropriate security prevention strategies, it may become a springboard for attackers to launch attacks and pose a threat to internal network security.
This article will take the Cisco2621 router as an example to introduce in detail the implementation method of configuring a router as a bastion router, making it the first security barrier for campus networks to resist external attacks.
1. Security prevention policy based on access lists
1. Prevent external IP address spoofing
Users on external networks may forge a legitimate intranet IP address or a loopback address as the source address to gain unauthorized access. Such traffic can be stopped with the following access list:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
Blocks all traffic whose source address is a private (RFC 1918) address; the wildcard 0.15.255.255 is needed to cover the whole 172.16.0.0/12 block.
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
Blocks all traffic whose source address is a loopback address.
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
Blocks all traffic whose source address is a multicast (class D) address; the wildcard 15.255.255.255 is needed to cover the whole 224.0.0.0/4 range.
access-list 101 deny ip host 0.0.0.0 any
Blocks traffic with an unspecified source address (0.0.0.0).
Note: Access list 101 is applied in the inward direction of the external interface. An IOS access list ends with an implicit deny of everything not explicitly matched, so the list must also contain permit entries for the traffic that is allowed in (see section 5); otherwise all inbound traffic is dropped.
2. Prevent illegal external detection
Before attacking an internal network, an intruder usually probes it first with ping or similar tools, so probing from outside with ping, traceroute and the like should be blocked. The following access list can be created:
access-list 102 deny icmp any any echo
Prevents probing of the network with ping.
access-list 102 deny icmp any any time-exceeded
Prevents probing of the network with traceroute.
Note: Access list 102 is applied in the outward direction of the external interface. It mainly suppresses the outgoing replies and does not stop the probes from entering.
3. Protect the router from attacks
Routers are generally administered through telnet or SNMP, and it must be ensured that nobody on the Internet can use these protocols to attack the router. Assume that the router's external interface serial0 has the IP address 200.200.200.1 and its internal interface fastethernet0 has 200.200.100.1. An inbound filter that blocks telnet and SNMP to both addresses can then be created:
access-list 101 deny tcp any 200.200.200.1 0.0.0.0 eq 23
access-list 101 deny tcp any 200.200.100.1 0.0.0.0 eq 23
access-list 101 deny udp any 200.200.200.1 0.0.0.0 eq 161
access-list 101 deny udp any 200.200.100.1 0.0.0.0 eq 161
Note: Access list 101 is applied in the inward direction of the external interface. This does make administration somewhat less convenient, which is the usual trade-off between convenience and security.
4. Block illegal access to critical ports
Critical ports may be ports used by internal systems or ports exposed by the firewall itself. Access to them should be restricted, otherwise the devices behind them are easy targets. Create the following access list:
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
5. Restrict access to important servers on the intranet
For campus networks without a dedicated firewall, it is particularly important to use dynamic packet filtering on the router to restrict access to important servers. Campus networks with a dedicated firewall can do this on the firewall, which reduces the load on the router. Whether the filtering is implemented on the router or on the firewall, a set of access rules should be drawn up first. The following rules are a starting point:
● Allow external users to make inward connection requests to the web server.
● Allow outgoing replies from the web server to external users.
● Allow inward connection requests from external SMTP servers to the internal mail server.
● Allow outgoing replies from the internal mail server to external SMTP servers.
● Allow the internal mail server to send DNS queries outward.
● Allow inward DNS replies to the internal mail server.
● Allow outward TCP connections from internal hosts.
● Allow inward TCP replies to the requesting hosts.
Further rules can be added according to the actual situation. Once all allowed traffic is listed, designing the access lists becomes simple. Note that all inward flows are filtered in the IN direction of the router's external interface, and all outward flows in its OUT direction.
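As an added illustration (not the article's own code), the following Python evaluates the access-list entries of sections 1 and 3 against constructed packets, using Cisco wildcard-mask matching and the implicit deny that ends every IOS access list. The router addresses are the article's; the outside host address, the sample packets and the closing permit entry are assumptions of the example.

```python
import ipaddress
# Added example, not the article's own code: evaluate the article's extended
# access-list entries with Cisco wildcard-mask matching and the implicit
# "deny any" ending every IOS list. ICMP type keywords are not modelled.
def wild_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """'access-list N action proto SRC DST [eq port]'; SRC/DST: any|host A|A W."""
    tok = line.split()
    action, proto, rest, addrs = tok[2], tok[3], tok[4:], []
    for _ in range(2):
        if rest[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":
            addrs.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:
            addrs.append((rest[0], rest[1])); rest = rest[2:]
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return action, proto, addrs[0], addrs[1], port

def evaluate(acl, pkt):
    """First matching entry decides; pkt = {proto, src, dst, dport}."""
    for action, proto, src, dst, port in map(parse_ace, acl):
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wild_match(pkt["src"], *src) and wild_match(pkt["dst"], *dst)):
            continue
        if port is not None and port != pkt.get("dport"):
            continue
        return action
    return "deny"  # implicit deny: nothing matched

# Entries from sections 1 and 3. 224.0.0.0 needs wildcard 15.255.255.255 to
# cover all of class D (224-239); 7.255.255.255 stops at 231.255.255.255.
ACL_101 = [
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 101 deny ip host 0.0.0.0 any",
    "access-list 101 deny tcp any 200.200.200.1 0.0.0.0 eq 23",
]
# Not in the article: without a closing permit, legitimate traffic is dropped too.
ACL_101_WITH_PERMIT = ACL_101 + ["access-list 101 permit ip any any"]
# Constructed sample packets (RFC 5737 documentation address for the outside host).
SPOOFED = {"proto": "tcp", "src": "192.168.5.9", "dst": "200.200.100.10", "dport": 80}
WEB_REQUEST = {"proto": "tcp", "src": "203.0.113.5", "dst": "200.200.100.10", "dport": 80}
TELNET_TO_ROUTER = {"proto": "tcp", "src": "203.0.113.5", "dst": "200.200.200.1", "dport": 23}
```

Running `evaluate(ACL_101, WEB_REQUEST)` returns "deny" while `evaluate(ACL_101_WITH_PERMIT, WEB_REQUEST)` returns "permit", which is the implicit-deny pitfall in practice.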
2. Common attack methods and countermeasures
1. Prevent external ICMP redirect spoofing
Attackers sometimes send ICMP redirect messages to a router so that traffic destined for the correct target is redirected to a device they specify, allowing them to capture useful information. The commands that stop external users from using ICMP redirects are:
interface serial0
no ip redirects
2. Prevent external source routing spoofing
Source routing refers to routing datagrams using data link layer information. This technique bypasses the network layer routing information, allowing an intruder to specify an illegal route for intranet datagrams, so that datagrams that should reach their legitimate destination are delivered to an address chosen by the intruder. Source routing is disabled with the following command:
no ip source-route
3. Prevent theft of internal IP addresses
An attacker may use an internal IP address to gain unauthorized access. To counter this, the ARP command of the Cisco router can bind a fixed IP address to a specific MAC address. The command is:
arp <fixed-ip-address> <mac-address> arpa
4. Prevent smurf attacks at the source
The key to stopping smurf at the source is to block inward echo requests aimed at the broadcast address: the router must not translate packets sent to the network broadcast address into LAN broadcasts. Enter the following command on the LAN interface:
no ip directed-broadcast
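To check that the four countermeasures of this section are actually present on a router, here is an added example (not the article's code) that audits a saved IOS configuration text. It assumes the article's interface names (serial0 external, fastethernet0 LAN), that the hardening lines appear explicitly in the saved configuration, and a constructed sample configuration with a hypothetical MAC address.

```python
# Added example, not the article's own code: audit a saved IOS running-config
# for the section 2 hardening commands. Interface names follow the article
# (serial0 external, fastethernet0 LAN); the config text is constructed.
def parse_config(text):
    """Split an IOS config into global commands and per-interface commands."""
    global_cmds, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' closes an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].lower()
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, ifaces

def audit(text, external="serial0", lan="fastethernet0"):
    """Return the hardening items that are missing (empty list = all present)."""
    g, ifaces = parse_config(text)
    missing = []
    if "no ip source-route" not in g:
        missing.append("global: no ip source-route")
    if "no ip redirects" not in ifaces.get(external, []):
        missing.append(f"{external}: no ip redirects")
    if "no ip directed-broadcast" not in ifaces.get(lan, []):
        missing.append(f"{lan}: no ip directed-broadcast")
    if not any(c.startswith("arp ") and c.endswith(" arpa") for c in g):
        missing.append("global: no static arp bindings")
    return missing

# Constructed sample config (hypothetical MAC address); the lines are assumed
# to appear explicitly in the saved configuration.
SAMPLE_CONFIG = """\
no ip source-route
arp 200.200.100.20 0000.0c12.3456 arpa
!
interface serial0
 ip address 200.200.200.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
!
interface fastethernet0
 ip address 200.200.100.1 255.255.255.0
!
"""
```

On the sample, `audit(SAMPLE_CONFIG)` reports only the missing `no ip directed-broadcast` on fastethernet0.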
3. Turn off unused services on the router
Besides forwarding packets, a router is also a server offering a number of useful services. Services running on the router can become an entry point for attackers, and for security reasons it is best to turn off those that are not needed.
Through the methods introduced above, an ordinary router has been configured as a bastion router, improving the security of the whole campus network without any additional investment. Note, however, that the bastion router is implemented at the expense of the efficiency of the whole network and may slow down external access for the campus network.
Article entry: csh Editor in charge: csh