第 10 章
of 187
-
Upload
jeremy-pitts -
Category
Documents
-
view
26 -
download
1
description
第 10 章. 安全. 本章重點. 10 - 1 外圍、防火牆、和內部路由器 10 - 2 辨識安全性威脅 10 - 3 減輕安全性威脅 10 - 4 存取清單簡介 10 - 5 標準式存取清單 10 - 6 延伸式存取清單 10 - 7 進階的存取清單. 本章重點. 10 - 8 監視存取清單 10 - 9 使用 SDM 來設定存取清單 10 - 10 摘要. 安全. 如果您是系統管理員 , 我猜您最優先的工作就是保護敏感關鍵的資料和網路資源 , 不要被人惡意的利用。 - PowerPoint PPT Presentation
Transcript of 第 10 章
-
10 - 1 10 - 2 10 - 3 10 - 4 10 - 5 10 - 6 10 - 7
-
10 - 8 10 - 9 SDM 10 - 10
-
, , Cisco , ,
-
, Cisco IOS , Cisco IOS , ,
-
(Access Control List, ACL) Cisco , , , ,
-
, , , , TCP / IP 2 MAC , ,
-
Cisco IOS , CLI , Cisco (Security Device Manager, SDM) , (Virtual Private Network, VPN) , 14
-
10 - 1 , , , 10.1
-
11 (trusted network) (untrusted network) , (secured network) , (DeMilitarized Zone, DMZ) () , HTTPDNS
-
, (VLAN), (LAN) , VLAN , Cisco IOS
-
10 - 2 , (WUI, witless user ignorance) (, ), , , , ,
-
IP , Cisco , FTPsendmail HTTP
-
, Autorooter (toolkit)
-
, (Denial of Service, DoS) (Distributed Denial of Service, DDoS) , , , (, )
-
, , TCP SYN flood TCP , SYN SYN-ACK , ACK ,
-
Ping of death TCP / IP 65, 536 ping, TFN (Tribe Flood Network) TFN2K (Tribe Flood Network 2000) DoS , IP (IP spoofing) ,
-
Stacheldraht , TFN, , , DoS IP (IP spoofing) , IP , IP
-
, (Man-in-the-middle attack) , ISP (sniffer) , (network reconnaissance) , , ,
-
DNS ping (ping sweep) (packet sniffer) , , (promiscuous mode), , ,
-
, IP , , (brute force attack) , , ()
-
, , , (port redirection attack) , () ,
-
command.com , command.com Windows , , ,
-
(trust exploitation attack) , SMTPDNS HTTP , , , , ,
-
, ,
-
10 - 3 ~ JuniperMcAfee, Cisco Cisco ASA (Adaptive Security Appliance) , , ()
-
, ASA Cisco IOS 80% Cisco IOS , Cisco IOS ,
-
, Cisco ACL , CCNA , ACL
-
Cisco IOS Cisco IOS , (stateful) IOS , , (Context-Based Access Control, CBAC), 102 ,
-
Cisco IOS (firewall voice traversal) , (call flow) (open channel) H.323v2 SIP (Session Initiation Protocol) ICMP ping traceroute ICMP , ICMP (authentication proxy) HTTPHTTPSFTP Telnet,
-
Cisco IOS RADIUS TRACACS + , URL , URL AAA (profile storage) ACL
-
Cisco IOS Cisco IOS (provisioning) (no-touch) , , Java applet Java applet
-
Cisco IOS ACL, (Lock-and-Key) ACL, , IP
-
(Network Address Translation, NAT) (, , RIPv2EIGRP OSPF)
-
Cisco IOS , , ACL ,
-
10 - 4 (access list) , , , , , WWW ,
-
, , , , ,
-
, (distribute list), , , (queuing) QOS , ISDN if-then ,
-
, , , , , , ,
-
1 , 2 , 3 , , , , "" , IP ,
-
, , 2 (standard access list) IP IP , IP , IP , WWWTelnetUDP
-
(extended access list) IP 3 4 IP , (named access list) 2 , 3
-
, 2 , , , , , , , ,
-
, , , , ,, ,
-
(Inbound access list) , , , (outbound access list) , ,
-
, IP , , ,
-
, , , permit any , ,
-
permit , , , , IP ,
-
, , IP , ,
-
, , ACL
-
ACL ACL IP IP TCP SYN , DoS TCP SYN , TCP (Intercept)DoS smurf ICMP ICMP traceroute
-
ACL , IP ACL, (127.0.0.0 / 8) IP
-
10 - 5 IP 1 - 99 1300 - 1999 () IP , , 1 - 99 1300 - 1999 , IP
-
IP (, IOS )
-
, 1 - 99 1300 - 1999 ,
-
, permit deny , deny
-
3 , any IP host any , host ,
-
172.16.30.2 host, , access-list 10 deny 172.16.30.2, 172.16.30.2 (wildcard mask), ,
-
, ,
-
, (block size) 6432168 4, , 34 , 64
-
18 , 32 2 , 4 , ,
4 0 , 0 ,
-
, 255, / 24 3 , 4
-
, , 20 , , 16 32, 20 172.16.8.0 172.16.15.0 , 8, 172.16.8.0, 0.0.7.2557.255
-
172.16.8.0 , 8 , 172.16.15.0 , , , 1 , , 8, 7 16, 15,
-
, 3 , 4
2 , 2
-
172.16.16.0 , 4, 172.16.16.0 , 172.16.19.0 172.16.16.0 , 8, 172.16.23.0
172.16.32.0 , 16, 172.16.47.0
-
172.16.64.0 , 64, 172.16.127.0
192.168.160.0 , 32, 192.168.191.0
, 2 0
-
, 8, 12 , 0 - 7, 8 - 15, 16 - 23 32, 0 - 31, 32 - 63, 64 - 95 any 0.0.0.0 255.255.255.255
-
, 10.2 , 3 , ,
-
,
any
, , any
-
, , , E0 , ,
-
E1
172.16.40.0 E1 , E1
-
E1 E0 , E0 , 10.3 2 3 1 WAN
-
Lab_B , , ,
-
, Lab_B 0 Lab_B
-
Telnet , , 10.4 4 LAN 1 WAN
-
, 4 1 IP , , ( E0 , E3 )
-
, , , CCNA ,
-
VTY (telnet) telnet , , VTY IP , IP Telnet , , , ,
-
VTY (telnet) VTY VTY , Telnet , VTY , Telnet IP
-
Telnet , show users telnet disconnect , , , ,
-
Telnet VTY , , VTY , , access-class
-
Telnet , access-class VTY , ,
-
VTY (telnet) , 1. , telnet 2. access-class VTY 172.16.10.3 telnet
-
VTY (telnet) deny any , 172.16.10.3 , telnet , IP
-
10 - 6 , , , , , ,
-
, , , , , , ,
-
, 100 199, 2000 2699 , , deny
-
,
-
TCP , TCP , TCP , IP ( any , )
-
,
IP 172.16.30.2
-
Enter , , 172.16.30.2 TCP , ,
-
,
-
, Telnet (23 ) 172.16.30.2 FTP, , log , ,
-
, deny any , , deny any ,
, 0.0.0.0 255.255.255.255 any ,
-
, ( IP )
-
1 IP 10.2 , 172.16.30.5 Telnet FTP
-
1access-list 110 tcp , tcp, 21 23 ( FTP Telnet, TCP )any , IP , host IP , E1
-
1, 172.16.30.5 FTP Telnet , E0 ,
-
1 E1 , E1 FTP Telnet
-
2 10.4 4 1 Telnet E1 E2 , , 2 , ,
-
2 CCNA , ()
-
2, , , 100 - 199, 23 (Telnet) TCP, Telnet TCP TFTP, UDP, TFTP UDP
-
2, 23, Telnet , permit ip any any , telnet , E1 E2
-
10 - 7 , Cisco , ,
-
, , , , , , , , , ,
-
, , , ,
-
, , 33 177 (), , , 177
-
, , , 10.2
-
ip access-list, access-list, ,
, BlockSales
-
, , Enter , ,
-
, ,
-
BlockSales , ,
,
-
ACL ACL 2 2 , , , IP
-
ACL, IP , MAC MAC , ACL, ACL ACL
-
ACLACL VLAN ACL (trunk port) , VLAN , ACL VLAN ACL IP IP IP MAC ,
-
ACL, ACL ACL , ACL ,
-
ACL
-
ACL, permit any any
IP , mac
-
ACL MAC , , ether-type
-
ACL
-
ACL
, ether-type , DecNet AppleTalk ,
-
ACL 1 , 0 x 800, IP IPv6, ,
-
(lock and key) ACL ( ACL) ACL Telnet ACL ACL , ACL telnet Telnet , ACL ACL,
-
ACL ACL IP , , IP ACL ACL, ACL ACL , IP ACL
-
ACL ACL ACL, , , , , , (NTP, Network Time Protocol)
-
ACL
-
ACL
time-range , , ,
-
Remark remark , IP ACL , ACL , ,
-
Remark permit deny , , permit deny ACL , ACL access-list remark , no
-
Remark remark
-
Remark
remark, show access-list , SDM ,
-
(Cisco IOS ) (Context-Based Access Control, CBAC) , Cisco IOS , ( Cisco) Cisco IOS , CBAC CBAC , TCP UDP
-
(Cisco IOS ), ip inspect , 10.5, Cisco IOS (CBAC)
-
(Cisco IOS )
-
(Cisco IOS ) Cisco IOS 1. , ACL , 2. , IP , 3. , IP , ACL , ACL , 4. SDM ,
-
(Authentication Proxy), , Cisco IOS ACL , , TACACS+ RADIUS
-
10 - 8 , 10.1
-
show running-config 2 MAC , show access-list
-
, 10 , 110 TCP , show , TCP , ()
-
show ip interface
-
BlockSales, , SDM , show running-config , 2 , show mac access-group
-
MAC , interface
-
10 - 9 SDM SDM , Cisco IOS ACL, , Next ,
-
SDM ACL SDM ACL, SDM , Configure / Firewall and ACL, Create Firewall
-
SDM ACL Edit firewall Policy / ACL
-
SDM ACL, From To s0 / 0 / 0 From , s0 / 2 / 0 To +Add, Add New
-
SDM ACL, s0 / 0 / 0 C (WHC) telnet (23), OK ,
-
SDM ACL SDM , +Add , , SDM ACL
-
SDM ACL permit ip any
OK , , ACL
-
SDM ACL
-
SDM ACL
-
SDM ACL telnet 10.1.12.2, Corp
, telnet 10.1.12.1
-
SDM ACL IP 10.1.12.2 23 s0 / 0 / 0 , telent 10.1.12.1 , SDM ,
-
SDM Cisco IOS , Configure / Firewall and ACL, , 2 , , () ,
-
SDM Basic Firewall , Launch , () , , ,
-
SDM , , Advanced Firewall, Launch Create Firewall
-
SDM , Launch the selected task
-
SDM , Next,
-
SDM , Next
-
SDM Finish,
-
SDM OK () OK ,
-
SDM ,
-
SDM
-
SDM IOS , (Context-Based Access Control, CBAC), Cisco IOS ip inspect , inspect , SDM
-
SDM
-
SDM ip inspect SDM_LOW out SDM
-
SDM
ACL 100 - 102 ACL
-
SDM ACL , SDM
-
SDM
103 , , 103 ICMP OSPF ,
-
SDM , , , , ACL ACL , , ~
-
SDM , , Firewall and ACL , Advanced firewall,
-
SDM
-
SDM DMZ , DMZ DMZ ,
-
SDM DMZ
-
SDM , SDM, SDM, GUI, SDM ACLNAT VPN
-
SDM , , ACL
-
10 - 10 , IP , Cisco , , IP , Cisco ,
-
, , , IP MAC , SDM ACL , SDM
