一、Juniper防火墻設(shè)備:
- 采用防火墻策略,阻止protocol為tcp的目的端口的445(135/137/138/139的類似)的訪問(wèn);
- 更新IDP的入侵防御特征庫(kù)并部署特征匹配;
- 采用Sky ATP的防御機(jī)制;
- 結(jié)合軟件定義的安全網(wǎng)絡(luò)解決方案(SDSN)實(shí)施整體防護(hù)。
Juniper路由設(shè)備:
1、定義filter,阻止protocol tcp的445端口(135/137/138/139的類似,在discard的term里面加入即可)
set firewall family inet filterDENY_WANNACRY term deny_wannacry from destination-port 445
set firewall family inetfilter DENY_WANNACRY term deny_wannacry from protocol tcp
##set firewall family inet filterDENY_WANNACRY term deny_wannacry from destination-port 135-139 ##
set firewall family inet filterDENY_WANNACRY term deny_wannacry then discard
set firewall family inet filterDENY_WANNACRY term default then accept
2、在forwarding-options下應(yīng)用
set forwarding-options family inet filter input DENY_WANNACRY
Juniper交換設(shè)備:
采用group方式在接口上批量應(yīng)用filter(有大量業(yè)務(wù)接口時(shí)使用這種方法可節(jié)省工作量)
1、定義groupIFS_DENY_WANNACRY:所有g(shù)e接口的所有子接口入方向應(yīng)用filter DENY_WANNACRY
set groups IFS_DENY_WANNACRY interfaces<ge-*> unit <*> family ethernet-switching filter inputDENY_WANNACRY
(注:有使用到其他接口類型,使用上述配置方法增加)
2、定義filterDENY_WANNACRY, 阻止ip-protocol tcp的445端口(135/137/138/139的類似)
set firewall family ethernet-switchingfilter DENY_WANNACRY term deny_wannacry from destination-port 445
set firewall familyethernet-switching filter DENY_WANNACRY term deny_wannacry from ip-protocol tcp
##setfirewall family ethernet-switching filter DENY_WANNACRY term deny_wannacry fromdestination-port 135-139 ##
set firewall family ethernet-switchingfilter DENY_WANNACRY term deny_wannacry then discard
set firewall family ethernet-switchingfilter DENY_WANNACRY term default then accept
3、應(yīng)用group配置
set apply-groups IFS_DENY_WANNACRY
注意事項(xiàng):
1)、需要在firewall filter或者application對(duì)象定義里面加入protocol tcp(防火墻和路由設(shè)備)或者ip-protocol tcp(交換設(shè)備),才能更精確地匹配可能的惡意訪問(wèn)
2)、如果接口下已有filter配置,這個(gè)接口下的group配置不會(huì)生效,要在接口已有filter配置下修改
3)、filter最后一個(gè)term要放行其他所有流量,否則會(huì)影響業(yè)務(wù)
