Not long ago a ransomware worm ran amok, and a great many victims, from companies down to individuals, suffered heavy losses. Some companies have controls at the Internet entry point, but that alone is not enough: what if someone plugs an infected USB drive into a machine on the internal network? Then the whole internal network is likely to be infected (except for hosts that already have the relevant patches).
Today we talk about how to implement the appropriate access control on routers and switches, blocking the relevant ports so the virus cannot spread inside the network. Huawei and H3C devices are used as the examples.
What? Why not Cisco? What more do you want? We need to support domestic vendors!
**************************************
Huawei
#
acl 3100                                      // create a numbered ACL
 rule 5 deny tcp destination-port eq 445      // block TCP port 445
 rule 10 deny tcp destination-port eq 135
 rule 15 deny tcp destination-port eq 137
 rule 20 deny tcp destination-port eq 138
 rule 25 deny tcp destination-port eq 139
 rule 30 deny udp destination-port eq 445
 rule 35 deny udp destination-port eq 135
 rule 40 deny udp destination-port eq 137
 rule 45 deny udp destination-port eq 138
 rule 50 deny udp destination-port eq 139
#
traffic classifier anti_wana operator or precedence 5   // create a traffic classifier
 if-match acl 3100                            // associate the classifier with the ACL
#
traffic behavior anti_wana                    // create a traffic behavior
 deny                                         // action: drop matching traffic
 statistic enable                             // traffic statistics (optional)
#
traffic policy anti_wana match-order config   // create a traffic policy
 classifier anti_wana behavior anti_wana      // bind the classifier to the behavior
#
[Global view]
traffic-policy anti_wana global inbound       // apply the traffic policy globally in the inbound direction
traffic-policy anti_wana global outbound      // apply the traffic policy globally in the outbound direction
[Interface view]                              // the policy can also be applied on individual interfaces as needed
traffic-policy anti_wana inbound
traffic-policy anti_wana outbound
****************************************
H3C
Most of the configuration is the same; after all, the two share the same roots.
#
acl number 3100
 rule 5 deny tcp destination-port eq 445
 rule 10 deny tcp destination-port eq 135
 rule 15 deny tcp destination-port eq 137
 rule 20 deny tcp destination-port eq 138
 rule 25 deny tcp destination-port eq 139
 rule 30 deny udp destination-port eq 445
 rule 35 deny udp destination-port eq 135
 rule 40 deny udp destination-port eq 137
 rule 45 deny udp destination-port eq 138
 rule 50 deny udp destination-port eq 139
#
traffic classifier anti_wana operator and
 if-match acl 3100
#
traffic behavior anti_wana
 filter deny
#
qos policy anti_wana
 classifier anti_wana behavior anti_wana
#
[Interface view]
qos apply policy anti_wana inbound
qos apply policy anti_wana outbound
[Global view]   // a QoS policy applied globally takes effect only on SPC and MPE boards (inbound only); some devices do not support this command and can only apply the policy on interfaces
qos apply policy anti_wana global inbound
qos apply policy anti_wana global outbound
==========================================
The ransomware has recently mutated and port 3389 is now also on the list of attacked ports, so please add the relevant rules to the ACL, just in case!
 rule 55 deny udp destination-port eq 3389
 rule 60 deny tcp destination-port eq 3389
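As an added example (not part of the original post), a small Python script that generates the numbered ACL above for either vendor and checks a saved ACL block for worm ports that are not yet denied, which is how you would catch the 3389 gap before the update rules are added. The function names, the rule numbering for the extended port list, and the sample ACL text are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Ports the post blocks: SMB/NetBIOS for the worm, plus RDP 3389 from the update.
WORM_PORTS = (445, 135, 137, 138, 139, 3389)

# Huawei and H3C share this rule syntax: "rule 5 deny tcp destination-port eq 445"
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp)\s+destination-port\s+eq\s+(\d+)\s*$"
)


def gen_acl(vendor: str, ports=WORM_PORTS, acl_num: int = 3100, step: int = 5) -> List[str]:
    """Emit the ACL block for 'huawei' or 'h3c' (same rules, different header line).
    Rules are numbered in steps of 5, tcp first then udp, as in the post."""
    header = f"acl number {acl_num}" if vendor == "h3c" else f"acl {acl_num}"
    lines = ["#", header]
    n = step
    for proto in ("tcp", "udp"):
        for port in ports:
            lines.append(f" rule {n} deny {proto} destination-port eq {port}")
            n += step
    lines.append("#")
    return lines


def parse_rules(config: str) -> Dict[Tuple[str, int], str]:
    """Map (proto, port) -> action for every destination-port rule in an ACL block."""
    rules: Dict[Tuple[str, int], str] = {}
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            _, action, proto, port = m.groups()
            rules[(proto, int(port))] = action
    return rules


def missing_blocks(config: str, ports=WORM_PORTS) -> List[Tuple[str, int]]:
    """Return (proto, port) pairs the ACL does not explicitly deny."""
    rules = parse_rules(config)
    return [(p, port) for p in ("tcp", "udp") for port in ports
            if rules.get((p, port)) != "deny"]


# Constructed sample: the post's original 10-rule ACL, before rules 55/60 were added.
SAMPLE_ACL = "\n".join(gen_acl("h3c", ports=(445, 135, 137, 138, 139)))

if __name__ == "__main__":
    print("not yet denied:", missing_blocks(SAMPLE_ACL))  # [('tcp', 3389), ('udp', 3389)]
```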