一、Juniper防火墙设备:
- 采用防火墙策略,阻止protocol为tcp的目的端口的445(135/137/138/139的类似)的访问;
- 更新IDP的入侵防御特征库并部署特征匹配;
- 采用Sky ATP的防御机制;
- 结合软件定义的安全网络解决方案(SDSN)实施整体防护。
Juniper路由设备:
1、定义filter,阻止protocol tcp的445端口(135/137/138/139的类似,在discard的term里面加入即可)
set firewall family inet filterDENY_WANNACRY term deny_wannacry from destination-port 445
set firewall family inetfilter DENY_WANNACRY term deny_wannacry from protocol tcp
##set firewall family inet filterDENY_WANNACRY term deny_wannacry from destination-port 135-139 ##
set firewall family inet filterDENY_WANNACRY term deny_wannacry then discard
set firewall family inet filterDENY_WANNACRY term default then accept
2、在forwarding-options下应用
set forwarding-options family inet filter input DENY_WANNACRY
Juniper交换设备:
采用group方式在接口上批量应用filter(有大量业务接口时使用这种方法可节省工作量)
1、定义groupIFS_DENY_WANNACRY:所有ge接口的所有子接口入方向应用filter DENY_WANNACRY
set groups IFS_DENY_WANNACRY interfaces<ge-*> unit <*> family ethernet-switching filter inputDENY_WANNACRY
(注:有使用到其他接口类型,使用上述配置方法增加)
2、定义filterDENY_WANNACRY, 阻止ip-protocol tcp的445端口(135/137/138/139的类似)
set firewall family ethernet-switchingfilter DENY_WANNACRY term deny_wannacry from destination-port 445
set firewall familyethernet-switching filter DENY_WANNACRY term deny_wannacry from ip-protocol tcp
##setfirewall family ethernet-switching filter DENY_WANNACRY term deny_wannacry fromdestination-port 135-139 ##
set firewall family ethernet-switchingfilter DENY_WANNACRY term deny_wannacry then discard
set firewall family ethernet-switchingfilter DENY_WANNACRY term default then accept
3、应用group配置
set apply-groups IFS_DENY_WANNACRY
注意事项:
1)、需要在firewall filter或者application对象定义里面加入protocol tcp(防火墙和路由设备)或者ip-protocol tcp(交换设备),才能更精确地匹配可能的恶意访问
2)、如果接口下已有filter配置,这个接口下的group配置不会生效,要在接口已有filter配置下修改
3)、filter最后一个term要放行其他所有流量,否则会影响业务
