I have R1, R2, and R3, and I want to use NBAR to build a security policy that I can apply to R2.
I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network. I want to prevent inside users from accessing the bittorrent and edonkey protocols, and from downloading .exe files from HTTP sites.
To accomplish this, I'll create a class-map on R2 for matching any of the relevant traffic, create a policy-map which will call the class-map and drop the traffic, and then apply that policy-map to the outside interface of R2.
R2(config)#class-map match-any CLASS_PROTECT
R2(config-cmap)#match protocol bittorrent
R2(config-cmap)#match protocol edonkey
R2(config-cmap)#match protocol http url *.exe
I'll then create a policy-map for dropping the traffic matched in the class-map.
R2(config-cmap)#policy-map POLICY_DROP_CLASS_PROTECT
R2(config-pmap)#class CLASS_PROTECT
R2(config-pmap-c)#drop
I will now apply the policy-map to the outside interface.
R2(config-pmap)#int s0/1/0
R2(config-if)#service-policy input POLICY_DROP_CLASS_PROTECT
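As an added example (not part of the original post or of Cisco IOS), here is a small Python audit script that parses a constructed `show running-config` excerpt and checks that the class-map, policy-map and service-policy above are wired up as intended, including the two mistakes that silently defeat this kind of policy: a `match-all` class-map (one packet can never be bittorrent, edonkey and HTTP at once) and the service-policy attached in the wrong direction. The interface name `Serial0/1/0` and the sample config are assumptions constructed for the test.

```python
import re

# Constructed sample of `show running-config` on R2 after the steps above
# (not captured from a real router; assumption for this example).
SAMPLE_CONFIG = """\
class-map match-any CLASS_PROTECT
 match protocol bittorrent
 match protocol edonkey
 match protocol http url "*.exe"
!
policy-map POLICY_DROP_CLASS_PROTECT
 class CLASS_PROTECT
  drop
!
interface Serial0/1/0
 service-policy input POLICY_DROP_CLASS_PROTECT
!
interface FastEthernet0/1
 ip address 10.1.12.2 255.255.255.0
!
"""

def parse_sections(config):
    """Map each top-level config line to its indented child lines (stripped)."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_nbar_policy(config, interface, class_name, policy_name, required):
    """Check that the class-map, policy-map and service-policy are wired as intended."""
    s = parse_sections(config)
    pat = rf"class-map (match-any|match-all) {re.escape(class_name)}"
    hdr = next((k for k in s if re.fullmatch(pat, k)), None)
    matches = {m.replace('"', "") for m in s.get(hdr, [])}  # IOS may quote the url string
    drops, cur = False, None
    for line in s.get(f"policy-map {policy_name}", []):
        if line.startswith("class "):
            cur = line.split()[1]
        elif line == "drop" and cur == class_name:
            drops = True
    return {
        "class_defined": hdr is not None,
        "class_is_match_any": hdr is not None and "match-any" in hdr,  # match-all never fires here
        "all_matches_present": all(f"match protocol {r}" in matches for r in required),
        "policy_drops_class": drops,
        "policy_applied_inbound": f"service-policy input {policy_name}" in s.get(f"interface {interface}", []),
    }
```

Run `audit_nbar_policy(SAMPLE_CONFIG, "Serial0/1/0", "CLASS_PROTECT", "POLICY_DROP_CLASS_PROTECT", ["bittorrent", "edonkey", "http url *.exe"])` against real `show running-config` output to confirm every finding is True before trusting the policy.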
I won't simulate bittorrent or edonkey, but I will verify that the policy is filtering out .exe files.
I'll connect to R3, create a file with a .exe extension, and set the ip http path so the HTTP server will serve it.
R3#copy run slot0:/test.exe
Destination filename [test.exe]?
2278 bytes copied in 1.144 secs (1991 bytes/sec)
R3#dir slot0:
Directory of slot0:/
1 -rw- 38845972 Jun 4 2002 01:34:54 -05:00 c3725-adventerprisek9-mz.124-25c.bin
2 -rw- 2278 Sep 12 2011 18:00:24 -05:00 test.exe
257531904 bytes total (218681344 bytes free)
R3#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip http path slot0:/
I'll first test that I can copy the IOS image from R3 to R1.
R1#copy http://jason:cisco@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin null:
Loading http://***********@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin !!!!!!!!!!!!!!!!!!!!
This behaves as expected.
Now I'll attempt to move the .exe file.
R1#copy http://jason:cisco@10.1.23.3/test.exe null:
%Error opening http://jason:cisco@10.1.23.3/test.exe (I/O error)
Access is not allowed as expected.