S/KEY . . . 11
(TOKEN PASSWORD AUTHENTICATION) . . . 13
PPP . . . 13
PPP PAP . . . 14
PPP CHAP . . . 14
PPP EAP . . . 16
TACACS+ . . . 17
RADIUS . . . 19
SSL . . . 21
SSH . . . 21
S-HTTP . . . 22
SOCKS . . . 23
IPSEC . . . 23
X.509 . . . 27
L2F . . . 30
PPTP . . . 30
L2TP . . . 31
LDAP . . . 32
DNSSEC . . . 33
SAFE . . . 36
(VPN) . . . 53
(WAN) . . . 56
VPN/ . . . 71
(WAN) . . . 73
IP- . . . 75
(Denial of Service DoS) . . . 76
Man-in-the-Middle . . . 77
CISCO . . . 80
- (RFC) . . . 80
.
- ,
, . ,
, Cisco
.
(White Papers) Cisco , , .
, . , . Cisco Systems .
, (Internet
Engineering Task Force IETF) IP. , ,
, IP. , , Cisco
.
, , . :
: ,
( , , , ..).
: .
: ,
.
: , , , .
: .
: , ,
.
: , /
; ; .
: , /
; ;
.
: , .
: ,
.
-: , ( ). , , .
: , -.
(Message digest): , - ( ,
).
: .
: , ( ), .
AAA Authentication, Authorization, Accounting: , Cisco Systems.
: .
NAS Network Access Server: .
, . ,
: , -. , . - .
. , , . . , , , , . ( )
(). . . .
, , , .
, , . :
, .
,
: , .
, , . 1 , , .
,
. , ( ), /.
1.
, 2. , , .
.
.
2.
, -
( ),
, , , . ,
, .
, Data Encryption Standard (DES),
3DES ( DES) International Data Encryption Algorithm (IDEA). 64 . 64 ( ), 64 , - .
, , : (ECB), (CBC), x- (CFB-x)
(OFB).
(firmware).
, ( ) . :
, .
.
- (Diffie-Hellman), .
, , . : .
,
: (. 3).
.
3.
.
, , . , / . .
4 ,
. ( ,
, , , ), , . , . , , , , , . .
4. ,
5 ,
. , , ,
. ,
. ,
. , , .
5.
, . , , , , , .
/ , , , . ,
, . /
. - . , .
RSA (, , )
ElGamal.
-
- , ,
. (-),
. ( ). (. 6.) . , ,
. - . , , , , .
6. -
-
. - :
,
. .
-
- , ,
, ,
, .
. 7 - DES . , p ( ) g (, p, ),
. , ( ) . ( )
. -. , .
Z. Z DES . , p g, Z -
.
7. - DES
1: p g
2: ,
3: Z
, ,
, , . - ,
. .
, . .
- . 8 .
(, Digital Signature Standard DSS), /
. , . , MD5. MD5, 128 . ( ).
.
, .
8.
, , . 9 , . . ,
. .
, . ,
, .
9.
,
. 10 X.509. X.509
:
;
;
;
;
;
;
.
10. X.509
:
,
0000123
SHA, DH, 3837829
1/1/93 to 12/31/99
Alice Smith, Acme Corp.
DH, 3813710
Acme Corporation Security Dept.
SHA, DH, 239702317 ...
, CA, ,
. 11 , , , CA. , CA. . CA .
CA , , , . , .
11.
,
CA . ,
(PKI), , , ,
. , , CA, CA. .
,
12.
12.
/ . ,
CA X.509 . , CA . , ,
,
, :
1. CA .
2. CA , .
3. CA .
4. CA .
5. CA , .
6. CA .
7. - .
8. , -,
.
, : , . (, , , , ..) .
, , . ,
, . , , Cisco,
. , ,
. IETF, ,
web- IETF : http://www.ietf.org.
, , , . , . - .
S/Key
(token password authentication). Point-toPoint Protocol (PPP)
Password Authentication Protocol (PAP), Challenge Handshake Protocol (CHAP) Extensible Authentication
Protocol (EAP). EAP , PPP. TACACS+ Remote Access Dial-In User Service (RADIUS) , .
S/Key
S/Key, RFC 1760, MD4 MD5. , , .
S/Key /,
, . , -
. S/Key, , ,
(seed). , :
, .
( ). , .
( ) , .
, , - 64-
. - , .
-.
64- .
:
-, ;
(cut and paste);
.
( ). ,
2048 . , 11 , . S/Key
.
13. S/Key
PPP
PPP (), . :
;
Link Control Protocol (LCP), ,
;
, LCP .
, , PPP ( ) .
. , ,
. , , , PPP ,
, . .
PAP CHAP PPP. EAP PPP, .
, PPP. LCP IP Control Protocol (IPCP), IP.
- PPP. PAP CHAP , (login)
. CHAP , PPP. PAP . .
IETF PPP (pppext) :
http://www.ietf.org/html.charters/pppext-charter.html.
PPP PAP
14 PAP.
14. PPP PAP
(NAS) . -
- NAS , .
PAP . PAP
, , . ,
.
.
PPP CHAP
CHAP . , .
15 CHAP.
- .
, .
CHAP . ,
. .
: - CHAP MD5,
. Microsoft CHAP (MS-CHAP),
( ) . MS-CHAP : CHAP, .
PPP EAP
PPP EAP PPP, . EAP
, . . , ,
, PPP .
16 , PPP EAP.
16. PPP EAP
(NAS) . . ,
, . , , , MD5, S/Key, .. MD5 CHAP. ,
. , -
( , ..).
. ,
, . , , .
TACACS+
TACACS+ TACACS. TACACS
, User Datagram Protocol (UDP) Bolt, Beranek and Newman, Inc. (BBN) Military Network (MILNET). Cisco TACACS,
TACACS, TACACS+.
TACACS+ TCP. 49, IP, TACACS. RFC UDP TCP. TACACS
49.
TACACS+ /, TACACS+
NAS, TACACS+, , (, UNIX
NT). TACACS+ , (AAA Authentication, Authorization, Accounting). , , , TACACS+ , PPP PAP, PPP CHAP,
Kerberos. . , . ,
.
, .
, . , ( ).
, , , . TACACS+ , . , ,
PPP PPP IP IP. TACACS+ , IP PPP.
.
. TACACS+ . -, (, ). -, . TACACS+
. , . ,
. (update)
, .
TACACS+ , , ,
( ) .
TACACS+ TACACS+ , .
. TACACS+ , TACACS+
TACACS+.
17 ,
, TACACS+, .
17. TACACS+
1.
.
2. .
3. .
4. TACACS+
TACACS+.
5. TACACS+ .
6.
.
7. TACACS+ ,
.
19. TACACS+
RADIUS
RADIUS Livingston Enterprises, Inc. . 1996 RADIUS
IETF. RADIUS (RFC 2058) RADIUS (RFC 2059) .
NAS RADIUS UDP. , RADIUS . , ,
, , RADIUS, .
RADIUS /. RADIUS NAS, RADIUS , UNIX NT. RADIUS,
. RADIUS , , ,
. RADIUS RADIUS - (proxy).
20 , ,
RADIUS, .
20. RADIUS
1.
.
2. .
3. .
4. RADIUS
RADIUS.
5. RADIUS Accept, Reject
Challenge.
6. RADIUS ,
, Accept, Reject Challenge.
RADIUS .
, PPP PAP CHAP,
UNIX login .
(Access Request), NAS RADIUS, ( ), . Access Request , , IP- NAS . . , - , , (Service-Type = Exec-User), PPP, (Service Type = Framed
User Framed Type = PPP).
RADIUS NAS Access Request, . , ,
, .
, .
RADIUS . , RADIUS ,
.
(shell framed), , IP, ( ), ,
NAS. RADIUS ,
NAS. 21
RADIUS.
21. RADIUS
RADIUS
. RADIUS
( , , ..), . (ISP)
RADIUS .
RADIUS , . , RADIUS , .
RADIUS IETF : http://www.ietf.org/html.charters/radius-charter.html.
, . SSL Secure Shell
Protocol (SSH), .
IETF (Transport Layer
Security TLS). (S-HTTP) web-, SSL. SOCKS , / TCP
UDP . IP
(IPSec)
( IP). X.509 , -
.
. X.509 (PKI).
SSL
SSL , Netscape. SSL ( Hypertext Transfer
Protocol [HTTP], Telnet, Network News Transfer Protocol [NNTP] File Transfer Protocol [FTP]) TCP/IP. , , ( ) TCP/IP. SSL W3 (W3C) Web- .
SSL , . .
, (, TCP), SSL Record Protocol. SSL Record Protocol . , SSL Handshake Protocol, ,
. SSL
, . SSL. SSL ,
:
. .
(, DES, RC4 ..).
, (, RSA, DSS ..).
.
(MAC).
- (, - [SHA], MD5 ..).
SSL . , . SSL , ,
, ( ), MAC, . , , , .
SSL HTTP.
SSL, .
SSH
Secure Shell (SSH) . ,
TCP/IP X11. SSH
, . SSH
.
, (,
DNSSEC, [SPKI], X.509).
SSH :
. , . .
.
, .
IDEA
( DES , DES, RC4-128, Blowfish). -
S-HTTP
SOCKS
SOCKS , / TCP UDP
.
, . SOCKS :
(, Telnet Netscape) (-)
.
SOCKS (Dave Koblas) SGI,
. , . SOCKS 4
/, TCP, Telnet, FTP ,
HTTP, Wide Area Information Server (WAIS) GOPHER. SOCKS 5, RFC 1928,
SOCKS. UDP, , ,
, IP v6.
IP, . SOCKS V.5, TCP UDP. ,
UDP SOCKS V.5 ( , ), : UDP UDP.
SOCKS . -
SOCKS ( ), ( 1080/TCP). SOCKS , . SOCKS , . , SOCKS.
SOCKS , - SOCKS ( SOCKS- ). , (Telnet, FTP, finger, whois) SOCKS, SOCKS .
, SOCKS V.5 : (, Solaris) SOCKS- ,
SOCKS shared libc (
LD_LIBRARY_PATH Solaris).
IETF, , :
http://www.ietf.org/html.charters/aft-charter.html.
IPSec
IP (IPSec) ,
IP. IPSec , RFC.
RFC, , , .
RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) DES.
RFC 2406 (IP Encapsulating Security Payload (ESP)) .
RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) .
RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) .
RFC 2409 (The Internet Key Exchange (IKE)) .
RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec)
.
RFC 2411 (IP Security Document Roadmap) .
RFC 2412 (The OAKLEY Key Determination Protocol) .
, .
, , , .
IPSec ,
. (Internet Security Association Key Management Protocol ISAKMP)
. ,
, (, Oakley), .
, , , .
(SA), . SA :
;
;
;
.
SA ,
SA, . , ,
. SA ISAKMP. , SA . 23 ISAKMP, , , .
23. SA ISAKMP
SA , ,
. , -, MD5 128- . -, AH,
24.
24: IP
, IP , . ,
, -, SA, -. 25,
, AH. , (
).
25.
, , . AH
.
, , , SA , ,
, .
. ESP , : , 26 27.
26. ESP
27. ESP
,
(end-to-end);
(VPN) ;
, , TCP (, UDP);
, ,
;
AH
,
(, TCP SYN).
IETF IP (IPSEC) :
http://www.ietf.org/html.charters/ipsec-charter.html.
X.509
, , . PKI. X.509 . , (CA). RFC 1422 PKI X.509, , (PEM). RFC 1422 PKI . X.509. web-,
IPSec. X.509 3
(CRL) 2.
, ,
( ), . , , . CA . , . -
,
, - . PKI.
X.509 v3 (. 28).
28. X.509 v3
: ,
. , , ,
, ( ). ,
, . , CA .
-. , -, CA. (. 29).
29. X.509 v3
,
. , .
,
CA (, , ),
.
CA .
CRL
. CA . CRL
. - (, ),
,
CRL, , .
,
CRL. CA CRL (, , ).
CRL. .
30 CA .
30.
CA / . CA X.509 v3. ,
CA. ,
- , :
1. - CA .
2. CA , .
3. - CA
.
4. CA -
.
5. CA - , .
6. CA - .
, ,
. -, , , .
.
( CA?), - ( FTP Lightweight Directory
Access Protocol [LDAP] ) ( ).
IETF (PKIX) :
http://www.ietf.org/html.charters/pkix-charter.html.
L2F
(Layer 2 Forwarding L2F)
Cisco Systems. ( HighLevel Data Link Control [HDLC], async HDLC Serial Line Internet Protocol [SLIP] ) , , IP. , , , , (SLIP, PPP), .
, IP, IPX AppleTalk
SLIP/PPP . , . , , , IP, .
PPTP
Point-to-Point Tunneling Protocol (PPTP) Microsoft.
PPP, . /, , NAS, (VPN). PPTP
(PNS) , ,
PPTP (PAC), . PPTP -
L2TP
, L2F PPTP . Cisco Microsoft ( IETF) ,
(Layer 2 Tunneling Protocol L2TP).
(L2F PPTP), L2TP.
, , L2TP.
31.
31.
IETF (pppext) :
http://www.ietf.org/html.charters/pppext-charter.html.
, . . LDAP DNSSEC.
LDAP
Lightweight Directory Access Protocol (LDAP) . LDAP . 1995 . .500. X.500
,
. LDAP , /.
, .500,
X.500 Directory
Access Protocol (DAP). RFC 1777 2 LDAP.
3, . LDAP TCP
LDAP, , .500.
:
, ;
, , ;
, , ( 3).
, LDAP, , . , , .
. , -
. 32.
32. LDAP
1 2 LDAP .
LDAP , ,
. ,
.
. LDAP , , DIT. , : RDN,
. RDN
, . - , , ,
, .
LDAP :
.
, 1 2, 3.
- .
RDN
.
, .
3, , - ; , .
. LDAP 2 , ( ), Kerberos 4.
3 SASL . SASL . , .
ASID
(, ) IETF LDAP, , :
http://www.ietf.org/html.charters/asid-charter.html http://www.ietf.org/html.charters/ldapext-charter.html.
DNSSEC
DNS .
. DSN
.
.
DNS , . DSN.
, DNS. ,
. , DNS, . .
DSN.
IETF Domain Name System Security (dnssec)
:
http://www.ietf.org/html.charters/dnssec-charter.html.
Cisco SAFE:
, . Cisco
Systems .
.
, . . , , ,
, .
. , , . , . , ,
, ,
. , .
(VPN) , .
, , VPN. VPN, ( ,
(certificate authorities CA)). . (, ,
). , , SAFE, .
SAFE Cisco . . ,
. SAFE , .
.
, . , .
SAFE .
. , :
;
( );
;
;
;
.
- ( ), SAFE ,
. , , , , .
, . , . SAFE . .
, SAFE . , , ,
- , .
, ,
,
, .
,
.
. , , . .
,
. ,
Cisco IOS ,
. , . , .
- , SAFE .
. -, , . -,
, ,
.
33 SAFE.
. - (ISP) , ,
- .
33.
, 34,
.
.
. , ,
,
, 80 %
. , , ..
.
34. - SAFE.
,
. , , SAFE. , , .
SAFE
. ,
. . .
, , . ,
. :
SNMP;
TACACS+;
;
;
.
, ,
: http://www.cisco.com/warp/customer/707/21.html
( , ), , . , . ,
, . ,
:
,
auto, (off). , .
, VLAN ( ), . , , VLAN 3. :
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
VLAN, 3. , , .
.
VLAN . , ,
VLAN VLAN ,
. - VLAN , , .
VLAN
(private VLAN). ,
,
VLAN. , , (promiscuous ports).
. . , web-, FTP (DNS).
DNS, .
,
, .
, .
. , . , , ,
. ,
. , http://www.whitehouse.gov ( ),
- s2-0.whitehouse.net ( ). , .
. web-
, , , . , web- , . , -
, . , - . : , .
.
, . , ,
.
, . , (denial of service DoS).
, .
(distributed denial of service
DDoS). , IP-. , , . DS3 (45 /),
web-. . , , . , DDoS.
, . DS1
(1,5 /). , DS3 .
1 / ( , DDoS
Unix 50 M/), . , , . , , . .
.
-. ,
. .
.
DDoS ICMP, TCP SYN UDP. .
TCP SYN 80 (http)
.
, .
80 ,
web-. , ,
, .
RFC 1918
RFC 2827. RFC 1918 , ,
. RFC 2827 IP- . RFC 1918 2827 , , . -
WAN DDoS, , . - RFC 2827,
. DDoS, , .
, , .
(, , )
( , , -
, FTP ).
, ,
(intrusion detection system IDS), . IDS - ,
, . . , (host-based IDS HIDS), . , -. ,
. - (HIDS)
NIDS (network IDS), .
- , NIDS. Cisco HIDS
, NIDS . .
,
. , ,
. , . IDS . ,
HIDS , HIDS .
NIDS, :
( ) , . NIDS , - ,
, .
, , , . , . NIDS , , ,
. , NIDS , . IP- -
HTTP, .
DoS.
,
, , UDP. . . RFC 2827 , . ,
, ,
. , , , (stateful filtering), .
IDS, .
NIDS TCP (TCP reset).
, . TCP reset .
, , .
. NIDS .
NIDS,
, NIDS . NIDS, ,
. , NIDS,
. , IDS, ,
, . ,
, IDS , .
? . , ?
. , , .
? ?
? ,
? , ? , ? (-) .
. ? , ?
, ?
,
(out-of-band OOB). , , ,
. , .
( ), .
, .
, , . , (OOB)
. .
- . (syslog data), .
,
. , ,
- . , , , . , , 2,
, , (IDS). , IDS,
. , .
. - , . NTP
(Network Time Protocol), .
, .
, , , -, .
, - , , . , , SSL (secure socket layer) SSH (secure
shell), . SNMP , .
, SNMP . SNMP (SNMP community string) , Unix-.
. ,
. . , FTP TFTP.
: . , , , .
. .
, , , , . , . , , .
. ,
, . , , , . , .
. DoS.
, , , , / war-dialer.
, . , . , , , .
.
, .
35.
, SAFE. -
,
.
36.
SNMP SNMP;
NIDS NIDS ;
() Syslog NIDS;
( ) , ;
NIDS ;
2 ( ) IOS.
37. :
IOS ;
Man-in-the-Middle , , , ;
, ,
, , -;
IP- IOS ( ) , ;
, .
38. :
, SAFE , IOS, (VPN). ,
, , . ,
, IOS, . , IPSec . Cisco,
. IOS , syslog , Telnet, SSH SNMP,
.
, . .
, , .
: Cisco IOS,
, , .
reverse-telnet Cisco . -
( , , -
, SNMP) . ( ) IPSec, .
,
. , .
.
, . - , , .
, ,
IOS, . , . , HIDS NIDS,
. , .
SNMP .
SNMP ,
. SAFE SNMP , . SNMP .
, . , . ,
. IPSec, SSH SSL , . , , , community strings, , .
. IDS,
.
, , .
SAFE .
.
3 .
39. :
.
,
Cisco ,
.
SAFE
,
, ,
.
. ,
(QoS) . .
.
3 2 .
40. :
3.
41. ,
, , .
, , , - (,
, ..).
, .
.
, , ,
(VLAN) , -
- .
, ,
.
, 3. RFC 2827 . ,
IP (VoIP) CallManager IP. VoIP
, . (QoS).
,
, .
SAFE , , 2. , .
2 2 .
IP- IP-.
42. :
VLAN .
,
.
43.
,
.
,
, -
, . , 2, , , 3. , ,
, .
.
. IDS,
3.
3 3 NIDS.
CallManager IP-, .
, DNS.
SMTP POP3.
44. :
.
,
,
.
, HIDS.
45.
. ,
, ,
.
.
HIDS,
NIDS, (VLAN),
( ).
NIDS ,
, .
, , , SMTP, Telnet, FTP WWW. NIDS, , , VLAN. .
, .
, , ,
. -
3 .
46. :
,
.
, ,
.
.
47.
.
,
.
3,
,
. , .
, .
,
, , SAFE. NIDS, IDS, 3.
NIDS , . -
( SAFE) ,
.
, .
48. 1
49. 2
-
- - , . (VPN) ,
VPN. . .
50. -
SMTP - .
DNS DNS , .
FTP/HTTP .
NIDS 47.
URL URL,
.
51. -:
(ISP), .
IDS .
HIDS.
, IDS.
HIDS
.
IDS , .
VLAN.
HIDS.
52. -
, . , , . , 2 3, , .
, ISP,
, ,
(D)DoS. , ISP
RFC 1918 2827,
.
, ( IP-) .
. RFC 1918
2827 , ISP. , ,
, , . ,
, . , IPSec, -
VPN/ , . ,
VPN IPSec,
. VPN IP- , , , , , .
NIDS, , , 47 . ISP
, NIDS .
NIDS , , . , ,
, .
. TCP
SYN .
,
, . ( HIDS NIDS), . , ,
. , web- , , .
. xterm web- . , VLAN , . , VLAN .
, URL,
, URL. ,
URL- - . URL-
WWW.
URL, URL-. , WWW, . URL ,
IP- web- ,
. HIDS , - .
NIDS.
, .
, , , . NIDS NIDS, , , . ,
(HTTP, FTP, SMTP ..).
DNS .
, .
(zone-transfers), , DNS. SMTP , ,
. SMTP
7 .
NIDS, ,
. , -
, . , . ,
SMTP, ,
TCP- 25, .
, , , - .
( reset), , , SMTP.
. , , , NIDS . , . , , NIDS
, . , , ,
, . , . , , NIDS, ,
. ,
(ISP) , .
, .
,
, -. , . , 2,
, -.
(VPN)
, : VPN, , , . , , ,
.
53. VPN /
VPN
XAUTH IPSec.
VPN GRE/IPSec.
TACACS+ .
NIDS
47.
54. VPN / :
Internet Key
Exchange (IKE) Encapsulated Security Payload (ESP).
() .
, ,
.
Man-in-the-Middle .
.
55. VPN /
,
. ,
. .
VPN
VPN , -. IP- , -
VPN. .
IPSec, , PPTP L2TP, .
SAFE IPSec, , , , , .
VPN IKE (UDP 500). IKE , .
XAUTH, IKE (draft RFC), , -
IP. VPN .
.
. IP- MODCFG, IKE. IP-
(DNS WINS), MODCFG . , SAFE .
. IPSec, 3DES ( ) SHA-HMAC ( ). ,
VPN, VPN . VPN
, VPN.
IPSec . ,
.
, .
1 CHAP. VPN , . IP-, IP- .
VPN
VPN, , GRE, IPSec ESP (Encapsulated Security Payload).
, , -,
VPN. .
ESP (IP 50) IKE (UDP 500).
GRE , .
(multicast).
( EIGRP Enhanced Interior
Gateway Routing Protocol), GRE ,
GRE ( VPN).
VPN , 3DES SHAHMAC. VPN IPSec.
, . -
, . NIDS ,
VPN. IPSec (IKE/ESP). NIDS IPSec, .
.
NIDS , . . , , ,
(shunning) (TCP reset) .
VPN , . ,
.
- / .
L2TP / PPTP VPN.
Certificate Authorities (CA).
IKE (IKE keep-alive resilience mechanism).
VPN (MPLS).
(WAN)
.
Frame Relay.
IOS , (QoS).
56. :
IP- 3.
, .
57.
,
-
. IOS.
, ,
.
, , ,
. , IPSec.
,
. -
.
58.
Web-
.
,
web-.
,
.
NIDS .
3 ISP .
59. :
(ACL)
.
(IDS).
(DoS) (ISP)
(D)DoS.
HIDS .
; ICMP .
HIDS .
60.
, : web-, .
(ISP) . ,
.
, , HTTP web-
IP- DNS, ISP. DNS , , .
.
, web- . , , web-.
web- , web- , .
.
web-, web-
. HTTP SSL .
- . web- , SSL.
. , SQL,
, . . , (backend), .
, , , , , .
. web, .
web- ().
,
(HIDS). , root kit.
, .
,
, ISP. , ,
ISP , ,
web-. ,
( BGP Border Gateway Protocol). . (D)DoS (ISP) , SAFE. ISP RFC 1918 RFC 2827.
(ISP). 3, . 3 BGP,
, (ISP) . -, 3 , ISP, . -, 3 (IDS).
IDS, web-, IDS . 10 % ,
- , , ,
. NIDS, , , ,
. , , web- , , HIDS, . -, ,
.
,
(NIDS).
, (web, , ) , .
,
(SSH, FTP, Telnet ..), . .
2, , , VLAN, ,
, ,
. , , web-
web-.
( )
(out-of-band).
(ISP).
( ) . -,
ISP LAN . , , , . , (D)DoS. -, - . .
.
. . .
. : web-
.
.
, . .
. , , . ,
. .
(IDS) , .
. , ,
. , .
. 3.
,
.
VPN/
-. : NIDS. , , , . , .
VPN/ . , ,
. -
(D)DoS ISP.
NIDS.
, . ,
HIDS, (NIDS). (, ) , .
, .
. . , , , ,
.
SAFE .
, , , . , .
.
. , , , .
, , SAFE . , VPN/ , ,
. , VPN , . VPN
, , .
SAFE . , , , . . ,
. .
SAFE , .
SAFE . , , , . :
;
;
, , (, ) (certificate authority);
VPN (WAN).
.
SAFE,
, . . , , . , .
, SAFE.
! turn off unnecessary services
!
no ip domain-lookup
no cdp run
no ip http server
no ip source-route
no service finger
no ip bootp server
no service udp-small-s
no service tcp-small-s
!
!turn on logging and snmp
!
service timestamp log datetime localtime
logging 192.168.253.56
logging 192.168.253.51
snmp-server community Txo~QbW3XM ro 98
!
!set passwords and access restrictions
!
service password-encryption
enable secret %Z<)|z9~zq
no enable password
no access-list 99
access-list 99 permit 192.168.253.0 0.0.0.255
access-list 99 deny any log
no access-list 98
access-list 98 permit host 192.168.253.51
access-list 98 deny any log
line vty 0 4
access-class 99 in
login
password 0 X)[^j+#T98
exec-timeout 2 0
line con 0
login
password 0 X)[^j+#T98
exec-timeout 2 0
line aux 0
transport input none
password 0 X)[^j+#T98
no exec
exit
banner motd #
This is a private system operated for and by Cisco VSEC BU.
Authorization from Cisco VSEC management is required to use this system.
Use by unauthorized persons is prohibited.
#
!
!Turn on NTP
!
clock timezone PST -8
clock summer-time PST recurring
ntp authenticate
ntp authentication-key 1 md5 -UN&/6[oh6
ntp trusted-key 1
ntp access-group peer 96
ntp server 192.168.254.57 key 1
access-l 96 permit host 192.168.254.57
access-l 96 deny any log
!
!Turn on AAA
!
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs line
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host 192.168.253.54 single
tacacs-server key SJj)j~t]6
line con 0
login authentication no_tacacs
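The template above is a checklist as much as a configuration: services off, encrypted passwords and an enable secret, vty access restricted by ACL with idle timeouts, aux port disabled, logging and authenticated NTP, AAA against TACACS+, and a read-only SNMP community bound to an ACL. The following script is an added example (not Cisco's code and not part of the SAFE document) that parses a running-config in the form "show running-config" prints it and reports which of those items are missing. The check names, the parser and both sample configurations are constructed here; the hardened sample mirrors the template's commands with placeholder secrets, the weak one is invented to show what the audit flags.

```python
import re

def parse_config(text):
    """Split a config into global commands and the space-indented
    sub-commands under each 'line' / 'interface' / 'router' header."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None  # blank line or '!' separator closes a section
        elif raw[0] in " \t" and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("line ", "interface ", "router ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections

def _has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

def _exec_timeout_ok(cmds):
    for c in cmds:  # 'exec-timeout 0 0' disables the idle timer: treat as unset
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
        if m:
            return int(m.group(1)) > 0 or int(m.group(2) or 0) > 0
    return False

def _vty_restricted(globals_, sections):
    # every vty group needs 'access-class N in', and ACL N must permit a range
    vty = [c for h, c in sections.items() if h.startswith("line vty")]
    for cmds in vty:
        acl = next((m.group(1) for c in cmds
                    if (m := re.match(r"access-class (\S+) in$", c))), None)
        if acl is None or not _has(globals_, f"access-list {acl} permit "):
            return False
    return bool(vty)

def _snmp_restricted(globals_):
    # communities must be read-only, bound to an ACL and not a default name
    for g in globals_:
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", g)
        if m and (m.group(2) != "ro" or m.group(3) is None
                  or m.group(1).lower() in ("public", "private")):
            return False
    return True

def _aaa_login_ok(globals_):
    # the default login list must use an AAA server and never fall back to 'none'
    for g in globals_:
        m = re.match(r"aaa authentication login default (.+)$", g)
        if m:
            methods = m.group(1).split()
            return ("none" not in methods and _has(globals_, "aaa new-model")
                    and any(x in methods for x in ("tacacs+", "radius", "group")))
    return False

def audit(text):
    """Map each hardening item of the template to whether the config has it."""
    g, s = parse_config(text)
    term = [c for h, c in s.items() if h.startswith(("line vty", "line con"))]
    aux = s.get("line aux 0", [])
    return {
        "unneeded_services_off": all(_has(g, p) for p in (
            "no ip http server", "no cdp run", "no ip source-route",
            "no service finger", "no ip bootp server",
            "no service udp-small-s", "no service tcp-small-s")),
        "password_encryption": _has(g, "service password-encryption"),
        "enable_secret_only": _has(g, "enable secret ") and not _has(g, "enable password "),
        "vty_access_class": _vty_restricted(g, s),
        "exec_timeout_set": bool(term) and all(_exec_timeout_ok(c) for c in term),
        "aux_disabled": "no exec" in aux and "transport input none" in aux,
        "logging_host": any(re.match(r"logging (?:host )?\d+\.\d+\.\d+\.\d+", x) for x in g),
        "ntp_authenticated": _has(g, "ntp authenticate") and _has(g, "ntp trusted-key "),
        "aaa_tacacs_login": _aaa_login_ok(g),
        "snmp_ro_restricted": _snmp_restricted(g),
    }

def failed(text):
    return [name for name, ok in audit(text).items() if not ok]

# Constructed sample mirroring the template (secrets replaced by placeholders),
# with the indentation 'show running-config' uses for sub-commands.
HARDENED_CONFIG = "\n".join([
    "service password-encryption", "no ip http server", "no cdp run",
    "no ip source-route", "no service finger", "no ip bootp server",
    "no service udp-small-servers", "no service tcp-small-servers",
    "enable secret 5 $1$EXAMPLE$placeholderhash", "no enable password",
    "aaa new-model", "aaa authentication login default tacacs+",
    "logging 192.168.253.56", "snmp-server community EXAMPLE-RO ro 98",
    "access-list 98 permit host 192.168.253.51",
    "access-list 99 permit 192.168.253.0 0.0.0.255",
    "ntp authenticate", "ntp trusted-key 1", "line con 0", " exec-timeout 2 0",
    "line aux 0", " no exec", " transport input none",
    "line vty 0 4", " access-class 99 in", " exec-timeout 2 0", " login",
])
# Constructed sample of a router left with defaults and a few poor choices.
WEAK_CONFIG = "\n".join([
    "no service password-encryption", "enable password EXAMPLE-WEAK",
    "snmp-server community public rw", "logging 192.168.253.56",
    "line vty 0 4", " exec-timeout 0 0", " login",
])
```

Running `failed(WEAK_CONFIG)` lists every check except `logging_host`; `failed(HARDENED_CONFIG)` is empty. The script matches command prefixes, so the abbreviated `udp-small-s` form used in the template and the full `udp-small-servers` form both pass; it only reads the text, so a router that never echoes a default (for example `no cdp run` on images where CDP is off by default) must be checked with `show` commands rather than trusting the config alone.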
OSPF
OSPF . , MD5 , (OOB).
interface Vlan13
ip address 10.1.13.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 024D105641521F0A7E
ip ospf priority 3
!
router ospf 1
area 0 authentication message-digest
network 10.1.0.0 0.0.255.255 area 0
distribute-list 1 out
distribute-list 1 in
!
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any
. , VLAN,
IP- .
interface FastEthernet1/0
ip address 192.168.254.15 255.255.255.0
ip access-group 101 in
ip access-group 102 out
no cdp enable
!
access-list 101
access-list 101
access-list 101
access-list 101
access-list 101
access-list 101
access-list 101
access-list 101
access-list 102
, CAT OS
SAFE. IOS , .
!
!Turn on NTP
!
set timezone PST -8
set summertime PST
set summertime recurring
set ntp authentication enable
set ntp key 1 trusted md5 -UN&/6[oh6
set ntp server 192.168.254.57 key 1
set ntp client enable
!
! turn off un-needed services
!
set cdp disable
set ip http server disable
!
!turn on logging and snmp
!
set logging server 192.168.253.56
set logging server 192.168.253.51
set logging timestamp enable
set snmp community read-only Txo~QbW3XM
set ip permit enable snmp
set ip permit 192.168.253.51 snmp
!
!Turn on AAA
!
set tacacs server 192.168.253.54 primary
set tacacs key SJj)j~t]6
set authentication login tacacs enable telnet
set authentication login local disable telnet
set authorization exec enable tacacs+ deny telnet
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
!
!set passwords and access restrictions
!
set banner motd <c>
This is a private system operated for and by Cisco VSEC BU.
Authorization from Cisco VSEC management is required to use this system.
Use by unauthorized persons is prohibited.
<c>
!console password is set by set password
!enter old password followed by new password
!console password = X)[^j+#T98
!
!enable password is set by set enable
!enter old password followed by new password
!enable password = %Z<)|z9~zq
!
!the following password configuration only works the first time
!
set password
X)[^j+#T98
X)[^j+#T98
set enable
cisco
%Z<)|z9~zq
%Z<)|z9~zq
!
!the above password configuration only works the first time
!
set logout 2
set ip permit enable telnet
set ip permit 192.168.253.0 255.255.255.0 telnet
Figure 61. Key devices:
Cisco Catalyst 3500XL Layer 2 switches
Cisco 3640 IOS router (EIOS-21)
Cisco 2511 IOS router
Cisco Secure Intrusion Detection System (CSIDS)
RSA SecurID OTP server
Cisco Secure Access Control Server
CiscoWorks 2000
Cisco Secure Policy Manager
netForensics syslog analysis tool
ClickNet Entercept HIDS
EIOS-21
This router runs the IOS Firewall feature set; its inspection and audit configuration is:
ip inspect audit-trail
ip inspect max-incomplete low 150
ip inspect max-incomplete high 250
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 20
ip inspect dns-timeout 3
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 3
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 40 block-time 0
ip inspect name mgmt_fw tcp timeout 300
ip inspect name mgmt_fw udp
ip inspect name mgmt_fw tftp
ip inspect name mgmt_fw http
ip inspect name mgmt_fw fragment maximum 256 timeout 1
ip audit notify log
ip audit po max-events 100
The ISAKMP policy and preshared keys for the IPsec peers:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key A%Xr)7,_) address 172.16.224.24
crypto isakmp key A%Xr)7,_) address 172.16.224.23
!
The following access list also admits the IDS management traffic: port 45000 for CSIDS and port 5000 for the ClickNet HIDS.
! access-list 114 (11 entries): the entry bodies are not preserved in this copy
! access-list 113 (19 entries): the entry bodies are not preserved in this copy
Access list 112 permits the IPsec traffic (ESP and ISAKMP) from the edge routers 172.16.224.23 and 172.16.224.24 to 10.1.20.57, and their syslog, TFTP and NTP traffic to the management servers:
access-list 112 permit esp host 172.16.224.23 host 10.1.20.57
access-list 112 permit esp host 172.16.224.24 host 10.1.20.57
access-list 112 permit udp host 172.16.224.24 host 10.1.20.57 eq isakmp
access-list 112 permit udp host 172.16.224.23 host 10.1.20.57 eq isakmp
access-list 112 permit udp host 172.16.224.24 host 192.168.253.56 eq syslog
access-list 112 permit udp host 172.16.224.23 host 192.168.253.56 eq syslog
access-list 112 permit udp host 172.16.224.24 host 192.168.253.51 eq syslog
access-list 112 permit udp host 172.16.224.23 host 192.168.253.51 eq syslog
access-list 112 permit udp host 172.16.224.24 host 192.168.253.53 eq tftp
access-list 112 permit udp host 172.16.224.23 host 192.168.253.53 eq tftp
access-list 112 permit udp host 172.16.224.24 host 192.168.253.57 eq ntp
access-list 112 permit udp host 172.16.224.23 host 192.168.253.57 eq ntp
! five further access-list 112 entries follow in the original; their bodies are not preserved in this copy
Figure 62. Key devices: Cisco Catalyst 6500 Layer 3 switches
Figure 63. Key devices: Cisco Catalyst 6500 Layer 3 switches
EL3SW-5
This is a Layer 3 switch. VLAN 5 and VLAN 6 (R&D) are user VLANs; VLAN 7 and VLAN 8 are the corresponding IP phone VLANs. Each VLAN interface carries an inbound access list that blocks direct traffic between the user and phone VLANs:
interface Vlan5
ip address 10.1.5.5 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 10.1.6.5 255.255.255.0
ip access-group 106 in
!
interface Vlan7
ip address 10.1.7.5 255.255.255.0
ip access-group 107 in
!
interface Vlan8
ip address 10.1.8.5 255.255.255.0
ip access-group 108 in
!
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 105 permit ip 10.1.5.0 0.0.0.255 any
access-list 105 deny ip any any log
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.5.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.16.0 0.0.0.255
! the action, protocol and source fields of the following ten entries did not survive extraction;
! they are restored here from the access-list 105 pattern above and the surviving destination fields
access-list 106 permit ip 10.1.6.0 0.0.0.255 any
access-list 106 deny ip any any log
access-list 107 permit ip 10.1.7.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 107 permit ip 10.1.7.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 107 permit ip 10.1.7.0 0.0.0.255 host 10.1.11.50
access-list 107 deny ip any any log
access-list 108 permit ip 10.1.8.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 108 permit ip 10.1.8.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 108 permit ip 10.1.8.0 0.0.0.255 host 10.1.11.50
access-list 108 deny ip any any log
Figure 64. Key devices:
Cisco Catalyst 4003 Layer 2 switches
Cisco IP Phones
EL2SW-11 and EL2SW-12
These are Layer 2 access switches. Unused ports are moved into an unused VLAN and disabled, trunking is turned off on every access port, and only the uplink carries the user and IP phone VLANs as a tagged trunk:
set vlan 5 2/5,2/17
set vlan 6 2/6,2/18
set vlan 99 2/34
set vlan 999 2/1-3,2/7-16,2/19-33
set port disable 2/7-33
set trunk 2/1-34 off
set trunk 2/4 on dot1q 1,5-8
Figure 65. Key devices:
Cisco Catalyst 6500 Layer 3 switch
Cisco Catalyst 6500 Intrusion Detection Module
Cisco CallManager
ClickNet Entercept HIDS
EL3SW-1 and EL3SW-2
Private VLANs isolate the servers within the server VLAN from one another while still letting each reach the default gateway on the MSFC:
! CAT OS Config
!
#private vlans
set pvlan 11 437
set pvlan 11 437 3/3-4,3/14
set pvlan mapping 11 437 15/1
!
! MSFC Config
!
interface Vlan11
ip address 10.1.11.1 255.255.255.0
ip access-group 111 in
no ip redirects
The MSFC VLAN interfaces apply RFC 2827 filtering: each inbound access list admits only packets whose source address belongs to that VLAN's subnet.
interface Vlan11
ip address 10.1.11.1 255.255.255.0
ip access-group 111 in
!
interface Vlan15
ip address 10.1.15.1 255.255.255.0
ip access-group 115 in
!
interface Vlan16
ip address 10.1.16.1 255.255.255.0
ip access-group 116 in
ip access-group 126 out
!
access-list 111 permit ip 10.1.11.0 0.0.0.255 any
access-list 111 deny ip any any log
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any log
access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 116 deny ip any any log
access-list 126 permit ip 10.1.7.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 126 permit ip 10.1.8.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 126 permit ip 10.1.11.0 0.0.0.255 10.1.16.0 0.0.0.255
Figure 66. Key devices: Cisco Catalyst 6500 Layer 3 switch
Internet module
Figure 67. Internet module: key devices
Cisco Secure PIX Firewall
CSIDS
Catalyst 3500 Layer 2 switches
Cisco 7100 IOS router
ClickNet Entercept HIDS
Websense URL Filtering Server
EPIX-31 and EPIX-33
These are the module's PIX firewalls. Each interface carries its own access list: in is the inside interface, out the outside interface, pss the public services segment (DMZ), url the URL filtering segment and mgmt the management segment.
! 34 access-list entries for the in, out, pss, url and mgmt interfaces: the entry bodies are not preserved in this copy
EIOS-23 and EIOS-24
The HSRP (Hot Standby Router Protocol) configuration on these routers is:
interface FastEthernet0/0
ip address 172.16.226.23 255.255.255.0
standby 2 timers 5 15
standby 2 priority 110 preempt delay 2
standby 2 authentication k&>9NG@6
standby 2 ip 172.16.226.100
standby 2 track ATM4/0 50
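The `standby 2 authentication k&>9NG@6` line above uses HSRP plaintext authentication: the string is carried unencrypted in every hello packet on the segment, so anyone able to sniff that LAN learns it and can inject a higher-priority hello to take over the virtual address. The following is an added example, not part of the SAFE lab configuration, showing the same group with HSRP MD5 key-chain authentication. It keeps the page's group number, addresses and timers; the key chain name, key string and the `preempt delay minimum` form are assumptions, and HSRP MD5 authentication needs an IOS release newer than this 2001 document (12.3(2)T or later).

```cisco
! Added example: HSRP group 2 from EIOS-23 with MD5 authentication.
! Assumed: key chain name HSRP-KEYS and its key string; IOS 12.3(2)T+.
key chain HSRP-KEYS
 key 1
  key-string ReplaceWithLongRandomSecret
!
interface FastEthernet0/0
 ip address 172.16.226.23 255.255.255.0
 standby 2 timers 5 15
 standby 2 priority 110
 standby 2 preempt delay minimum 2
 ! weak form from the page, kept commented out for comparison:
 ! standby 2 authentication k&>9NG@6
 ! keyed hash over each hello; the key itself never leaves the router
 standby 2 authentication md5 key-chain HSRP-KEYS
 standby 2 ip 172.16.226.100
 standby 2 track ATM4/0 50
```

Both routers in the group need the same key chain; `show standby` should report "Authentication MD5, key-chain HSRP-KEYS" and a stable active/standby pair, and mismatched keys show up as each router believing it is active. Key chains also accept `accept-lifetime` and `send-lifetime`, which makes rotating the key possible without a failover.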
The management IPsec tunnel configuration is:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key A%Xr)7,_) address 172.16.224.57
!
crypto ipsec transform-set vpn_module_mgmt esp-3des esp-sha-hmac
!
crypto map mgmt1 100 ipsec-isakmp
set peer 172.16.224.57
set transform-set vpn_module_mgmt
match address 103
access-list 103 permit ip host 172.16.224.23 192.168.253.0 0.0.0.255
access-list 103 permit udp host 172.16.224.23 192.168.254.0 0.0.0.255
The interface access lists are:
! access-list 112 (13 entries), access-list 150 (8 entries) and access-list 160 (7 entries): the entry bodies are not preserved in this copy;
! the only surviving fields are the hosts 172.16.226.27, 172.16.226.28 and 172.16.226.48, each appearing once as a plain host match and once with eq isakmp
VPN/remote access module
Figure 68. VPN/remote access module: key devices
Cisco Secure PIX Firewall
CSIDS
Catalyst 3500 Layer 2 switches
Cisco 7100 IOS router
Cisco VPN 3060 Concentrator
Cisco IOS Access Server
ClickNet Entercept HIDS
Websense URL Filtering Server
EPIX-32 and EPIX-34
These are the module's PIX firewalls. Each interface carries its own access list: in is the inside interface, out the outside (VPN) interface, dun the dial-up segment, ravpn the remote-access VPN segment and mgmt the management segment.
! 52 access-list entries for the in, out, dun, ravpn and mgmt interfaces: the entry bodies are not preserved in this copy
NAT for the remote-access VPN users between the inside and ravpn interfaces is handled by static entries:
! eight static (inside,ravpn) entries; the address fields are not preserved in this copy
EIOS-27 and EIOS-28
These routers terminate the site-to-site (branch) VPN tunnels; their crypto configuration is:
!
! Basic Crypto Information
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 7Q!r$y$+xE address 172.16.132.2
crypto isakmp key 52TH^m&^qu address 172.16.131.2
!
!
crypto ipsec transform-set smbranch esp-3des esp-sha-hmac
mode transport
!
crypto map secure1 100 ipsec-isakmp
set peer 172.16.132.2
WAN module
Figure 69. WAN module: key devices: Cisco 3640 IOS router
EIOS-61
Its access list configuration is:
!
! Inbound from the WAN
!
access-list 110 deny ip any 192.168.253.0 0.0.0.255 log
access-list 110 deny ip any 192.168.254.0 0.0.0.255 log
access-list 110 permit ospf any any
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
, , , .
( , ,
..), , . ,
. web-, , .
.
,
, .. , . , , . .
-, . .
. . , . , , hack, crack
phreak , .
-, . , . , . , , IP- , .
, , .
. , , . , TCP/IP. . , . - (IP) . IP . , (RFC Request for Comments), , , IP. ,
IP , , , , . , IP, .
, , promiscuous mode ( , , ). , . . . ,
(Telnet, FTP, SMTP, POP3 ..), , (, ).
, . . /,
,
. ( ). ,
, , ,
. , .
:
. .
, . (OTP One-Time Passwords). , , , , . , , -,
, -, -. -
. (token) ,
( ) . , , . ,
. , (, ),
.
. . , ,
Ethernet, , , .
, .
-.
, , . , , , . - ,
. , L0pht Heavy Industries, AntiSniff: http://www.l0pht.com/antisniff/
. , . , , , ( ). Cisco IPSec. IPSec
IP.
SSH (Secure Shell) SSL (Secure Socket Layer).
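The lab configurations on this page manage the devices over Telnet (the CatOS `set ip permit ... telnet` lines and the IOS vty lines), which carries the TACACS+-authenticated credentials in the clear where the sniffer just described can read them. The following added example, not from the SAFE configurations, replaces Telnet with SSH on an IOS router and limits the vty lines to the management subnet. The hostname, domain name, ACL number and key size are assumptions; the 192.168.253.0/24 management subnet is the one used by the lab's TACACS+ and syslog servers; `ip ssh version 2` requires IOS 12.3(4)T or later, older releases only speak SSH version 1.

```cisco
! Added example: SSH-only management access on an IOS router.
! Assumed: hostname, domain name, ACL 10, 2048-bit key; 'aaa new-model'
! and the 'default' login method list are as configured earlier on this page.
hostname eios-mgmt
ip domain-name lab.example
! entered once in configuration mode; the key pair lives in NVRAM,
! not in the running-config text
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! management subnet only; everything else is logged and dropped
access-list 10 permit 192.168.253.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
 exec-timeout 5 0
```

`show ip ssh` confirms the version and that the server is enabled; the hostname and domain name must exist before the key is generated or SSH will not start. `transport input ssh` silently drops Telnet on those lines, so keep a console session open while cutting over and confirm an SSH login works before saving.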
IP-
IP- , , ,
. . -, IP-,
IP-, , . IP- . DoS, , .
IP- ,
.
, IP-. , , . , .
IP-, , .
( ) :
. IP-
. IP-, , , . ,
IP-, . , .
RFC 2827. ( ). ,
IP- . ,
RFC 2827, (ISP). ,
, . , ISP IP- 15.1.1.0/24, , ISP , 15.1.1.0/24. , ,
, . ,
, . , , RFC 2827 (10.0.0.0/8), ( ) ( 10.1.5.0/24).
IP- , :
. IP- ,
IP-. . . , .
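Worked configuration for the RFC 2827 filtering described above, as an added example that is not part of the SAFE configurations. It uses the addresses the text names: the ISP has delegated 15.1.1.0/24 to the customer, the enterprise uses 10.0.0.0/8 internally and 10.1.5.0/24 is one building subnet. Interface names, ACL numbers and the Layer 3 switch's VLAN 5 address are assumptions. Note that the SAFE lab uses 172.16.0.0/12 as its stand-in for public address space, so the line dropping that range would have to be omitted there.

```cisco
! Added example: RFC 2827 ingress/egress filtering. Interface names and
! ACL numbers are assumed; addresses are those named in the text.
!
! --- ISP router, customer-facing interface: only the customer's
! delegated block may enter the ISP network as a source address.
interface Serial0/0
 description to customer, delegated 15.1.1.0/24
 ip access-group 120 in
!
access-list 120 permit ip 15.1.1.0 0.0.0.255 any
access-list 120 deny ip any any log
!
! --- Enterprise edge router, Internet-facing interface.
! Inbound: a packet whose source claims to be our own block, an RFC 1918
! range or loopback cannot legitimately arrive from the Internet.
! Outbound: only our own (post-NAT) block may leave as a source, so a
! compromised inside host cannot launch spoofed traffic.
interface Serial0/1
 description to ISP
 ip access-group 130 in
 ip access-group 131 out
!
access-list 130 deny ip 15.1.1.0 0.0.0.255 any log
access-list 130 deny ip 10.0.0.0 0.255.255.255 any log
access-list 130 deny ip 172.16.0.0 0.15.255.255 any log
access-list 130 deny ip 192.168.0.0 0.0.255.255 any log
access-list 130 deny ip 127.0.0.0 0.255.255.255 any log
access-list 130 permit ip any 15.1.1.0 0.0.0.255
access-list 130 deny ip any any log
!
access-list 131 permit ip 15.1.1.0 0.0.0.255 any
access-list 131 deny ip any any log
!
! --- Inside: per-subnet filter on the Layer 3 switch, as the VLAN
! access lists on this page do. A packet entering from VLAN 5 must
! carry a VLAN 5 source address.
interface Vlan5
 ip address 10.1.5.1 255.255.255.0
 ip access-group 140 in
!
access-list 140 permit ip 10.1.5.0 0.0.0.255 any
access-list 140 deny ip any any log
```

With CEF enabled, `ip verify unicast reverse-path` on Serial0/1 performs the inbound spoof check from the routing table (strict unicast RPF, available from IOS 12.0); keep the explicit access list where routing is asymmetric. The hit counters that `show access-lists` reports on the deny entries are the cheapest spoofing detector available.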
DoS .
- . DoS , .
( web- FTP-) DoS , , , , . DoS -, TCP ICMP (Internet Control Message Protocol). DoS
, . , . , . , , ,
, . , DoS (DDoS distributed DoS).
DoS :
, (brute force attack),
, IP- . IP-
, ,
. (brute force attack).
, (, ). ,
, . , , ,
.
, ( ) : , . , , , ,
.
, , .
/ . , , .
, . -
. , (#, %, $ ..). , . ,
. , , ,
, .
, . , . L0phtCrack, Windows NT.
, , .
http://www.l0phtcrack.com/
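The device configurations on this page store secrets as `password 0 ...` (type 0, cleartext) and use a type 7 string for the OSPF key; type 7 is a reversible encoding, not a hash, so whoever obtains a configuration backup recovers those passwords without any cracking at all. The following added example, not from the SAFE configurations, shows the IOS settings a practitioner would use instead: one-way `secret` forms for the enable and local-user passwords, and a throttle on repeated login failures against the brute-force attacks described above. The usernames, passphrases, method-list name, ACL number and timers are assumptions; `login block-for` requires IOS 12.3(4)T or later.

```cisco
! Added example: password storage and login throttling on IOS.
! Assumed names and values; 'login block-for' needs IOS 12.3(4)T+.
!
! weak: cleartext (type 0) or reversible type 7
! enable password 0 %Z<)|z9~zq
!
! preferred: salted MD5 hash (type 5); 'enable secret' overrides
! 'enable password' when both exist, so remove the latter
enable secret 0 Use-a-long-random-passphrase-here
no enable password
!
! local account used only when TACACS+ is unreachable; stored hashed
username admin privilege 15 secret 0 Another-long-random-passphrase
aaa authentication login console_local local
!
! encode any remaining line passwords as type 7: hides them from a
! glance over the shoulder, nothing more
service password-encryption
!
! after 5 failed logins within 60 s, refuse new logins for 120 s, except
! from the management subnet so operators are not locked out during an
! attack; log both outcomes for the syslog servers
login block-for 120 attempts 5 within 60
login quiet-mode access-class 10
login on-failure log
login on-success log
access-list 10 permit 192.168.253.0 0.0.0.255
!
line con 0
 login authentication console_local
 exec-timeout 5 0
```

Type 5 is an unsalted-iteration-free MD5 variant that offline crackers of the L0phtCrack kind work through quickly, so the passphrase length is what protects it; on IOS 15.3(3)M and later, `enable algorithm-type scrypt secret ...` (type 9) is the stronger choice, and the type 4 format of some earlier 15.x releases should be avoided because it is weaker than type 5.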
Man-in-the-Middle
Man-in-the-Middle , . ,
, , , . , . , , , DoS,
.
Man-in-the-Middle .
, , . , (, ), Man-in-the-Middle .
. (sendmail, HTTP, FTP).
, , (
, ). , (). , , .
, ,
. , , web-, 80. web- web-, . ,
80.
.
. .
, , :
- - / .
:
Bugtraq (http://www.securityfocus.com) and CERT (http://www.cert.org)
().
, (IDS). IDS:
o IDS (NIDS) , . NIDS
, , / ;
o - IDS (HIDS) .
.
IDS ,
. , . IDS . IDS .
IDS , .
. - , , . DNS, - (ping sweep) . DNS , . - (ping
sweep) , DNS, , .
, , ,
. , , . , .
. , , ICMP - , -, , . , -.
, IP-. IDS , (ISP), ,
.
, . , . . DNS, SMTP HTTP. , ,
. ,
, , . ,
.
.
, , . , , IP-, .
, , . , .
(DMZ), , . , .
, , . , , . ,
, netcat. http://www.avian.org
(. ). , - IDS
(HIDS).
.
. Telnet, Telnet . Telnet authorization required to use this
resource ( ). ,
. , .
.
. Telnet ,
web- . , . , .
. ,
. , command.com ( Windows) , command.com. , , , . , , . ,
, . , .
,
, , . . . .
?
,
, . RFC 2196 (
) :
, ,
.
. RFC 2196
. , web-:
, . ,
. ,
. , , .
.
. , . : , .
( ). . , IP. , ,
.
HIDS. . ,
.
, -, .
NIDS. . , , . , . ( )
(), 7.
IOS. . Cisco IOS.
IOS. , .
.
2. (VLAN) Ethernet. Ethernet
10/100 Gigabit Ethernet, VLAN 2.
3. , 2, , (QoS) . 3 .
. .
, .
SMTP. , SMTP. ( ).
: , ,
.
URL. , . URL, , , . , , .
VPN. IPSec,
VPN . , (WAN) , .
. , . , IP-,
..
Cisco
References (RFCs and other sources)
RFC 2196, Site Security Handbook: http://www.ietf.org/rfc/rfc2196.txt
RFC 1918, Address Allocation for Private Internets: http://www.ietf.org/rfc/rfc1918.txt
RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing: http://www.ietf.org/rfc/rfc2827.txt
VLAN Security Test Report: http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
AntiSniff: http://www.l0pht.com/antisniff/
L0phtCrack: http://www.l0pht.com/l0phtcrack/
Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html
Computer Emergency Response Team (CERT): http://www.cert.org
Security Focus (Bugtraq): http://www.securityfocus.com
Avian Research (netcat): http://www.avian.org
University of Illinois Security Policy: http://www.aits.uillinois.edu/security/securestandards.html
Design and Implementation of the Corporate Security Policy: http://www.knowcisco.com/content/1578700434/ch06.shtml
ClickNet Entercept Host-Based IDS: http://www.clicknet.com
RSA SecurID OTP System: http://www.rsasecurity.com/products/securid/
Content Technologies MIMESweeper Email Filtering System: http://www.contenttechnologies.com
Websense URL Filtering: http://www.websense.com/products/integrations/ciscopix.cfm
netForensics Syslog Analysis: http://www.netforensics.com/
Cisco Systems, Inc.
Tel.: +7 (095) 961 14 10
Fax: +7 (095) 961 14 69
World Wide Web: www.cisco.com
World Wide Web: www.cisco.ru
Cisco Systems, Inc.
Tel.: +380 (44) 490-12-06/46
Fax: +380 (44) 490-12-00
www.cisco.ua
Copyright 2001 Cisco Systems Inc. All rights reserved. Printed in Russia. Cisco IOS is the trademark; and Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks
of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.