Network Security Lab 3


Description: this is the lab handout for the Electronics and Telecommunications programme.


Network Security Lab 2012

LAB 03

Configure IP ACL to Mitigate Attacks

IP Address Table

Lab introduction

Routers R1, R2 and R3 allow access only from PC-C, which plays the role of the system administrator's workstation; PC-C is also used to test connectivity to PC-A, the server that provides the DNS, SMTP, FTP and HTTPS services. Access Control Lists will be configured on the edge routers to limit attacks from outside and from inside the network, based on source and destination addresses.

Students will configure ACLs on the edge routers R1 and R3 to implement the protection requirements, then verify ACL operation from workstations inside and outside the network.

The routers are already configured with addresses, passwords and routing:

Enable password: ciscoenpa55
Password for console: ciscoconpa55
Username for VTY lines: SSHadmin
Password for VTY lines: ciscosshpa55
IP addressing
Static routing

Lab requirements

Verify connectivity between the devices
Configure an ACL so that only PC-C can access the devices remotely
Configure ACLs on R1 and R3
Verify ACL operation

Task 1: Verify connectivity between the devices

From PC-C, ping PC-A
From PC-C, open an SSH connection to interface Lo0 of R2, then disconnect
From PC-C, browse to the web server on PC-A, then close the browser
From PC-A, ping PC-C

Task 2: Restrict access to the routers

Step 1: Configure ACL 10 to block all remote access to the routers except from PC-C

Hint: on all three routers create ACL 10 permitting only host 192.168.3.3 (PC-C), then enter the vty line configuration and apply the ACL inbound.

Step 2: Verify from PC-C

SSH from PC-C to 192.168.2.1 succeeds; PC-A is denied.

Task 3: Create ACL 100 on R3

On R3, configure ACL 100 to block all packets whose source address belongs to 127.0.0.0/8, the RFC 1918 private ranges, or the multicast range.

Step 1: Configure ACL 100

Hint: create an ACL that denies the RFC 1918 private ranges 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/24, and the multicast range 224.0.0.0 with wildcard 15.255.255.255 (the note further down lists the full RFC 1918 prefixes, 172.16.0.0/12 and 192.168.0.0/16).

R3(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any

Step 2: Apply ACL 100 inbound on interface s0/0/1 of R3

R3(config)#interface s0/0/1
R3(config-if)#ip access-group 100 in

Step 3: Verify the ACL

From PC-C, ping the PC-A server: the ICMP reply is blocked by the ACL because its source address falls within 192.168.0.0/16.

Task 4: Create ACL 110

ACL 110 discards, on router R3, every packet that does not originate from the local LAN (packets whose source address is not in 192.168.3.0/24 are dropped); it is applied inbound on Fa0/1 of R3.

R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 any
R3(config)#interface fa0/1
R3(config-if)#ip access-group 110 in

Task 5: Create ACL 120

ACL 120 allows outside hosts to reach the DNS, SMTP and FTP services on server PC-A, denies access to the HTTPS service, and allows PC-C to reach R1 over SSH.

Step 1: Test HTTPS connectivity from PC-C to the PC-A web server

In the Config panel of PC-A, select the HTTP tab, disable HTTP and enable HTTPS. On PC-C, open the web browser and go to https://192.168.1.3

Step 2: On R1, create ACL 120 satisfying the requirements above

Step 3: Apply the newly created ACL to interface S0/0/1 of R1

Note (anhhoang): RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. 127.0.0.0/8. 224.0.0.0/4.

Note (anhhoang): write the commands in this order:

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any

Written by mistake, not counted for marks.

Note (anhhoang):

access-list 120 permit udp any host 192.168.1.3 eq 53
access-list 120 permit tcp any host 192.168.1.3 eq 25
access-list 120 permit tcp any host 192.168.1.3 eq 21
access-list 120 deny tcp any host 192.168.1.3 eq 443
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22

Because the requirement is for outside hosts to reach those services, the source must be "any" (any address is allowed); tcp or udp depends on the service protocol; host 192.168.1.3 is server PC-A.

Step 4: Re-test HTTP access from PC-C to PC-A

Task 6: Modify ACL 120

Allow ICMP echo reply and destination unreachable messages from the outside network, and block all other ICMP packets.

Step 1: Test a ping from PC-A to the loopback interface of R2 (the ping fails)

Step 2: Modify ACL 120 so that ICMP echo-reply packets are allowed back in

Step 3: Ping again from PC-A to the loopback interface of R2 (the ping succeeds)

Note (anhhoang):

access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any
access-list 120 permit ip any any

(because for the ACL's denies to take effect it must also contain a permit, so the last command is entered to let the remaining IP addresses through)
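As an added example (not part of the lab handout or the annotator's notes), the small evaluator below applies Cisco first-match ACL semantics, including wildcard masks and the implicit deny at the end of every list, to the ACL 100 and ACL 120 entries from the notes above, so the effect of a wrong wildcard (the hint's 172.16.0.0/16 versus the RFC 1918 /12) or of a missing final permit can be checked on constructed packets; the parser only handles the entry forms used in this lab, and the packet values are constructed for illustration.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so only 0 bits are compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse the 'access-list N permit|deny proto src dst [eq port] [icmp-type]' subset used here."""
    t, i = line.split(), 4
    ace = {"action": t[2], "proto": t[3]}
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif t[i] == "host":
            ace[side], i = (t[i + 1], "0.0.0.0"), i + 2
        else:
            ace[side], i = (t[i], t[i + 1]), i + 2
    ace["dport"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    ace["icmp_type"] = t[i] if i < len(t) and t[i] != "eq" else None
    return ace

def evaluate(acl, pkt):
    """First matching entry decides; a packet matching nothing hits the implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", pkt["proto"])
                and wc_match(pkt["src"], *ace["src"])
                and wc_match(pkt["dst"], *ace["dst"])
                and ace["dport"] in (None, pkt.get("dport"))
                and ace["icmp_type"] in (None, pkt.get("icmp_type"))):
            return ace["action"]
    return "deny"

# ACL 100 on R3 as the note writes it (full RFC 1918 prefixes).
ACL100 = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
          "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
          "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
          "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
          "access-list 100 deny ip 224.0.0.0 15.255.255.255 any",
          "access-list 100 permit ip any any"]
# ACL 120 on R1 after Task 6, combining the two notes.
ACL120 = ["access-list 120 permit udp any host 192.168.1.3 eq 53",
          "access-list 120 permit tcp any host 192.168.1.3 eq 25",
          "access-list 120 permit tcp any host 192.168.1.3 eq 21",
          "access-list 120 deny tcp any host 192.168.1.3 eq 443",
          "access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22",
          "access-list 120 permit icmp any any echo-reply",
          "access-list 120 permit icmp any any unreachable",
          "access-list 120 deny icmp any any",
          "access-list 120 permit ip any any"]
```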