Access Control Based on Identity Hiding
A router is infrastructure of the carrier network and has no need to advertise its physical existence to the public. Therefore, where security requirements are high or the threat is greater (for example, at the edge of the carrier network), the router can hide itself by not responding to probe messages from the outside.
Today a router normally signals that it is reachable by answering ICMP messages, so disabling ping (ICMP Echo) responses on the router effectively defeats an attacker's reachability probing during the reconnaissance phase that precedes an attack. The measure is narrow, however: it hides the router from ping sweeps only. A probe aimed at any listening TCP or UDP service, or a traceroute that relies on the router's TTL-exceeded messages, still reveals it, so ICMP suppression complements, rather than replaces, filtering of management and protocol traffic at the edge.
Example for Configuring the Device Not to Respond to ICMP Packets
Networking Requirements
As shown in Figure 7-8, Device is located at the network edge, where attackers frequently use ICMP packets to illegally probe the internal network structure. To secure Device and prevent unauthorized users from attacking it, Device must be configured not to respond to ICMP packets so that it hides itself.
Device name | Interface | IP address
Device      | GE0/1/1   | 10.137.217.221/16
Configuration Roadmap
The configuration roadmap is as follows:
- Run ping on the PC and check on Device whether it responds to ICMP packets.
- Disable Device from responding to ICMP packets.
- Run ping again and check whether Device no longer responds to ICMP packets.
Data Preparation
None
Procedure
- Run ping on the PC and check on Device whether it responds to ICMP packets.
# Check ICMP traffic statistics before running ping.
<HUAWEI> display icmp statistics
  Input: bad format        0    bad checksum            0
         echo              0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information request     0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
  Output: echo             0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information reply       0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
# Check ICMP traffic statistics after running ping.
<HUAWEI> display icmp statistics
  Input: bad format        0    bad checksum            0
         echo              2    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information request     0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
  Output: echo             0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        2    parameter problem       0
         timestamp request 0    information reply       0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
The output shows that Device responded to the Echo (ping) ICMP packets: the Input echo counter and the Output echo reply counter both increased by 2.
- Disable Device from responding to ICMP packets.
<HUAWEI> system-view
[~HUAWEI] undo icmp name echo receive
[*HUAWEI] commit
[~HUAWEI] quit
The preceding command disables the response to Echo ICMP packets only. The other ICMP packet types that can be disabled in the same way are listed by the command help:
[~HUAWEI] undo icmp name ?
  echo                   Echo request(Type=8, Code=0)
  echo-reply             Echo Reply(Type=0, Code=0)
  fragmentneed-dfset     Fragmentation needed but no frag bit set(Type=3, Code=4)
  host-redirect          Redirect for host(Type=5, Code=1)
  host-tos-redirect      Redirect for TOS and host(Type=5, Code=3)
  host-unreachable       Host Unreachable(Type=3, Code=1)
  information-reply      Information reply(Type=16, Code=0)
  information-request    Information request(Type=15, Code=0)
  net-redirect           Redirect for network(Type=5, Code=0)
  net-tos-redirect       Redirect for TOS and network(Type=5, Code=2)
  net-unreachable        Network Unreachable(Type=3, Code=0)
  parameter-problem      IP header bad (catchall error)(Type=12, Code=0)
  port-unreachable       Port Unreachable(Type=3, Code=3)
  protocol-unreachable   Protocol Unreachable(Type=3, Code=2)
  reassembly-timeout     TTL equals 0 during reassembly(Type=11, Code=1)
  source-quench          Source quench(Type=4, Code=0)
  source-route-failed    Source routing failed(Type=3, Code=5)
  timestamp-reply        Timestamp reply(Type=14, Code=0)
  timestamp-request      Timestamp request(Type=13, Code=0)
  ttl-exceeded           TTL equals 0 during transit(Type=11, Code=0)
These commands control which ICMP types Device accepts and processes. Dropping error types such as fragmentneed-dfset or ttl-exceeded means Device itself will no longer act on those conditions, so disable only the types that serve no operational purpose at that position in the network.
- Run ping again and check whether Device no longer responds to ICMP packets.
# Clear ICMP traffic statistics.
<HUAWEI> reset ip statistics
# Check ICMP traffic statistics before running ping.
<HUAWEI> display icmp statistics
  Input: bad format        0    bad checksum            0
         echo              0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information request     0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
  Output: echo             0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information reply       0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
# Check ICMP traffic statistics after running ping.
<HUAWEI> display icmp statistics
  Input: bad format        0    bad checksum            0
         echo              0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information request     0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
  Output: echo             0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information reply       0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
The output shows that Device no longer responds to ICMP packets: the Input echo counter stays at 0, so the echo requests were discarded before being counted, and the Output echo reply counter confirms that no replies were sent.
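When the check above has to be repeated across many edge devices, it is easier to parse the two "display icmp statistics" snapshots and compare the echo counters than to read them by eye. The following is an added example, not Huawei code or part of this configuration guide: a parser for the output layout shown above (section label followed by two "name value" counters per line) plus a verdict function that distinguishes a device that still answers ping, one that counts the requests but stays silent, and one that discards them before the counters are updated, which is what the page shows after "undo icmp name echo receive". The two snapshots are constructed from the figures on this page, and the function and variable names are this example's own.

```python
import re
from typing import Dict, Tuple

# Added example (not Huawei code): parse "display icmp statistics" output and
# compare two snapshots to decide whether the device still answers ping.

Snapshot = Dict[str, Dict[str, int]]

# A counter is a name of one or more words followed by an integer. Several
# counters share one line, so the name is matched non-greedily up to the value.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s+(\d+)(?=\s|$)")
SECTION_RE = re.compile(r"(Input|Output):\s*(.*)")


def parse_icmp_statistics(text: str) -> Snapshot:
    """Return {"Input": {counter: value}, "Output": {counter: value}}."""
    stats: Snapshot = {"Input": {}, "Output": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):   # blank line or the CLI prompt line
            continue
        m = SECTION_RE.match(line)
        if m:                                  # "Input:"/"Output:" share a line with counters
            section, line = m.group(1), m.group(2)
        if section is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            stats[section][name.strip()] = int(value)
    return stats


def ping_delta(before: Snapshot, after: Snapshot) -> Tuple[int, int]:
    """(echo requests counted on input, echo replies counted on output)
    between two snapshots taken around a ping from the PC."""
    rx = after["Input"]["echo"] - before["Input"]["echo"]
    tx = after["Output"]["echo reply"] - before["Output"]["echo reply"]
    return rx, tx


def ping_verdict(before: Snapshot, after: Snapshot) -> str:
    """'responding': echo replies went out, the device is not hidden.
    'silent': requests were counted but not answered.
    'dropped': nothing was counted, the requests were discarded before the
    ICMP counters were updated (the page's result after the undo command)."""
    rx, tx = ping_delta(before, after)
    if tx > 0:
        return "responding"
    if rx > 0:
        return "silent"
    return "dropped"


# Constructed snapshots laid out like the output on this page (all-zero baseline
# and the state after two echo requests were answered).
ZERO = """<HUAWEI> display icmp statistics
  Input: bad format        0    bad checksum            0
         echo              0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information request     0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
  Output: echo             0    destination unreachable 0
         source quench     0    redirects               0
         echo reply        0    parameter problem       0
         timestamp request 0    information reply       0
         mask requests     0    mask replies            0
         time exceeded     0    timestamp reply         0
         Mping request     0    Mping reply             0
"""
AFTER_PING = ZERO.replace("echo              0", "echo              2") \
                 .replace("echo reply        0    parameter problem       0\n         timestamp request 0    information reply",
                          "echo reply        2    parameter problem       0\n         timestamp request 0    information reply")

if __name__ == "__main__":
    base = parse_icmp_statistics(ZERO)
    print("before undo:", ping_verdict(base, parse_icmp_statistics(AFTER_PING)))  # responding
    print("after undo: ", ping_verdict(base, parse_icmp_statistics(ZERO)))        # dropped
```

The "silent" verdict is worth keeping even though this page never shows it: a device protected by an inbound ACL rather than by the icmp name command counts the requests it receives, so the Input echo counter rises while no reply is sent, and the two cases should not be confused when auditing which mechanism is actually in force.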
Configuration Files
- Configuration file of Device
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
interface NULL0
#
undo icmp echo receive
undo icmp echo-reply receive
#
return
Note that the configuration file also contains undo icmp echo-reply receive, which is not entered in the procedure above. It additionally discards incoming Echo Reply packets, so a ping initiated from Device itself will no longer see its answers; include it only if Device does not need to originate pings for its own diagnostics.