博威---云架构决胜云计算

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 42312|回复: 33

DAI施工文件 - 防ARP/MAC等,安全构建网络中关键的第一步: 基础架构的安全

[复制链接]
发表于 2007-11-19 20:56:47 | 显示全部楼层 |阅读模式
DAI施工文件 - 防ARP/MAC等,安全构建网络中关键的第一步: 基础架构的安全




目录:
DHCP执行测试报告 1
1 拓扑图 1
2 使用DHCP SNOOPING 、DAI、IP SOURCE GUARD技术能解决的有关问题 2
3 实施文档 4
3560 5
2960 15
4 技术参考 21



DHCP执行测试报告
(实施文档和其他参考笔记,在本文档后面)



本报告为*****DHCP执行测试报告,目的在于测试利用思科DHCP Snooping,Dynamic ARP Inspection (DAI),IP Source Guard等技术组合运用于交换机上,从而实现防止在交换环境中实施“中间人”攻击、DHCP 攻击、地址欺骗等,更具意义的是通过上面技术的部署可以简化地址管理,直接跟踪用户 IP 和对应的交换机端口;防止 IP 地址冲突。同时对于大多数对二层网络造成很大危害的具有地址扫描、欺骗等特征的病毒可以有效的报警和隔离。
1 拓扑图
(具体施工的配置参见txt文件,本图不全)

20071115_7e6103a4b7a64eeee495TXdNdxFooyH8.jpg



中心3560--楼层2960



中心后面将会扩到6509的核心




2 使用DHCP Snooping 、DAI、IP Source Guard技术能解决的有关问题
1.利用DHCP Snooping防范DHCP攻击
1.1采用DHCP管理的常见问题:
  采用 DHCP server 可以自动为用户设置网络 IP 地址、掩码、网关、 DNS 、 WINS 等网络参数,简化了用户网络设置,提高了管理效率。但在 DHCP 管理使用上也存在着一些另网管人员比较问题,常见的有:
  • DHCP server 的冒充。
  • DHCP server 的 Dos 攻击。
  • 有些用户随便指定地址,造成网络地址冲突。
  由于 DHCP 的运作机制,通常服务器和客户端没有认证机制,如果网络上存在多台 DHCP 服务器将会给网络照成混乱。由于用户不小心配置了 DHCP 服务器引起的网络混乱非常常见,足可见故意人为破坏的简单性。通常黑客攻击是首先将正常的 DHCP 服务器所能分配的 IP 地址耗尽,然后冒充合法的 DHCP 服务器。最为隐蔽和危险的方法是黑客利用冒充的 DHCP 服务器,为用户分配一个经过修改的 DNS server ,在用户毫无察觉的情况下被引导在预先配置好的假金融网站或电子商务网站,骗取用户帐户和密码,这种攻击是非常恶劣的。
   1.2 DHCP Snooping技术概况
  DHCP Snooping技术是DHCP安全特性,通过建立和维护DHCP Snooping绑定表过滤不可信任的DHCP信息,这些信息是指来自不信任区域的DHCP信息。DHCP Snooping绑定表包含不信任区域的用户MAC地址、IP地址、租用期、VLAN-ID 接口等信息,如下表所示:
S3560#sh ip dhcp snooping binding
MacAddress       IpAddress    Lease(sec)  Type       VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:46:AC:70:B8 172.16.2.11   692092    dhcp-snooping  2     FastEthernet0/47
Total number of bindings: 1
这张表不仅解决了 DHCP用户的IP和端口跟踪定位问题,为用户管理提供方便,而且还供给动态ARP检测DAI)和IP Source Guard使用。



1.3 防范方法
定义交换机上的信任端口和不信任端口,对于不信任端口的 DHCP 报文进行截获和嗅探, DROP 掉来自这些端口的非正常 DHCP 报文。通过交换机的端口安全性设置每个 DHCP 请求指定端口上使用唯一的 MAC 地址,通常 DHCP 服务器通过 DHCP 请求的报文中的 CHADDR 段判断客户端 MAC 地址,通常这个地址和客户端的真实 IP 相同,但是如果攻击者不修改客户端的 MAC 而修改 DHCP 报文中 CHADDR ,实施 Dos 攻击, Port Security 就不起作用了, DHCP Snooping技术可以检查 DHCP 请求报文中的 CHADDR 字段,判断该字段是否和 DHCP 嗅探表相匹配,防止攻击者修改 DHCP 报文中 CHADDR。
2.利用Dynamic ARP Inspection (DAI)技术防范ARP欺骗/ MITM(Man-In-The-Middle)攻击
  1.1 MITM(Man-In-The-Middle) 攻击原理
  按照 ARP 协议的设计,为了减少网络上过多的 ARP 数据通信,一个主机,即使收到的 ARP 应答并非自己请求得到的,它也会将其插入到自己的 ARP 缓存表中,这样,就造成了“ ARP 欺骗”的可能。如果黑客想探听同一网络中两台主机之间的通信(即使是通过交换机相连),他会分别给这两台主机发送一个 ARP 应答包,让两台主机都“误”认为对方的 MAC 地址是第三方的黑客所在的主机,这样,双方看似“直接”的通信连接,实际上都是通过黑客所在的主机间接进行的。黑客一方面得到了想要的通信内容,另一方面,只需要更改数据包中的一些信息,成功地做好转发工作即可。在这种嗅探方式中,黑客所在主机是不需要设置网卡的混杂模式的,因为通信双方的数据包在物理上都是发送给黑客所在的中转主机的。
1.2防范方法
  思科 Dynamic ARP Inspection (DAI)在交换机上提供IP地址和MAC地址的绑定, 并动态建立绑定关系。DAI 以 DHCP Snooping绑定表为基础,对于没有使用DHCP的服务器个别机器可以采用静态添加ARP access-list实现。DAI配置针对VLAN,对于同一VLAN内的接口可以开启DAI也可以关闭。通过DAI可以控制某个端口的ARP请求报文数量。通过这些技术可以防范“中间人”攻击。
1.3配置DAI后的效果:
• 在配置 DAI技术的接口上,用户端不能采用指定地址地址将接入网络。
• 由于 DAI检查 DHCP snooping绑定表中的IP和MAC对应关系,无法实施中间人攻击,攻击工具失效。
• 由于对 ARP请求报文做了速度限制,客户端无法进行认为或者病毒进行的IP扫描、探测等行为,如果发生这些行为,交换机马上报警或直接切断扫描机器。
• 用户获取 IP地址后,用户不能修改IP或MAC,如果用户同时修改IP和MAC必须是网络内部合法的IP和MAC才可,对于这种修改可以使用下面讲到的 IP Source Guard技术来防范。



3.利用IP Source Guard技术防范IP/MAC欺骗
   IP Source Guard 技术配置在交换机上仅支持在 2 层端口上的配置,通过下面机制可以防范 IP/MAC 欺骗:
• IP Source Guard 使用 DHCP sooping 绑定表信息。
• 配置在交换机端口上,并对该端口生效。
• 运作机制类似 DAI,但是 IP Source Guard不仅仅检查ARP报文,所有经过定义IP Source Guard检查的端口的报文都要检测。
• IP Source Guard检查 接口 所通过的流量的IP地址和MAC地址是否在DHCP sooping绑定表,如果不在绑定表中则阻塞这些流量。注意如果需要检查MAC需要DHCP服务器支持Option 82,同时使路由器支持Option 82信息。
通过在交换机上配置 IP Source Guard:
• 可以过滤掉非法的 IP地址,包含用户故意修改的和病毒、攻击等造成的。
• 解决 IP地址冲突问题。
• 提供了动态的建立 IP+MAC+PORT的对应表和绑定关系,对于不使用DHCP的服务器和一些特殊情况机器可以采用利用全局命令静态手工添加对应关系到绑定表中。
• 配置 IP Source Guard的接口初始阻塞所有非DHCP流量。
     综上所述通过配置思科交换机的上述特征,不仅解决了一些典型攻击和病毒的防范问题,也为传统 IP地址管理提供了新的思路。
通过上面的几项技术解决了传统的利用DHCP服务器管理客户端IP地址的问题:
• 故意不使用手工指定静态 IP地址和DHCP分配地址冲突
• 配置 DHCP server
• 使用静态指定 IP遇到的问题
• 不使用分配的 IP地址和服务器或其他地址冲突
• 不容易定位 IP地址和具体交换机端口对应表
使用静态地址的重要服务器和计算机,可以进行静态绑定 IP+MAC、IP+MAC+PORT,手工配置DAI和 IP Source Guard绑定表项, 来保护这些设备,同时也防止来自这些设备的攻击。
3 实施文档
2960  g0/1  trunk 到 3560



执行DHCP的用户ACCESS VLAN 29,这些接口,用户不可以改为静态IP,否则无法进入网络
DHCP server端口为trust,其他DHCP server无法接入网络



2960 access接口配置port-security和ip dhcp snooping ; trunk接口配置为ip dhcp snooping trust



3560 配置ip dhcp snooping ,配置DAI,access接口的配置同2960 ; trunk接口配置DAI



接DHCP服务器的交换机配置 DAI / IP DHCP SNOOPING ,接dhcp服务器的接口配置为ip dhcp snooping trust
3560




Building configuration...



Current configuration : 12073 bytes
!
! Last configuration change at 23:47:22 bj Fri Jul 27 2007
! NVRAM config last updated at 23:47:46 bj Fri Jul 27 2007
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname DFXY-29F-A-S3560-1
!
enable secret 5 <removed>
!
no aaa new-model
clock timezone bj 8
ip subnet-zero
ip routing
!
ip dhcp snooping vlan 29
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 29
ip arp inspection validate src-mac ip
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery interval 120
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree uplinkfast
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 244
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/5
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/6
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/7
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/8
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/9
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/10
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/11
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/12
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/13
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/14
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/15
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/16
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/17
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/19
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/20
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/21
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/22
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/23
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/24
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/25
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/26
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/27
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/28
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/29
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/30
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/31
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/32
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/33
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/34
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/35
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/36
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/37
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/38
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/39
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/40
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/41
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/42
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/43
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/44
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/45
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/46
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/47
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/48
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/49
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/50
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
!
interface GigabitEthernet0/51
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/52
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
!
interface Vlan1
ip address 10.192.1.249 255.255.255.0
!
interface Vlan29
ip address 192.168.29.254 255.255.255.0
ip helper-address 191.0.1.28
!
interface Vlan200
ip address 172.16.200.2 255.255.255.252
!
interface Vlan201
ip address 172.16.201.254 255.255.255.0
!
interface Vlan202
ip address 172.16.202.254 255.255.255.0
!
interface Vlan203
ip address 172.16.203.254 255.255.255.0
!
interface Vlan244
ip address dhcp
!
interface Vlan254
ip address 172.16.254.29 255.255.255.0
!
ip default-gateway 172.16.254.3
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.254.3
ip http server
!
logging history notifications
logging trap warnings
logging source-interface Vlan254
logging 191.0.200.155
snmp-server community <removed> RO
snmp-server enable traps tty
snmp-server host 191.0.200.155 <removed>  tty
!
control-plane
!
!
line con 0
line vty 0 4
password <removed>
login
line vty 5 15
no login
!
ntp clock-period 36028809
ntp server 172.16.48.34
end
2960




Building configuration...



Current configuration : 6381 bytes
!
! Last configuration change at 22:57:00 bj Fri Jul 27 2007
! NVRAM config last updated at 22:57:11 bj Fri Jul 27 2007
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname DFXY-29F-A-S2960-1
!
enable secret 5 <removed>
enable password <removed>
!
no aaa new-model
clock timezone bj 8
ip subnet-zero
!
ip dhcp snooping vlan 29
ip dhcp snooping
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause loopback
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree uplinkfast
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/3
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/4
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/5
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/6
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/7
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/8
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/9
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/10
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/11
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/12
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/13
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/14
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/15
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/16
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/17
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/18
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/19
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/20
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/21
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/22
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/23
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/24
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
spanning-tree link-type point-to-point
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport mode trunk
spanning-tree link-type point-to-point
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan254
ip address 172.16.254.51 255.255.255.0
no ip route-cache
!
ip default-gateway 172.16.254.3
ip http server
logging history notifications
logging trap warnings
logging source-interface Vlan254
logging 191.0.200.155
snmp-server community <removed> RO
snmp-server enable traps tty
snmp-server host 191.0.200.155 <removed>  tty
!
control-plane
!
!
line con 0
line vty 0 4
password <removed>
login
line vty 5 15
no login
!
ntp clock-period 36028877
ntp server 172.16.254.2
ntp server 172.16.254.1
end
4 技术参考
========型号和Feature分析==========



1、2950以上型号交换机,配置port-security,限制端口的MAC数量(静态access/trunk接口)



2、2960以上型号交换机配置DHCP Snooping,一定要将将数据库保存在flash里面,数据库里保存MAC--IP--VLAN--Interface的一一对应表;port-security已经限制了MAC数量,也就更精细的规范了这个数据库



3、3550以上型号交换机配置DHCP Snooping和DAI,DAI以DHCP Snooping所建立的数据库为基础,动态建立绑定关系,在接口上,可以通过DAI控制ARP报文数量



4、2960以上型号交换机,对于使用静态地址的设备比如打印机/服务器,可以使用ARP访问控制列表,旁路检查



5、3560以上型号交换机,配置IP Source Guard(依赖于Snooping),支持access/trunk接口;2960以上交换机支持ip source 手动绑定



==================================
Dynamic ARP Inspection



Dynamic ARP Inspection is used to verify the sanity of IP to MAC address mappings specified in the ARP packets sent by connected hosts or nei***oring switches. This prevents man in the middle attacks that can be carried out by poisoning ARP caches with the help of ARP packets containing invalid IP to MAC address mappings.



3550以上???
Dynamic ARP Inspection (DAI)在交换机上提供IP地址和MAC地址的绑定, 并动态建立绑定关系。DAI 以 DHCP Snooping绑定表为基础,对于没有使用DHCP的服务器个别机器可以采用静态添加ARP access-list实现。DAI配置针对VLAN,对于同一VLAN内的接口可以开启DAI也可以关闭。通过DAI可以控制某个端口的ARP请求报文数量。通过这些技术可以防范“中间人”攻击。







MAC地址欺骗ort Security  Cat2940以上;port-security只能配置与静态的ACCESS/TRUNK接口,动态access接口不支持
DAI也是配合







DHCP Server冒充:2950以上
DHCP Snooping绑定表包含不信任区域的用户MAC地址、IP地址、租用期、VLAN-ID 接口等信息,







IP/MAC欺骗的防范:IP Source Guard   Cat65????
如果需要检查MAC需要DHCP服务器支持Option 82,同时使路由器支持Option 82信息




MARS的要求:2960/12.2 版本以上




对于 DHCP server 的 Dos 攻击可以利用前面将的 Port Security 和后面提到的 DAI 技术,
对于有些用户随便指定地址,造成网络地址冲突也可以利用后面提到的 DAI 和 IP Source Guard 技术




DHCP Snooping防范:
DFXY-22F-A-S3560-1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0
这张表不仅解决了 DHCP用户的IP和端口跟踪定位问题,为用户管理提供方便,而且还供给动态ARP检测DAI和IP Source Guard使用。



  基本配置示例如下表:
  IOS 全局命令:
  ip dhcp snooping vlan 100,200 /* 定义哪些 VLAN 启用 DHCP 嗅探
  ip dhcp snooping
  接口命令
  ip dhcp snooping trust
  no ip dhcp snooping trust (Default)
  ip dhcp snooping limit rate 10 (pps) /* 一定程度上防止 DHCP 拒绝服 /* 务攻击
  手工添加 DHCP 绑定表
  ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi1/1 expiry 1000
  导出 DHCP 绑定表到 TFTP 服务器
  ip dhcp snooping database tftp:// 10.1.1 .1/directory/file




思科 Dynamic ARP Inspection (DAI)  3550以上支持
DAI在交换机上提供IP地址和MAC地址的绑定, 并动态建立绑定关系。DAI 以 DHCP Snooping绑定表为基础,对于没有使用DHCP的服务器个别机器可以采用静态添加ARP access-list实现。DAI配置针对VLAN,对于同一VLAN内的接口可以开启DAI也可以关闭。通过DAI可以控制某个端口的ARP请求报文数量。通过这些技术可以防范“中间人”攻击。
所有跟普通HOST相连的接口,都为untrust
  3.3配置示例
  IOS 全局命令:
  ip dhcp snooping vlan 100,200
  no ip dhcp snooping information option
  ip dhcp snooping
  ip arp inspection vlan 100,200 /* 定义对哪些 VLAN 进行 ARP 报文检测
  ip arp inspection log-buffer entries 1024
  ip arp inspection log-buffer logs 1024 interval 10
  
    IOS 接口命令:
  ip dhcp snooping trust
  ip arp inspection trust /* 定义哪些接口是信任接口,通常是网络设备接口, TRUNK 接口等,信任接口,不做ARP检查
  ip arp inspection limit rate 15 (pps) /* 定义接口每秒 ARP 报文数量
    ip arp inspection validate {[src-mac] [dst-mac] [ip]}对于不合法的ARP报文,可以定义drop



  对于没有使用 DHCP 设备可以采用下面办法:
  arp access-list static-arp
对于没有使用 DHCP 设备可以采用下面办法:
  arp access-list static-arp
  permit ip host 10.66.227.5 mac host 0009.6b88.d387
  ip arp inspection filter static-arp vlan 201



配置DAI后的效果:
  a) 在配置 DAI技术的接口上,用户端不能采用指定地址地址将接入网络。
  b) 由于 DAI检查 DHCP snooping绑定表中的IP和MAC对应关系,无法实施中间人攻击,攻击工具失效。下表为实施中间人攻击是交换机的警告:
  3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2
  由于对 ARP请求报文做了速度限制,客户端无法进行认为或者病毒进行的IP扫描、探测等行为,如果发生这些行为,交换机马上报警或直接切断扫描机器。如下表所示:
  3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30. ******报警
  3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/ 30 in err-disable state ******切断端口
   用户获取 IP地址后,用户不能修改IP或MAC,如果用户同时修改IP和MAC必须是网络内部合法的IP和MAC才可,对于这种修改可以使用下面讲到的 IP Source Guard技术来防范。下表为手动指定IP的报警:
  3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000 ])








IP Source Guard
依赖于DHCP Snooping绑定表数据库,一般在untrust接口配置,只有表里有的对应于这个接口的源ip数据报才可以上来
支持access和trunk接口,只有源ip/MAC对应关系在这个snooping数据库里,数据报才可以上传,其他非DHCP数据报被丢掉
如果接口配置ip source guard,但是没有配置snooping动态绑定或手动绑定,则这个接口drop所有数据报



IP Source Guard 技术配置在交换机上仅支持在 2 层端口上的配置,通过下面机制可以防范 IP/MAC 欺骗:
  IP Source Guard 使用 DHCP sooping 绑定表信息。
    配置在交换机端口上,并对该端口生效。



  ? 运作机制类似 DAI,但是 IP Source Guard不仅仅检查ARP报文,所有经过定义IP Source Guard检查的端口的报文都要检测。



  ? IP Source Guard检查 接口 所通过的流量的IP地址和MAC地址是否在DHCP sooping绑定表,如果不在绑定表中则阻塞这些流量。注意如果需要检查MAC需要DHCP服务器支持Option 82,同时使路由器支持Option 82信息。



通过在交换机上配置 IP Source Guard:



  ? 可以过滤掉非法的 IP地址,包含用户故意修改的和病毒、攻击等造成的。
  ? 解决 IP地址冲突问题。
  ? 提供了动态的建立 IP+MAC+PORT的对应表和绑定关系,对于不使用DHCP的服务器和一些特殊情况机器可以采用利用全局命令静态手工添加对应关系到绑定表中。
  ? 配置 IP Source Guard的接口初始阻塞所有非DHCP流量。
  ? 不能防止“中间人攻击”。



  对于 IP欺骗在路由器上也可以使用urpf技术。



检测接口上的 IP+MAC
  IOS 全局配置命令:
  ip dhcp snooping vlan 12,200
  ip dhcp snooping information option
  ip dhcp snooping



  接口配置命令:
  ip verify source vlan dhcp-snooping port-security  交换机3560以上支持,access或trunk接口
  switchport mode access
  switchport port-security   ?????????????
  switchport port-security limit rate invalid-source-mac N
  /* 控制端口上所能学习源 MAC 的速率,仅当 IP+MAC 同时检测时有意义。



  检测接口上的 IP
  IOS 全局配置命令
  ip dhcp snooping vlan 12,200
  no ip dhcp snooping information option
  ip dhcp snooping



  接口配置命令:
  ip verify source vlan dhcp-snooping



  不使用 DHCP 的静态配置
  IOS 全局配置命令:
  ip dhcp snooping vlan 12,200
  ip dhcp snooping information option
  ip dhcp snooping
  ip source binding 0009.6b88.d387 vlan 212 10.66.227.5 interface Gi4/5 交换机2960以上支持






[/nobr]

DHCP执行-简要-共享版.pdf

423.28 KB, 下载次数: 24

各交换机端口配置.pdf

72.81 KB, 下载次数: 21

 楼主| 发表于 2007-11-19 20:57:53 | 显示全部楼层
在建设基础架构的安全后,

可以推荐用户走如下的安全路线:

外洗:自己实现或购买ISP的抗DDoS服务

内控:CCA+CSA

中隔离:安全域的划分
 楼主| 发表于 2007-11-19 21:31:12 | 显示全部楼层

DAI施工文件.rar

14.05 KB, 下载次数: 4

 楼主| 发表于 2007-11-20 15:11:24 | 显示全部楼层
精确掌握
 楼主| 发表于 2007-12-19 06:21:09 | 显示全部楼层
要研究一下华为交换机有无这样功能。
 楼主| 发表于 2007-12-19 11:01:06 | 显示全部楼层
DHCP SNOOPING/DAI/IP SOURCE检查 部署的思考


为了减少静态IP的麻烦,用到DHCP给客户机自动分配IP,但如果存在非法的DHCP服务器会出现冲突,使用DHCP SNOOPING技术可以确何DHCP的合法性。
使用的方法是采用DHCP方式为用户分配IP,然后限定这些用户只能使用动态IP的方式,如果改成静态IP的方式则不能连接上网络;也就是使用了DHCP SNOOPING功能。
例子:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero


no ip domain-lookup
!
ip dhcp snooping vlan 180-181 // 对哪些VLAN 进行限制
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip


errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!

interface GigabitEthernet2/1 // 对该端口接入的用户进行限制,可以下联交换机
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!


interface GigabitEthernet2/2
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
--More--

编者注:对不需要明确地址的所有人的时候是一个很好的解决办法。另外,可以查看www.cisco.com
IP Source Guard
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming neighbor host's IP address.
 楼主| 发表于 2007-12-19 11:01:36 | 显示全部楼层
DHCP Snooping (防止DHCP服务器欺骗攻击)


DHCP Snooping (防止DHCP服务器欺骗攻击)
实现方法:
IOS全局命令:
ip dhcp snooping vlan 100,200 /*定义哪些VLAN启用DHCP嗅探
ip dhcp snooping
接口命令:
ip dhcp snooping trust
no ip dhcp snooping trust (Default)
ip dhcp snooping limit rate 10 (pps) /*一定程度上防止DHCP拒绝服务攻击*/


Dynamic ARP Inspection (DAI) (防止ARP欺骗地址冲突)
实现方法:
该方法只适合内部核心交换机采用cisco三层交换机:
采用静态分配Ip地址的网络做 Ip+mac绑定的配置如下:

ip dhcp snooping vlan 10,20
ip dhcp snooping
ip arp inspection vlan 10,20
ip arp inspection vlan 10,20 logging dhcp-bindings all
ip arp inspection validate src-mac dst-mac ip
ip arp inspection filter PERMIT_HOST vlan 10,20
!
arp access-list PERMIT_HOST
permit ip host 192.168.10.10 mac host 0015.c57b.faac
permit ip host 192.168.10.11 mac host 0015.c57b.abcd


采用dhcp pool的配置只需要增加
ip dhcp snooping database flash:dhcp_snooping_data

注:以上IP 和 MAC绑定的方法比以前使用 arp 0000.1111.1111 192.168.1.1 需要全部把 255个ip全部绑定要简单的多

这些是我们公司用的方案,你参考一下。
 楼主| 发表于 2007-12-19 11:01:53 | 显示全部楼层
dhcp snooping + dai测试问题

配置DHCP SNOOPING
C6509上配置:
enable
ip dhcp snooping vlan 100,200  /*定义哪些VLAN启用DHCP嗅探
no ip dhcp snooping information option
ip dhcp snooping
conf t
int gi8/3
ip dhcp snooping trust
ip dhcp snooping limit rate 10 (pps) /*后来发现加了这一条并发用户一多会造成一部分人上不了网,获取不到IP地址,最后去掉,默认是unlimit*/
int gi8/1
ip dhcp snooping trust

c2960上配置:
int gi0/1
ip dhcp snooping trust

目前网络运行正常。


配置DHCP SNOOPING+DAI
    由于C2960不支持DAI,但想将DAI移至C6509上面,做测试,配置如下:
C6509上配置:
enable
ip dhcp snooping vlan 100,200  
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200 /*定义对哪些VLAN进行ARP报文检测*/
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
conf t
int gi8/3
ip dhcp snooping trust
ip arp inspection trust
ip arp inspection limit rate 15 (pps) /*定义接口每秒ARP报文数量:此为默认值*/
int gi8/1
ip dhcp snooping trust

c2960上配置:
int gi0/1
ip dhcp snooping trust
测试结果:
在2960上接测试PC,获取IP地址,然后手动改IP地址,发现手动改的IP地址上不了网,DAI测试结果达到,以为大功告成,没想到第二天用户一上班,此时并发用户一多,出现大面积上不了网,获取不到IP地址。Show ip arp inspection发现有很多的DROP包。
如果在C6509上接C2960的GI8/1口上加以下配置:
ip arp inspection trust
测试发现show ip arp inspection就没有drop包了,基乎都是forwarded,但加上去了后,测试PC手动改IP还是可以上网,达不到DAI的效果*/

现情况:向CISCO开CASE,得到答复是C2960不支持DAI,无法做到效果。但为什么在并发用户数少的情况下(大约十来个),DAI还是起作用了呢。纳闷,现咨询一下大家,有没有办法在现在的网络环境中实现DAI的效果。每个端口做ACL客户已否定这种做法。
因几次测试给客户造成了一些影响,客户要求有把握时再安排测试。


图片附件: [结构图] 结构图.jpg (2007-2-6 12:06 PM, 12.21 K)
 楼主| 发表于 2007-12-19 11:02:09 | 显示全部楼层
静态配置VLAN/端口/MAC/IP地址绑定的功能


虽然这个功能是DAI的一个子集,文档上面写着必须要用DHCP SNOOPING,但我觉得可以不需要DHCP 服务器,可以单独使用,因此,在某些特定的小规模的场合还是有用的,共享一下

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 180
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 180 10.35.180.2 interface gigabitethernet0/2
Switch(config)# ip source binding 0100.0558.493e vlan 180 10.35.180.3 interface gigbitethernet0/3
Switch(config)# end
 楼主| 发表于 2007-12-22 07:02:18 | 显示全部楼层
您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|boway Inc. ( 冀ICP备10011147号 )

GMT+8, 2024-11-1 08:04 , Processed in 0.108685 second(s), 19 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表