Definition of Access Policy: an Access Policy is the company's documented standard for network access, covering access to devices and access to the network. It prohibits route or service updates into the Core or into other switch blocks.

Presentation transcript:

Definition of Access Policy
An Access Policy is the company's documented standard for network access. It covers:
- access to devices
- access to the network
- prohibiting route or service updates into the Core or other switch blocks
- filtering packets that arrive by way of the Core

Controlling Physical Access
Physical access to a device means total control over that device.
- Provide a suitable physical environment: locks (locking the room), adequate ventilation, temperature control, and backup power.
- Control direct access to the device: lock the rack, set passwords on the console and auxiliary ports, and disable the auxiliary port when it is not in use.
- Control access to network links (cabling, wiring closets).
- Install and configure the control policy.

Password Configuration
Every network device must have a password configured.

Cisco IOS command-based switch (level 1 = user level, level 15 = privileged EXEC level):
  ASW41(config)#enable password level 1 Cisco

Set command-based switch:
  DSW141 (enable) set password
  Enter old password:
  Enter new password: Cisco
  Retype new password: Cisco
  Password changed.
  dsw141 (enable) set enablepass
  Enter old password:
  Enter new password: san-fran
  Retype new password: san-fran
  Password changed.

Cisco IOS command-based router:
  RSM143(config)#line console 0
  RSM143(config-line)#login
  RSM143(config-line)#password cisco
  RSM143(config)#enable password san-fran

The login local command forces logins to be authenticated against the local user database, which is populated with entries such as "username student password cisco".

Controlling Session Timeouts
A session timeout adds security for a console or session that has been left idle.

Cisco IOS command-based router:
  RSM143(config)#line console 0
  RSM143(config-line)#exec-timeout 5 30
  RSM143(config)#line vty 0 4
  RSM143(config-line)#exec-timeout 5 30

Set command-based switch:
  DSW141 (enable) set logout 5

Cisco IOS command-based switch:
  ASW41(config)#line console
  ASW41(config-line)#time-out 300

Privilege Levels
Use the privilege command to define which commands are available at a given privilege level:
  Router(config)#privilege mode level level command
Use the enable secret level level password command to set the password for a given privilege level.

Mode values:
  configuration : Global configuration
  controller : Controller configuration
  exec : EXEC
  hub : Hub configuration
  interface : Interface configuration
  ipx-router : IPX router configuration
  line : Line configuration
  map-class : Map class configuration
  map-list : Map list configuration
  route-map : Route map configuration
  router : Router configuration

Privilege Levels (example)
  Router(config)#privilege exec level 3 show ip route
  Router(config)#privilege exec level 3 ping
  Router(config)#privilege exec level 3 trace
  Router(config)#enable secret level 3 san-jose
  Router(config)#enable secret san-fran
  Router(config)#username student password cisco

A user logging in and entering level 3:
  Trying x.x.x.x... Open
  Username: student
  Password: cisco
  Router>enable 3                (restricted ENABLE privileges)
  Password: san-jose
  Router#show privilege          (displays the current privilege level)
  Current privilege level is 3

To undo the privilege exec level 3 show ip route setting, enter the privilege exec reset show ip route command.

Banner Messages
Configure a banner message to make it known that a security violation is a serious matter.
  DSW141(enable)set banner motd 'Unauthorized access will be prosecuted'

Controlling Virtual Terminal Access
Telnet access arrives on the virtual ports (vty 0 through 4); an access-class restricts which source addresses may open them:
  RSM143(config)#access-list 1 permit
  RSM143(config)#line vty 0 4
  RSM143(config-line)#access-class 1 in

Controlling HTTP Access
Restrict the HTTP management station by address and authenticate it against the local user database:
  RSM143(config)#access-list 1 permit
  RSM143(config)#ip http server
  RSM143(config)#ip http access-class 1
  RSM143(config)#ip http authentication local
  RSM143(config)#username student password cisco

Controlling HTTP Access (authentication)
  Switch(config)#ip http authentication [aaa | enable | local | tacacs]
When a router configured as an HTTP server is reached from a web browser, the enable password is used for authentication by default. With ip http authentication local, authentication uses the local user database; with aaa or tacacs, the user is authenticated against the database of the AAA or TACACS server.

Access Layer Policy
- Port security: restricts the Media Access Control (MAC) addresses allowed on a port, to keep unauthorized users from gaining access to the network.
- VLAN management: by default every port belongs to VLAN 1, which is normally the management VLAN. Cisco recommends not keeping the management VLAN on VLAN 1, which every port falls into unless configured otherwise, and using a different VLAN as the management VLAN instead.

Enabling and Verifying Port Security

Set command-based switch:
  DSW111 (enable) set port security enable 2/ c
  DSW111 (enable) show port 2/4
  Port  Security  Secure Src-address  Last Src-address  Shutdown  Trap  IF-index
  /4    enabled   c                   c                 no              270

Cisco IOS command-based switch:
  Switch(config-if)#port secure
  Switch(config-if)#port secure [max-mac-count maximum-MAC-count]
  Switch#show mac-address-table security [type module/port]

The port secure max-mac-count command limits the number of MAC addresses that may connect on a given port. The range is given in the slide; the default is 132.

Distribution-Layer Policy
- Use access lists on interfaces to filter packets and so decide whether user traffic crosses between VLANs or passes through the Core.
- Use distribute lists for route filtering to decide which routes are advertised through the Core Block to other switch blocks (including the Server Block and the WAN Block).
- In each switch block, decide which services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), are advertised to the network; decide how the services in the Server Block are made known to other networks and which of them are advertised.

Packet Filtering with IP Standard Access Lists
A standard list checks only the source address and is applied outbound on Fa 1/0:
  Router(config)#access-list 1 permit
  Router(config)#access-list 1 deny any
  Router(config)#interface fastethernet 1/0
  Router(config-if)#ip access-group 1 out

Packet Filtering with IP Extended Access Lists
An extended list checks protocol, source, destination and port, and is applied outbound on G0/0:
  access-list 104 permit tcp any
  access-list 104 permit tcp any host eq smtp
  access-list 104 permit udp any eq domain any
  access-list 104 permit icmp any any echo
  access-list 104 permit icmp any any echo-reply
  !
  interface gigabit0/0
  ip access-group 104 out

IP Route Filtering Configuration
  router eigrp 1
  network
  distribute-list 7 out g0/0
  !
  access-list 7 permit
- With route filtering in place, the outbound update for the route through G0/0 is blocked.
- A standard access list is used to permit or deny specific routes.
- An access list can control either transmitted (outbound) or received (inbound) routing updates.
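As an added example (not from the slides), Cisco wildcard-mask matching in Python, applied the two ways the slides use a standard list: packet filtering by source address (the standard-ACL slide for Fa 1/0) and route filtering through a distribute-list (this slide). The access-list lines and addresses are constructed for the example; note that a standard list matches only the network address of a route, not its prefix length.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)          # force the don't-care bits to 1 on both sides

def parse_standard_acl(lines, number):
    """Collect 'access-list <n> permit|deny <addr> [wildcard]' entries, in order."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, target = parts[2], parts[3]
        if target == "any":                       # "any" = 0.0.0.0 with all bits don't-care
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":                    # "host X" = X with no don't-care bits
            entries.append((action, parts[4], "0.0.0.0"))
        else:
            entries.append((action, target, parts[4] if len(parts) > 4 else "0.0.0.0"))
    return entries

def evaluate(entries, addr):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"

# Constructed config (not from the slides): list 1 filters packets by source as on
# the standard-ACL slide; list 7 is the distribute-list applied to each route's
# network address before it is advertised out G0/0.
CONFIG = """\
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 deny any
access-list 7 permit 10.0.0.0 0.255.255.255
""".splitlines()

def filter_packets(sources):
    """Decide per source address whether the packet may leave Fa 1/0."""
    acl = parse_standard_acl(CONFIG, 1)
    return {src: evaluate(acl, src) for src in sources}

def filter_routes(routes):
    """Keep only the routes ('net/len') the distribute-list permits in the update."""
    acl = parse_standard_acl(CONFIG, 7)
    return [r for r in routes if evaluate(acl, r.split("/")[0]) == "permit"]
```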

Core Layer Policy
- The Core Block is responsible for forwarding data as fast as possible, so every device in the Core Block must be designed with that function optimized.
- To that end the Core Block carries minimal policy: only the minimum Quality of Service (QoS) commands needed for congestion avoidance and control are used, so that the overhead of applying policy is kept as low as possible.