【文章內(nèi)容簡介】 nicast RP forwarding SP Filtering Specific Filtering VMPS VLANs 2502 1335_06_2022_c2 35 169。 2022, Cisco Systems, Inc. A new study by Cisco Secure Consulting Services offers some insight into where many mon vulnerabilities exist in IT work systems. The study, which analyzed 33 midsize and large customer sites over a period of six months, found vulnerabilities in all the customer sites, but almost all the vulnerabilities could be traced to outdated software or lax system administration maintenance, not to inherent flaws in the systems. While the need for careful system administration and continual system security analysis has been wellunderstood, Cisco39。s study indicates that most businesses, especially those that are conducting Emerce activities over the Inter, aren39。t being careful enough. Good System Administration “ ” Information Week February 21, 2022, Issue: 774 2502 1335_06_2022_c2 36 169。 2022, Cisco Systems, Inc. Good System Administration ? Mailing lists ? Patches ? Logging ? Basics Strong or onetime passwords Encryption Switched infrastructure ? Firewalls or sysadmins? ? After you log it, read or analyze it! Fundamentals Tips 2502 1335_06_2022_c2 37 169。 2022, Cisco Systems, Inc. Intrusion Detection Systems ? Host and work both have their place ? False positives ? Placement ? Alarm or enforce? SiAttacker Public Services Internal Services Internal Users 2502 1335_06_2022_c2 38 169。 2022, Cisco Systems, Inc. Proper Trust Model Public Host A Public Host B Admin Host C Database Server Host D ok ok x x Si2502 1335_06_2022_c2 39 169。 2022, Cisco Systems, Inc. Committed Access Rate Traffic Matching Specification Traffic Measurement Instrumentation Action Policy Next Policy Excess Traffic Conforming Traffic Burst Limit Tokens ? Rate limiting ? Several ways to filter ? “Token bucket” implementation 2502 1335_06_2022_c2 40 169。 2022, Cisco Systems, Inc. CAR Rate Limiting Limit outbound ping to 256 Kbps Limit inbound TCP SYN packets to 8 Kbps interface xy ratelimit output accessgroup 102 256000 8000 8000 conformaction transmit exceedaction drop ! accesslist 102 permit icmp any any echo accesslist 102 permit icmp any any echoreply interface xy ratelimit input accessgroup 103 8000 8000 8000 conformaction transmit exceedaction drop ! accesslist 103 deny tcp any host established accesslist 103 permit tcp any host 2502 1335_06_2022_c2 41 169。 2022, Cisco Systems, Inc. RFC 1918 Filtering interface Serial n ip accessgroup 101 in ! accesslist 101 deny ip any accesslist 101 deny ip any accesslist 101 deny ip any accesslist 101 permit ip any any ISP Network Customer Network Ingress to Inter 2502 1335_06_2022_c2 42 169。 2022, Cisco Systems, Inc. RFC 2827 Filtering interface Serial n ip accessgroup 101 in ! accesslist 101 permit any accesslist 101 deny ip any any ISP Network Customer Network: Ingress to Inter ? Ingress packets must be from customer addresses interface Serial n ip accessgroup 120 in ip accessgroup 130 out ! accesslist 120 deny ip any accesslist 120 permit ip any any ! accesslist 130 permit any accesslist 130 deny ip any any Egress from Inter ? Egress packets cannot be from and to customer ? Ensure ingress packets are valid 2502 1335_06_2022_c2 43 169。 2022, Cisco Systems, Inc. Verify Unicast ReversePath ? Mitigates source address spoofing by checking that a packets? return path uses the same interface it arrives on ? Best Implemented at your ISP ? Requires CEF ? Not appropriate where asymmetric paths exist ip cef distributed ! interface Serial n ip verify unicast reversepath 2502 1335_06_2022_c2 44 169。 2022, Cisco Systems, Inc. Service Provider Filtering ? Best in emerce environments ? DDoS mitigation ? Bandwidth optimization SiAttacker Public Services Internal Services Internal Users Customer DDoS Agent ok Ports: 80 443 x Source: DDoS Agent Destination: Public Services Port: UDP Flood Source: Attacker Destination: Public Services Port: 23(Tel) 2502 1335_06_2022_c2 45 169。 2022, Cisco Systems, Inc. Private VLANs Promiscuous Port Promiscuous Port Community ?A? Community ?B? Isolated Ports Primary VLAN Community VLAN Community VLAN Isolated VLAN Only One Sub! x x x 2502 1335_06_2022_c2 46 169。 2022, Cisco Systems, Inc. VMPS VLANs ? Associates VLAN assignment with MAC address ? VMPS server simplifies management ? Consider User Registration Tool VLANs via NT and Novell usernames 2502 1335_06_2022_c2 47 169。 2022, Cisco Systems, Inc. Network Audit Fundamentals ? Syslog Least mon denominator for most work equipment Nearly all Cisco products support output to a syslog system ? IP accounting Adds additional visibility into ACL violations ? Network vulnerability analysis Allows an ex