
1. Introduction

    Today I learned how to configure a Zone-Based Firewall using a router.

2. Main Body

1. Firewall


1. IP Addr
//FW
# int f0/1
# no sh
# ip add 1.1.100.6 255.255.255.252
!
# int f0/0
# no sh
# ip add 200.1.2.254 255.255.255.0
!
# int f2/0
# no sh
# ip add 200.1.1.254 255.255.255.0
!
# int f1/0
# no sh
# ip add 1.1.100.1 255.255.255.252

//CE
# int f0/0
# no sh
# ip add 1.1.100.2 255.255.255.252
!
# int f0/1
# no sh
# ip add dhcp
!
# int f1/0
# no sh
# ip add 2.2.2.254 255.255.255.0

//DMZ
# int f0/0
# no sh
# ip add 1.1.100.5 255.255.255.252
!
# int f0/1
# no sh
# ip add 100.1.1.254 255.255.255.0

//FW
# p 1.1.100.2
# p 1.1.100.5

2. Routing
//FW
# ip route 100.1.1.0 255.255.255.0 f0/1 1.1.100.5
# ip route 0.0.0.0 0.0.0.0 f1/0 1.1.100.2

//DMZ
# ip route 0.0.0.0 0.0.0.0 f0/0 1.1.100.6

//CE
# ip route 1.1.100.4 255.255.255.252 f0/0 1.1.100.1
# ip route 100.1.1.0 255.255.255.0 f0/0 1.1.100.1
# ip route 200.1.1.0 255.255.255.0 f0/0 1.1.100.1
# ip route 200.1.2.0 255.255.255.0 f0/0 1.1.100.1
# ip route 0.0.0.0 0.0.0.0 f0/1 10.0.0.1

3. NAT
//CE
# ip access-list standard INGRESS
# permit 100.1.1.0 0.0.0.255
# permit 200.1.1.0 0.0.0.255
# permit 200.1.2.0 0.0.0.255
# permit 2.2.2.0 0.0.0.255
!
# ip nat inside source list INGRESS int f0/1 overload
!
# int f0/1
# ip nat outside
!
# int f0/0
# ip nat inside
!
# int f1/0
# ip nat inside

4. Zone-Based Policy Firewall
//FW
# zone security Inside
!
# zone security DMZ
!
# zone security Outside
!
# int f0/0
# zone-member security Inside
!
# int f2/0
# zone-member security Inside
!
# int f0/1
# zone-member security DMZ
!
# int f1/0
# zone-member security Outside
!
# show zone security

//IN -> OUT
# access-list 100 permit ip any any
# class-map type inspect IN->OUT_C
# match access-group 100
!
# policy-map type inspect IN->OUT_P
# class type inspect IN->OUT_C
# inspect
!
# zone-pair security Inside source Inside destination Outside //Inside(Name of Zone-Pair), Inside(Source), Outside(Destination)
# service-policy type inspect IN->OUT_P

//IN -> DMZ
# class-map type inspect match-any WEB
# match protocol http
# match protocol https
!
# access-list 101 permit ip any host 100.1.1.251 //web
# access-list 102 permit ip any host 100.1.1.250 //dns
!
# class-map type inspect WEB_SER
# match access-group 101
# match class-map WEB
!
# class-map type inspect DNS_SER
# match access-group 102
# match protocol dns
!
# class-map type inspect match-any MAIL_SER
# match protocol smtp
# match protocol imap
# match protocol pop3
!
# class-map type inspect FTP_C
# match protocol ftp
!
# policy-map type inspect IN->DMZ_P
# class type inspect WEB_SER
# inspect
!
# class type inspect DNS_SER
# inspect
!
# class type inspect MAIL_SER
# inspect
!
# class type inspect FTP_C
# inspect
!
# zone-pair security IN->DMZ source Inside destination DMZ
# service-policy type inspect IN->DMZ_P

//DMZ->OUT
# class-map type inspect DNS_C
# match protocol dns
!
# class-map type inspect SMTP_C
# match protocol smtp
!
# policy-map type inspect DMZ->OUT_P
# class type inspect DNS_C
# inspect
!
# class type inspect SMTP_C
# inspect
!
# zone-pair security DMZ->OUT source DMZ destination Outside
# service-policy type inspect DMZ->OUT_P

//OUT->DMZ
# policy-map type inspect OUT->DMZ_P
# class type inspect WEB_SER
# inspect
!
# class type inspect DNS_SER
# inspect
!
# class type inspect FTP_C
# inspect
!
# class type inspect SMTP_C
# inspect
!
# zone-pair security OUT->DMZ source Outside destination DMZ
# service-policy type inspect OUT->DMZ_P
!
# sh zone-pair security
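
To see what the zone-pairs above actually allow, here is an added example (not part of the original post) that parses a re-typed excerpt of the FW "zone security" and "zone-pair security" commands and lists every zone-to-zone direction, marking directions that have no zone-pair, or a zone-pair with no service-policy, as dropped, which is ZBPF's default behaviour. The excerpt is constructed from the commands above with the "#" prompt removed; the function names parse_zbf and audit are my own.

```python
import re

# Constructed excerpt of the FW "zone security" and "zone-pair security" commands
# above, re-typed without the "#" prompt (this is example data, not the full config).
ZBF_CONFIG = """zone security Inside
zone security DMZ
zone security Outside
zone-pair security Inside source Inside destination Outside
 service-policy type inspect IN->OUT_P
zone-pair security IN->DMZ source Inside destination DMZ
 service-policy type inspect IN->DMZ_P
zone-pair security DMZ->OUT source DMZ destination Outside
 service-policy type inspect DMZ->OUT_P
zone-pair security OUT->DMZ source Outside destination DMZ
 service-policy type inspect OUT->DMZ_P
"""

def parse_zbf(config):
    # Returns the set of zones and a dict (src, dst) -> policy name (None if the
    # zone-pair has no service-policy attached).
    zones, pairs, ctx_pair = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m.group(1))
            ctx_pair = None
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            ctx_pair = (m.group(1), m.group(2))
            pairs.setdefault(ctx_pair, None)
        elif (m := re.match(r"service-policy type inspect (\S+)$", line)) and ctx_pair:
            pairs[ctx_pair] = m.group(1)
    return zones, pairs

def audit(config):
    # Maps every ordered pair of distinct zones to the action ZBPF applies to it.
    # Traffic between interfaces of the same zone is permitted by default, so it is not listed.
    zones, pairs = parse_zbf(config)
    directions = {}
    for src in zones:
        for dst in zones - {src}:
            if (src, dst) not in pairs:
                action = "drop (no zone-pair)"
            elif pairs[src, dst] is None:
                action = "drop (zone-pair without service-policy)"
            else:
                action = f"inspect via {pairs[src, dst]}"
            directions[src, dst] = action
    return directions
```

Running audit(ZBF_CONFIG) shows that Outside -> Inside and DMZ -> Inside have no zone-pair and are therefore dropped; that implicit deny is what keeps the inside network unreachable from the outside and from the DMZ in this design.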

3. Conclusion

    Applying firewall policies through the CLI makes me appreciate how valuable a GUI is.


I am a beginner engineer who started studying with the dream of becoming a cloud engineer. If anything is wrong or you have advice to share, please kindly leave a comment. Thank you for visiting :)