Introduction
I had been growing my router configuration from the sample configurations NEC publishes, but I still felt uneasy about the security side, so after bouncing ideas off ChatGPT I added ACLs that block invalid packets and packets that must never leave for the outside.
IPv4 ACL additions
ip access-list invalid-in option optimize
ip access-list invalid-in deny ip src 0.0.0.0/8 dest any
ip access-list invalid-in deny ip src 10.0.0.0/8 dest any
ip access-list invalid-in deny ip src 100.64.0.0/10 dest any
ip access-list invalid-in deny ip src 127.0.0.0/8 dest any
ip access-list invalid-in deny ip src 169.254.0.0/16 dest any
ip access-list invalid-in deny ip src 172.16.0.0/12 dest any
ip access-list invalid-in deny ip src 192.168.0.0/16 dest any
ip access-list invalid-in deny ip src 198.18.0.0/15 dest any
ip access-list invalid-in deny ip src 224.0.0.0/4 dest any
ip access-list invalid-in deny ip src 240.0.0.0/4 dest any
ip access-list invalid-out option optimize
ip access-list invalid-out deny ip src any dest 0.0.0.0/8
ip access-list invalid-out deny ip src any dest 10.0.0.0/8
ip access-list invalid-out deny ip src any dest 100.64.0.0/10
ip access-list invalid-out deny ip src any dest 127.0.0.0/8
ip access-list invalid-out deny ip src any dest 169.254.0.0/16
ip access-list invalid-out deny ip src any dest 172.16.0.0/12
ip access-list invalid-out deny ip src any dest 192.168.0.0/16
ip access-list invalid-out deny ip src any dest 198.18.0.0/15
ip access-list invalid-out deny ip src any dest 224.0.0.0/4
ip access-list invalid-out deny ip src any dest 240.0.0.0/4
ip access-list basic-out deny udp src any sport any dest any dport range 137 139
ip access-list basic-out deny tcp src any sport any dest any dport range 137 139
ip access-list basic-out deny udp src any sport any dest any dport eq 445
ip access-list basic-out deny tcp src any sport any dest any dport eq 445
If the source or destination IP address is a local one (private, loopback, link-local and so on), the packet is treated as invalid and blocked.
NetBIOS-related packets should not get out to the outside either, so those are blocked as well.
IPv6 ACL additions
ipv6 access-list invalid-in option optimize
ipv6 access-list invalid-in deny ip src ::/96 dest any
ipv6 access-list invalid-in deny ip src ::ffff:0:0/96 dest any
ipv6 access-list invalid-in deny ip src 2001:db8::/32 dest any
ipv6 access-list invalid-in deny ip src fc00::/7 dest any
ipv6 access-list invalid-in deny ip src fe80::/10 dest any
ipv6 access-list invalid-in deny ip src fec0::/10 dest any
ipv6 access-list invalid-in deny ip src ff00::/8 dest any
ipv6 access-list invalid-out option optimize
ipv6 access-list invalid-out deny ip src any dest ::/96
ipv6 access-list invalid-out deny ip src any dest ::ffff:0:0/96
ipv6 access-list invalid-out deny ip src any dest 2001:db8::/32
ipv6 access-list invalid-out deny ip src any dest fc00::/7
ipv6 access-list invalid-out deny ip src any dest fe80::/10
ipv6 access-list invalid-out deny ip src any dest fec0::/10
ipv6 access-list invalid-out deny ip src any dest ff00::/8
ipv6 access-list basic-out deny udp src any sport any dest any dport range 137 139
ipv6 access-list basic-out deny tcp src any sport any dest any dport range 137 139
ipv6 access-list basic-out deny udp src any sport any dest any dport eq 445
ipv6 access-list basic-out deny tcp src any sport any dest any dport eq 445
The idea is the same as for IPv4: packets entering or leaving with link-local (LLA), unique local (ULA), IPv4-mapped or similar addresses are not legitimate on the Internet side, so they are blocked.
Filter application order
The ACLs added this time are applied with the following priorities.
They are written under the interfaces that connect to the Internet (for IPv4, that is the tunnel interface in this configuration).
interface GigaEthernet0.0
! ... (omitted)
ipv6 filter dhcpv6-list 10 in
ipv6 filter icmpv6-list 20 in
ipv6 filter tunnel-list 30 in
ipv6 filter web-list 40 in
ipv6 filter invalid-in 90 in
ipv6 filter block-list 100 in
ipv6 filter dhcpv6-list 10 out
ipv6 filter icmpv6-list 20 out
ipv6 filter tunnel-list 30 out
ipv6 filter basic-out 80 out
ipv6 filter invalid-out 90 out
ipv6 filter dflt-list 100 out
!
interface Tunnel0.0
! ... (omitted)
ip filter serv 10 in
ip filter serv-mail 20 in
ip filter serv-web 30 in
ip filter serv-vpn 40 in
ip filter invalid-in 90 in
ip filter block-list4 100 in
ip filter basic-out 80 out
ip filter invalid-out 90 out
ip filter dflt-list4 100 out
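The following is an added example, not NEC IX code and not the post's own configuration: an offline model in Python of the invalid-in / invalid-out / basic-out lists above and of the priority-ordered filter chains, so the effect of the ordering can be checked before committing it to the router. It shows why the ICMPv6 list sitting at priority 20 matters: fe80::/10 sources are denied by invalid-in at 90, but Neighbor Discovery and Router Advertisements come from exactly those addresses, so they must be permitted by an earlier list. The contents of icmpv6-list, block-list and dflt-list4 are not on the page, so they are modelled as assumed stubs (permit ICMPv6, deny all, permit all), the other lists are omitted, and the treatment of a packet no list matches (dropped) is also an assumption. Sample addresses and packets are constructed.

```python
"""Model of the page's bogon / NetBIOS ACLs and priority-ordered filter chains.
Added example; not NEC IX code and not the post's own configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Prefixes copied from the page's invalid-in / invalid-out lists.
INVALID_V4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]
INVALID_V6 = [ipaddress.ip_network(p) for p in (
    "::/96", "::ffff:0:0/96", "2001:db8::/32", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8")]
# NetBIOS (137-139) and SMB (445), TCP and UDP, from the basic-out list.
NETBIOS_SMB_PORTS = set(range(137, 140)) | {445}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None


Verdict = Optional[str]          # "permit", "deny" or None when the list does not match
Filter = Callable[[Packet], Verdict]
Chain = List[Tuple[int, str, Filter]]


def _matches(addr: str, prefixes) -> bool:
    """True if addr falls inside any prefix of the same IP version."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in prefixes if n.version == a.version)


def invalid_in(pkt: Packet) -> Verdict:
    """deny ip src <bogon> dest any"""
    return "deny" if _matches(pkt.src, INVALID_V4 + INVALID_V6) else None


def invalid_out(pkt: Packet) -> Verdict:
    """deny ip src any dest <bogon>"""
    return "deny" if _matches(pkt.dst, INVALID_V4 + INVALID_V6) else None


def basic_out(pkt: Packet) -> Verdict:
    """deny tcp/udp ... dport range 137 139 and dport eq 445"""
    if pkt.proto in ("tcp", "udp") and pkt.dport in NETBIOS_SMB_PORTS:
        return "deny"
    return None


# Assumed stubs: the real contents of these lists are not shown on the page.
def icmpv6_list(pkt: Packet) -> Verdict:
    return "permit" if pkt.proto == "icmpv6" else None


def block_list(pkt: Packet) -> Verdict:
    return "deny"


def dflt_list(pkt: Packet) -> Verdict:
    return "permit"


def evaluate(chain: Chain, pkt: Packet) -> Tuple[str, str]:
    """Walk the lists in ascending priority number; the first list that matches
    decides. Assumption: a packet that no list matches is dropped."""
    for _prio, name, fn in sorted(chain, key=lambda t: t[0]):
        verdict = fn(pkt)
        if verdict is not None:
            return name, verdict
    return "no-match", "deny"


# The page's chains, reduced to the lists modelled here (same priority numbers).
IPV6_IN: Chain = [(20, "icmpv6-list", icmpv6_list), (90, "invalid-in", invalid_in),
                  (100, "block-list", block_list)]
IPV4_OUT: Chain = [(80, "basic-out", basic_out), (90, "invalid-out", invalid_out),
                   (100, "dflt-list4", dflt_list)]

if __name__ == "__main__":
    samples = [  # constructed packets
        (IPV6_IN, Packet("fe80::1", "ff02::1", "icmpv6")),          # Router Advertisement
        (IPV6_IN[1:], Packet("fe80::1", "ff02::1", "icmpv6")),      # same, without icmpv6-list
        (IPV6_IN, Packet("fc00::1", "2001:db8::1", "tcp", 22)),     # ULA source from outside
        (IPV4_OUT, Packet("203.0.113.10", "198.51.100.1", "udp", 137)),  # NetBIOS leaving
        (IPV4_OUT, Packet("203.0.113.10", "10.0.0.1", "tcp", 443)),      # private destination
        (IPV4_OUT, Packet("203.0.113.10", "198.51.100.1", "tcp", 443)),  # ordinary HTTPS
    ]
    for chain, pkt in samples:
        print(pkt, "->", evaluate(chain, pkt))
```

The second sample is the check worth keeping around: dropping icmpv6-list from the chain (or giving invalid-in a lower number than it) makes the router deny its own neighbour's Router Advertisements, which is exactly the failure the priority numbers in the listing avoid.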
Closing
ChatGPT's view is that with the configuration done this time there is almost nothing left to do as far as router settings go, so from here on I will keep watching the logs for a while.
I myself also have a real sense that the router has grown into pretty good shape, so I am quite satisfied.