8/9/2019 Cisco Secure PIX Firewall
Cisco Secure PIX Firewall
Network Diagram
CONFIGURATION: The PIX Firewall configuration is shown first, because the router configurations have to be understood in relation to the firewall.
PIX Firewall
!--- Sets the outside address of the PIX Firewall:
ip address outside 131.1.23.2
!--- Sets the inside address of the PIX Firewall:
ip address inside 10.10.254.1
!--- Sets the global pool for hosts inside the firewall:
global (outside) 1 131.1.23.12-131.1.23.254
!--- Allows hosts in the 10.0.0.0 network to be
!--- translated through the PIX:
nat (inside) 1 10.0.0.0
!--- Configures a static translation for an admin workstation
!--- with local address 10.14.8.50:
static (inside,outside) 131.1.23.11 10.14.8.50
!--- Allows syslog packets to pass through the PIX from RTRA.
!--- You can use conduits OR access-lists to permit traffic.
!--- Conduits have been added to show the use of the command;
!--- however, they are commented out in this document, since the
!--- recommendation is to use access-lists.
!--- To the admin workstation syslog server:
!--- Using conduit:
!--- conduit permit udp host 131.1.23.11 eq 514 host 131.1.23.1
!--- Using access-list:
access-list 101 permit udp host 131.1.23.1 host 131.1.23.11 eq 514
access-group 101 in interface outside
!--- Permits incoming mail connections to 131.1.23.10:
static (inside,outside) 131.1.23.10 10.10.254.3
!--- Using conduits:
!--- conduit permit tcp host 131.1.23.10 eq smtp any
!--- Using access-lists, we reuse access-list 101,
!--- which is already applied to interface outside.
access-list 101 permit tcp any host 131.1.23.10 eq smtp
!--- PIX needs static routes or the use of routing protocols
!--- to know about networks not directly connected.
!--- Add a route to network 10.14.8.0/24.
route inside 10.14.8.0 255.255.255.0 10.10.254.2
!--- Add a default route for the rest of the traffic,
!--- which goes to the Internet.
route outside 0.0.0.0 0.0.0.0 131.1.23.1
!--- Enables the Mail Guard feature
!--- to accept only seven SMTP commands:
!--- HE
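The static, global, nat and access-list 101 statements above interact in an order that is easy to get wrong when reading a PIX configuration. The following Python model is an added example, not code from this page or from Cisco. It assumes that the `nat (inside) 1 10.0.0.0` line covers every inside host in 10.0.0.0/8, that the global pool is handed out lowest address first, and it uses a constructed outside host 198.51.100.9. It shows that a static wins over the pool for outbound translation, that a one-to-one pool can run out, and that a new inbound connection needs both a static for the destination and a matching permit in access-list 101.

```python
"""Model of the PIX translation rules listed above: static, global pool, nat, access-list 101.
Added example; this is not the PIX implementation."""
import ipaddress
from typing import Dict, List, Optional

# static (inside,outside) GLOBAL LOCAL, as configured on the page
STATICS: Dict[str, str] = {
    "131.1.23.11": "10.14.8.50",   # admin workstation / syslog server
    "131.1.23.10": "10.10.254.3",  # mail host
}

# global (outside) 1 131.1.23.12-131.1.23.254
_first = int(ipaddress.IPv4Address("131.1.23.12"))
_last = int(ipaddress.IPv4Address("131.1.23.254"))
GLOBAL_POOL: List[str] = [str(ipaddress.IPv4Address(a)) for a in range(_first, _last + 1)]

# nat (inside) 1 10.0.0.0 -- assumed here to mean every inside host in 10.0.0.0/8
NAT_ELIGIBLE = ipaddress.IPv4Network("10.0.0.0/8")

# access-list 101 (applied inbound on the outside interface): proto, source, destination, port
ACL_101 = [
    ("udp", "131.1.23.1", "131.1.23.11", 514),  # syslog from RTRA to the admin workstation
    ("tcp", "any", "131.1.23.10", 25),          # SMTP from anywhere to the mail host
]


class PixXlate:
    """Tracks the dynamic translation slots handed out from the global pool."""

    def __init__(self) -> None:
        self.xlate: Dict[str, str] = {}            # local -> global, dynamic entries only
        self.free: List[str] = list(GLOBAL_POOL)  # assumption: lowest free address is used first

    def outbound(self, local: str) -> Optional[str]:
        """Inside -> outside. A static always wins; otherwise a pool address is
        assigned once and reused for that host (one-to-one NAT, no PAT modelled)."""
        for glob, loc in STATICS.items():
            if loc == local:
                return glob
        if local in self.xlate:
            return self.xlate[local]
        if ipaddress.IPv4Address(local) not in NAT_ELIGIBLE or not self.free:
            return None  # not covered by 'nat (inside) 1', or the pool is exhausted
        glob = self.free.pop(0)
        self.xlate[local] = glob
        return glob

    def inbound(self, proto: str, src: str, dst: str, dport: int) -> Optional[str]:
        """Outside -> inside for a new connection. Requires a static for the
        destination AND a permit in access-list 101; returns the inside address."""
        local = STATICS.get(dst)
        if local is None:
            return None  # no static: a pool address only carries replies to existing sessions
        for p, s, d, port in ACL_101:
            if p == proto and s in ("any", src) and d == dst and port == dport:
                return local
        return None


if __name__ == "__main__":
    pix = PixXlate()
    print(pix.outbound("10.14.8.50"))                             # 131.1.23.11 (static)
    print(pix.outbound("10.10.20.100"))                           # 131.1.23.12 (first pool address)
    print(pix.inbound("tcp", "198.51.100.9", "131.1.23.10", 25))  # 10.10.254.3
    print(pix.inbound("tcp", "198.51.100.9", "131.1.23.11", 23))  # None: no permit in access-list 101
```

The check worth keeping in mind from this model is the last one: the admin workstation has a static, so it is reachable from the Internet in principle, and only the absence of a permit in access-list 101 keeps Telnet to 131.1.23.11 out. Any later addition to that list should be reviewed against the statics, not just against the intended service.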
RTRA
no service tcp-small-servers
!--- Prevents some attacks against the router itself.
logging trap debugging
!--- Forces the router to send a message
!--- to the syslog server for each and every
!--- event on the router. This includes packets denied
!--- access through access lists and
!--- configuration changes. This acts as an early warning system to the system
!--- administrator that someone is trying to break in, or has broken in and is
!--- trying to create a "hole" in their firewall.
logging 131.1.23.11
!--- The router logs all events to this
!--- host, which in this case is the
!--- "outside" or "translated" address of the system
!--- administrator's workstation.
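Because RTRA logs every access-list deny and every configuration change to the administrator's workstation, that syslog feed is where an intrusion attempt shows up first. The script below is an added example, not code from this page or from Cisco. It parses IOS `%SEC-6-IPACCESSLOGP` and `%SYS-5-CONFIG_I` messages and maps each deny back to the intent of the access-list 110 entries that follow: a 131.1.23.0/24 source arriving from the Internet is a spoofing attempt, a hit on 131.1.23.2 is a probe of the PIX outside interface, and a port other than ftp, ftp-data or www on 131.1.23.3 is a disallowed service; a configuration change from any host other than 131.1.23.11 is flagged because access-list 10 should make that impossible. The message formats are the real IOS ones; the sample lines, the hostname RTRA and the addresses 198.51.100.9 and 131.1.23.7 are constructed.

```python
"""Triage of the syslog feed RTRA sends to 131.1.23.11. Added example; not Cisco code."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the IOS message formats (not taken from the page).
SAMPLE_SYSLOG = """\
RTRA 1234: *Mar  1 00:12:01: %SEC-6-IPACCESSLOGP: list 110 denied tcp 131.1.23.7(1054) -> 131.1.23.3(80), 1 packet
RTRA 1235: *Mar  1 00:12:05: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.9(40001) -> 131.1.23.2(23), 1 packet
RTRA 1236: *Mar  1 00:12:06: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.9(40002) -> 131.1.23.3(23), 1 packet
RTRA 1237: *Mar  1 00:12:07: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.9(40003) -> 131.1.23.3(22), 1 packet
RTRA 1238: *Mar  1 00:12:09: %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.9(40004) -> 131.1.23.2(161), 1 packet
RTRA 1239: *Mar  1 00:13:00: %SYS-5-CONFIG_I: Configured from console by vty0 (131.1.23.11)
RTRA 1240: *Mar  1 00:14:00: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.9)
"""

ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?"
)
CONFIG_LOG = re.compile(r"%SYS-5-CONFIG_I: Configured from .*\((?P<src>[\d.]+)\)")

DMZ = ipaddress.IPv4Network("131.1.23.0/24")   # network between RTRA and the PIX
PIX_OUTSIDE = "131.1.23.2"
WEB_SERVER = "131.1.23.3"
ADMIN_WS = "131.1.23.11"


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Map one syslog line to (category, source address) following the intent of access-list 110."""
    m = ACL_LOG.search(line)
    if m:
        if m.group("action") != "denied":
            return None
        src, dst = m.group("src"), m.group("dst")
        if ipaddress.IPv4Address(src) in DMZ:
            return "spoofed-source", src            # 1st entry: our own range arriving from the Internet
        if dst == PIX_OUTSIDE:
            return "pix-outside-probe", src          # 2nd entry: direct contact with the PIX
        if dst == WEB_SERVER:
            return "server-disallowed-port", src     # 7th entry: not ftp/ftp-data/www
        return "other-deny", src
    m = CONFIG_LOG.search(line)
    if m and m.group("src") != ADMIN_WS:
        return "config-change-unexpected-host", m.group("src")  # access-class 10 should prevent this
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    return [e for e in (classify(l) for l in text.splitlines()) if e is not None]


def summarize(text: str) -> Dict[str, int]:
    return dict(Counter(cat for cat, _ in triage(text)))


def scanners(text: str, min_targets: int = 3) -> List[str]:
    """Sources whose denied packets touched at least min_targets distinct (dst, port) pairs."""
    seen: Dict[str, Set[Tuple[str, str]]] = {}
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if m and m.group("action") == "denied":
            seen.setdefault(m.group("src"), set()).add((m.group("dst"), m.group("dport")))
    return sorted(s for s, t in seen.items() if len(t) >= min_targets)


if __name__ == "__main__":
    for cat, src in triage(SAMPLE_SYSLOG):
        print(f"{cat:32} {src}")
    print("likely scanners:", scanners(SAMPLE_SYSLOG))
```

One caveat when reading these lines in production: IOS logs the first packet matching a `log` entry immediately and then only periodic summaries, so the packet count on a single line can hide a burst; the scanner heuristic above therefore counts distinct targets rather than packets.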
enable secret xxxxxxxxxxx
interface Ethernet 0
ip address 131.1.23.1 255.255.255.0
interface Serial 0
ip unnumbered ethernet 0
ip access-group 110 in
!--- Shields the PIX Firewall and the HTTP/FTP
!--- server from attacks and guards
!--- against spoofing attacks.
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
!--- ... RTRA and the PIX Firewall.
!--- This is to prevent spoofing attacks.
access-list 110 deny ip any host 131.1.23.2 log
!— Pre/ents dire"t atta"s against the!— outside interfa"e of the PIX Firewall and!— logs an' atte#pts to "onne"t to the!— outside interfa"e of the PIX to the s'slogser/er.
a%%ess$list 110 permit t%p any 131.1.23.00.0.0.2 established
!— Per#its pa"ets whi"h are part !— of an established )P session.
a%%ess$list 110 permit t%p any host 131.1.23.3 e)*tp
!— Allows F)P "onne"tions into the F)P7;))Pser/er.
a%%ess$list 110 permit t%p any host 131.1.23.3 e)*tp$data
!— Allows ftp,data "onne"tions into the F)P7;))Pser/er.
a%%ess$list 110 permit t%p any host 131.1.23.3 e)www
!— Allows ;))P "onne"tions into the F)P7;))Pser/er.
a%%ess$list 110 deny ip any host 131.1.23.3 log
!— =isallows all other "onne"tions to!— the F)P7;))P ser/er and logs an' atte#pt !— to "onne"t this ser/er to the s'slog ser/er.
a%%ess$list 110 permit ip any 131.1.23.0 0.0.0.2
!— Per#its other tra-" destined to the!— networ between the PIX Firewall and ()(A.
line /ty 0 !loginpassword ,,,,,,,,,,a%%ess$%lass 10 in
!— (estri"ts )elnet a""ess to the router !— to those IP addresses listed in
-
8/9/2019 Cisco Secure PIX Firewall
6/10
!— a""ess list 10.
a%%ess$list 10 permit ip 131.1.23.11
!— Per#its onl' the worstation of thead#inistrator !— to )elnet into the router. )his!— a""ess list #a' need to be "hanged to per#it !— a""ess fro# the Internet for !— #aintenan"e but should "ontain as few!— entries as possible.
Note: RTRB is the inner defense router. RTRB is the last line of defense in your firewall, and it is the entry point into your internal network.
RTRB
logging trap debugging
logging 10.14.8.50
!---
access-list 110 permit tcp host 10.10.254.3 10.0.0.0 0.255.255.255 eq smtp
!--- Permits SMTP mail connections from the
!--- mail host to internal mail servers.
access-list 110 deny ip host 10.10.254.3 10.0.0.0 0.255.255.255
!--- Denies all other traffic sourced
!--- from the mail server.
access-list 110 deny ip 10.10.20.0 0.0.0.255 any
!--- Prevents spoofing of trusted addresses
!--- on the internal network.
access-list 110 permit ip 10.10.254.0 0.0.0.255 10.10.20.0 0.255.255.255
!--- Permits all other traffic sourced from
!--- the network between the PIX Firewall and RTRB.
line vty 0 4
login
password xxxxxxxxxx
access-class 10 in
!--- Restricts Telnet access to the router
!--- to those IP addresses listed in
!--- access list 10.
access-list 10 permit 10.14.8.50
!--- Permits only the workstation of the administrator
!--- to Telnet into the router. This
!--- access list may need to be changed to permit
!--- access from the Internet for
!--- maintenance, but should contain as few entries as possible.
!— A stati" route or routing proto"ol #ust beutiliGed!— to #ae the router aware of networ 10.1$.%.6 whi"h is
-
8/9/2019 Cisco Secure PIX Firewall
8/10
!— inside the "orporate networ. )his is be"ause!— it is not a dire"tl' "onne"ted networ.
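Both routers apply their access-list 110 inbound with first-match semantics, so entry order decides the outcome: on RTRA the `established` entry sits before the deny for 131.1.23.3 and therefore lets reply traffic to the server through on any port, while on RTRB the spoofing deny for 10.10.20.0/24 must precede the final permit. The evaluator below is an added example, not code from this page or from Cisco. It parses the RTRA and RTRB access-list 110 entries exactly as listed above, applies IOS wildcard masks, and returns the index of the entry that matched (or the implicit deny); packet addresses such as 198.51.100.9 are constructed. It also makes visible what the 0.255.255.255 wildcard on RTRB's last entry does: a destination of 10.14.8.50 matches it just as 10.10.20.x does, because only the first octet is compared.

```python
"""First-match evaluation of the IOS access-lists above (RTRA and RTRB, list 110).
Added example; this is not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two lists exactly as configured above.
RTRA_110 = """
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
access-list 110 deny ip any host 131.1.23.2 log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
access-list 110 permit tcp any host 131.1.23.3 eq ftp
access-list 110 permit tcp any host 131.1.23.3 eq ftp-data
access-list 110 permit tcp any host 131.1.23.3 eq www
access-list 110 deny ip any host 131.1.23.3 log
access-list 110 permit ip any 131.1.23.0 0.0.0.255
"""
RTRB_110 = """
access-list 110 permit tcp host 10.10.254.3 10.0.0.0 0.255.255.255 eq smtp
access-list 110 deny ip host 10.10.254.3 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.10.20.0 0.0.0.255 any
access-list 110 permit ip 10.10.254.0 0.0.0.255 10.10.20.0 0.255.255.255
"""
PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


@dataclass
class Ace:
    action: str
    proto: str
    src: List[str]             # ["any"], ["host", A] or [NET, WILDCARD]
    dst: List[str]
    dport: Optional[int]
    established: bool
    log: bool


def _take_addr(tokens: List[str]) -> Tuple[List[str], List[str]]:
    n = 1 if tokens[0] == "any" else 2   # "host A" and "NET WILDCARD" both use two tokens
    return tokens[:n], tokens[n:]


def _match_addr(spec: List[str], addr: str) -> bool:
    if spec == ["any"]:
        return True
    if spec[0] == "host":
        return addr == spec[1]
    net = int(ipaddress.IPv4Address(spec[0]))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(spec[1]))  # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport, established, log = None, False, False
        while rest:
            kw = rest.pop(0)
            if kw == "eq":
                name = rest.pop(0)
                dport = PORTS.get(name) or int(name)
            elif kw == "established":
                established = True
            elif kw == "log":
                log = True
        aces.append(Ace(action, proto, src, dst, dport, established, log))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, index of the matching entry, whether it logs).
    Entries are tried in order; no match hits the implicit deny (index None)."""
    for i, a in enumerate(aces):
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if not (_match_addr(a.src, pkt.src) and _match_addr(a.dst, pkt.dst)):
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        if a.established and not pkt.established:
            continue
        return a.action, i, a.log
    return "deny", None, False


RTRA_ACL = parse_acl(RTRA_110)
RTRB_ACL = parse_acl(RTRB_110)

if __name__ == "__main__":
    print(evaluate(RTRA_ACL, Packet("tcp", "198.51.100.9", "131.1.23.3", 1025, established=True)))
    print(evaluate(RTRB_ACL, Packet("udp", "10.10.254.2", "10.14.8.50", 514)))
```

The second demonstration line is the one to act on: with the wildcard as written, RTRB's last entry permits the transit network to reach all of 10.0.0.0/8, so if the intent was to confine it to 10.10.20.0/24 the wildcard should be 0.0.0.255.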
KONS"P
u7uan dari Firewall adalah untuk men%egah masuknya trafk yang tidak
diinginkan "unauthori8edillegal# ke dalam 7aringan anda bersamaan dengan trafk
yang anda inginkan "authori8edlegal#. al ini akan men7adi lebih mudah dimulai
dengan menganalisa dan membreakdown ob7ek ob7ek yang penting kemudian
mempertimbangkan bagaimana membuat pertahanan dari kriminalha%ker yang
selalu mengintai untuk memasuki 7aringan anda. 9isal seorang kriminal mengin%ar
ser/er anda yang berisi in*ormasi penting dan bisa di7ual ke kompetitor anda. :ia
mulai mempela7ari ser/er anda& misal alamat ser/er anda 10.10.20.100
5ang kriminal menemukan beberapa masalah serius; alamat IP ser/er anda
tidak bisa di%apai melalui Internet& 7adi tidak ada satupun organisasi yang
-
8/9/2019 Cisco Secure PIX Firewall
9/10
mengirimkan paket ke alamat network 10. al ini menyebabkan sang kriminal
men%ari tahu alamat ip berapa yang digunakan untuk mentranslate ip ini ke
internet. (sumsikan bahwa sang kriminal tidak dapat menemukan %ara untuk
memasukimenyerang ser/er anda se%ara langsung dari internet& kemudian
men%ari akal dengan 7alan masuk ke 7aringan dan menyerang ser/er dari dalam
7aringan anda.
+intangan pertama yang ditemuinya adalah
The concept is to build defense in layers rather than a single