I. Juniper firewall devices:
- Use a firewall security policy to block access to TCP destination port 445 (and likewise 135/137/138/139);
- Update the IDP attack signature database and deploy signature matching;
- Use the Sky ATP defence mechanism;
- Combine with the Software-Defined Secure Network (SDSN) solution for overall protection.
II. Juniper routers:
1. Define a filter that discards TCP traffic to destination port 445 (to cover 135/137/138/139 as well, add them to the same discard term)
set firewall family inet filter DENY_WANNACRY term deny_wannacry from destination-port 445
set firewall family inet filter DENY_WANNACRY term deny_wannacry from protocol tcp
## set firewall family inet filter DENY_WANNACRY term deny_wannacry from destination-port 135-139 ##
set firewall family inet filter DENY_WANNACRY term deny_wannacry then discard
set firewall family inet filter DENY_WANNACRY term default then accept
2. Apply it under forwarding-options
set forwarding-options family inet filter input DENY_WANNACRY
(This attaches the filter to all IPv4 traffic that passes through the forwarding table, so legitimate SMB between internal hosts is blocked as well. If that is not acceptable, apply the filter inbound on the WAN-facing interface instead.)
III. Juniper switches:
Use a group to apply the filter to interfaces in bulk (this saves work when there are many access interfaces)
1. Define group IFS_DENY_WANNACRY: apply filter DENY_WANNACRY inbound on every unit of every ge interface
set groups IFS_DENY_WANNACRY interfaces <ge-*> unit <*> family ethernet-switching filter input DENY_WANNACRY
(Note: if other interface types are in use, add them to the group with the same configuration.)
2. Define filter DENY_WANNACRY, blocking ip-protocol tcp to destination port 445 (and likewise 135/137/138/139)
set firewall family ethernet-switching filter DENY_WANNACRY term deny_wannacry from destination-port 445
set firewall family ethernet-switching filter DENY_WANNACRY term deny_wannacry from ip-protocol tcp
## set firewall family ethernet-switching filter DENY_WANNACRY term deny_wannacry from destination-port 135-139 ##
set firewall family ethernet-switching filter DENY_WANNACRY term deny_wannacry then discard
set firewall family ethernet-switching filter DENY_WANNACRY term default then accept
3. Apply the group
set apply-groups IFS_DENY_WANNACRY
Notes:
1) The firewall filter (or, on firewalls, the application object) must match protocol tcp (firewalls and routers) or ip-protocol tcp (switches) in addition to the port, so that only the TCP connections WannaCry uses are matched and non-TCP traffic on the same port numbers is not dropped. Note that the protocol keyword differs between the inet and ethernet-switching families; using the wrong one is rejected at commit.
2) If an interface already has its own filter configured, the group configuration does not take effect on that interface (explicit interface configuration overrides group configuration); modify that interface's existing filter instead.
3) The last term of the filter must accept all other traffic. A Junos firewall filter ends in an implicit discard, so without the final accept term every packet the filter does not match is dropped and production traffic breaks. Committing with `commit confirmed` rolls the change back automatically if it cuts off management access.
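The following is an added example, not code from the advisory or from Juniper. It generates the set commands above for both filter families (choosing `protocol` or `ip-protocol` for the family, and adding a `then count` action so hits can be checked), then audits a command list against notes 1 and 3 and scans an existing configuration for interfaces whose own `filter input` would shadow the group (note 2). The counter name `DENY_WANNACRY_hits`, the function names, and the sample switch configuration are this example's own assumptions.

```python
import re

# WannaCry-related TCP destination ports (SMB 445 plus NetBIOS/RPC 135-139).
SMB_PORTS = ("135", "137-139", "445")

# Junos spells the protocol match differently per filter family:
# 'protocol' under family inet (routers/firewalls), 'ip-protocol' under
# family ethernet-switching (switches). Using the wrong one fails at commit.
PROTO_KEYWORD = {"inet": "protocol", "ethernet-switching": "ip-protocol"}


def filter_commands(family, name="DENY_WANNACRY", ports=SMB_PORTS):
    """Return the Junos set commands defining the blocking filter for one family.

    A 'count' action (counter name is this example's choice) is added to the
    discard term so hits can be read with 'show firewall filter <name>'.
    """
    if family not in PROTO_KEYWORD:
        raise ValueError(f"unsupported filter family: {family}")
    prefix = f"set firewall family {family} filter {name}"
    term = f"{prefix} term deny_wannacry"
    cmds = [f"{term} from {PROTO_KEYWORD[family]} tcp"]
    cmds += [f"{term} from destination-port {p}" for p in ports]
    cmds.append(f"{term} then count {name}_hits")
    cmds.append(f"{term} then discard")
    # Explicit catch-all: a Junos filter otherwise ends in an implicit discard.
    cmds.append(f"{prefix} term default then accept")
    return cmds


def apply_commands(family, name="DENY_WANNACRY"):
    """Return the commands that attach the filter, the way the advisory does it."""
    if family == "inet":
        return [f"set forwarding-options family inet filter input {name}"]
    group = f"IFS_{name}"
    return [
        f"set groups {group} interfaces <ge-*> unit <*> "
        f"family ethernet-switching filter input {name}",
        f"set apply-groups {group}",
    ]


_TERM_RE = re.compile(r"set firewall family \S+ filter \S+ term (\S+) (from|then) (.+)")


def check_filter(cmds):
    """Audit filter set commands against notes 1 and 3; return findings (empty = OK)."""
    terms = {}  # term name -> {"from": [...], "then": [...]}, in configuration order
    for cmd in cmds:
        m = _TERM_RE.match(cmd.strip())
        if m:
            name, kind, rest = m.groups()
            terms.setdefault(name, {"from": [], "then": []})[kind].append(rest)
    findings = []
    for name, parts in terms.items():
        if "discard" in parts["then"]:
            if not any(f in ("protocol tcp", "ip-protocol tcp") for f in parts["from"]):
                findings.append(f"term {name}: discards without matching tcp (note 1)")
            if not any(f.startswith("destination-port ") for f in parts["from"]):
                findings.append(f"term {name}: discards without a destination-port match")
    if terms:
        last, parts = list(terms.items())[-1]
        if "accept" not in parts["then"]:
            findings.append(f"last term {last} does not accept remaining traffic (note 3)")
    return findings


_IFACE_FILTER_RE = re.compile(
    r"set interfaces (\S+) unit (\S+) family ethernet-switching filter input (\S+)")


def shadowed_interfaces(config_lines, name="DENY_WANNACRY"):
    """Interfaces whose own 'filter input' would override the group's filter (note 2).

    Returns (interface.unit, existing filter name) pairs.
    """
    hits = []
    for line in config_lines:
        m = _IFACE_FILTER_RE.match(line.strip())
        if m and m.group(3) != name:
            hits.append((f"{m.group(1)}.{m.group(2)}", m.group(3)))
    return hits


# Constructed sample of an existing switch configuration (not from a real device).
SAMPLE_SWITCH_CONFIG = [
    "set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input OLD_ACL",
    "set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members default",
    "set interfaces ge-0/0/3 unit 0 family ethernet-switching filter input DENY_WANNACRY",
]

if __name__ == "__main__":
    for family in ("inet", "ethernet-switching"):
        cmds = filter_commands(family) + apply_commands(family)
        print("\n".join(cmds))
        print("# findings:", check_filter(cmds) or "none")
    print("# interfaces shadowing the group:", shadowed_interfaces(SAMPLE_SWITCH_CONFIG))
```

Paste the generated commands into configuration mode and commit; afterwards `show firewall filter DENY_WANNACRY` displays the counter, and a rising count confirms the filter is matching traffic. Any interface reported by `shadowed_interfaces` needs the filter added to its existing configuration by hand, as note 2 describes.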