
1. Introduction

    This post works through several ways to turn a Cisco IOS router into a firewall: a screening router with a static ACL, a reflexive ACL, a dynamic (lock-and-key) ACL, and CBAC stateful inspection with a basic URL filter.

2. Main body

1. Firewall

1. Classification by form

[figure: Bastion Host] A single hardened host exposed directly to the untrusted network; it is the one system expected to absorb attacks.
[figure: Screening Router] A packet-filtering router placed between the internal and external networks, filtering on addresses, protocols and ports.
[figure: Multi-Homed Gateway (source)] A host with two or more interfaces and IP forwarding disabled, so traffic can only cross it through application-level proxies.
[figure: Screened Host Gateway (source)] A screening router in front of a bastion host on the internal network; the router admits outside traffic only to the bastion host.

2. Classification by configuration

[figure: Firewall types (source)]

3. Classification by generation

[figure: The Four Firewall Generations (source)]

2. IOS Firewall

1. Screening Router

[figure: Topology] Reconstructed from the addressing below: HQ LAN 100.1.1.0/24 -- HQ f0/1 1.1.100.1 / IOS_FW f0/0 1.1.100.2 -- IOS_FW f0/1 1.1.100.5 / BB f0/0 1.1.100.6 -- BB f0/1 1.1.100.9 / Branch f0/0 1.1.100.10 -- Branch LAN 200.1.1.0/24. BB f1/0 faces the outside (next hop 10.0.0.1). IOS_FW sits between HQ and everything else, so its f0/1 is the "outside" interface in every ACL that follows.

1. Configure IP Address
//HQ
# en
# conf t
!
# hostname HQ
# no ip domain look          // stop mistyped commands from triggering DNS lookups
!
# line c 0
# logging sync
# exec-t 0                   // console never times out: lab convenience only
!
# int f0/0
# no sh
# ip add 100.1.1.254 255.255.255.0      // HQ LAN
!
# int f0/1
# no sh
# ip add 1.1.100.1 255.255.255.252      // link to IOS_FW

//IOS_FW
# en
# conf t
!
# hostname IOS_FW
# no ip domain look
!
# line c 0
# logging sync
# exec-t 0
!
# int f0/0
# no sh
# ip add 1.1.100.2 255.255.255.252      // inside: toward HQ
!
# int f0/1
# no sh
# ip add 1.1.100.5 255.255.255.252      // outside: toward BB (all ACLs below are applied here)

//BB
# en
# conf t
!
# hostname BB
# no ip domain look
!
# line c 0
# logging sync
# exec-t 0
!
# int f0/0
# no sh
# ip add 1.1.100.6 255.255.255.252      // link to IOS_FW
!
# int f0/1
# no sh
# ip add 1.1.100.9 255.255.255.252      // link to Branch
!
# int f1/0
# no sh
# mac-address                            // outside link; the MAC value is not shown on the page

//Branch
# en
# conf t
!
# hostname Branch
# no ip domain look
!
# line c 0
# logging sync
# exec-t 0
!
# int f0/0
# no sh
# ip add 1.1.100.10 255.255.255.252     // link to BB
!
# int f0/1
# no sh
# ip add 200.1.1.254 255.255.255.0      // Branch LAN
!
# int f1/0
# no sh
# mac-address                            // MAC value not shown on the page

2. Routing
//HQ
# router ospf 1
# net 100.1.1.254 0.0.0.0 a 0     // 0.0.0.0 wildcard: enable OSPF on exactly this interface
# net 1.1.100.1 0.0.0.0 a 0

//IOS_FW
# router ospf 1
# net 1.1.100.2 0.0.0.0 a 0
# net 1.1.100.5 0.0.0.0 a 0

//BB
# router ospf 1
# net 1.1.100.6 0.0.0.0 a 0
# net 1.1.100.9 0.0.0.0 a 0
# default-information originate   // advertise a default route into OSPF; needs the static default below to exist
!
# ip route 0.0.0.0 0.0.0.0 f1/0 10.0.0.1

//Branch
# router ospf 1
# net 1.1.100.10 0.0.0.0 a 0
# net 200.1.1.254 0.0.0.0 a 0

//HQ, IOS_FW, BB, Branch
# sh ip ospf nei                  // every adjacency should be FULL before adding any ACL

3. NAT
//BB
# ip access-list standard INGRESS       // inside networks eligible for translation
# permit 100.1.1.0 0.0.0.255
# permit 200.1.1.0 0.0.0.255
!
# ip nat inside source list INGRESS int f1/0 overload    // PAT behind the f1/0 address
!
# int range f0/0 - 1
# ip nat inside
!
# int f1/0
# ip nat outside

4. Screening Router
//IOS_FW
# ip access-list extended OUT_IN
# permit udp any host 100.1.1.250 eq domain     // seq 10: DNS to the HQ server
# permit tcp any host 100.1.1.250 eq 80         // seq 20: HTTP to the HQ server
# 5 permit ospf host 1.1.100.6 any              // inserted ahead of seq 10: keep the OSPF adjacency with BB alive
# 21 permit tcp any 100.1.1.0 0.0.0.255 established   // return traffic for sessions HQ opened; see caveat below
# 22 permit tcp any 100.1.1.0 0.0.0.255 eq domain
# 30 deny ip any any                            // same as the implicit deny, but `sh access-list` now shows drop counters
!
# int f0/1
# ip access-group OUT_IN in                     // inbound on the outside-facing interface

// Caveat: `established` only tests the ACK or RST bit of a TCP segment. It keeps no
// session state, so any outside host that sets ACK can reach any TCP port on 100.1.1.0/24.

//Branch
# line vty 0 4
# password cisco                                // lab-only credential (`login` is already the vty default)
!
# enable password cisco                         // lab-only; `enable secret` stores a hash instead of plaintext

//Win7_1
> telnet 1.1.100.10                             // from the HQ LAN: the SYN leaves unfiltered, the SYN/ACK returns via seq 21

5. Reflexive ACL
//IOS_FW
# int f0/1
# no ip access-group OUT_IN in      // unbind first, then delete; an interface bound to a missing ACL permits everything
!
# no ip access-list extended OUT_IN
!
# ip access-list extended RACL->OUT
# permit tcp any any reflect RACL_T     // each outbound session adds a mirrored temporary entry to RACL_T
# permit udp any any reflect RACL_T
# permit icmp any any reflect RACL_T
# permit ip any any                     // everything else still leaves, just untracked
!
# ip access-list extended RACL->IN
# permit ospf host 1.1.100.6 any
# permit udp any host 100.1.1.250 eq domain
# permit tcp any host 100.1.1.250 eq 80
# evaluate RACL_T                       // inbound packets pass only if they mirror a tracked session; implicit deny follows
!
# int f0/1
# ip access-group RACL->OUT out
# ip access-group RACL->IN in

// Temporary entries expire after the reflexive timeout (300 s by default, `ip reflexive-list timeout`),
// or earlier for TCP once the session closes. Protocols that open a second channel (active FTP)
// are not handled; that is what CBAC in section 7 adds.

[figure: before dynamic-ACL authentication]

[figure: after dynamic-ACL authentication]
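The difference between the screening ACL of section 4 and the reflexive ACL of section 5 is easiest to see by running both policies against the same packets. The model below is an added example, not the page's configuration and not IOS code: it encodes the relevant entries of OUT_IN and RACL->IN as Python objects, implements `established` the way IOS does (a TCP segment with ACK or RST set matches, nothing else is checked), and implements `reflect`/`evaluate` as a table of mirrored 5-tuples. The hosts 100.1.1.1, 100.1.1.20 and 200.1.1.7 and the port numbers are constructed for the lab topology.

```python
"""Added example: a toy model of the IOS `established` keyword versus a reflexive
ACL, run against the lab's OUT_IN and RACL->IN entries. Not code from the page;
hosts and ports below are constructed for the lab topology."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK (or RST) bit set


@dataclass(frozen=True)
class Ace:
    """One access-control entry; protocol "ip" matches every protocol."""
    action: str             # "permit" or "deny"
    proto: str
    src: str                # CIDR
    dst: str                # CIDR
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src) or ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # IOS `established` looks only at the ACK/RST bits: no session memory at all
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: list[Ace], p: Packet) -> str:
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Section 4: the OUT_IN screening ACL, in sequence-number order
OUT_IN = [
    Ace("permit", "ospf", "1.1.100.6/32", ANY),                   # seq 5
    Ace("permit", "udp", ANY, "100.1.1.250/32", dport=53),        # seq 10
    Ace("permit", "tcp", ANY, "100.1.1.250/32", dport=80),        # seq 20
    Ace("permit", "tcp", ANY, "100.1.1.0/24", established=True),  # seq 21
    Ace("permit", "tcp", ANY, "100.1.1.0/24", dport=53),          # seq 22
    Ace("deny", "ip", ANY, ANY),                                  # seq 30
]

# Section 5: the static part of RACL->IN; `evaluate RACL_T` is modelled in code below
RACL_IN = [
    Ace("permit", "ospf", "1.1.100.6/32", ANY),
    Ace("permit", "udp", ANY, "100.1.1.250/32", dport=53),
    Ace("permit", "tcp", ANY, "100.1.1.250/32", dport=80),
]


class ReflexiveFirewall:
    """RACL->OUT `reflect` lines build mirrored entries; RACL->IN `evaluate` consults them."""

    def __init__(self, inbound: list[Ace]) -> None:
        self.inbound = inbound
        self.reflected: set[tuple] = set()      # mirrored 5-tuples, i.e. RACL_T

    def outbound(self, p: Packet) -> None:
        if p.proto in ("tcp", "udp", "icmp"):   # the three `reflect RACL_T` entries
            self.reflected.add((p.proto, p.dst, p.src, p.dport, p.sport))

    def inbound_verdict(self, p: Packet) -> str:
        for ace in self.inbound:                # static permits are checked first
            if ace.matches(p):
                return ace.action
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        return "permit" if key in self.reflected else "deny"   # `evaluate`, then implicit deny


def compare() -> dict[str, str]:
    """The same two inbound packets under both policies (constructed traffic)."""
    # Win7_1 (100.1.1.1, HQ LAN) telnets to Branch (1.1.100.10); the SYN/ACK comes back
    out = Packet("tcp", "100.1.1.1", "1.1.100.10", sport=40000, dport=23)
    reply = Packet("tcp", "1.1.100.10", "100.1.1.1", sport=23, dport=40000, ack=True)
    # An outside host sends a bare ACK to SMB on an HQ host that nobody inside talked to
    crafted = Packet("tcp", "200.1.1.7", "100.1.1.20", sport=4444, dport=445, ack=True)

    fw = ReflexiveFirewall(RACL_IN)
    fw.outbound(out)
    return {
        "static_reply": evaluate(OUT_IN, reply),
        "static_crafted": evaluate(OUT_IN, crafted),        # permitted: the ACK bit is enough
        "reflexive_reply": fw.inbound_verdict(reply),
        "reflexive_crafted": fw.inbound_verdict(crafted),   # denied: no mirrored session
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:18} {verdict}")
```

Both policies admit the real reply, but only the reflexive ACL rejects the crafted ACK segment, because `evaluate` requires an exact mirror of a session that was first seen leaving. The model omits what real IOS adds on top: the temporary entries age out, and TCP entries are removed shortly after the session closes.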

6. Dynamic ACL (lock-and-key)
//IOS_FW
# clear ip access-list dynamic counters
!
# ip access-list extended RACL->IN
# 41 permit tcp any host 1.1.100.5 eq telnet   // let outside users reach the firewall itself to authenticate
# 42 dynamic applythis permit tcp any host 1.1.100.1 eq telnet   // template: activated per authenticated host, `any` replaced by that host's address
!
# line vty 0 4
# password cisco                               // lab-only credential
# login
# autocommand access-enable host timeout 10    // on login: insert the dynamic entry for this source host (idle timeout 10 min) and close the session

// Caveats: `timeout` here is the idle timeout; an absolute lifetime goes on the template
// (`dynamic applythis timeout <minutes> permit ...`), otherwise an active entry never expires.
// With `autocommand` on every vty line nobody can telnet in for management; the usual pattern
// is `login local` with `username <user> autocommand access-enable host timeout 10` for the
// lock-and-key users only.

//Win7_2
# telnet 1.1.100.5
> Connection lost -> the temporary entry has been added to the access list (expected: the autocommand closes the session after inserting it)
# telnet 100.1.1.1       // note: entry 42 as written permits telnet only to 1.1.100.1 (HQ f0/1); the destination tested here must match the dynamic entry

[figure: TCP session log]

7. CBAC (Context-Based Access Control: stateful packet inspection)
//IOS_FW
# int f0/1
# no ip access-group RACL->IN in
# no ip access-group RACL->OUT out    // unbind the reflexive ACLs before deleting them
!
# no ip access-list extended RACL->IN
# no ip access-list extended RACL->OUT
!
# ip inspect name CBAC_T tcp          // inspection rule: track TCP, UDP and ICMP sessions by protocol state
# ip inspect name CBAC_T udp          // (not just an ACK bit or a mirrored 5-tuple)
# ip inspect name CBAC_T icmp
!
# ip access-list extended OUT->IN     // static holes only; returning traffic is admitted by the inspection state
# permit ospf host 1.1.100.6 any
# permit udp any host 100.1.1.250 eq domain
# permit tcp any host 100.1.1.250 eq www
!
# int f0/1
# ip access-group OUT->IN in
# ip inspect CBAC_T out               // inspect sessions leaving through f0/1; their replies bypass OUT->IN
!
# ip inspect name CBAC_T tcp audit-trail on    // syslog a start and a stop message (with byte counts) for every TCP session

//Basic URL Filter Using CBAC
//IOS_FW
# ip urlfilter exclusive-domain deny .moon681.shop   // local blocklist; the leading dot matches the domain and its subdomains
# ip urlfilter allow-mode on                          // HTTP to domains not on the local list is allowed when no URL filter server answers; allow-mode off would drop it
# ip urlfilter audit-trail                            // log allowed and blocked URLs
# ip inspect name CBAC_T http urlfilter               // apply URL filtering to the HTTP traffic CBAC_T inspects

// The filter matches the URL and Host header of plaintext HTTP; TLS traffic is not inspected, so
// HTTPS to the same domain is not blocked by this rule.
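With `audit-trail on`, the firewall logs a start and a stop message per TCP session, so the syslog becomes a usable session record for the HQ LAN. The parser below is an added example and not from the page: it follows the `%FW-6-SESS_AUDIT_TRAIL_START` / `%FW-6-SESS_AUDIT_TRAIL` message layout as documented for CBAC, to the best of my recollection, so treat the two regular expressions as an assumption to check against your own router's output. The six log lines are constructed, not captured from the lab, and the thresholds (expected responder ports 23/53/80, 1 MB outbound per session) are assumptions for this topology.

```python
"""Added example: turn CBAC audit-trail syslog into per-host session summaries.
Not code from the page. The message layout is assumed from Cisco's CBAC
documentation (verify against your router); the LOG lines are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: "
    r"initiator \((?P<isrc>[\d.]+):(?P<isport>\d+)\) -- "
    r"responder \((?P<rdst>[\d.]+):(?P<rdport>\d+)\)"
)
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: "
    r"initiator \((?P<isrc>[\d.]+):(?P<isport>\d+)\) sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<rdst>[\d.]+):(?P<rdport>\d+)\) sent (?P<rbytes>\d+) bytes"
)

# Constructed sample: Win7_1 telnets to Branch and browses a Branch web server, and a
# second HQ host pushes 2 MB to an unexpected port. Timestamps use the IOS default format.
LOG = """\
*Mar  1 00:10:22.117: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (100.1.1.1:49152) -- responder (1.1.100.10:23)
*Mar  1 00:10:40.233: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (100.1.1.1:49153) -- responder (200.1.1.10:80)
*Mar  1 00:11:05.871: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (100.1.1.1:49153) sent 412 bytes -- responder (200.1.1.10:80) sent 15230 bytes
*Mar  1 00:12:30.004: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (100.1.1.20:51000) -- responder (200.1.1.77:4444)
*Mar  1 00:12:31.500: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (100.1.1.20:51000) sent 2048000 bytes -- responder (200.1.1.77:4444) sent 96 bytes
*Mar  1 00:13:00.000: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (100.1.1.1:49152) sent 120 bytes -- responder (1.1.100.10:23) sent 840 bytes
"""


@dataclass
class Session:
    proto: str
    initiator: str
    iport: int
    responder: str
    rport: int
    sent: int = 0          # bytes from the initiator, known once the Stop line is seen
    received: int = 0
    closed: bool = False


def parse_audit_trail(lines) -> dict[tuple, Session]:
    """Pair Start/Stop messages by 5-tuple; a Stop without a Start still yields a record."""
    sessions: dict[tuple, Session] = {}
    for line in lines:
        m = START_RE.search(line) or STOP_RE.search(line)
        if not m:
            continue                          # unrelated syslog line
        key = (m["proto"], m["isrc"], int(m["isport"]), m["rdst"], int(m["rdport"]))
        s = sessions.setdefault(key, Session(*key))
        if "ibytes" in m.groupdict():         # only the Stop message carries byte counts
            s.sent, s.received, s.closed = int(m["ibytes"]), int(m["rbytes"]), True
    return sessions


def summarize(sessions: dict[tuple, Session], expected_ports=(23, 53, 80),
              exfil_bytes: int = 1_000_000):
    """Per-initiator totals plus findings worth a look; the thresholds are assumptions."""
    per_host: dict[str, dict] = defaultdict(
        lambda: {"sessions": 0, "bytes_out": 0, "open": 0, "unexpected_ports": set()})
    findings: list[str] = []
    for s in sessions.values():
        h = per_host[s.initiator]
        h["sessions"] += 1
        h["bytes_out"] += s.sent
        if not s.closed:
            h["open"] += 1
        if s.rport not in expected_ports:
            h["unexpected_ports"].add(s.rport)
            findings.append(f"{s.initiator} -> {s.responder}:{s.rport}/{s.proto} outside expected ports")
        if s.sent >= exfil_bytes:
            findings.append(f"{s.initiator} sent {s.sent} bytes to {s.responder}:{s.rport}")
    summary = {host: {**h, "unexpected_ports": sorted(h["unexpected_ports"])}
               for host, h in per_host.items()}
    return summary, findings


if __name__ == "__main__":
    summary, findings = summarize(parse_audit_trail(LOG.splitlines()))
    for host, h in summary.items():
        print(host, h)
    for f in findings:
        print("FINDING:", f)
```

Because `ip inspect CBAC_T out` is applied on f0/1, every initiator in this log should be an HQ address; an initiator outside 100.1.1.0/24 would mean inspection is bound to the wrong interface or direction. Sessions to the URL-filtered domain show up under `%URLF` messages rather than these, so a complete picture needs both.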

3. Conclusion

    A router can serve as a firewall when needed, and the four approaches above build on one another: a static screening ACL trusts the `established` flag, a reflexive ACL tracks return traffic per session, a dynamic ACL opens holes only for authenticated hosts, and CBAC adds genuine stateful inspection plus URL filtering.
