Политики безопасности компании при работе в Интернет
Шрифт:
object-group network WebDMZServers
network-object 172.16.3.16 255.255.255.248
network-object 172.16.3.24 255.255.255.248
network-object 172.16.3.64 255.255.255.248
object-group network AdminDMZNet
network-object 70.70.70.16 255.255.255.252
network-object 172.16.1.8 255.255.255.248
object-group network AdminDMZAll
network-object 172.16.1.4 255.255.255.252
group-object AdminDMZNetobject-group network WindowsTS
group-object WebDMZServers
network-object 172.16.4.112 255.255.255.252
network-object 172.16.5.0 255.255.255.0
network-object 172.16.16.16 255.255.248.0object-group service FW1-In tcp
port-object eq 256
port-object eq 258
port-object eq 18191
port-object eq 18192
port-object eq 18211object-group service FW1-Out tcp
port-object eq 256
port-object eq 257
port-object eq 18210Списки
access-list AdminDMZ-ACL permit udp object-group AdminDMZNet host 172.16.6.25 eq514
access-list AdminDMZ-ACL permit top 172.16.1.4 255.255.255.252 host 172.16.6.13 object-group FWl-Out
access-list AdminDMZ-ACL permit udp 172.16.1.4 255.255.255.252 host 172.16.6.13 eq 259
access-list AdminDMZ-ACL permit udp object-group AdminDMZAll host 172.16.6.33 eql62
access-list AdminDMZ-ACL permit udp object-group AdminDMZAll host 172.16.6.41 eql23
access-list AdminDMZ-ACL permit top 70.70.70.16 255.255.255.252 host 172.16.6.21 eq 49
access-list AdminDMZ-ACL deny ip any any
Списки контроля доступа для интерфейса WebDMZ:
access-list WebDMZ-ACL permit top 172.16.3.64 255.255.255.248 host 172.16.5.30 eq 2002
access-list WebDMZ-ACL permit top 172.16.3.64 255.255.255.248172.16.5.32 255.255.255.252 eq 445
access-list WebDMZ-ACL permit udp object-group WebDMZServers 172.16.5.52 255.255.255.252 eq 53
access-list WebDMZ-ACL permit tcp object-group WebDMZServers 172.16.5.52 255.255.255.252 eq 53
access-list WebDMZ-ACL permit udp object-group WebDMZServers 172.16.5.48 255.255.255.252 eq 500
access-list WebDMZ-ACL permit ah object-group WebDMZServers 172.16.5.48 255.255.255.252
access-list WebDMZ-ACL permit udp object-group WebDMZServers host 172.16.6.33 eql62
access-list WebDMZ-ACL permit top 172.16.3.16 255.255.255.240 host 172.16.6.9 eq443
access-list WebDMZ-ACL permit icmp object-group WebDMZServers 172.16.5.0 255.255.255.0 source-quench
access-list WebDMZ-ACL deny ip any any
Списки контроля доступа для интерфейса ServiceDMZ:
access-list ServiceDMZ-ACL permit tcp 172.16.4.108 255.255.255.252 host 172.16.17.46 eq 25
access-list ServiceDMZ-ACL permit udp 172.16.4.104 255.255.255.252 host 172.16.6.25 eq 514
access-list ServiceDMZ-ACL permit udp host 172.16.4.117 host 172.16.6.25 eq 514
access-list ServiceDMZ-ACL permit tcp 172.16.61.0 255.255.255.0 host 172.16.17.54 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 host 172.16.17.54 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.61.0 255.255.255.0 172.16.17.32 255.255.255.248 eq 80
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 172.16.17.32 255.255.255.248 eq 80
access-list ServiceDMZ-ACL permit tcp 172.16.61.0 255.255.255.0 172.16.17.32 255.255.255.248 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 172.16.17.32 255.255.255.248 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 host 172.16.6.45 eq 22
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 host 172.16.6.13 eq 18190
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 172.16.6.0 255.255.255.0 eq 3389
access-list ServiceDMZ-ACL permit tcp host 172.16.4.117 host 172.16.6.17 eq 389
access-list ServiceDMZ-ACL permit udp host 172.16.4.117 host 172.16.6.21 range 1645 1646
access-list ServiceDMZ-ACL permit tcp host 172.16.4.117 host 172.16.6.29 eq 5054
access-list ServiceDMZ-ACL permit udp 172.16.4.0 255.255.255.0 host 172.16.6.33 eq 162
access-list ServiceDMZ-ACL permit udp 172.16.4.0 255.255.255.0 host 172.16.6.41 eq 123
access-list ServiceDMZ-ACL deny ip any any
Списки контроля доступа для интерфейса SecureData:
access-list SecureData-ACL permit udp 172.16.5.48 255.255.255.252 object-group WebDMZServers eq 500
access-list Secure Data-ACL permit ah 172.16.5.48 255.255.255.252 object-group WebDMZServers
access-list Secure Data-ACL permit udp 172.16.5.48 255.255.255.252 host 172.16.6.41 eq 123
access-list SecureData-ACL permit udp 172.16.5.52 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list SecureData-ACL permit tcp 172.16.5.52 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list SecureData-ACL permit udp 172.16.5.0 255.255.255.0 host 172.16.6.33 eq 162
access-list WebDMZ-ACL permit icmp 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 source-quench
access-list SecureData-ACL deny ip any any
Списки
контроля доступа для интерфейса Management:access-list Management-ACL permit udp host 172.16.6.33 172.16.0.0 255.255.0.0 eq 161
access-list Management-ACL permit udp host 172.16.6.33 70.70.70.16 255.255.255.252 eq 161
access-list Management-ACL permit tcp 172.16.6.0 255.255.255.0 172.16.1.8 255.255.255.248 eq 22
access-list Management-ACL permit tcp 172.16.6.0 255.255.255.0 172.16.4.96 255.255.255.224 eq 22
access-list Management-ACL permit tcp 172.16.6.0 255.255.255.0 object-group WindowsTS eq 3389
access-list Management-ACL permit tcp host 172.16.6.13 172.16.1.4 255.255.255.252 object-group FWl-In
access-list Management-ACL permit udp host 172.16.6.13 172.16.1.4 255.255.255.252 eq 259
access-list Management-ACL deny ip any any
Списки контроля доступа для интерфейса Internal:
access-list Internal-ACL permit tcp 172.16.32.0 255.255.224.0 172.16.4.104 255.255.255.252 eq 8080
access-list Internal-ACL permit tcp host 172.16.17.46 172.16.4.108 255.255.255.252 eq 25
access-list Internal-ACL permit udp 172.16.17.20 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list Internal-ACL permit tcp 172.16.17.20 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list Internal-ACL permit tcp 172.16.35.0 255.255.255.248 host 172.16.5.30 eq 2002
access-list Internal-ACL permit tcp 172.16.36.0 255.255.255.248 172.16.5.32 255.255.255.252 eq 445
access-list Internal-ACL permit udp 172.16.16.16 255.255.248.0 host 172.16.6.33 eq 162
access-list Internal-ACL permit udp 172.16.17.16 255.255.255.252 host 172.16.6.41 eq 123
access-list Internal-ACL deny ip any any
Включение списков контроля доступа:
access-group AdminDMZ-ACL in interface AdminDMZ
access-group WebDMZ-ACL in interface WebDMZ
access-group ServiceDMZ-ACL in interface ServiceDMZ
access-group SecureData-ACL in interface SecureData
access-group Management-ACL in interface Management
access-group Internal-ACL in interface Internal
Настройка TACACS+. TACACS+ используется для централизованного управления аутентификацией и авторизацией доступа к межсетевым экранам. Определяем IP-адрес сервера TACACS+ и пароль для аутентификации:
aaa-server TACACS+ (Management) host 172.16.6.21 F$!19Ty timeout 5
Используемый метод аутентификации применяется для консольного доступа:
ааа authentication serial console TACACS+
Предупреждающий баннер:
banner login «This is a private computer system for authorized use only.
All access is logged and monitored. Violators could be prosecuted».
«Ежедневное» сообщение, выводимое в первую очередь при попытке получения доступа к межсетевому экрану:
banner motd «This is a private computer system for authorized use only.
All access is logged and monitored. Violators could be prosecuted».
Сообщение, выводимое при входе в непривилегированный (EXEC) режим:
banner exec «Any unauthorized access will be vigorously prosecuted».
Настройка встроенной системы IDS. Cisco PIX имеет встроенную систему обнаружения вторжений. Хотя по количеству сигнатур система уступает устройствам серии Cisco IDS 4200, все же имеет смысл сконфигурировать ее для отсылки сообщений в случае атак:
ip audit info action alarm
ip audit attack action alarm
Защита системы аутентификации. Для защиты от атак на переполнение системы аутентификации используется следующая опция: