|
DAI施工文件 - 防ARP/MAC等,安全构建网络中关键的第一步: 基础架构的安全
目录:
DHCP执行测试报告 1
1 拓扑图 1
2 使用DHCP SNOOPING 、DAI、IP SOURCE GUARD技术能解决的有关问题 2
3 实施文档 4
3560 5
2960 15
4 技术参考 21
DHCP执行测试报告
(实施文档和其他参考笔记,在本文档后面)
本报告为*****DHCP执行测试报告,目的在于测试利用思科DHCP Snooping,Dynamic ARP Inspection (DAI),IP Source Guard等技术组合运用于交换机上,从而实现防止在交换环境中实施“中间人”攻击、DHCP 攻击、地址欺骗等,更具意义的是通过上面技术的部署可以简化地址管理,直接跟踪用户 IP 和对应的交换机端口;防止 IP 地址冲突。同时对于大多数对二层网络造成很大危害的具有地址扫描、欺骗等特征的病毒可以有效的报警和隔离。
1 拓扑图
(具体施工的配置参见txt文件,本图不全)
中心3560--楼层2960
中心后面将会扩到6509的核心
2 使用DHCP Snooping 、DAI、IP Source Guard技术能解决的有关问题
1.利用DHCP Snooping防范DHCP攻击
1.1采用DHCP管理的常见问题:
采用 DHCP server 可以自动为用户设置网络 IP 地址、掩码、网关、 DNS 、 WINS 等网络参数,简化了用户网络设置,提高了管理效率。但在 DHCP 管理使用上也存在着一些另网管人员比较问题,常见的有:
• DHCP server 的冒充。
• DHCP server 的 Dos 攻击。
• 有些用户随便指定地址,造成网络地址冲突。
由于 DHCP 的运作机制,通常服务器和客户端没有认证机制,如果网络上存在多台 DHCP 服务器将会给网络照成混乱。由于用户不小心配置了 DHCP 服务器引起的网络混乱非常常见,足可见故意人为破坏的简单性。通常黑客攻击是首先将正常的 DHCP 服务器所能分配的 IP 地址耗尽,然后冒充合法的 DHCP 服务器。最为隐蔽和危险的方法是黑客利用冒充的 DHCP 服务器,为用户分配一个经过修改的 DNS server ,在用户毫无察觉的情况下被引导在预先配置好的假金融网站或电子商务网站,骗取用户帐户和密码,这种攻击是非常恶劣的。
1.2 DHCP Snooping技术概况
DHCP Snooping技术是DHCP安全特性,通过建立和维护DHCP Snooping绑定表过滤不可信任的DHCP信息,这些信息是指来自不信任区域的DHCP信息。DHCP Snooping绑定表包含不信任区域的用户MAC地址、IP地址、租用期、VLAN-ID 接口等信息,如下表所示:
S3560#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
08:00:46:AC:70:B8 172.16.2.11 692092 dhcp-snooping 2 FastEthernet0/47
Total number of bindings: 1
这张表不仅解决了 DHCP用户的IP和端口跟踪定位问题,为用户管理提供方便,而且还供给动态ARP检测DAI)和IP Source Guard使用。
1.3 防范方法
定义交换机上的信任端口和不信任端口,对于不信任端口的 DHCP 报文进行截获和嗅探, DROP 掉来自这些端口的非正常 DHCP 报文。通过交换机的端口安全性设置每个 DHCP 请求指定端口上使用唯一的 MAC 地址,通常 DHCP 服务器通过 DHCP 请求的报文中的 CHADDR 段判断客户端 MAC 地址,通常这个地址和客户端的真实 IP 相同,但是如果攻击者不修改客户端的 MAC 而修改 DHCP 报文中 CHADDR ,实施 Dos 攻击, Port Security 就不起作用了, DHCP Snooping技术可以检查 DHCP 请求报文中的 CHADDR 字段,判断该字段是否和 DHCP 嗅探表相匹配,防止攻击者修改 DHCP 报文中 CHADDR。
2.利用Dynamic ARP Inspection (DAI)技术防范ARP欺骗/ MITM(Man-In-The-Middle)攻击
1.1 MITM(Man-In-The-Middle) 攻击原理
按照 ARP 协议的设计,为了减少网络上过多的 ARP 数据通信,一个主机,即使收到的 ARP 应答并非自己请求得到的,它也会将其插入到自己的 ARP 缓存表中,这样,就造成了“ ARP 欺骗”的可能。如果黑客想探听同一网络中两台主机之间的通信(即使是通过交换机相连),他会分别给这两台主机发送一个 ARP 应答包,让两台主机都“误”认为对方的 MAC 地址是第三方的黑客所在的主机,这样,双方看似“直接”的通信连接,实际上都是通过黑客所在的主机间接进行的。黑客一方面得到了想要的通信内容,另一方面,只需要更改数据包中的一些信息,成功地做好转发工作即可。在这种嗅探方式中,黑客所在主机是不需要设置网卡的混杂模式的,因为通信双方的数据包在物理上都是发送给黑客所在的中转主机的。
1.2防范方法
思科 Dynamic ARP Inspection (DAI)在交换机上提供IP地址和MAC地址的绑定, 并动态建立绑定关系。DAI 以 DHCP Snooping绑定表为基础,对于没有使用DHCP的服务器个别机器可以采用静态添加ARP access-list实现。DAI配置针对VLAN,对于同一VLAN内的接口可以开启DAI也可以关闭。通过DAI可以控制某个端口的ARP请求报文数量。通过这些技术可以防范“中间人”攻击。
1.3配置DAI后的效果:
• 在配置 DAI技术的接口上,用户端不能采用指定地址地址将接入网络。
• 由于 DAI检查 DHCP snooping绑定表中的IP和MAC对应关系,无法实施中间人攻击,攻击工具失效。
• 由于对 ARP请求报文做了速度限制,客户端无法进行认为或者病毒进行的IP扫描、探测等行为,如果发生这些行为,交换机马上报警或直接切断扫描机器。
• 用户获取 IP地址后,用户不能修改IP或MAC,如果用户同时修改IP和MAC必须是网络内部合法的IP和MAC才可,对于这种修改可以使用下面讲到的 IP Source Guard技术来防范。
3.利用IP Source Guard技术防范IP/MAC欺骗
IP Source Guard 技术配置在交换机上仅支持在 2 层端口上的配置,通过下面机制可以防范 IP/MAC 欺骗:
• IP Source Guard 使用 DHCP sooping 绑定表信息。
• 配置在交换机端口上,并对该端口生效。
• 运作机制类似 DAI,但是 IP Source Guard不仅仅检查ARP报文,所有经过定义IP Source Guard检查的端口的报文都要检测。
• IP Source Guard检查 接口 所通过的流量的IP地址和MAC地址是否在DHCP sooping绑定表,如果不在绑定表中则阻塞这些流量。注意如果需要检查MAC需要DHCP服务器支持Option 82,同时使路由器支持Option 82信息。
通过在交换机上配置 IP Source Guard:
• 可以过滤掉非法的 IP地址,包含用户故意修改的和病毒、攻击等造成的。
• 解决 IP地址冲突问题。
• 提供了动态的建立 IP+MAC+PORT的对应表和绑定关系,对于不使用DHCP的服务器和一些特殊情况机器可以采用利用全局命令静态手工添加对应关系到绑定表中。
• 配置 IP Source Guard的接口初始阻塞所有非DHCP流量。
综上所述通过配置思科交换机的上述特征,不仅解决了一些典型攻击和病毒的防范问题,也为传统 IP地址管理提供了新的思路。
通过上面的几项技术解决了传统的利用DHCP服务器管理客户端IP地址的问题:
• 故意不使用手工指定静态 IP地址和DHCP分配地址冲突
• 配置 DHCP server
• 使用静态指定 IP遇到的问题
• 不使用分配的 IP地址和服务器或其他地址冲突
• 不容易定位 IP地址和具体交换机端口对应表
使用静态地址的重要服务器和计算机,可以进行静态绑定 IP+MAC、IP+MAC+PORT,手工配置DAI和 IP Source Guard绑定表项, 来保护这些设备,同时也防止来自这些设备的攻击。
3 实施文档
2960 g0/1 trunk 到 3560
执行DHCP的用户ACCESS VLAN 29,这些接口,用户不可以改为静态IP,否则无法进入网络
DHCP server端口为trust,其他DHCP server无法接入网络
2960 access接口配置port-security和ip dhcp snooping ; trunk接口配置为ip dhcp snooping trust
3560 配置ip dhcp snooping ,配置DAI,access接口的配置同2960 ; trunk接口配置DAI
接DHCP服务器的交换机配置 DAI / IP DHCP SNOOPING ,接dhcp服务器的接口配置为ip dhcp snooping trust
3560
Building configuration...
Current configuration : 12073 bytes
!
! Last configuration change at 23:47:22 bj Fri Jul 27 2007
! NVRAM config last updated at 23:47:46 bj Fri Jul 27 2007
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname DFXY-29F-A-S3560-1
!
enable secret 5 <removed>
!
no aaa new-model
clock timezone bj 8
ip subnet-zero
ip routing
!
ip dhcp snooping vlan 29
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 29
ip arp inspection validate src-mac ip
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery interval 120
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree uplinkfast
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 244
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/5
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/6
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/7
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/8
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/9
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/10
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/11
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/12
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/13
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/14
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/15
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/16
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/17
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/19
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/20
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/21
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/22
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/23
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/24
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/25
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/26
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/27
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/28
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/29
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/30
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/31
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/32
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/33
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/34
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/35
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/36
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/37
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/38
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/39
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/40
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/41
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/42
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/43
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/44
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/45
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/46
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/47
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/48
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/49
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/50
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
!
interface GigabitEthernet0/51
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/52
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
!
interface Vlan1
ip address 10.192.1.249 255.255.255.0
!
interface Vlan29
ip address 192.168.29.254 255.255.255.0
ip helper-address 191.0.1.28
!
interface Vlan200
ip address 172.16.200.2 255.255.255.252
!
interface Vlan201
ip address 172.16.201.254 255.255.255.0
!
interface Vlan202
ip address 172.16.202.254 255.255.255.0
!
interface Vlan203
ip address 172.16.203.254 255.255.255.0
!
interface Vlan244
ip address dhcp
!
interface Vlan254
ip address 172.16.254.29 255.255.255.0
!
ip default-gateway 172.16.254.3
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.254.3
ip http server
!
logging history notifications
logging trap warnings
logging source-interface Vlan254
logging 191.0.200.155
snmp-server community <removed> RO
snmp-server enable traps tty
snmp-server host 191.0.200.155 <removed> tty
!
control-plane
!
!
line con 0
line vty 0 4
password <removed>
login
line vty 5 15
no login
!
ntp clock-period 36028809
ntp server 172.16.48.34
end
2960
Building configuration...
Current configuration : 6381 bytes
!
! Last configuration change at 22:57:00 bj Fri Jul 27 2007
! NVRAM config last updated at 22:57:11 bj Fri Jul 27 2007
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname DFXY-29F-A-S2960-1
!
enable secret 5 <removed>
enable password <removed>
!
no aaa new-model
clock timezone bj 8
ip subnet-zero
!
ip dhcp snooping vlan 29
ip dhcp snooping
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause loopback
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree uplinkfast
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/3
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/4
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/5
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/6
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/7
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/8
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/9
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/10
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/11
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/12
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/13
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/14
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/15
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/16
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/17
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/18
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/19
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/20
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/21
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/22
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/23
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/24
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
spanning-tree link-type point-to-point
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport mode trunk
spanning-tree link-type point-to-point
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan254
ip address 172.16.254.51 255.255.255.0
no ip route-cache
!
ip default-gateway 172.16.254.3
ip http server
logging history notifications
logging trap warnings
logging source-interface Vlan254
logging 191.0.200.155
snmp-server community <removed> RO
snmp-server enable traps tty
snmp-server host 191.0.200.155 <removed> tty
!
control-plane
!
!
line con 0
line vty 0 4
password <removed>
login
line vty 5 15
no login
!
ntp clock-period 36028877
ntp server 172.16.254.2
ntp server 172.16.254.1
end
4 技术参考
========型号和Feature分析==========
1、2950以上型号交换机,配置port-security,限制端口的MAC数量(静态access/trunk接口)
2、2960以上型号交换机配置DHCP Snooping,一定要将将数据库保存在flash里面,数据库里保存MAC--IP--VLAN--Interface的一一对应表;port-security已经限制了MAC数量,也就更精细的规范了这个数据库
3、3550以上型号交换机配置DHCP Snooping和DAI,DAI以DHCP Snooping所建立的数据库为基础,动态建立绑定关系,在接口上,可以通过DAI控制ARP报文数量
4、2960以上型号交换机,对于使用静态地址的设备比如打印机/服务器,可以使用ARP访问控制列表,旁路检查
5、3560以上型号交换机,配置IP Source Guard(依赖于Snooping),支持access/trunk接口;2960以上交换机支持ip source 手动绑定
==================================
Dynamic ARP Inspection
Dynamic ARP Inspection is used to verify the sanity of IP to MAC address mappings specified in the ARP packets sent by connected hosts or nei***oring switches. This prevents man in the middle attacks that can be carried out by poisoning ARP caches with the help of ARP packets containing invalid IP to MAC address mappings.
3550以上???
Dynamic ARP Inspection (DAI)在交换机上提供IP地址和MAC地址的绑定, 并动态建立绑定关系。DAI 以 DHCP Snooping绑定表为基础,对于没有使用DHCP的服务器个别机器可以采用静态添加ARP access-list实现。DAI配置针对VLAN,对于同一VLAN内的接口可以开启DAI也可以关闭。通过DAI可以控制某个端口的ARP请求报文数量。通过这些技术可以防范“中间人”攻击。
MAC地址欺骗ort Security Cat2940以上;port-security只能配置与静态的ACCESS/TRUNK接口,动态access接口不支持
DAI也是配合
DHCP Server冒充:2950以上
DHCP Snooping绑定表包含不信任区域的用户MAC地址、IP地址、租用期、VLAN-ID 接口等信息,
IP/MAC欺骗的防范:IP Source Guard Cat65????
如果需要检查MAC需要DHCP服务器支持Option 82,同时使路由器支持Option 82信息
MARS的要求:2960/12.2 版本以上
对于 DHCP server 的 Dos 攻击可以利用前面将的 Port Security 和后面提到的 DAI 技术,
对于有些用户随便指定地址,造成网络地址冲突也可以利用后面提到的 DAI 和 IP Source Guard 技术
DHCP Snooping防范:
DFXY-22F-A-S3560-1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
这张表不仅解决了 DHCP用户的IP和端口跟踪定位问题,为用户管理提供方便,而且还供给动态ARP检测DAI和IP Source Guard使用。
基本配置示例如下表:
IOS 全局命令:
ip dhcp snooping vlan 100,200 /* 定义哪些 VLAN 启用 DHCP 嗅探
ip dhcp snooping
接口命令
ip dhcp snooping trust
no ip dhcp snooping trust (Default)
ip dhcp snooping limit rate 10 (pps) /* 一定程度上防止 DHCP 拒绝服 /* 务攻击
手工添加 DHCP 绑定表
ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi1/1 expiry 1000
导出 DHCP 绑定表到 TFTP 服务器
ip dhcp snooping database tftp:// 10.1.1 .1/directory/file
思科 Dynamic ARP Inspection (DAI) 3550以上支持
DAI在交换机上提供IP地址和MAC地址的绑定, 并动态建立绑定关系。DAI 以 DHCP Snooping绑定表为基础,对于没有使用DHCP的服务器个别机器可以采用静态添加ARP access-list实现。DAI配置针对VLAN,对于同一VLAN内的接口可以开启DAI也可以关闭。通过DAI可以控制某个端口的ARP请求报文数量。通过这些技术可以防范“中间人”攻击。
所有跟普通HOST相连的接口,都为untrust
3.3配置示例
IOS 全局命令:
ip dhcp snooping vlan 100,200
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200 /* 定义对哪些 VLAN 进行 ARP 报文检测
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
IOS 接口命令:
ip dhcp snooping trust
ip arp inspection trust /* 定义哪些接口是信任接口,通常是网络设备接口, TRUNK 接口等,信任接口,不做ARP检查
ip arp inspection limit rate 15 (pps) /* 定义接口每秒 ARP 报文数量
ip arp inspection validate {[src-mac] [dst-mac] [ip]}对于不合法的ARP报文,可以定义drop
对于没有使用 DHCP 设备可以采用下面办法:
arp access-list static-arp
对于没有使用 DHCP 设备可以采用下面办法:
arp access-list static-arp
permit ip host 10.66.227.5 mac host 0009.6b88.d387
ip arp inspection filter static-arp vlan 201
配置DAI后的效果:
a) 在配置 DAI技术的接口上,用户端不能采用指定地址地址将接入网络。
b) 由于 DAI检查 DHCP snooping绑定表中的IP和MAC对应关系,无法实施中间人攻击,攻击工具失效。下表为实施中间人攻击是交换机的警告:
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2
由于对 ARP请求报文做了速度限制,客户端无法进行认为或者病毒进行的IP扫描、探测等行为,如果发生这些行为,交换机马上报警或直接切断扫描机器。如下表所示:
3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30. ******报警
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/ 30 in err-disable state ******切断端口
用户获取 IP地址后,用户不能修改IP或MAC,如果用户同时修改IP和MAC必须是网络内部合法的IP和MAC才可,对于这种修改可以使用下面讲到的 IP Source Guard技术来防范。下表为手动指定IP的报警:
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000 ])
IP Source Guard
依赖于DHCP Snooping绑定表数据库,一般在untrust接口配置,只有表里有的对应于这个接口的源ip数据报才可以上来
支持access和trunk接口,只有源ip/MAC对应关系在这个snooping数据库里,数据报才可以上传,其他非DHCP数据报被丢掉
如果接口配置ip source guard,但是没有配置snooping动态绑定或手动绑定,则这个接口drop所有数据报
IP Source Guard 技术配置在交换机上仅支持在 2 层端口上的配置,通过下面机制可以防范 IP/MAC 欺骗:
IP Source Guard 使用 DHCP sooping 绑定表信息。
配置在交换机端口上,并对该端口生效。
? 运作机制类似 DAI,但是 IP Source Guard不仅仅检查ARP报文,所有经过定义IP Source Guard检查的端口的报文都要检测。
? IP Source Guard检查 接口 所通过的流量的IP地址和MAC地址是否在DHCP sooping绑定表,如果不在绑定表中则阻塞这些流量。注意如果需要检查MAC需要DHCP服务器支持Option 82,同时使路由器支持Option 82信息。
通过在交换机上配置 IP Source Guard:
? 可以过滤掉非法的 IP地址,包含用户故意修改的和病毒、攻击等造成的。
? 解决 IP地址冲突问题。
? 提供了动态的建立 IP+MAC+PORT的对应表和绑定关系,对于不使用DHCP的服务器和一些特殊情况机器可以采用利用全局命令静态手工添加对应关系到绑定表中。
? 配置 IP Source Guard的接口初始阻塞所有非DHCP流量。
? 不能防止“中间人攻击”。
对于 IP欺骗在路由器上也可以使用urpf技术。
检测接口上的 IP+MAC
IOS 全局配置命令:
ip dhcp snooping vlan 12,200
ip dhcp snooping information option
ip dhcp snooping
接口配置命令:
ip verify source vlan dhcp-snooping port-security 交换机3560以上支持,access或trunk接口
switchport mode access
switchport port-security ?????????????
switchport port-security limit rate invalid-source-mac N
/* 控制端口上所能学习源 MAC 的速率,仅当 IP+MAC 同时检测时有意义。
检测接口上的 IP
IOS 全局配置命令
ip dhcp snooping vlan 12,200
no ip dhcp snooping information option
ip dhcp snooping
接口配置命令:
ip verify source vlan dhcp-snooping
不使用 DHCP 的静态配置
IOS 全局配置命令:
ip dhcp snooping vlan 12,200
ip dhcp snooping information option
ip dhcp snooping
ip source binding 0009.6b88.d387 vlan 212 10.66.227.5 interface Gi4/5 交换机2960以上支持
[/nobr] |
|