集訓營walls rs123cciers123學習計劃

模塊《網(wǎng)絡(luò)安全》課程模塊《網(wǎng)絡(luò)安全》課程內(nèi)????Zone-?2009CiscoSystems,Inc.AllrightsAccess-?2009Access-?2009CiscoSystems,Inc.AllrightsTestingPacketswithTestingPacketswithStandard?2009CiscoSystems,Inc.AllrightsTestingPacketswithTestingPacketswithExtended?2009CiscoSystems,Inc.AllrightsACLConfigurationACLConfigurationACLnumbersindicatewhichprotocolisOneACLperinterface,perprotocol,perdirectionisTheorderofACLstatementscontrolsThemostrestrictivestatementsgoatthetopoftheThelastACLtestisalwaysanimplicitdenyanystatement,soeverylistneedsatleastonepermitstatement.ACLsmustbecreatedbeforeapplyingthemtoACLsfiltertrafficgoingthroughtherouter.ACLsdonotfiltertrafficoriginatingfromtherouter.?2009CiscoSystems,Inc.Allrights標準編IPv4ACL的配使用標準編IPv4ACL的配使用19913001999作為access-list-number第一個條目分配的序列號10，后續(xù)條目以10為增量遞增。默認通配符掩碼是（僅針對標準ACL）noaccess-listaccess-list-number命令可刪除整個ACL。remark用于向ACL添加說明。RouterX(config-noipaccess-groupaccess-list-number{in|out}ACL?2009CiscoSystems,Inc.Allrights用標ACL控vty訪RouterX(config-限制特定用標ACL控vty訪RouterX(config-限制特定地址之間的入站或出站連示例僅允許網(wǎng)vty線中的主機連接到路由器?2009CiscoSystems,Inc.Allrights擴展編IPv4ACL的配設(shè)擴展編IPv4ACL的配設(shè)置此列表條目的參RouterX(config-激活接口上的擴展列?2009CiscoSystems,Inc.Allrights字母數(shù)字命名的字符串字母數(shù)字命名的字符串必須是唯一RouterX(config{std-|ext-如果未配置，則從10開始自動生成序列號，并以10為增量遞增中刪除指定測RouterX(config-激活接口上的命IP?2009CiscoSystems,Inc.AllrightsACL語顯示所有訪ACL語顯示所有訪問列?2009CiscoSystems,Inc.Allrights?2009Cisco?2009CiscoSystems,Inc.Allrights?2009?2009CiscoSystems,Inc.AllrightsCiscoIOSStandardAccessControlListsWhenusedfortrafficfiltering,IPv6standardCiscoIOSStandardAccessControlListsWhenusedfortrafficfiltering,IPv6standardaccesscontrollists(ACLs)offerthefollowingfunctions:FiltertrafficbasedonsourceanddestinationFiltertrafficinboundoroutboundtoaspecificImplicit"denyall"attheendofaccess?2002,CiscoSystems,Inc.AllrightsCiscoIOSAccessControlLists?FilteroutgoingtrafficCiscoIOSAccessControlLists?Filteroutgoingtrafficfromsite-localsourceGlobalSite-localprefix:?2009CiscoSystems,Inc.AllrightsCiscoIOSExtendedAccessControlLists?IPv6extendedCiscoIOSExtendedAccessControlLists?IPv6extendedaccesscontrollistsSimilarfilteringfeaturesasIPaddress,trafficclass,upper-layerNewIPv6Flowlabel,extensionheaders,Usedfortrafficfilteringonly.Routingprotocolprefixesfilteringuses"ipv6prefix-list"?2009CiscoSystems,Inc.AllrightsCiscoIOSAccessControlCiscoIOSAccessControlLists?IPv6extendedaccesscontrollistsImplicitIPv6rulesattheendofeachPermiticmpanyanynd-Permiticmpanyanynd-Denyipv6any?2009CiscoSystems,Inc.AllrightsCiscoIOSIPv6ExtendedACLCommandSyntaxEnteraccesscontrollistCiscoIOSIPv6ExtendedACLCommandSyntaxEnteraccesscontrollistrouter(config-ipv6-{permit|{<src-prefix>{<dst-prefix>any|host<addr>}any|host[dscp<value>][flow-[fragments][reflect<reflexive-acl-name>[timeout<val>]][time-range<time-range-name>][log|log-Accesscontrol?2009CiscoSystems,Inc.AllrightsCiscoIOSIPv6ExtendedACLInterfaceCommandsCiscoIOSIPv6ExtendedACLInterfaceCommandsrouter(config-Filterincomingoroutgoingtrafficaccordingtothespecifiedaccesslist?2009CiscoSystems,Inc.AllrightsCiscoIOSIPv6ExtendedACLConfigurationExample?FilterincomingtrafficfromtheIPv6InternettowebsiteandDNSserver?2009CiscoSystems,CiscoIOSIPv6ExtendedACLConfigurationExample?FilterincomingtrafficfromtheIPv6InternettowebsiteandDNSserver?2009CiscoSystems,Inc.AllrightsCiscoIOSACLshow,clear,anddebugCommands?show,clearandCiscoIOSACLshow,clear,anddebugCommands?show,clearanddebugcommandsareavailabletodisplayandverifydefinedIPv6extendedACLs:?2009CiscoSystems,Inc.AllrightsZone-?2009Zone-?2009CiscoSystems,Inc.AllrightsBasicTheprivatezonemustreachtheInternet,withaccessBasicTheprivatezonemustreachtheInternet,withaccesstoHTTP,SMTP,andDNSservices.TheInternetshouldnothaveanyinbound ?2009CiscoSystems,Inc.AllrightsDMZ?NetworkconsistsofthreeInternetzone:InternetDMZzone:/24Privatezone:Privatenetwork,DMZ?NetworkconsistsofthreeInternetzone:InternetDMZzone:/24Privatezone:Privatenetwork,InternalNetwork?2009CiscoSystems,Inc.AllrightsSecurityZoneZone?2009CiscoSystems,Inc.AllrightsSecurityZoneZone?2009CiscoSystems,Inc.AllrightsZoningRulesIftwoZoningRulesIftwointerfacesareinsamezones,trafficflowsfreelybetweenIfoneinterfaceisinazone,andanotherinterfaceisnotinazone,trafficmayneverflowbetweenthem.Iftwointerfacesareintwodifferentzones,trafficwillnotflowbetweentheinterfacesuntilapolicyisdefinedtoallowthetraffic.?2009CiscoSystems,Inc.AllrightsSecurityZoneZoneZone?2009CiscoSystems,Inc.AllrightsSecurityZoneZoneZone?2009CiscoSystems,Inc.AllrightsSpecifyingAppliesCiscoSpecifyingAppliesCiscoPolicyLanguageBasedonexistingMQCframeworkinCiscoIOSSoftwareOnlythreeconstructs:Policy-mapassociatesactionswiththeabove-specifiedParameter-mapspecifiesoperatingparametersfortheclassificationandactionapplication.?2009CiscoSystems,Inc.AllrightsThe“inspect”typeclass-The“inspect”typeclass-Applieslogicalqualifiersmatch-allandmatch-any.DeterminesthewayapacketismatchedagainstfiltersinaclassmapAppliesthreetypesofmatchstatementsmatchprotocol<protocol-matchaccess-group<number|matchclass<class-map-?2009CiscoSystems,Inc.Allrightsclass-maptypeSpecifieswebtrafficthatalsomatchesclass-maptypeSpecifieswebtrafficthatalsomatchesACLSpecifiestrafficthatisboundforanyofthethreeprotocolsSpecifiestrafficthatisboundforanyofthethreeprotocolsinc2andthatalsomatchesACL199?2009CiscoSystems,Inc.AllrightsZBFPolicy??ZBFPolicy??NostatefulMonitoroutboundtrafficaccordingtopermitordenyAnticipatereturntrafficaccordingtosessiontableDropanytrafficthatisnotspecificallyinspected(class-defaulttraffic)??2009CiscoSystems,Inc.AllrightsLayers3,4,and7Layers3,4,and7PolicyLayer3/Layer4policyisatoplevelpolicy-whichisattachedtothezonepair.Aggregatetrafficusingmatchprotocol/ACLsselections,applyhigh-levelactionslikedrop,inspect,urlfilteranddeep-Layer7orapplicationpolicyisoptionalandistypicallyappliedtocontrolthefinerdetailsofanapplication(e.g.,HTTP,SMTPetc).ItiscontainedinaLayer3/Layer4policyandcannotbedirectlyattachedtoatarget.Layer3/Layer4policysufficesforbasicinspection.Finerapplication-levelinspectioncallsforcreationofanLayer7policywhichisnested(hierarchical)intheLayer3/Layer4policy.?2009CiscoSystems,Inc.AllrightsLayers3,4,and7PolicyLayers3,4,and7PolicyTypesLayer7class/policy-mapsareprotocolspecific.Theoptionsappearingunderthemdependontheprotocolandthecapabilitiesoftheexistingapplicationinspectionmodule.Asofnow,Layer7policiescanbeconfiguredforthefollowingprotocols:HTTP,SMTP,POP3,IMAP,andRPC.TheLayer7policymapisattachedtothetop-levelpolicyusingtheservice-policyinspect<http|smtp|…><policy-name>Theclassinthetop-levelpolicyforwhichanLayer7policy-mapisconfiguredmusthaveamatchprotocolfilter.ThisprotocolandtheLayer7Policymapprotocolmustbethesame.Ifonly‘matchaccess-group’filtersarepresentintheclassmap,aLayer7policycannotbeconfiguredforthatclass.AsingleLayer7policymapmaybeusedinmultiple?2009CiscoSystems,Inc.AllrightsApplytoplevelpolicyon?2009CiscoApplytoplevelpolicyon?2009CiscoSystems,Inc.Allrightsclass-maptypeinspecthttplong- HTTPmatchrequesturilengthgt withURLpolicy-maptypeinspecthttphttp-classtypeinspecthttplong- Layer7action:class-maptypeinspectmatch-allhttp-matchprotocolhttpmatchaccess-group199policy-maptypeinspectclasstypeinspecthttp-traffic HTTPinspectionservice-policyinspecthttphttp-zone-pairsecurityin-outsourcein-zonedestout-service-policytypeinspectParameterSpecifyparameterssuchParameterSpecifyparameterssuchasoldinspect?2009CiscoSystems,Inc.AllrightsConfiguringaCiscoIOSZone-BasedPolicyFirewallIdentifyConfiguringaCiscoIOSZone-BasedPolicyFirewallIdentifyinterfacesthatsharethesamefunctionsecurityandgroupthemintothesamesecurityzones.Determinetherequiredtrafficflowbetweenzonesinbothdirections.Setupzones.Setupzonepairsforanypolicyotherthandenyall.Defineclassmapstodescribetrafficbetweenzones.Associateclassmapswithpolicymapstodefineactionsappliedtospecificpolicies.Assignpolicymapstozone?2009CiscoSystems,Inc.AllrightsTwo-InterfaceCiscoIOSZone-BasedPolicyFirewallConfigurationListzoCTwo-InterfaceCiscoIOSZone-BasedPolicyFirewallConfigurationListzoCRS-?2009CiscoSystems,Inc.Allrightsclass-maptypeinspectmatch-anysnrsprotocolsmatchprotocolhttpmatchprotocol definedinfirewallmatchprotocolmatchaccessgroup!policy-maptypeinspect Applyaction(inspectclasstypeinspect stateful!zonesecurity Zoneszonesecurity!interfacefastethernet Interfacesassignedzone-membersecurity !interfacefastethernet0/1zone-membersecurityinternet!zone-pairsecuritypriv-to-internetsourceprivatedestinationinternetservice-policytypeinspectsnrsfwpolicy InspectionfromprivateVerificationshowzonesecurityshowVerificationshowzonesecurityshowzone-pairsecurityshowpolicy-maptypeshowpolicy-maptypeinspectzone-pair–Examinesthefirewallstatetableshowclass-maptypeinspect?2009CiscoSystems,Inc.Allrights?2009?2009CiscoSystems,Inc.AllrightsAAAWhoareAAAWhoareyou?WhatcanyouWhatdidyoudoandhowlongdidyoudo?2009CiscoSystems,Inc.AllrightsCiscoSecureACSCiscoSecureACSProvidesauthentication,authorization,andaccounting(AAA)fornetworks?2009CiscoSystems,Inc.AllrightsCiscoSecureACSCiscoSecureACS?2009CiscoSystems,Inc.AllrightsGUIClient?GUIClient?2009CiscoSystems,Inc.AllrightsAAAOverviewandAAAOverviewandAAAdefinitionAAARouteraccess?2009CiscoSystems,Inc.AllrightsRouterAccess?RouterAccess?2009CiscoSystems,Inc.AllrightsAAA?2009AAA?2009CiscoSystems,Inc.AllrightsEnablingAAAandIdentifyingtheServer?TACACS+EnablingAAAandIdentifyingtheServer?TACACS+or?2009CiscoSystems,Inc.Allrights定義aaaserver定義aaaserver?2009CiscoSystems,Inc.AllrightsConfiguringLoginAuthenticationConfiguringLoginAuthenticationUsing?2009CiscoSystems,Inc.AllrightsConfiguringPPPAuthenticationUsingConfiguringPPPAuthenticationUsing?2009CiscoSystems,Inc.AllrightsConfiguringAAAAuthorizationConfiguringAAAAuthorizationUsingNamedMethodLists?2009CiscoSystems,Inc.AllrightsAAAAuthorization?AAAAuthorization?2009CiscoSystems,Inc.AllrightsConfiguringAAAAccountingConfiguringAAAAccountingUsingNamedMethodLists?2009CiscoSystems,Inc.AllrightsAccounting?2009Accounting?2009CiscoSystems,Inc.Allrights??2009CiscoSystems,Inc.AllrightsCharacterModeLoginCharacterModeLogin?2009CiscoSystems,Inc.AllrightsAAAAuthorization?AAAAuthorization?2009CiscoSystems,Inc.AllrightsCharacterModewith?CharacterModewith?2009CiscoSystems,Inc.AllrightsPacketMode?PacketMode?2009CiscoSystems,Inc.AllrightsIf-needed解?2009If-needed解?2009CiscoSystems,Inc.AllrightsIf-authenticated解?2009If-authenticated解?2009CiscoSystems,Inc.Allrights?2009?2009CiscoSystems,Inc.AllrightsNAT?2009NAT?2009CiscoSystems,Inc.AllrightsNAT地址類?內(nèi)部本地（insidelocal）：內(nèi)部主機的內(nèi)網(wǎng)地址，NAT地址類?內(nèi)部本地（insidelocal）：內(nèi)部主機的內(nèi)網(wǎng)地址，內(nèi)部全局（insideglobal）：內(nèi)部主機與外網(wǎng)通信外部全局（outsideglobal）：外網(wǎng)主機的地址，一外部本地（outsidelocal）：在內(nèi)網(wǎng)為外網(wǎng)主機定????2009CiscoSystems,Inc.AllrightsNAT轉(zhuǎn)換類型NAT轉(zhuǎn)換類型擴展轉(zhuǎn)換條?2009CiscoSystems,Inc.AllrightsNAT對內(nèi)網(wǎng)源地址的轉(zhuǎn)換（訪NAT對內(nèi)網(wǎng)源地址的轉(zhuǎn)換（訪問Internet或者地址隱藏對外網(wǎng)源地址的轉(zhuǎn)換（解決地址沖突對內(nèi)網(wǎng)目的地址的轉(zhuǎn)換（tcp負載均衡，內(nèi)網(wǎng)多鏡像服務(wù)器對內(nèi)網(wǎng)源地址靜態(tài)擴展轉(zhuǎn)換（基于服務(wù)端口的內(nèi)部全局地址復(fù)用端口地址轉(zhuǎn)換（復(fù)用內(nèi)部全局地址，訪問互聯(lián)網(wǎng)?2009CiscoSystems,Inc.Allrights1、TranslatingInside1、TranslatingInsideSource?2009CiscoSystems,Inc.AllrightsStaticInsideSourceNATConfigurationExampleStaticInsideSourceNATConfigurationExample?2009CiscoSystems,Inc.AllrightsDynamicNAT?DynamicNAT?2009CiscoSystems,Inc.Allrights2、TranslatingOutside2、TranslatingOutsideSource?2009CiscoSystems,Inc.Allrights