
681

. , ., ... ______________
.. ___ ________ 2006 .

,
.

. .

,
1411

. .

-2006


, 64 , 26 , 2 , 19 .

,
, ,
, CISCO SAFE, ,
, CAM OVERFLOW,
MAC ADDRESS MANIPULATION, PACKET SNIFFER SDK


.
, Cisco,

.
,
, ,

-
-
.

,
2- .

Introduction  4
1.  5
1.1.  5
1.2.  7
1.2.1.  7
1.2.2.  8
1.2.3. 2-  14
1.3.  15
1.3.1.  15
1.3.2.  18
1.3.3. VPN  21
1.4. Cisco SAFE  22
1.4.1.  22
1.4.2.  22
1.4.3.  26
2.  32
2.1. . .  32
2.2.  34
2.3. 2  38
2.4. 3  43
2.5.  49
2.6.  50
3.  52
3.1. Packet Sniffer SDK  52
3.2.  53
3.3.  54
Conclusion  57
References  58
Appendix 1.  59
Appendix 2.  62

.
.
, , ,
ISP, .
,
.
.
, ( )
, ,
,
.
,
, .

.
(
) . ,
, ,
.
,
Cisco, ,
2- .

1. .
1.1 .
, ! [1] Cisco (Cisco
Security Wheel) (. . 1).

. 1 Cisco Security Wheel



(Corporate Security Policy), : Secure
( ), Monitor (), Test (), Improve (
).
[4], ,
, :
1.
2.
3.
4.
5.
6. , , , ,
7.
,
, [4],
,
, , , ,
[8].

, , , :
1. (Remote Access Policy)
2. (Authentication Policy)
5

3. (Antivirus Policy)
4. (Password Policy) .
, , ()
. , ([11])
Cisco SAP ,
.
(.
), .
, ,
, .
Secure ,
.
Monitor
,
.
Test ,
.
, .
Improve , ,
, .
:
, , , , IP ..
,
.
, .
, ,
.
. , .
3 .
TCP/IP
. ,
. ,
.

, ,
.

, .

1.2 .
1.2.1. .

- .

. ,
. ,
. ,
(MTBF mean time between fail) 99.999% [12]. 1
11 .
-
.
:
(unstructured threats)
(structured threats)
(internal threats)
(external threats)
,
.
, , .

,
.
, .
.
, ,
( ).
,
, ,
. [1]
.
, (
, ).
:
(reconnaissance attack)
(access attack)
(DoS attack)
(data manipulation attack)
. ,
, L0pht

Crack, PWLVIEW, Pwlhack, PWL_Key, ntPassword; : NMAP, SATAN,


Portscanner, Strobe.
(,
SNMP , ).
1.2.2.
.
.
,
, promiscuous mode ( ,
,
). ,
.
. .
,
(Telnet, FTP, SMTP, POP3 ..), ,
(, ).
,
.
.
/,
,
.
:
.
. (OTP One-Time
Passwords). ,
, , , .
, , -,
, -, -.
- .
(token) , (
) .
, ,
. ,
.
, (,
), .
.
. ,
, Ethernet,
, , (
). , ,
, (ARP-, ).
-.
, , .
, ,

, . ,
. , L0pht
Heavy Industries, AntiSniff.
.
. Cisco
IPSec. IPSec
IP.
SSH (Secure Shell) SSL (Secure Socket Layer).
IP-.
IP- , , ,
. . , IP-,
IP-, ,
. IP-
. DoS,
, . IP-
,
.
, IP-.
, ,
.
( ) :
IP-.
.
IP-, ,
, .
, .
RFC 2827.
( ).
,
IP- . ,
RFC 2827, (ISP). ,
, .
. IP- ,
IP-.
.
(Denial of Service DoS).
DoS .
. ,
. DoS :
TCP SYN Flood
Ping of Death
Tribe Flood Network (TFN) Tribe Flood Network 2000 (TFN2K)

Trinco
Stacheldracht
Trinity

DoS .
- . DoS

, .
( web- FTP-) DoS
, , ,
, . DoS
-, TCP ICMP.
DoS ,
.
,
.
: DDoS (distributed denial of service)
DRDoS (distributed deflection denial of service)
.
DDoS ,
, - (Zombie),
(Zombie-master), .
() ( ,
). ,
( ).
DRDoS
TCP . (
) - (ping) TCP
() , .
,
.

)
)
. 2. DoS, ) DDoS, ) DRDoS


DoS :
-. -
DoS. ,
, RFC 2827.
, .
-DoS. -DoS
.
.
(traffic rate limiting). ,
, ,
, .
ICMP.
(SLA service level agreement),
(CAR committed access rate). [2]
.
,
(brute force attack), , IP- .
, , ,
, ,
.
, ,
. /
. , ,
.
, .
.
, (#, %, $ ..).
,
. L0phtCrack,
Windows NT.
, , .
.
.

(sendmail, HTTP, FTP). ,
, .
,
().
, , .
,
, . ,
, web-,
80. web- web-,
. ,
.

.
.
. ,
, :
1. - -,
.
2.
: Bugtrad (http://www.securityfocus.com) CERT (http://www.cert.com).
3.
().
4. - (IDS).
.

. - , ,
.
DNS, - (ping sweep) . DNS
,
. - (ping sweep) , DNS,
, . ,
, ,
. , , ,
. ,
.
. , ,
ICMP , -,
, . ,
-. ,
IP-. IDS

,
(ISP), , .
.
, .
,
.
.
DNS, SMTP HTTP.
, ,
.
,
, , .

, .

. ,

,
[4].
, , IP, .
.
,
,
.
, .
(DMZ), ,
.
, . ,
, .
, ,
.
, , netcat.

. ,
- IDS (HIDS).
.

. elnet, elnet
. elnet
authorization required to use this resource (
). ,
. ,
.
.

.
,
.
.

.
, , , .

.
.
.
IAS (Intelligent
Application Switching) [10]. .
IAS , .

, [10], ,
IAS, 20% .
.
, ,
.
, .
, , ,
- .

, .
1.2.3 .
2- . ,
.
APR- -.
,
. .
, .
(, angst) .
man-in-the-middle. arp, arp forwanding , , arp , mac- ip- .
MAC .
() , (hub).
,
.
STP.

STP (BPDU bridge protocol data unit)
VLAN .
2- , STP,
.
,
, DoS.
STP- Cisco
:
BPDU (bpdu filter)
.

. - STP.

HSRP.
HSRP (Hot Standby Router Protocol)
, IP .
(multicast) (224.0.0.2).
, .
HSRP- ,
:
a) ,
DoS
b)
IPSec
HSRP. IOS 12.3(2) MD5 .
HSRP STP Irpas.
DTP VTP.
.
DTP. ,
, ,
.

VTP. , VLAN VTP-,


.
DTP . ,
, . :
a)

( , OSPF EIGRP)
b)
VTP, VLAN
c)
ARP
,
.

1.3 .
1.3.1 .
S/Key
S/Key, RFC 1760,
MD4 MD5.
.
S/Key /,
, . ,
.

S/Key, ,
(seed).
, :



,
, .
, , -
64- .
- ,
.
-.
64-
.
.
Token Password Authentication.

: - .
,
(PIN).
,
, .
. ,
, ,
. , .

,

. ,
. PIN
, ,
. .
PPP.
PPP ,
. :

Link Control Protocol (LCP), ,

Network Control Protocols (NCP)


,
LCP
. ,
, PPP .
PAP (Password Authentication Protocol)
. ,
, . ,

.
CHAP (Challenge Handshake Authentication Protocol)

.
, .
CHAP ,
. .
,
(ID), (
) ( ).
-,
, .
,
.
.
, .
, ,
, LCP .
PPP EAP (Extensible Authentication Protocol)
PPP, (MD5, S/Key,
..).
.
TACACS+.
TACACS+ TCP.
49, RFC
UDP TCP.
TACACS+ /,
NAS (Network Access Server), .
TACACS+ ,
(AAA Authentication, Authorization, Accounting).
, ,
, TACACS+ ,
PPP PAP, PPP CHAP, Kerberos.
. , .

, .
. TACACS+
.

RADIUS.
RADIUS (RFC 2058, 2059) /.
NAS, .
RADIUS,
. RADIUS ,
,
.
(Access Request),
NAS RADIUS,
. , ,
.
().
RADIUS
.
RADIUS
, . ,
,
.
1.3.2 .
SSL.
SSL (Secure Socket Layer) ,
Netscape. (HTTP,
Telnet, NNTP, FTP,) TCP/IP,
, , ( )
TCP/IP.
,
. SSL
: TCP
SSL Record Protocol.
, SSL Handshake Protocol,

.
SSL , :

, .
(, DES, RC4 ..).
,
(, RSA, DSS ..).

,
- (SHA, MD5 ..).
SSL HTTP.
, .

SSH.
Secure Shell (SSH)
. ,
TCP/IP X11. SSH
, .
.
SSH
,
(DNSSEC, X.509 .).
SSH :
, ,
,
, .
,
.
, ,
.
IDEA, 3DES, DES, RC4-128,
Blowfish, AES. RSA, ,
, ( ).
S-HTTP.
S-HTTP
.
. S-HTTP
,
.
S-HTTP (end-to-end) ,
HTTP, ,
,
.
S-HTTP ,
RSA Digital Signature Standard [DSA] , DES RC2
..
.
SOCKS.
SOCKS v4
/, TCP, Telnet, FTP
, HTTP, Wide Area Information Server
(WAIS) GOPHER. SOCKS v5, RFC 1928, UDP (
[4]), ,


,
, IP v6.
SOCKS
, SOCKS (
), (
1080/TCP). SOCKS
, . SOCKS
,
.
, SOCKS.
SOCKS , -
SOCKS (
SOCKS- ). ,
(Telnet, FTP, finger, whois) SOCKS-,
SOCKS .
IPSec.
IP.
IPSec , RFC
2401 2412.
IPSec :
ESP (Encrypting Security Payload), , IKE (Internet Key Exchange),
.
IPSec: .
IP-,
. ,
, .

.
VPN. (,
)
.
X.509
X.509

CA (Certificate Authority).
: ,
. , ,
, , (
).
, ,
. ,
CA .
-. , ,

CA.
.
CRL .
CA .
CRL .
- (,
),
,
CRL, , .
1.3.3 VPN.
L2F.
(Layer 2 Forwarding L2F)
Cisco Systems.
( HDLC, async HDLC SLIP)
, , IP.
,
, , ,
(SLIP, PPP),
.
L2F ,
IP, IPX AppleTalk
SLIP/PPP .
PPTP.
Point-to-Point Tunneling Protocol (PPTP)
Microsoft. PPP,
. /,
, NAS (Network
Access Server), (VPN). PPTP (PNS
PPTP Network Server)
, , PPTP (PAC PPTP
Access Concentrator), .
PPTP ,

(PSTN) ISDN
. PPTP GRE (Generic
Routing Encapsulation) PPP,
. PPTP
IPSec.
L2TP.
L2F PPTP . Cisco
Microsoft ( IETF) ,
(Layer 2 Tunneling Protocol

L2TP).
(L2F PPTP), L2TP.

1.4 Cisco SAFE


1.4.1
SAFE ,
.
.
,
.
,
. [1,4,5] .

. 3. SAFE.
1.4.2 .
.

SAFE.
- .

:
1. SNMP
SNMP
2. NIDS NIDS
3. () Syslog NIDS
4.

5. ,

6.

7. NIDS

8. 2
.

. 4. .
,
,
VPN. , , ,
. , ,
, .
,
IPSec .
.
.
,
.
, ,
IPSec, .


, .
,
.
,
. , HIDS NIDS,
.
,
.
, private
VLAN .

(syslog). Syslog
.

.

.
3.

. 5. ( , ).
SAFE .
,
.
.
,
, QoS .
().
.
3 .

, .



.
.
.
:
1. 2
2.
3. IP-

. 6. .
.
2- (port-security,
..).
.

. IDS,
3.
:
1. 3
2. CallManager IP, .
3.
, DNS.
4. SMTP
POP3.
HIDS, NIDS,
(PVLAN),
(
).


. 7. .
NIDS ,
,
. , , ,
SMTP, Telnet, FTP WWW.
.

. .
:
3
.

.
,

.
3,
,
.
,
.
,
.
1.4.3 .
.
-
, .
VPN .

:
1. SMTP ,
.
2. DNS DNS ,
.
3. FTP/HTTP .
4.
.
5. NIDS
47.
6. URL URL,
.
,
.
.
ISP, CAR (
), (D)DoS. ,
ISP RFC 1918 2827,
.

, IP- .
IPSec, VPN/ , .

. 8. .
NIDS, ,
, 47

. ISP
, NIDS
. NIDS
, ,
. , ,
, .

.
TCP_SYN
.
URL-
WWW ( ).

URL, URL-
,

(HTTP, FTP, SMTP ..).
VPN .

: VPN ,
VPN .
:
1. VPN
XAUTH IPSec.
2. VPN
GRE/IPSec.
3.
TACACS+ .
4.
.
5. NIDS
47.
VPN
VPN ,
-.
IP- , VPN.

(IPSec, PPTP, L2TP). VPN
IKE. XAUTH,
IKE, ,
- IP. VPN

.
.

.
IP- MODCFG, IKE.
VPN ,
VPN.


, .
1
CHAP.
. IP-,
IP- .

. 9. VPN .
VPN
VPN, , GRE,
IPSec ESP
(Encapsulated Security Payload).
ESP IKE.

GRE

, .
.
VPN ,

3DES SHAHMAC.
VPN IPSec.



,
. ,
.
NIDS
, VPN.
IPSec (IKE/ESP).
WAN.
.

. 10. WAN
, -
.
IOS. ,
, .
.

3 .
:
1. Web-
.
2. ,
web-.
3. ,
.
4. .
5. NIDS
.
6. 3 ISP
.


. 11. .
VPN.
.
.


2.
.
2.1 . . .
- - :
1. 30
2.
3. (WiFi)
4.
802.11.
5.
6.

. 12. - .

,
12.
VLAN-,
,
.
, (
IP-), , QoS,
.
( IP), QoS .

:
Cisco 2811 Integrated Services Router
Cisco 2960 Catalyst Switch
Cisco Aironet 1231 Access Point
Cisco 2811 Router[19]:
( )


90
2 10/100 Fast Ethernet
PoE (Power over Ethernet - Ethernet)

SDM (Security Device Manager)
1500 VPN AIM-EPII-PLUS
NAC (Network Admission Control)
IPS (Intrusion
Preventing System)
(IOS Firewall)


Cisco CME (CallManager Express)
( 36 IP-)
SRST (Survivable Remote Site Telephony)
( 36 IP-)
Cisco 2960 Catalyst Switch[20]:
, NAC (Network Admission Control)
QoS
48 10/100 Fast Ethernet
2 Gigabit Ethernet
Cisco Aironet 1231 Access Point[21]:
IEEE 802.11a/b/g
Ethernet

VLAN 1   Management  192.168.0.0/24
VLAN 10  Data        192.168.10.0/24
VLAN 20  Voice       192.168.20.0/24
VLAN 30  HotSpot     192.168.30.0/24
VLAN 40  Unused
VLAN 50  DMZ         217.80.159.0/29

Management VLAN,
RADIUS .


(
IP-)


VLAN
(

)
(
, Proxy-).

2.2 .
,
.
:
1. ACS (access control server) ,
.
2. (, , )
ACS , .
3. .
.
[1]:
1.
2. (,
, ).
3. .
4. .
Router#conf terminal
Router(config)#aaa new-model
Router(config)#username test privilege 15 secret test
Router(config)#aaa authentication login logina1 local
Router(config)#aaa authorization exec execa2 local
Router(config)#line vty 0 4
Router(config-line)#login authentication logina1
Router(config-line)#authorization exec execa2
ACS .
1.
2.
3.
4.
5.
6.

[1]:
ACS .
.
.
ACS (, ).
.
.

Router#conf terminal
Router(config)#aaa new-model
Router(config)#radius-server host 192.168.5.100 key test
Router(config)#username test privilege 15 secret test
Router(config)#aaa authentication login logina1 group radius
Router(config)#aaa authorization exec execa2 group radius
Router(config)#aaa accounting exec execa3 wait-start group radius
Router(config)#line vty 0 4
Router(config-line)#login authentication logina1
Router(config-line)#authorization exec execa2
Router(config-line)#accounting exec execa3
ACS , (,
).
[15, 18]:
1. RADIUS .
2. NAS (Network Access Server),
.
3. ().
4. , .
5. NAS ,
ACS .
6. .
7. .
AP1# configure terminal
AP1(config)# radius-server local
AP1(config-radsrv)# nas 192.168.0.252 key test
AP1(config-radsrv)# nas 192.168.0.251 key test
AP1(config-radsrv)# nas 192.168.0.250 key test
AP1(config-radsrv)# group voicegroup
AP1(config-radsrv-group)# vlan 20
AP1(config-radsrv-group)# ssid voice
AP1(config-radsrv-group)# reauthentication time 1800
AP1(config-radsrv-group)# group hotspotgroup
AP1(config-radsrv-group)# vlan 30
AP1(config-radsrv-group)# ssid hotspot
AP1(config-radsrv-group)# reauthentication time 1800
AP1(config-radsrv-group)# exit
AP1(config-radsrv)# user test password test group voicegroup
AP1(config-radsrv)# exit
AP1(config)# radius-server host 192.168.0.252 key test
.
ACS , .
, , ACS

.


.

.
(
)
802.1.

. ,
802.1
.
.
[6, 16]:
1. 802.1
2. , ,
.
3. 802.1
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-host
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period 60
Switch(config-if)# dot1x timeout quiet-period 60
Switch(config-if)# dot1x max-reauth-req 5




.
Management .
, http telnet.
http :
Router#conf terminal
Router(config)#no ip http server
S-HTTP.
.
Router(config)#ip http secure-server
Router(config)#ip http authentication local
telnet ssh.
ssh, telnet .
.
Router(config)#line vty 0 4
Router(config-line)#transport input ssh
Router(config-line)#login authentication logina1
.
, .
:
Router(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Router(config)#access-list 101 deny ip 192.168.0.0 0.0.0.255 any
Router(config)#access-list 101 deny ip any 192.168.0.0 0.0.0.255
: (, ,
) . VLAN
( ).
(
2 ), .

.
.
,

.
.


2.3 2 .
2- ,
2- 3- .
-, -, ..
. ,
(. . 13).

. 13. .
,
. 2 ,
. 1 ,
, -. 2

- .
, - ,
2, 1,
. , .
-.
, . ,
, .
, , ,
.
,
port-security, Cisco.
,
,
, .

:
1. errdisable,
, errdisable recovery.
2. , -,
, .
- .
3. -.

-, .. errdisable .
. ,
.
-,

.
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#switchport port-security aging static
Switch(config-if)#switchport port-security aging type inactivity
Switch(config-if)#switchport port-security aging time 1
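The following is an added example and not code from the thesis or from Cisco: a small model of a switch's MAC address (CAM) table, of the CAM-overflow flood described in sections 1.2.3 and 3.2, and of what the port-security configuration above (maximum 1, violation protect) does to that flood. The CAM capacity of 8192 entries, the port numbers and the MAC addresses are assumptions chosen for illustration.

```cpp
// Added example (not the thesis's code): CAM table model, CAM-overflow flood,
// and the effect of "switchport port-security maximum 1 / violation protect".
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <random>
#include <set>

using Mac = std::array<uint8_t, 6>;

struct SwitchModel {
    size_t cam_capacity;                  // assumed CAM size (8K entries, as for the D-Link in section 3.3)
    std::map<Mac, int> cam;               // learned source MAC -> port
    std::map<int, size_t> max_secure;     // port -> port-security "maximum"; absent = port-security off
    std::map<int, std::set<Mac>> secure;  // port -> secure MACs seen so far
    std::map<int, size_t> violations;     // port -> frames silently dropped by "violation protect"

    // A frame with source `src` arrives on `port`. Returns false when
    // port-security discards it (protect mode: drop, port stays up).
    bool ingress(const Mac& src, int port) {
        auto ms = max_secure.find(port);
        if (ms != max_secure.end()) {
            std::set<Mac>& seen = secure[port];
            if (!seen.count(src)) {
                if (seen.size() >= ms->second) { ++violations[port]; return false; }
                seen.insert(src);
            }
        }
        // Normal learning: an unknown source is added only while the table has room.
        if (cam.count(src) || cam.size() < cam_capacity) cam[src] = port;
        return true;
    }

    // Forwarding decision for a unicast frame to `dst` received on `in_port`:
    // known destination -> its port; unknown destination -> flooded to every
    // other port, which is what lets the attacker on a full switch see unicast traffic.
    std::set<int> egress(const Mac& dst, int in_port, const std::set<int>& all_ports) const {
        auto it = cam.find(dst);
        if (it != cam.end()) return std::set<int>{it->second};
        std::set<int> out = all_ports;
        out.erase(in_port);
        return out;
    }
};

// The "Random Dynamic" source mode of section 3.2: `n` frames, each with a new
// random locally-administered unicast source MAC, injected on `port`.
// Returns how many of them were learned into the CAM table.
size_t cam_overflow(SwitchModel& sw, int port, size_t n, uint32_t seed) {
    std::mt19937 rng(seed);
    size_t learned = 0;
    for (size_t i = 0; i < n; ++i) {
        Mac m;
        for (uint8_t& b : m) b = static_cast<uint8_t>(rng());
        m[0] = static_cast<uint8_t>((m[0] | 0x02) & 0xFE);  // locally administered, not multicast
        size_t before = sw.cam.size();
        sw.ingress(m, port);
        if (sw.cam.size() > before) ++learned;
    }
    return learned;
}

// Assumed scenario: server on port 1, victim on port 2, attacker on port 3.
// The attacker fills the table, the victim's entry ages out, the attacker takes
// the freed slot before the victim speaks again. Returns true if the attacker's
// port now receives the server->victim frame.
bool attacker_sees_victim_traffic(bool port_security_on_attacker_port) {
    SwitchModel sw{8192};
    if (port_security_on_attacker_port) sw.max_secure[3] = 1;  // switchport port-security maximum 1
    const Mac server{0x00, 0x10, 0x11, 0x00, 0x00, 0x01};
    const Mac victim{0x00, 0x10, 0x11, 0x00, 0x00, 0x02};
    const std::set<int> ports{1, 2, 3};
    sw.ingress(server, 1);
    sw.ingress(victim, 2);
    cam_overflow(sw, 3, 10000, 1);   // flood until the table is full
    sw.cam.erase(victim);            // victim's entry ages out (default 300 s)
    cam_overflow(sw, 3, 10, 2);      // attacker keeps flooding and reoccupies the free slot
    sw.ingress(victim, 2);           // victim transmits: relearned only if there is room
    std::set<int> out = sw.egress(victim, 1, ports);
    return out.count(3) > 0;
}

int main() {
    std::printf("no port-security:      attacker sees victim traffic = %d\n", attacker_sees_victim_traffic(false));
    std::printf("port-security max 1:   attacker sees victim traffic = %d\n", attacker_sees_victim_traffic(true));
    return 0;
}
```

With port-security switched on, only the attacker's first source address is admitted; every later frame counts as a violation and the table never fills, so the victim is relearned normally and nothing is flooded to the attacker's port. Note that protect mode gives no log message, which is why the thesis pairs it with aging rather than with the default shutdown (errdisable) behaviour.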
. port-security
.
-, VTP.
VLAN-,
VTP-. VTP
.
Switch#vlan database
Switch(vlan)#vtp password test
Switch(vlan)#apply
VTP 3 :
, , VLAN-,
, .
, VLAN-,
.
, ,
VLAN-, VTP ,
.
VTP,
transparent () VLAN
.


Switch#vlan database
Switch(vlan)#vtp mode transparent
, ()
(. 1.2.3 DTP). ,
DTP
802.1q. , , ,
VLAN, VTP .
2 ( , 1.2.3),
VLAN-.
,
2 802.1q (. . 14).

. 14. 802.1q.
, ,
.
, . ,
802.1q VLAN, , .

.
( ), VLAN
unused, (access).
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 40
Switch(config-if)#shut
access
VLAN. DTP.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport nonegotiate


, ,
VLAN.
, VLAN .
Switch(config-if)#switchport access vlan 40
2- CDP,
.
#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID          Local Intrfce   Holdtme   Capability   Platform   Port ID
device1.cisco.com  Eth 0/1         122       T S          WS-C2900   2/11
device2.cisco.com  Eth 0/1         179       R            4500       Eth 0
device3.cisco.com  Eth 0/1         155       R            2500       Eth 0
device4.cisco.com  Eth 0/1         155       R            2509       Eth 0

#show cdp neighbors detail:
Device ID: device2.cisco.com
Entry address(es):
  IP address: 171.68.162.134
Platform: cisco 4500, Capabilities: Router
Interface: Ethernet0/1, Port ID (outgoing port): Ethernet0
Holdtime : 156 sec
Version :
Cisco Internetwork Operating System Software
IOS(tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1997 by Cisco Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by dschwart
, .
CDP .
Switch(config)#no cdp run
.
. STP
.

.
BPDU (Bridge Protocol Data Unit),
(. 1.2.3). STP
, , ,
STP, (DoS ).
STP
VLAN-.

Switch(config)#no spanning-tree vlan 10
Switch(config)#no spanning-tree vlan 20
Switch(config)#no spanning-tree vlan 30
Switch(config)#no spanning-tree vlan 40
Switch(config)#no spanning-tree vlan 50
, STP bpdufilter.
, ..
, , ,
BPDU.
Switch(config-if)#spanning-tree bpdufilter enable
DHCP
HotSpot, Data, Voice.
, DHCP.
, .
DHCP .
, ,
DHCP request, .
- DHCP .
DHCP .
DHCP
Snooping. DHCP ,
, , .. ,
DHCP .
[14]:
1. DHCP snooping .
2. VLAN-, .
3. (, , -)
4. .
5. DHCP .
ip dhcp snooping
ip dhcp snooping vlan 20
ip dhcp snooping information option
ip dhcp snooping verify mac-address
! FastEthernet0/1 is the uplink towards the DHCP server: the only trusted port
interface FastEthernet0/1
 ip dhcp snooping trust
 ip dhcp snooping limit rate 200
! on every untrusted access port
 ip dhcp snooping limit rate 20

(private VLAN).
[6]:
1. Private VLANs.

2. VLAN .
3. , .
Switch(config)# vlan 51
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 50
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 51
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 50 51
3- ( Cisco
Catalyst Switch 2960 ),
.
- -
, ,
.
stormcontrol, .

5 % .
. ,
, ,
errdisable .
Switch(config-if)# storm-control broadcast level 5

2.4 3 .
3-
IPS (Intrusion Preventing System).
Cisco IOS IPS , ,
.
, - SDEE
(Security Device Event Exchange).
IPS :
1. syslog
2.
3.
4. IP
.
SDF (Signature Detection File).
XML. :


<entry nda="false" dontDelete="true">
<var name="SigName" default="HTTP 1.1 Chunked Encoding Transfer" protected="true"></var>
<var name="SIGID" default="5245" protected="true"></var>
<var name="SubSig" default="0" protected="true"></var>
<var name="AlarmSeverity" default="medium"></var>
<var name="Enabled" default="True"></var>
<var name="EventAction" default="alarm|drop|reset"></var>
<var name="SigVersion" default="S21"></var>
<var name="SigStringInfo" default="Transfer-Encoding: chunked"></var>
<var name="AlarmThrottle" default="Summarize"></var>
<var name="MinHits" default="1"></var>
<var name="Protocol" default="TCP"></var>
<var name="StorageKey" default="STREAM"></var>
<var name="SummaryKey" default="AaBb"></var>
<var name="ThrottleInterval" default="15"></var>
<var name="DeObfuscate" default="True" protected="true"></var>
<var name="HeaderRegex" default="[Tt][Rr][Aa][Nn][Ss][Ff][Ee][Rr][Ee][Nn][Cc][Oo][Dd][Ii][Nn][Gg][:][ /t]?[Cc][Hh][Uu][Nn][Kk][Ee][Dd]" protected="true"></var>
<var name="ServicePorts" default="80,3128,8000,8010,8080,8888,24326"></var>
</entry>
sdf ,
IPS , EventAction.
. reset drop , , ..
.
, ,
tftp. tftp-server . :
copy flash tftp sdf
copy tftp flash
1.
2.
3.
4.

IPS [17,22]:
IPS sdf
IPS
SDEE .
IPS .

Router(config)#ip ips sdf location flash:128MB.sdf
Router(config)#ip ips name testIPS
Router(config)#ip ips notify SDEE
Router(config)#ip sdee messages 111
Router(config)#ip sdee alerts 555
Router(config)#interface fast 0/1
Router(config-if)#ip ips testIPS in
Router(config-if)#ip ips testIPS out


web-
TCP TCP intercept.
DoS TCP SYN FLOOD.
2 TCP intercept:
(intercept) ,
, .
, , .
.
, .
(watch)
, .
[17, 23]:
1. ,
, .
2. ACL TCP Intercept.
3. (intercept watch)
4. ( )
5. .
Router(config)#access-list 125 permit tcp any host 217.80.159.1
Router(config)#ip tcp intercept list 125
Router(config)#ip tcp intercept mode intercept
Router(config)#ip tcp intercept drop-mode oldest
Router(config)#ip tcp intercept watch-timeout 30
Router(config)#ip tcp intercept connection-timeout 10
Router(config)#ip tcp intercept max-incomplete high 100
Router(config)#ip tcp intercept max-incomplete low 20
Router(config)#ip tcp intercept one-minute high 50
Router(config)#ip tcp intercept one-minute low 10
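The following is an added example, not code from the thesis or from Cisco IOS: a model of the aggressive mode of TCP intercept with exactly the watermarks configured above (max-incomplete 100/20, one-minute 50/10, drop-mode oldest). Time is counted in whole seconds and connections are identified by opaque integers; both are simplifications of the model.

```cpp
// Added example (not the thesis's code): TCP intercept watermarks and
// aggressive mode, modelled with the values from the configuration above.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <deque>

struct TcpIntercept {
    size_t max_incomplete_high = 100, max_incomplete_low = 20;  // ip tcp intercept max-incomplete high/low
    size_t one_minute_high = 50, one_minute_low = 10;           // ip tcp intercept one-minute high/low
    std::deque<int> half_open;   // embryonic (incomplete) connections, oldest first
    std::deque<int> syn_times;   // arrival times of the connection attempts of the last minute
    bool aggressive = false;     // aggressive mode active
    size_t dropped = 0;          // oldest embryonic connections discarded (drop-mode oldest)

    // Aggressive mode starts when either high watermark is exceeded and ends
    // only when both counters have fallen below their low watermarks.
    void update_mode(int now) {
        while (!syn_times.empty() && syn_times.front() <= now - 60) syn_times.pop_front();
        if (!aggressive && (half_open.size() > max_incomplete_high || syn_times.size() > one_minute_high))
            aggressive = true;
        else if (aggressive && half_open.size() < max_incomplete_low && syn_times.size() < one_minute_low)
            aggressive = false;
    }

    // A client SYN for connection `id` arrives at time `now`. In aggressive
    // mode every new attempt evicts the oldest embryonic connection.
    void on_syn(int now, int id) {
        syn_times.push_back(now);
        update_mode(now);
        if (aggressive && !half_open.empty()) { half_open.pop_front(); ++dropped; }
        half_open.push_back(id);
    }

    // The client's final ACK completes the handshake: no longer embryonic.
    void on_ack(int id) {
        auto it = std::find(half_open.begin(), half_open.end(), id);
        if (it != half_open.end()) half_open.erase(it);
    }
};

// SYN flood: `n` attempts within one second, none of them completed.
TcpIntercept syn_flood(size_t n) {
    TcpIntercept ti;
    for (size_t i = 0; i < n; ++i) ti.on_syn(0, static_cast<int>(i));
    return ti;
}

// Legitimate burst: `n` clients connect within one second and complete their
// handshakes at once. Nothing is dropped, but the one-minute watermark of 50
// still puts the router into aggressive mode.
TcpIntercept legit_burst(size_t n) {
    TcpIntercept ti;
    for (size_t i = 0; i < n; ++i) { ti.on_syn(0, static_cast<int>(i)); ti.on_ack(static_cast<int>(i)); }
    return ti;
}

int main() {
    TcpIntercept flood = syn_flood(200);
    std::printf("flood of 200 SYNs: aggressive=%d dropped=%zu half-open=%zu\n",
                flood.aggressive, flood.dropped, flood.half_open.size());
    TcpIntercept burst = legit_burst(60);
    std::printf("burst of 60 handshakes: aggressive=%d dropped=%zu\n", burst.aggressive, burst.dropped);
    return 0;
}
```

Two things the model makes visible about the values chosen above: the one-minute high watermark (50) is lower than the max-incomplete high watermark (100), so in any burst the rate threshold trips first; and because the rate counts all attempts, not only incomplete ones, 51 legitimate connections inside a minute already switch a public web server into aggressive mode. The watermarks should be sized from the server's real connection rate before the router is put in front of it.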


Reflexive ACL. .
Reflexive ACL .
Reflexive ACL ,
. ,
, . Reflexive
ACL .
,
:
1. permit-
2. , .
3. , .
4. , ( TCP UDP).
ICMP .
5. .
6. , .
, , ,
.
[17, 24]:
1. ACL , ,
.
2. ACL ,
, 1.
3. .
4. .
ip access-list extended OutBoundFilter
permit tcp any any reflect TCPtrafic
ip access-list extended InBoundFilter
evaluate TCPtrafic
! /
deny ip any any
ip reflexive-list timeout 180
CBAC (Context-Based Access
Control). CBAC TCP UDP ,
. Java,
SMTP, ,
,
( ).
CBAC .
(. 15.)


. 15. .
Reflexive ACL .
, :
1. .
2. , .
3. , .
3 DoS :
1. TCP UDP .
2. .
3. TCP-, .

, TCP
SYN.
TCP, UDP, FTP,
Java-
.
[17, 25]:
1. .
2. ,
.
3. .
4. .
5. .
ip inspect max-incomplete low 200
ip inspect max-incomplete high 400
ip inspect one-minute low 100
ip inspect one-minute high 400
ip inspect udp idle-time 20
ip inspect dns-timeout 6
ip inspect tcp idle-time 600
ip inspect tcp finwait-time 6
ip inspect tcp synwait-time 18
ip inspect tcp max-incomplete host 20 block-time 0
ip inspect name testinspect ftp timeout 20
ip inspect name testinspect http java-list 10
ip inspect name testinspect tcp
ip inspect name testinspect udp
ip inspect name testinspect fragment maximum 20
! standard ACL 10 lists the friendly sites whose Java applets are allowed through
access-list 10 permit 213.213.213.213
access-list 10 permit 217.80.217.40
! ACL 101: traffic allowed to leave the inside network (this is the traffic that gets inspected)
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 101 permit udp 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp any any
access-list 101 deny ip any any
! ACL 111: unsolicited traffic from outside into the inside network is denied;
! CBAC inserts temporary entries ahead of it for the return traffic of inspected sessions
access-list 111 deny tcp any 192.168.0.0 0.0.255.255
access-list 111 deny udp any 192.168.0.0 0.0.255.255
access-list 111 permit ip any any
! on the outside interface: inspect the outgoing sessions, filter the incoming traffic
ip access-group 111 in
ip access-group 101 out
ip inspect testinspect out
, , Reflexive ACL.


2.5 .
- .
TCP UDP , finger, bootp, snmp, ..
.
no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no snmp-server
no ip bootp server
.
no ip source-route
:
1. .
2. TCP keepalive .
3. ( -).
4. sequence number .
5. cef (Cisco express forwarding).
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service sequence-numbers
ip cef
, .
banner exec # <message> #
banner motd # <message> #
banner login # <message> #
, ,
: Authorized access only! This system is the property of <company name> Enterprise.
Disconnect IMMEDIATELY as you are not an authorized user! Contact <administrator email
address> <administrator phone number>.

.
security passwords min-length 8
security authentication failure rate 3 log

-.
logging on
! 192.168.5.100 is the syslog server
logging 192.168.5.100
logging console critical
logging trap debugging
logging buffered 32000
:
1. .
2. proxy-arp.
3. .
4. (RPF reverse pass forwarding).
no ip directed-broadcast
no ip proxy-arp
no ip redirects
ip verify unicast reachable-via rx
RPF , ..
IP . ,
, , IP ,
.
,
.
, .. ,
, CEF.
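The following is an added example, not code from the thesis or from Cisco IOS: a model of the strict unicast RPF check that "ip verify unicast reachable-via rx" switches on. The forwarding table is assumed, built from the VLAN plan of section 2.1 plus a default route towards the ISP on an assumed interface FastEthernet0/0.

```cpp
// Added example (not the thesis's code): strict unicast RPF against a small FIB.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Route {
    uint32_t prefix;      // network address in host byte order
    int len;              // prefix length, 0 = default route
    std::string out_if;   // interface the route points out of
};

// "a.b.c.d" -> 32-bit host-order value; 0 on malformed input (assumed convention,
// so 0.0.0.0 and a parse failure look alike; only used for the default route here).
uint32_t parse_ipv4(const std::string& s) {
    uint32_t v = 0, octet = 0;
    int parts = 0, digits = 0;
    for (size_t i = 0; i <= s.size(); ++i) {
        if (i == s.size() || s[i] == '.') {
            if (digits == 0 || ++parts > 4) return 0;
            v = (v << 8) | octet;
            octet = 0;
            digits = 0;
        } else if (s[i] >= '0' && s[i] <= '9') {
            octet = octet * 10 + static_cast<uint32_t>(s[i] - '0');
            if (octet > 255) return 0;
            ++digits;
        } else {
            return 0;
        }
    }
    return parts == 4 ? v : 0;
}

uint32_t netmask(int len) { return len == 0 ? 0u : 0xFFFFFFFFu << (32 - len); }

Route route(const char* net, int len, const char* out_if) {
    return Route{parse_ipv4(net) & netmask(len), len, std::string(out_if)};
}

// Longest-prefix match. IOS ignores the default route for the RPF lookup
// unless "allow-default" is configured, so the model does the same.
const Route* lookup(const std::vector<Route>& fib, uint32_t ip, bool allow_default) {
    const Route* best = nullptr;
    for (const Route& r : fib) {
        if (r.len == 0 && !allow_default) continue;
        if ((ip & netmask(r.len)) == r.prefix && (best == nullptr || r.len > best->len)) best = &r;
    }
    return best;
}

// Strict uRPF: a packet with source `src` received on `in_if` passes only if
// the best route back to `src` leaves through `in_if`. Asymmetric routing
// therefore breaks strict mode, which is the caveat noted above.
bool urpf_strict_accept(const std::vector<Route>& fib, const std::string& in_if,
                        const std::string& src, bool allow_default) {
    const Route* r = lookup(fib, parse_ipv4(src), allow_default);
    return r != nullptr && r->out_if == in_if;
}

// Assumed FIB: the VLAN subnets of section 2.1 plus a default route to the ISP.
std::vector<Route> example_fib() {
    return {
        route("192.168.0.0", 24, "Vlan1"),
        route("192.168.10.0", 24, "Vlan10"),
        route("192.168.20.0", 24, "Vlan20"),
        route("192.168.30.0", 24, "Vlan30"),
        route("217.80.159.0", 29, "Vlan50"),
        route("0.0.0.0", 0, "FastEthernet0/0"),
    };
}

int main() {
    std::vector<Route> fib = example_fib();
    std::printf("inside source on its own VLAN:        %d\n", urpf_strict_accept(fib, "Vlan10", "192.168.10.5", false));
    std::printf("inside source spoofed from outside:   %d\n", urpf_strict_accept(fib, "FastEthernet0/0", "192.168.10.5", true));
    std::printf("internet source, no allow-default:    %d\n", urpf_strict_accept(fib, "FastEthernet0/0", "8.8.8.8", false));
    std::printf("internet source, allow-default:       %d\n", urpf_strict_accept(fib, "FastEthernet0/0", "8.8.8.8", true));
    return 0;
}
```

The last two lines of the output are the practical point: on the ISP-facing interface of a router that only has a default route, the plain "reachable-via rx" form drops every packet from the Internet, because the default route is not consulted; that interface needs "ip verify unicast source reachable-via rx allow-default", which still rejects packets whose source belongs to one of the internal VLAN subnets (RFC 2827 ingress filtering done by the FIB instead of by an ACL).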

2.6 .
,
.
(, IDS Snort),
( , VLAN).
,
.
.
, , .
, ,
. .
.
16.


. 16. .
SPAN [6]:
1. .
2. .
Switch(config)# monitor session 1 source vlan 50 both
Switch(config)# monitor session 1 destination interface fast 0/44
,
.
Switch(config)# monitor session 2 source interface fast 0/23 both
Switch(config)# monitor session 2 destination interface fast 0/44
.


3. .
3.1 Packet Sniffer SDK.
,
.
.
,
.

MicroOLAP () Packet Sniffer SDK[26]. Packet Sniffer SDK
Win32.
,
. ,
.
, (Promiscuous mode).
.

.
.
PSSDK (Packet Sniffer SDK) .
,
,
. PSSDK
, .
Packet Sniffer SDK :
1GBit;
,
;
(SMP) ;
FastBPF,
6 BPF
;
BPF BPF/FastBPF .

..
.

Sniffer, ,
CAM-overflow FloodNetwork.
.
:
.
- , .. .
.


3.2 .

.
:
1.
2.
,
, 3 :
1.
2. DoS ,
3.
CAM-overflow .
:
( )

, [ ,
], .

. , ,
.
-
.
. ,
. ,
, , .
.
.

. , .
, DoS
, . . -,
.
storm-control . -,
.
storm-control .
4 :
Random Dynamic
. DoS .
Random Static
, .
storm-control.
Broadcast
FFFF.FFFF.FFFF.
DoS .
Defined Static , .
storm-control.

2 :
Random Dynamic
.
Defined Static , .
port-security DoS .
,
, 2 ,
1 .
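The following is an added example and not the thesis's SendUnit.cpp (only the header is reproduced in Appendix 2): a reconstruction of the frame-generation logic that the four destination modes and the two send modes above describe, building raw Ethernet frames in memory. Nothing is transmitted; handing the frames to a driver (PSSDK in the thesis) is left out. The textual MAC format, the EtherType, the payload and the minimum-frame padding are assumptions.

```cpp
// Added example (not the thesis's code): Ethernet frames for the CAM overflow
// and Flood Network modes, with the four destination-address modes.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <set>
#include <string>
#include <vector>

using Mac = std::array<uint8_t, 6>;
using Frame = std::vector<uint8_t>;

enum DestMode { DM_RANDOMDYNAMIC = 0, DM_RANDOMSTATIC = 1, DM_BROADCAST = 2, DM_DEFINEDSTATIC = 3 };
enum SendMode { SM_CAMOVERFLOW = 0, SM_FLOODNETWORK = 1 };

// "00:11:22:33:44:55", "0011.2233.4455" or "00-11-..." -> Mac; all zeros on malformed input (assumed convention).
Mac parse_mac(const std::string& text) {
    std::string hex;
    for (char c : text) if (c != ':' && c != '.' && c != '-') hex += c;
    Mac m{};
    if (hex.size() != 12) return m;
    for (size_t i = 0; i < 12; ++i) {
        char c = hex[i];
        int v = (c >= '0' && c <= '9') ? c - '0'
              : (c >= 'a' && c <= 'f') ? c - 'a' + 10
              : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
        if (v < 0) return Mac{};
        m[i / 2] = static_cast<uint8_t>((m[i / 2] << 4) | v);
    }
    return m;
}

// Random locally-administered unicast MAC (bit 1 of the first octet set, bit 0 clear).
Mac random_unicast_mac(std::mt19937& rng) {
    Mac m;
    for (uint8_t& b : m) b = static_cast<uint8_t>(rng());
    m[0] = static_cast<uint8_t>((m[0] | 0x02) & 0xFE);
    return m;
}

// dst(6) | src(6) | EtherType(2) | payload, padded to the 60-byte minimum (FCS is added by the NIC).
Frame build_frame(const Mac& dst, const Mac& src, uint16_t ethertype, const std::vector<uint8_t>& payload) {
    Frame f;
    f.insert(f.end(), dst.begin(), dst.end());
    f.insert(f.end(), src.begin(), src.end());
    f.push_back(static_cast<uint8_t>(ethertype >> 8));
    f.push_back(static_cast<uint8_t>(ethertype & 0xFF));
    f.insert(f.end(), payload.begin(), payload.end());
    while (f.size() < 60) f.push_back(0);
    return f;
}

struct GeneratorConfig {
    SendMode send_mode;
    DestMode dest_mode;
    Mac defined_src;   // source used by SM_FLOODNETWORK
    Mac defined_dst;   // destination used by DM_DEFINEDSTATIC
    size_t count;      // the "Count" field of the form
    uint32_t seed;
};

std::vector<Frame> generate(const GeneratorConfig& cfg) {
    std::mt19937 rng(cfg.seed);
    const Mac broadcast{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    const Mac static_random_dst = random_unicast_mac(rng);   // chosen once for DM_RANDOMSTATIC
    const std::vector<uint8_t> payload(46, 0x00);            // assumed filler
    std::vector<Frame> out;
    out.reserve(cfg.count);
    for (size_t i = 0; i < cfg.count; ++i) {
        Mac src = (cfg.send_mode == SM_CAMOVERFLOW) ? random_unicast_mac(rng) : cfg.defined_src;
        Mac dst;
        switch (cfg.dest_mode) {
            case DM_RANDOMDYNAMIC: dst = random_unicast_mac(rng); break;
            case DM_RANDOMSTATIC:  dst = static_random_dst;       break;
            case DM_BROADCAST:     dst = broadcast;               break;
            default:               dst = cfg.defined_dst;         break;
        }
        out.push_back(build_frame(dst, src, 0x0800, payload));
    }
    return out;
}

// Inspection helpers: what a capture on the wire (or a test) would check.
Mac frame_dst(const Frame& f) { Mac m; std::copy(f.begin(), f.begin() + 6, m.begin()); return m; }
Mac frame_src(const Frame& f) { Mac m; std::copy(f.begin() + 6, f.begin() + 12, m.begin()); return m; }
size_t distinct_sources(const std::vector<Frame>& fs) { std::set<Mac> s; for (const Frame& f : fs) s.insert(frame_src(f)); return s.size(); }
size_t distinct_destinations(const std::vector<Frame>& fs) { std::set<Mac> s; for (const Frame& f : fs) s.insert(frame_dst(f)); return s.size(); }

int main() {
    GeneratorConfig cam{SM_CAMOVERFLOW, DM_RANDOMDYNAMIC, parse_mac("00:11:22:33:44:55"), parse_mac("00:aa:bb:cc:dd:ee"), 1000, 42};
    std::vector<Frame> frames = generate(cam);
    std::printf("CAM overflow: %zu frames, %zu distinct source MACs, %zu bytes each\n",
                frames.size(), distinct_sources(frames), frames[0].size());
    return 0;
}
```

The two send modes differ only in the source column: CAM overflow needs a new source per frame, since the switch learns one CAM entry per distinct source, whereas Flood Network keeps one source and is only a bandwidth attack, which is why the thesis observes that port-security stops the former and storm-control the latter.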

3.3 .
, , 17.

. 17. .
172.23.40.101
Cisco 805. NIC 172.23.40.102 100 / ,
10 /. . Fast
Ethernet ,
.. (full duplex, half duplex) (10/100
/.).
172.23.40.102 .
172.23.40.101 .
, ..
.
DLink DES1024D(C1/C2), :
1. 24 10/100Base-TX Fast Etherent.
2. 4.8 /.

3.
4.
5.
6.
7.

RoHS.
MAC- 8.
RAM 160
MTBF 32274 .
Store and Forward.

100%
100 / :
100
50000-100000
, , 10
/ 21% :
100
10000
FloodNetwork

, .
- .
10 .
73%,
5-15 ( 21% 100,10000).
10 ,
55-157 .
.
,
1-2 , ,
- .
, :
1. ,
.
2. , ..
( ).
. -,
, ,
. -
, - PSSDK,
. -,
. , ,
, .
Cisco Catalyst Switch 2960 (
2.1) . storm-control
. port-security
.
.


( ), , ,
.
, - :
1. .
2. , (
).
3. .
, ,
95-97%.
CAR.
1
,
. storm-control,
, .


.

.
.
SAFE Cisco Systems.
:

2-
3-
- .
. ,
, .
.
-
.
,
, DLink Cisco.


.
1. CCSP: Cisco Certified Security Professional Certification All-in-One Exam Guide, Robert
E. Larson, Lance Cockcroft, Osborn/McGraw-Hill, 2003
2. CCDP: Cisco Internetwork Design Study Guide, unknown author.
3. Routing TCP/IP (CCIE Professional Development, a detailed examination of interior routing
protocols), Jeff Doyle, Cisco Press, 1998
4. Cisco Systems ,
. , Cisco Press, 2004
5. Cisco ( 4),
. , Cisco Press, 2005
6. CCNP BCMSN Exam Certification Guide, David Hucaby (Building Cisco Multilayer
Switching Networks), Osborne/McGraw-Hill, 2000
7. CCNP BCRAN Remote Access Study Guide, Osborne/McGraw-Hill, 2000
8. Best Damn Cisco Internetworking Book Period, Michael E. Flannagan, Ron Fuller, Umer
Khan, Wayne A. Lowson II, Keith O`Brien, Martin Walshaw, Syngress, 2003
9. --, 2005.
10. LAN, 2005.
11. - , . . ,
, 2004
12. (VPN) MPLS,
. , Cisco Press, 2004
13. , , . .
14. SAFE Layer 2 Security In-Depth, Ido Dubrawsky, 2004,
www.cisco.com.
15. Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 2005,
www.cisco.com.
16. Catalyst 2960 Switch Configuration Guide, 2005,
www.cisco.com.
17. Cisco IOS Security Configuration Guide, 2005, www.cisco.com.
18. Cisco IOS Wireless LAN Configuration Guide, 2005,
www.cisco.com.
19. Cisco 2811 Integrated Services Router, www.cisco.com.
20. Cisco Catalyst 2960 Series Switches, www.cisco.com.
21. Cisco Aironet 1200 Series Access Points, www.cisco.com.
22. Cisco IOS IPS Configuration, www.cisco.com.
23. Cisco IOS TCP Intercept , www.cisco.com.
24. IP Session Filtering , www.cisco.com.
25. Context-Based Access Control, www.cisco.com.
26. , ,
.., .


1.
Sniffer , .

. 18. Sniffer.
- "Initialize
Manager", .
,
/ .
,
,
, .


,
"Open".
:
"Dump to file" ,
. .

, ,
;
"Dump Ext" ,
.
.
.
"Use dump limit"
, ;
"Dump to file"
;
"Dump to console"
;
"Use fast bpf" FastBPF
"Dump Ext"
,
.
, .
[26] .

Send. , 18.
.
Send counter ,
, .
Sync send Async send
.
:
1. Interval.
2. Count.
3. ,
.
4. .
5. .
4- :
Random Dynamic
. DoS .
Random Static
, .
storm-control.
Broadcast
FFFF.FFFF.FFFF.
DoS .

Defined Static , .
storm-control.
:
CAM overflow Random Dynamic
.
Flood Network Defined Static , .
port-security DoS
.
Attack. Stop.

. 19.


2.
SendUnit.h.
#ifndef SendUnitH
#define SendUnitH
//---------------------------------------------------------------------------
#include <Classes.hpp>
#include <Controls.hpp>
#include <StdCtrls.hpp>
#include <Forms.hpp>
#include "HNAdapter.hpp"
#include <ExtCtrls.hpp>
#include <ComCtrls.hpp>
#include <stdlib.h>
// Destination MAC modes (described in section 3.2 and Appendix 1)
#define DM_RANDOMDYNAMIC 0   // random destination MAC, a new one for every frame
#define DM_RANDOMSTATIC  1   // random destination MAC, chosen once and reused
#define DM_BROADCAST     2   // broadcast destination FFFF.FFFF.FFFF
#define DM_DEFINEDSTATIC 3   // destination MAC entered by the user
// Send modes
#define SM_CAMOVERFLOW   0   // random source MAC per frame: fills the switch CAM table
#define SM_FLOODNETWORK  1   // fixed source MAC: floods the segment
//---------------------------------------------------------------------------
class TSendForm : public TForm
{
__published: // IDE-managed Components
    TButton *SyncSend_Btn;          // "Sync send" button
    TButton *AsyncSend_Btn;         // "Async send" button
    TMemo *PacketsContent_Edit;     // packet content
    THNAdapter *HNAdapter;          // VCL wrapper around the PSSDK network adapter
    TLabeledEdit *SendCount_Edit;   // "Send counter": number of frames to send
    TButton *Button1;
    TButton *Button2;
    TTimer *Timer1;                 // drives asynchronous sending at the chosen Interval
    TStatusBar *StatusBar1;
    TCheckBox *CheckBox2;
    TEdit *Edit1;                   // Interval / Count fields (which is which is not stated on the page)
    TLabel *Label1;
    TEdit *Edit2;
    TLabel *Label2;
    TRadioGroup *RadioGroup1;       // mode selectors: destination mode (DM_*) and send mode (SM_*)
    TMaskEdit *MaskEdit1;           // masked MAC-address input
    TLabel *Label3;
    TRadioGroup *RadioGroup2;
    TMaskEdit *MaskEdit2;           // masked MAC-address input
    TLabel *Label4;
    TLabel *Label5;
    void __fastcall SyncSend_BtnClick(TObject *Sender);
    void __fastcall AsyncSend_BtnClick(TObject *Sender);
    void __fastcall OnTimerEvent(TObject *Sender);
    void __fastcall Button1Click(TObject *Sender);
    void __fastcall Button2Click(TObject *Sender);
    void __fastcall OnRadioClick(TObject *Sender);   // reacts to a mode change (enables/disables the MAC fields)
private:   // User declarations
public:    // User declarations
    __fastcall TSendForm(TComponent* Owner);
    AnsiString DestMAC;   // destination MAC used for the current run
    AnsiString SrcMAC;    // source MAC used for the current run
    int sendcnt;          // frames sent so far
};
//---------------------------------------------------------------------------
extern PACKAGE TSendForm *SendForm;
//---------------------------------------------------------------------------
#endif



. 2
:
Interval
Count
Interval TTimer.
, ,
.

. 4:
Random Dynamic (DM_RANDOMDYNAMIC)
.
DoS .
Random Static (DM_RANDOMSTATIC)
,
. storm-control.
Broadcast (DM_BROADCAST)
FFFF.FFFF.FFFF.
DoS .
Defined Static (DM_DEFINEDSTATIC) ,
. storm-control
2- :
CAM overflow (SM_CAMOVERFLOW) Random Dynamic
.
Flood Network (SM_FLOODNETWORK) Defined Static ,
. portsecurity DoS .
