I have started studying for the IINS exam (this is the CCNA Security exam). The exam is a prerequisite for any of the CCSP exams. I am currently using the CBT Nuggets video material for studying, but I will also go through the study guide and the NIL PEC labs.

Cisco places quite a lot of emphasis on using SDM. I had a closer look at it, and it is actually quite usable. The best features, though, are the Security Audit and the one-step lockdown. The tool is also really useful for learning: if you enable, under Edit/Options, the option that shows which commands SDM will issue on the router, you can practice the CLI side as well.

I was curious what a truly secure IOS router might look like, so in GNS3 I let the post-Audit fixes loose on a 7200. These are the settings SDM recommended at the high security level:

Note: Do not select the interface through which you accessed SDM as the outside (untrusted) interface. If you do, you will not be able to launch SDM from that interface after you complete the Firewall Wizard.

Inside(trusted) Interfaces:
FastEthernet1/1 (10.10.10.1)

Outside(untrusted) Interfaces:
FastEthernet1/0 (Dynamic IP)

Service Policy Configuration:

In-zone -> Out-zone:
Inspect TCP,UDP,H323,SIP,SCCP and other protocols
Deny packets with invalid ip address as source
Application Inspection for HTTP:
Block HTTP port-misuse for IP,P2P
Block HTTP protocol violation
Block HTTP request methods other than post,head,get
Block http request response containing non-ascii characters
Application Inspection for Instant Messaging:
Block all services of msn,yahoo,aol with log action
Application Inspection for P2P:
Block file transfer over edonkey,fasttrack,gnutella and kazaa2
Block text-chat over edonkey
Application Inspection for Email:
Block invalid command for imap,pop3
Block SMTP session with data length over 5 MB

Self -> Out-zone:
Inspect router generated ICMP traffic
Inspect router generated voice traffic.

Out-zone -> Self:
Permit secure SDM Access to router (HTTP,SSH,RCP) from specified source.
Inspect H323 protocol.
Deny all other traffic.

DNS Configuration:
Primary DNS:172.16.254.254
Secondary DNS: Not set

And here is the summary of the security fixes:

Pad Service will be disabled
IP bootp server Service will be enabled
CDP will be disabled
IP source route will be disabled
Password encryption Service will be enabled
TCP Keepalives for inbound telnet sessions will be enabled
TCP Keepalives for outbound telnet sessions will be enabled
Sequence Numbers and Time Stamps on Debugs will be enabled
Minimum Password length will be set for 6 characters or more
Authentication Failure Rate will be set for 3 retries
TCP Synwait time will be set to 10 sec
Banner will be set
Logging will be enabled
Enable Secret Password will be set
Scheduler Allocate will be set
Telnet settings will be enabled
NetFlow switching will be enabled
IP Redirects will be disabled
IP Proxy Arp will be disabled
MOP service will be disabled
IP Unreachables will be disabled
IP Unreachables will be disabled on NULL interface
Firewall will be enabled on all outside interfaces
Access class will be set on VTY lines
SSH will be enabled for access to the router
AAA will be enabled

And finally, let's look at the new commands SDM will issue on the router (starting from the default config):

aaa new-model
aaa authentication login local_authen local
aaa authorization exec local_author local
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
exit
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.10.1 0.0.0.255 any
access-list 102 deny ip any any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
exit
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
exit
enable secret level 15 0 *******
line vty 0 4
login authentication local_authen
authorization exec local_author
access-class 102 in
transport input telnet ssh
exit
line con 0
login authentication local_authen
transport output telnet
exit
line aux 0
login authentication local_authen
transport output telnet
exit
ip name-server 172.16.254.254
no service pad
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
security passwords min-length 6
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~A rendszer vedett. Csak jogosult felhasznalok lephetnek be!!~
logging console critical
logging trap debugging
logging buffered 51200 debugging
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
exit
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
exit
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
exit
parameter-map type regex sdm-regex-nonascii
pattern "[^\x00-\x80]"
exit
class-map type inspect imap match-any sdm-app-imap
match invalid-command
exit
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
exit
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
exit
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
exit
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
exit
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
exit
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
exit
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
exit
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
exit
class-map type inspect match-all sdm-protocol-smtp
match protocol smtp
exit
class-map type inspect http match-any sdm-app-nonascii
match req-resp header regex sdm-regex-nonascii
exit
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
exit
class-map type inspect match-all sdm-protocol-imap
match protocol imap
exit
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
exit
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
exit
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
exit
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
exit
class-map type inspect match-all sdm-protocol-http
match protocol http
exit
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
exit
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
exit
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
exit
class-map type inspect match-all sdm-invalid-src
match access-group 100
exit
class-map type inspect match-any SDM-Voice
match protocol h323
exit
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
exit
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
exit
class-map type inspect smtp match-any sdm-app-smtp
match data-length gt 5000000
exit
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
exit
class type inspect http sdm-app-httpmethods
log
reset
exit
class type inspect http sdm-app-nonascii
log
reset
exit
exit
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
reset
exit
exit
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
reset
exit
exit
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
reset
exit
exit
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
no drop
inspect
exit
class type inspect SDM-Voice
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
policy-map type inspect sdm-permit
class type inspect sdm-access
no drop
inspect
exit
class type inspect SDM-Voice
no drop
inspect
exit
class class-default
drop log
exit
exit
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
exit
class type inspect sdm-protocol-http
no drop
inspect
service-policy http sdm-action-app-http
exit
class type inspect sdm-protocol-smtp
no drop
inspect
service-policy smtp sdm-action-smtp
exit
class type inspect sdm-protocol-imap
no drop
inspect
service-policy imap sdm-action-imap
exit
class type inspect sdm-protocol-pop3
no drop
inspect
service-policy pop3 sdm-action-pop3
exit
class type inspect sdm-protocol-p2p
drop log
exit
class type inspect sdm-protocol-im
drop log
exit
class type inspect sdm-insp-traffic
no drop
inspect
exit
class type inspect SDM-Voice-permit
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
exit
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
exit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
exit
interface FastEthernet1/1
description $ETH-LAN$$FW_INSIDE$
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
zone-member security in-zone
exit
interface Null0
exit
default interface Null0
interface Null0
no ip unreachables
exit
interface FastEthernet1/0
description $FW_OUTSIDE$
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
zone-member security out-zone
exit
interface FastEthernet0/0
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit

Would I issue these commands on my own? I doubt it. Still, it is good to know there is a tool we can lean on. With SDM you can configure practically everything, from QoS through VPNs to the firewall. ASDM (for the Cisco ASA) is even more advanced than that.
Of course I am a CLI fan too, but from now on I will definitely be using SDM and ASDM as supplementary tools.

A few pictures:
