
1. Introduction

    Today I learned how to defend against a DoS attack with an ASA and how to configure NAT.

2. Body

1. TCP SYN Flooding

//Kali
# hping3 --rand-source www.kedu.edu -p 80 -S    //SYN to tcp/80 with a new spoofed source address per packet

//CentOS
# netstat -an | grep SYN    //half-open connections pile up in SYN_RECV on the target

//ASA
# class-map HTTP_C
# match port tcp eq www
!
# policy-map Deny_Syn_Flood
# class HTTP_C
# set connection embryonic-conn-max 10    //cap on half-open connections for this class; once reached the ASA answers new SYNs itself (TCP intercept with SYN cookies) and only opens the connection to the server after the client completes the handshake
!
# service-policy Deny_Syn_Flood interface Outside
!
# show service-policy interface Outside    //verify the policy is applied and watch the embryonic counters; a per-client limit (per-client-embryonic-max) alone would not help here because --rand-source never reuses a source
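The check behind the `netstat -an | grep SYN` step, as an added example that is not part of the original post: it parses `netstat -an` output from the CentOS target and counts SYN_RECV (half-open) entries per local port. Because `hping3 --rand-source` spoofs a fresh source per SYN, a per-client limit never trips; the per-port total, which is what `set connection embryonic-conn-max 10` bounds on the ASA, is the useful signal. The netstat lines are constructed sample data.

```python
"""Count half-open TCP connections the way the ASA's embryonic limit does.

Added example, not from the original post. SAMPLE_NETSTAT is constructed
`netstat -an` output; 10.1.2.251 is the page's web server address.
"""
import re
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.251:80           10.1.1.10:51522         ESTABLISHED
tcp        0      0 10.1.2.251:80           45.18.9.77:1025         SYN_RECV
tcp        0      0 10.1.2.251:80           198.51.100.9:2201       SYN_RECV
tcp        0      0 10.1.2.251:80           203.0.113.41:3310       SYN_RECV
tcp        0      0 10.1.2.251:80           192.0.2.77:1110         SYN_RECV
tcp        0      0 10.1.2.251:80           8.8.4.99:2050           SYN_RECV
tcp        0      0 10.1.2.251:80           91.12.200.3:1400        SYN_RECV
tcp        0      0 10.1.2.251:80           66.249.1.5:1024         SYN_RECV
tcp        0      0 10.1.2.251:80           77.7.7.70:1800          SYN_RECV
tcp        0      0 10.1.2.251:80           130.1.22.9:4001         SYN_RECV
tcp        0      0 10.1.2.251:80           172.16.5.5:1999         SYN_RECV
tcp        0      0 10.1.2.251:80           14.3.3.31:2222          SYN_RECV
tcp        0      0 10.1.2.251:80           5.5.5.55:3333           SYN_RECV
tcp        0      0 10.1.2.251:22           10.1.1.10:40022         SYN_RECV
"""

# proto, recv-q, send-q, local ip:port, foreign ip:port, state
NETSTAT_LINE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$"
)


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for every tcp line in netstat -an output."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            _proto, _lip, lport, rip, _rport, state = m.groups()
            yield int(lport), rip, state


def embryonic_per_port(text):
    """Half-open (SYN_RECV) connections per local port: the per-class count the ASA caps."""
    counts = Counter()
    for lport, _rip, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[lport] += 1
    return counts


def per_client_max(text, port):
    """Largest number of half-open connections from any single source to `port`."""
    per_src = Counter(rip for lport, rip, state in parse_netstat(text)
                      if lport == port and state == "SYN_RECV")
    return max(per_src.values(), default=0)


def over_limit(text, limit=10):
    """Ports whose half-open count exceeds `limit` (the page uses embryonic-conn-max 10)."""
    return {port: n for port, n in embryonic_per_port(text).items() if n > limit}


if __name__ == "__main__":
    print("half-open per port:", dict(embryonic_per_port(SAMPLE_NETSTAT)))
    print("worst single source on :80:", per_client_max(SAMPLE_NETSTAT, 80))
    print("over embryonic-conn-max 10:", over_limit(SAMPLE_NETSTAT))
```

With the sample above, port 80 holds 12 half-open connections, well past the limit of 10 configured on the ASA, while the worst single source accounts for exactly one of them.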

2. Firewall Bypass

//ISP
# line vty 0 4
# password cisco

//DSW
# telnet 1.1.100.6    //confirm that telnet to the ISP is blocked

//CE
# ip nat inside source static tcp 1.1.100.6 23 1.1.100.2 80    //forward tcp/80 on 1.1.100.2 to tcp/23 on the ISP: telnet now rides the port the firewall permits
!
# int f0/0
# ip nat outside
!
# int f0/1
# ip nat inside

//DSW
# telnet 1.1.100.2 80    //reaches the ISP vty disguised as HTTP; a port-based rule only checks headers, so only application inspection (e.g. inspect http with protocol-violation drop on the ASA) would notice that the payload is not HTTP
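Why the bypass works, as an added example that is not part of the original post: it models the CE port-forward from the page, a hypothetical outbound "web only" ACL standing in for whatever policy blocked telnet to the ISP, and the payload check that an application inspector (what ASA `inspect http` does with a protocol-violation action) adds on top of the 5-tuple. The ACL, the first-segment payloads and the function names are constructed for illustration; this is a toy classifier, not ASA code.

```python
"""A port-based ACL passes telnet tunnelled over tcp/80; a payload check does not.

Added example, not from the original post. ACL_WEB_ONLY is hypothetical;
CE_STATIC_PAT mirrors the page's `ip nat inside source static tcp` line.
"""
import re
from ipaddress import ip_address, ip_network

# (action, protocol, destination network, destination port) -- hypothetical ACL
ACL_WEB_ONLY = [
    ("permit", "tcp", "0.0.0.0/0", 80),
    ("permit", "tcp", "0.0.0.0/0", 443),
    ("deny", "ip", "0.0.0.0/0", None),
]

# The page's CE static PAT: (inside-global ip, port) -> (inside-local ip, port)
CE_STATIC_PAT = {("1.1.100.2", 80): ("1.1.100.6", 23)}

HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)
IAC = 0xFF                                  # telnet "Interpret As Command"
TELNET_VERBS = {0xFB, 0xFC, 0xFD, 0xFE}      # WILL, WONT, DO, DONT

# constructed first-segment payloads sent by the client
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.kedu.edu\r\n\r\n"
TELNET_NEGOTIATION = b"\xff\xfd\x01\xff\xfd\x03"   # IAC DO ECHO, IAC DO SUPPRESS-GO-AHEAD


def acl_decision(acl, proto, dst_ip, dst_port):
    """First-match evaluation on header fields only (all a port-based ACL sees)."""
    for action, aproto, net, port in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if ip_address(dst_ip) not in ip_network(net):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


def ce_forward(dst_ip, dst_port):
    """What the CE router does to the packet after the firewall has permitted it."""
    return CE_STATIC_PAT.get((dst_ip, dst_port), (dst_ip, dst_port))


def looks_like_http(first_bytes):
    """True when the client's first bytes form an HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def looks_like_telnet(first_bytes):
    """True when the client's first bytes are telnet option negotiation."""
    return (len(first_bytes) >= 3 and first_bytes[0] == IAC
            and first_bytes[1] in TELNET_VERBS)


def inspect_flow(proto, dst_ip, dst_port, first_bytes):
    """Header decision first; then, on tcp/80, demand an HTTP request line."""
    decision = acl_decision(ACL_WEB_ONLY, proto, dst_ip, dst_port)
    if decision != "permit":
        return "deny (acl)"
    if proto == "tcp" and dst_port == 80 and not looks_like_http(first_bytes):
        return "drop (protocol-violation)"
    return "permit"


if __name__ == "__main__":
    print("telnet to ISP directly:", acl_decision(ACL_WEB_ONLY, "tcp", "1.1.100.6", 23))
    print("telnet to 1.1.100.2:80 :", acl_decision(ACL_WEB_ONLY, "tcp", "1.1.100.2", 80),
          "-> CE forwards to", ce_forward("1.1.100.2", 80))
    print("with payload inspection:", inspect_flow("tcp", "1.1.100.2", 80, TELNET_NEGOTIATION))
```

The header-only decision permits the tunnelled session and the CE router then rewrites it to 1.1.100.6:23; the same flow is dropped as soon as the first payload bytes are required to look like an HTTP request.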

3. NAT on ASA

//ASA
# int g 0/0
# no sh
# nameif Inside
# ip add 10.1.1.254 255.255.255.0
# security-level 100
# desc ##Inside##
!
# int g0/1
# no sh
# nameif Outside
# ip add 1.1.100.1 255.255.255.252
# security-level 0
# desc ##Outside##
!
# int g0/2
# no sh
# nameif DMZ
# ip add 10.1.2.254 255.255.255.0
# security-level 50
# desc ##DMZ##
!
# int management 0/0
# no sh
# nameif Management
# ip add 192.168.1.254 255.255.255.0
# security-level 100
# desc ##Management##
!
# route Outside 0 0 1.1.100.2

//CE
# ip route 211.100.1.0 255.255.255.0 f0/0 1.1.100.1

//ISP
# ip route 211.100.1.0 255.255.255.0 f0/0 1.1.100.5
!
# ip access-list standard INGRESS
# permit 211.100.1.0 0.0.0.255
# permit 2.2.2.0 0.0.0.255
!
# ip nat inside source list INGRESS int f0/1 overload
!
# int f0/0
# ip nat inside
!
# int f1/0
# ip nat inside
!
# int f0/1
# ip nat outside

//Dynamic NAT / Static NAT / PAT / PAR (Static PAT)
//Rule order: 1. Twice NAT (Manual NAT) 2. Object NAT (Auto NAT) 3. Manual NAT after Auto; within Object NAT, static rules are evaluated before dynamic ones, then the rule with the fewest real addresses wins

//Dynamic NAT
//ASA
# object network Global_IP
# range 211.100.1.1 211.100.1.254
!
# object network Inside_NET
# subnet 10.1.1.0 255.255.255.0
# nat (Inside,Outside) dynamic Global_IP
!
# show nat detail

//PAT
//ASA
# clear configure object    //removes every object, including the NAT rules attached to them
!
# object network Inside_NET
# subnet 10.1.1.0 255.255.255.0
# nat (Inside,Outside) dynamic interface

//Static NAT
//ASA
# object network DNS_SVR
# host 10.1.2.250
# nat (DMZ,Outside) static 211.100.1.250
!
# object network WEB_SVR
# host 10.1.2.251
# nat (DMZ,Outside) static 211.100.1.251
!
//Since ASA 8.3, ACLs match on the real (untranslated) addresses, which is why the DMZ hosts appear as 10.1.2.x in a list applied on Outside
# access-list OUT->DMZ permit udp any host 10.1.2.250 eq domain
# access-list OUT->DMZ permit tcp any host 10.1.2.251 eq www
# access-list OUT->DMZ permit icmp any 10.1.2.248 255.255.255.248 echo
# access-list OUT->DMZ deny ip any any
# access-group OUT->DMZ in interface Outside
!
//DNS rewrite: add the dns keyword to the rule that already translates the web server (a second object with the same real/mapped pair would be a duplicate). An A record for 10.1.2.251 in a reply from the DMZ DNS server is rewritten to 211.100.1.251 before it reaches Outside
# object network WEB_SVR
# nat (DMZ,Outside) static 211.100.1.251 dns

//Kali: point the resolver at the mapped address of the DMZ DNS server
# vim /etc/network/interfaces
dns-nameservers 211.100.1.250
# vim /etc/resolv.conf
nameserver 211.100.1.250

//If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.
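The rule-ordering statement above and the `dns` keyword, worked through as an added example that is neither the post's configuration nor Cisco code: a small model of the order the page states (Section 1 twice NAT, Section 2 object NAT, Section 3 twice NAT after-auto), with Section 2 sorted static before dynamic and then by fewest real addresses. RULES holds the page's object NAT entries (DNS_SVR, WEB_SVR, Inside_NET PAT on the Outside interface, whose address is assumed to be 1.1.100.1) plus one hypothetical twice NAT rule (Inside hosts talking to 2.2.2.0/24 appear as 211.100.1.100) to show Section 1 winning over an object rule that also matches.

```python
"""ASA NAT rule selection and DNS rewrite, as an added example.

Not the post's configuration nor Cisco code. The Section 1 rule and the
address 211.100.1.100 are hypothetical; OUTSIDE_IP is assumed from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    section: int        # 1 = twice NAT, 2 = object NAT, 3 = twice NAT after-auto
    order: int          # configuration order (only matters inside sections 1 and 3)
    src_if: str
    dst_if: str
    real: str           # real source network, CIDR
    kind: str           # "static" | "dynamic" | "pat"
    mapped: str         # mapped address (first address of the pool for dynamic/pat)
    dst: str = "0.0.0.0/0"   # destination filter, used by twice NAT
    dns: bool = False   # `dns` keyword: rewrite A records through this rule


OUTSIDE_IP = "1.1.100.1"   # assumed: the ASA's Outside interface address on the page

RULES = [
    # hypothetical Section 1 rule (not on the page)
    NatRule(1, 1, "Inside", "Outside", "10.1.1.0/24", "pat", "211.100.1.100", dst="2.2.2.0/24"),
    # Section 2 rules from the page, listed deliberately out of ASA evaluation order
    NatRule(2, 1, "Inside", "Outside", "10.1.1.0/24", "pat", OUTSIDE_IP),                    # Inside_NET
    NatRule(2, 2, "DMZ", "Outside", "10.1.2.251/32", "static", "211.100.1.251", dns=True),    # WEB_SVR
    NatRule(2, 3, "DMZ", "Outside", "10.1.2.250/32", "static", "211.100.1.250"),              # DNS_SVR
]


def _section2_key(rule):
    """Object NAT order: static before dynamic, fewer real addresses first, then lower address."""
    net = ip_network(rule.real)
    return (0 if rule.kind == "static" else 1, net.num_addresses, int(net.network_address))


def ordered(rules):
    """Rules in the order the ASA evaluates them (Section 1, then 2, then 3)."""
    by_section = {1: [], 2: [], 3: []}
    for r in rules:
        by_section[r.section].append(r)
    return (sorted(by_section[1], key=lambda r: r.order)
            + sorted(by_section[2], key=_section2_key)
            + sorted(by_section[3], key=lambda r: r.order))


def translate(rules, src_if, dst_if, src_ip, dst_ip):
    """First-match forward translation: returns (rule, mapped_src_ip)."""
    for r in ordered(rules):
        if (r.src_if, r.dst_if) != (src_if, dst_if):
            continue
        if ip_address(src_ip) not in ip_network(r.real):
            continue
        if ip_address(dst_ip) not in ip_network(r.dst):
            continue
        if r.kind == "static":
            # one-to-one: keep the host offset inside the real network
            offset = int(ip_address(src_ip)) - int(ip_network(r.real).network_address)
            return r, str(ip_address(int(ip_address(r.mapped)) + offset))
        return r, r.mapped          # dynamic NAT/PAT: first pool address in this model
    return None, src_ip             # no rule: the packet leaves untranslated


def untranslate(rules, in_if, mapped_dst_ip):
    """Inbound lookup for static rules: mapped destination -> real host, or None."""
    for r in ordered(rules):
        if r.kind == "static" and r.dst_if == in_if and r.mapped == mapped_dst_ip:
            return r.real.split("/")[0]
    return None


def dns_rewrite(rules, from_if, to_if, answer_ip):
    """Rewrite an A record crossing from_if -> to_if when a `dns` static rule covers it."""
    for r in ordered(rules):
        if r.dns and r.kind == "static" and (r.src_if, r.dst_if) == (from_if, to_if):
            if ip_address(answer_ip) in ip_network(r.real):
                return r.mapped
    return answer_ip


if __name__ == "__main__":
    for r in ordered(RULES):
        print(f"section {r.section}: ({r.src_if},{r.dst_if}) {r.real} {r.kind} -> {r.mapped}")
    print("10.1.1.10 -> 2.2.2.5 :", translate(RULES, "Inside", "Outside", "10.1.1.10", "2.2.2.5")[1])
    print("10.1.1.10 -> 8.8.8.8 :", translate(RULES, "Inside", "Outside", "10.1.1.10", "8.8.8.8")[1])
    print("A 10.1.2.251 seen on Outside:", dns_rewrite(RULES, "DMZ", "Outside", "10.1.2.251"))
```

The two static /32 rules sort ahead of the Inside_NET PAT regardless of the order they were typed, the hypothetical twice NAT rule takes the Inside host to 2.2.2.0/24 before object NAT is consulted, and only the record for the web server (the object carrying `dns`) is rewritten; the DNS server's own address passes through unchanged.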

3. Conclusion

    Even for the same configuration, the commands on a Cisco router and on the ASA differ slightly, which was confusing in many places.


I am a beginner engineer who started studying with the goal of becoming a cloud engineer. If anything is wrong or you have advice, please leave a kind comment. Thank you for visiting :)
