专用VLAN配置
以下配置在端口设置 PVLANs介入。
ecomm-6500-2 (enable) set vlan 41 pvlan primary
VTP advertisements transmitting temporarily stopped,
Vlan 41 configuration successful
ecomm-6500-2 (enable) sh pvlan
Primary Secondary Secondary-Type Ports
------- --------- ---------------- ------------
41 - -
ecomm-6500-2 (enable) set vlan 42 pvlan isolated
VTP advertisements transmitting temporarily stopped,
and will resume after the command finishes.
Vlan 42 configuration successful
ecomm-6500-2 (enable) set pvlan 41 42 3/9-10
Successfully set the following ports to Private Vlan 41,42:
3/9-10
ecomm-6500-2 (enable) set pvlan mapping 41 42 3/35
Successfully set mapping between 41 and 42 on 3/35
ecomm-6500-2 (enable) set pvlan mapping 41 42 3/34
Successfully set mapping between 41 and 42 on 3/34
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
3/9 server_dmz1 connected 41,42 a-half a-10 10/100BaseTX
3/10 server_dmz2 connected 41,42 a-half a-10 10/100BaseTX
3/34 to_6500_1 connected 41 auto auto 10/100BaseTX
3/35 external_router_dm connected 41 a-half a-10 10/100BaseTX
VACL配置在主VLAN
此部分是关键改进安全在DMZ。如所描述在 VACLs 和PVLANs 部分的 已知限制 ,即使服务器属于二个不同 的辅助VLAN或同样隔离VLAN,仍然有攻击者能使用做他们彼此传达 的一个方式。如果服务器设法直接地沟通,他们不会能执行 它在L2由于PVLANs。 如果攻陷入侵者然后配置服务器在这种 情况下数据流为相同子网被发送到路由器,这一个在相同子网将路 由数据流因而阻挠目的对于PVLANs。
所以,VACL在运载数据流从路由器)的主VLAN (VLAN 需要配置用以下制度:
-
允许来源IP 是路由器的IP的数据流
-
否决数据流 带有两个包括源和目的地IPs是DMZ子网
-
允许数据流的所有其余
ecomm-6500-2 (enable) sh sec acl info protect_pvlan
set security acl ip protect_pvlan
---------------------------------------------------
1. permit ip host 172.16.65.193 any
2. permit ip host 172.16.65.201 any
3. deny ip 172.16.65.192 0.0.0.15 172.16.65.192 0.0.0.15
4. permit ip any any
ecomm-6500-2 (enable) sh sec acl
ACL Type VLANS
-------------------------------- ---- -----
protect_pvlan IP 41
此ACL不会影响服务器生成的数据流; 它只 将防止路由器路由来自服务器的数据流回到同样VLAN。前二 个语句允许路由器寄发消息例如icmp重定向或icmp不可得到到服务 器。
VACL 配置在辅助VLAN
使用 以下配置日志显示我们如何设置VACL过滤服务器生成的数据流。 通过配置此VACL我们想要达到以下:
-
允许 ping 从服务器(允许 响应)
-
防止 从 离开服务器的ECHO回 复
-
允许从外面发起的HTTP连接
-
允许RADIUS认证(UDP端口1645)和记 帐(UDP 端口1646)数据流
-
允许DNS 数据流(UDP端口53)
我们想要防止数 据流的所有其余。
只要分段,我们 假设以下在服务器分段:
-
服务器不 会生成分段的数据流
-
服务器也许收 到分段的数据流
假使Catalyst 6500 的Supervisor 1的PFC的硬件设计,明确地拒绝原因是的icmp片段最 好的ICMP 片段和ECHO回复由硬件认为同样,默认情况下并且硬件 被编程明确地允许片段。如此如果想要从离开服务器终止回 应数据包您必须用线路deny icmp any any fragment 明确配置 此。
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out deny icmp any any fragment
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit icmp host 172.16.65.199 any echo
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit icmp host 172.16.65.202 any echo
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit tcp host 172.16.65.199 eq 80 any established
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit tcp host 172.16.65.202 eq 80 any established
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.199
eq 1645 host 172.16.171.9 eq 1645
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.202
eq 1645 host 172.16.171.9 eq 1645
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.199
eq 1646 host 172.16.171.9 eq 1646
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.202
eq 1646 host 172.16.171.9 eq 1646
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.199 any eq 53
ecomm-6500-2 (enable) Set sec acl ip dmz_servers_out permit udp host 172.16.65.202 any eq 53
ecomm-6500-2 (enable) Commit sec acl all
ecomm-6500-2 (enable) Set sec acl map dmz_servers_out 42
ecomm-6500-2 (enable) sh sec acl
ACL Type VLANS
-------------------------------- ---- -----
protect_pvlan IP 41
dmz_servers_out IP 42
ecomm-6500-2 (enable) sh sec acl info dmz_servers_out
set security acl ip dmz_servers_out
---------------------------------------------------
1. deny icmp any any fragment
2. permit icmp host 172.16.65.199 any echo
3. permit icmp host 172.16.65.202 any echo
4. permit tcp host 172.16.65.199 eq 80 any established
5. permit tcp host 172.16.65.202 eq 80 any established
6. permit udp host 172.16.65.199 eq 1645 host 172.16.171.9 eq 1645
7. permit udp host 172.16.65.202 eq 1645 host 172.16.171.9 eq 1645
8. permit udp host 172.16.65.199 eq 1646 host 172.16.171.9 eq 1646
9. permit udp host 172.16.65.202 eq 1646 host 172.16.171.9 eq 1646
10. permit udp host 172.16.65.199 any eq 53
11. permit udp host 172.16.65.202 any eq 53
测试配置
以下输出获取当 PVLANs配置但是VACL其中不应用。此试验证明从外部路由器 用户能 连接 内部路由器 并且服务器。
external_router#ping 172.16.65.193
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.193, timeout is 2 seconds:
!!!!
external_router#ping 172.16.65.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
external_router#ping 172.16.65.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
以下示例表示,我们 能 从 服务器连接 对外部网络,默认网关,但属于同样辅助VLAN的不是服务器 。
server_dmz1#ping 203.5.6.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.5.6.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.193, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
server_dmz1#ping 172.16.65.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在映射VACLs以后, ping 从外部路由器不 再成功:
external_router#ping 172.16.65.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.65.199, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
以下示例显示收到 HTTP GET请求的服务器从内部网络:
server_dmz1#debug ip http url
HTTP URL debugging is on
server_dmz1#debug ip hhtp tran
HTTP transactions debugging is on
server_dmz1#debug ip http auth
HTTP Authentication debugging is on
server_dmz1#
*Mar 7 09:24:03.092 PST: HTTP: parsed uri '/'
*Mar 7 09:24:03.092 PST: HTTP: client version 1.0
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Connection
*Mar 7 09:24:03.092 PST: HTTP: parsed line Keep-Alive
*Mar 7 09:24:03.092 PST: HTTP: parsed extension User-Agent
*Mar 7 09:24:03.092 PST: HTTP: parsed line Mozilla/4.7 [en] (X11; I; SunOS 5.5.1 sun4u)
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Host
*Mar 7 09:24:03.092 PST: HTTP: parsed line 172.16.65.199
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Accept
*Mar 7 09:24:03.092 PST: HTTP: parsed line image/gif, image/x-xbitmap, image/jpeg, image/
*Mar 7 09:24:03.092 PST: HTTP: parsed extension Accept-Encoding
*Mar 7 09:24:03.092 PST: HTTP: parsed line gzip
*Mar 7 09:24:03.096 PST: HTTP: parsed extension Accept-Language
*Mar 7 09:24:03.096 PST: HTTP: parsed line en
*Mar 7 09:24:03.096 PST: HTTP: parsed extension Accept-Charset
*Mar 7 09:24:03.096 PST: HTTP: parsed line iso-8859-1,*,utf-8
*Mar 7 09:24:03.096 PST: HTTP: Authentication for url '/' '/' level 15 privless '/'
*Mar 7 09:24:03.096 PST: HTTP: authentication required, no authentication information was provided
*Mar 7 09:24:03.096 PST: HTTP: authorization rejected
*Mar 7 09:24:22.528 PST: HTTP: parsed uri '/'
*Mar 7 09:24:22.532 PST: HTTP: client version 1.0
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Connection
*Mar 7 09:24:22.532 PST: HTTP: parsed line Keep-Alive
*Mar 7 09:24:22.532 PST: HTTP: parsed extension User-Agent
*Mar 7 09:24:22.532 PST: HTTP: parsed line Mozilla/4.7 [en] (X11; I; SunOS 5.5.1 sun4u)
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Host
*Mar 7 09:24:22.532 PST: HTTP: parsed line 172.16.65.199
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept
*Mar 7 09:24:22.532 PST: HTTP: parsed line image/gif, image/x-xbitmap, image/jpeg, image/
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept-Encoding
*Mar 7 09:24:22.532 PST: HTTP: parsed line gzip
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept-Language
*Mar 7 09:24:22.532 PST: HTTP: parsed line en
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Accept-Charset
*Mar 7 09:24:22.532 PST: HTTP: parsed line iso-8859-1,*,utf-8
*Mar 7 09:24:22.532 PST: HTTP: parsed extension Authorization
*Mar 7 09:24:22.532 PST: HTTP: parsed authorization type Basic
*Mar 7 09:24:22.532 PST: HTTP: Authentication for url '/' '/' level 15 privless '/'
*Mar 7 09:24:22.532 PST: HTTP: Authentication username = 'martin' priv-level = 15 auth-type = aaa
*Mar 7 09:24:22.904 PST: HTTP: received GET ''
