博威---云架构决胜云计算

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
楼主: network

DAI施工文件 - 防ARP/MAC等,安全构建网络中关键的第一步: 基础架构的安全

[复制链接]
 楼主| 发表于 2008-10-26 20:09:24 | 显示全部楼层
ARP攻击测试报告 [DHCP snooping && DAI Implement Report]



附件
2008-10-25 15:13
  下载次数: 0
arp.pdf (1.44 MB)
 楼主| 发表于 2008-12-21 07:21:26 | 显示全部楼层
在3560/3750+2950T-24环境下部署DHCP Snooping+DAI

前几年卖了很多校园网,一般都是3560G/3750G+2950T-24模式。

ARP攻击爆发,客户电话频频,用DHCP Snooping+DAI是个不错的解决方法,但仔细看下,发现2950T-24不支持DAI,Faint一把

经某人思路提醒,能否在2950T-24上启用PVLAN实现端口隔离,在3560G/3750G上启用DAI功能,这样ARP攻击就没问题了,测试,确实没问题,但本地二层端口不通,search一下手册,发现命令
ip local-proxy-arp,在interface vlan接口下启用,OK。配置如下:


Current configuration : 2345 bytes
!
! Last configuration change at 14:30:26 GMT Wed Nov 5 2008
! NVRAM config last updated at 14:28:34 GMT Wed Nov 5 2008
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW3750
!
enable secret 5 $1$sxfr$4l6Wm6DsHk3m6p/olRN260
!
no aaa new-model
clock timezone GMT 8
switch 1 provision ws-c3750g-24ts
ip subnet-zero
ip routing
no ip dhcp conflict logging
!
ip dhcp pool client

network 192.168.3.0 255.255.255.0


default-router 192.168.3.1

!
ip dhcp snooping vlan 3
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 3
ip arp inspection validate ip

!
!
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 30
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!

interface GigabitEthernet1/0/1

switchport trunk encapsulation dot1q


switchport mode trunk

ip arp inspection limit none
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!

interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1

no ip address


shutdown

!
interface Vlan3

ip address 192.168.3.1 255.255.255.0


no ip redirects


ip local-proxy-arp


ip route-cache same-interface

!

interface Vlan108

ip address 192.168.108.1 255.255.255.0

!
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4

password cisco


no login

line vty 5 15

no login

!
!
end

 楼主| 发表于 2008-12-21 07:21:41 | 显示全部楼层
2950T配置

Current configuration : 4418 bytes
!
version 12.1
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname C2950
!
enable password cisco
!
errdisable recovery cause dhcp-rate-limit
ip subnet-zero
!
ip dhcp snooping vlan 3
ip dhcp snooping
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 361
no spanning-tree vlan 368
no spanning-tree vlan 369
no spanning-tree vlan 500
!
!
interface FastEthernet0/1
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/3
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/4
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/5
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/6
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/7
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/8
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/9
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/10
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/11
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/12
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/13
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/14
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/15
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/16
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/17
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/18
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/19
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!         
interface FastEthernet0/20
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/21
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/22
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/23
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/24
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/1
switchport mode trunk
no ip address
ip dhcp snooping trust
!
interface GigabitEthernet0/2
no ip address
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan108
ip address 192.168.108.2 255.255.255.0
no ip route-cache
!
ip http server
!
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
login
!
end
 楼主| 发表于 2008-12-21 07:24:01 | 显示全部楼层
DHCP SNOOPING/DAI/IP SOURCE检查 部署的思考


1.DHCP SNOOPING是根据DHCP信息构成一张表格里面包括端口号/VLAN ID/MAC地址/原地址的对应关系表格,这张表格是根据DHCP数据包动态生成的,可以为DAI提供基础数据。

2.DAI,动态ARP地址检查,针对非信任端口进行ARP数据包检查,所有非信任端口上接受到的ARP数据包都要和DHCP SNOOPING数据表进行核对,如果符合则通过,如果不符合则扔包。

3.IP SOURCE GUARD,原IP地址检查,所有的IP数据流都会检查其原IP地址、VLAN、端口信息与DHCP SNOOPING生成表格进行核对,如果符合则通过,如果不通过则drop。

注:DAI和IP SOURCE GUARD的区别是,DAI只针对ARP流量进行检查,而IP SOURCE GUARD是针对IP流量做检查,二者需要结合使用,才能很好的防止ARP地址欺骗攻击和原IP地址攻击。

典型的配置如下,供参考。

Switch#show run
Building configuration...

Current configuration : 5543 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$ii9B$JEMQimaQ3Sli/LlPdPr8R0
!
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 201
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 201
!         
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 200
switchport mode access
ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 201
switchport mode access
!         
interface GigabitEthernet1/0/9
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/25
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/26
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/28
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/29
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/30
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/31
switchport access vlan 201
switchport mode access
!         
interface GigabitEthernet1/0/32
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/33
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/35
switchport access vlan 201
switchport mode access
ip verify source port-security
!
interface GigabitEthernet1/0/36
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/39
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/40
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/41
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/42
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/43
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/44
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/45
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/46
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/47
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/48
switchport access vlan 201
switchport mode access
!         
interface GigabitEthernet1/0/49
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/50
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/51
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/52
switchport access vlan 201
switchport mode access
!
interface Vlan1
ip address 10.128.0.201 255.255.255.0
!
interface Vlan200
ip address 10.200.128.254 255.255.255.0
!
interface Vlan201
ip address 10.200.160.254 255.255.255.0
ip helper-address 10.200.128.1
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
password tcs54321
line vty 0 4
password tcs54321
no login
line vty 5 15
password tcs54321
no login
!
end
         
Switch#
发表于 2009-4-18 00:01:31 | 显示全部楼层
好东西!!!!!!!!!
发表于 2009-8-19 16:02:43 | 显示全部楼层
好东西,学习了!!!!!!!!!!!!!!!!!!!!!!!!!!!
发表于 2009-8-19 17:11:24 | 显示全部楼层
好东西,学习啊!!!!!!!!!!!!!!!!!!!!!!!!!
发表于 2009-8-19 17:13:08 | 显示全部楼层
好东西啊,学习!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
发表于 2009-10-3 17:24:32 | 显示全部楼层
:) :)
发表于 2009-10-3 17:24:54 | 显示全部楼层
good......thanks for sharing
您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|boway Inc. ( 冀ICP备10011147号 )

GMT+8, 2024-11-1 08:03 , Processed in 0.094567 second(s), 14 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表