
1. Introduction

    Today I learned how to configure the ASA using objects.

2. Main Body

1. ASA (Adaptive Security Appliance)


1. Define the following IP ranges as network objects.
// A specific network or service can be defined as an object and then reused.
- 200.1.1.0/24 (Sales)
- 200.2.2.0/24 (Management)
- 200.2.3.0/24 (HR)
- 200.2.4.0/24 (IT Support)
- 100.1.1.250 (DNS)
- 100.1.1.251 (Web)
- 100.1.1.252 (FTP)
- 100.1.1.253 (Mail)

// ASA
# object network Sales
# subnet 200.1.1.0 255.255.255.0
!
# object network MGR
# subnet 200.2.2.0 255.255.255.0
!
# object network HR
# subnet 200.2.3.0 255.255.255.0
!
# object network IT_Support
# subnet 200.2.4.0 255.255.255.0
!
# object network DNS_SVR
# host 100.1.1.250
!
# object network WEB_SVR
# host 100.1.1.251
!
# object network FTP_SVR
# host 100.1.1.252
!
# object network MAIL_SVR
# host 100.1.1.253

2. Configure service objects for FTP and DNS.
# object service DNS_P
# service udp destination eq 53
!
# object service FTP_P
# service tcp destination eq 21

3. Define the following network ranges as the headquarters network using an object-group.
// Multiple networks, protocols, services, etc. can be grouped into a single object-group.
- 200.1.1.0/24 (Sales)
- 200.2.2.0/24 (Management)
- 200.2.3.0/24 (HR)
- 200.2.4.0/24 (IT Support)

# object-group network HQ_IN_NET
# network-object object Sales
# network-object object MGR
# network-object object HR
# network-object object IT_Support

// Optional (note: clear configure object removes every object from the running config)
# clear configure object
# show run object-group

4. Configure service object-groups that satisfy the following conditions.
- Web Service : HTTP, HTTPS
- Mail Service : SMTP, POP3, IMAP

# object-group service WEB_S
# service-object tcp destination eq 80
# service-object tcp destination eq 443
!
# object-group service MAIL_S
# service-object tcp destination eq 25
# service-object tcp destination eq 110
# service-object tcp destination eq 143

// Access-list configuration using objects and object-groups
// Assume HQ Inside contains all of Sales, Management, HR and IT Support
- Inside -> DMZ (DNS / Web / FTP / Mail)
- Inside -> Outside (Permit ALL)
- DMZ -> Inside (Deny ALL)
- DMZ -> Outside (DNS / SMTP)
- Outside -> DMZ (DNS / Web / Mail)
- Outside -> Inside (Deny ALL)

1. Inside -> DMZ
# access-list INSIDE_IN permit object DNS_P object-group HQ_IN_NET object DNS_SVR
# access-list INSIDE_IN permit object-group WEB_S object-group HQ_IN_NET object WEB_SVR
# access-list INSIDE_IN permit object FTP_P object-group HQ_IN_NET object FTP_SVR
# access-list INSIDE_IN permit object-group MAIL_S object-group HQ_IN_NET object MAIL_SVR
# access-list INSIDE_IN deny ip object-group HQ_IN_NET 100.1.1.0 255.255.255.0
// Do not use deny ip any any here (everything would be denied, Inside -> Outside traffic included)
# access-group INSIDE_IN in interface Inside

2. Inside -> Outside
# access-list INSIDE_IN permit ip any any
# access-group INSIDE_IN in interface Inside

4. DMZ -> Outside
# object network DMZ_NET // group the DMZ network into an object
# subnet 100.1.1.0 255.255.255.0
!
# access-list DMZ_IN permit object DNS_P object DMZ_NET any // equivalent to: access-list DMZ_IN permit object DNS_P 100.1.1.0 255.255.255.0 any
# access-list DMZ_IN permit tcp object DMZ_NET any eq 25
# access-list DMZ_IN deny ip any any
# access-group DMZ_IN in interface DMZ

5. Outside -> DMZ
# access-list OUTSIDE_IN permit object DNS_P any object DNS_SVR
# access-list OUTSIDE_IN permit object-group WEB_S any object WEB_SVR
# access-list OUTSIDE_IN permit object-group MAIL_S any object MAIL_SVR
# access-list OUTSIDE_IN deny ip any any
# access-group OUTSIDE_IN in interface Outside
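As an added check that is not part of the original notes: a small Python evaluator that parses a constructed excerpt of the object, object-group and access-list lines above (the names are the notes' own, the excerpt and the test flows are constructed) and answers, for a given flow, whether INSIDE_IN would permit it, using the ASA's first-match-wins order and implicit deny.

```python
import ipaddress

# Constructed excerpt of the notes' config (objects, one group, the INSIDE_IN ACL).
CONFIG = """\
object network Sales
 subnet 200.1.1.0 255.255.255.0
object network FTP_SVR
 host 100.1.1.252
object service FTP_P
 service tcp destination eq 21
object-group network HQ_IN_NET
 network-object object Sales
access-list INSIDE_IN permit object FTP_P object-group HQ_IN_NET object FTP_SVR
access-list INSIDE_IN deny ip object-group HQ_IN_NET 100.1.1.0 255.255.255.0
access-list INSIDE_IN permit ip any any"""

def parse(config):  # objects: name -> [networks | (proto, port)]; acls: name -> ACEs
    objects, acls, cur = {}, {}, None
    for tok in (line.split() for line in config.splitlines()):
        if tok[0] in ("object", "object-group"):
            cur = objects.setdefault(tok[2], [])
        elif tok[0] in ("subnet", "host"):            # host X becomes X/32
            cur.append(ipaddress.ip_network("/".join(tok[1:])))
        elif tok[0] in ("service", "service-object"):
            cur.append((tok[1], int(tok[4])))         # e.g. ("tcp", 21)
        elif tok[0] == "network-object":
            cur.extend(objects[tok[2]])               # flatten member object
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(tok[2:])
    return objects, acls

def take_addr(tok, objects):   # any | object X | object-group X | ADDR MASK
    if tok[0] == "any":
        return tok[1:], [ipaddress.ip_network("0.0.0.0/0")]
    if tok[0] in ("object", "object-group"):
        return tok[2:], objects[tok[1]]
    return tok[2:], [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")]

def permitted(acl, objects, src, dst, proto, dport):   # first match wins
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, *tok in acl:
        if tok[0] in ("object", "object-group"):        # service object/group
            svc, tok = objects[tok[1]], tok[2:]
        else:                                           # ip|tcp|udp [... eq DPORT]
            svc, tok = [(tok[0], int(tok[-1]) if "eq" in tok else None)], tok[1:]
        tok, s_nets = take_addr(tok, objects)
        _, d_nets = take_addr(tok, objects)
        if (any(p in ("ip", proto) and pt in (None, dport) for p, pt in svc)
                and any(src in n for n in s_nets) and any(dst in n for n in d_nets)):
            return action == "permit"
    return False                                        # implicit deny at the end
```

Running a source that sits on Inside but outside HQ_IN_NET shows that the scoped deny does not catch it and the flow falls through to permit ip any any, so the assumption that Inside holds only the four departments is exactly what that deny line relies on.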

3. Conclusion

    The ASA's objects feel similar to a UTM's network definitions, but the commands differ a bit from router commands, so it's confusing.
