CIS通信与网络安全基础

通信与网络安全基础议题1.OSI模型和TCP/IP协议簇2.通信和网络技术3.互联网技术与服务4.主要网络安全协议和机制一、OSI模型和TCP/IP协议簇OSI七层模型PhysicalNetworkTransportSessionPresentationApplicationDataLinkApplication(Upper)LayersDataFlowLayersOSI七层模型-物理层Layer1物理层定义物理链路的电气、机械、通信规程、功能要求等；电压，数据速率，最大传输距离，物理连接器；线缆，物理介质；将比特流转换成电压；物理层设备Repeater,Hub,Multiplexers,NIC；物理层协议100BaseT,OC-3,OC-12,DS1,DS3,E1,E3；PhysicalNetworkTransportSessionPresentationApplicationDataLinkOSI七层模型-数据链路层Layer2数据链路层物理寻址，网络拓扑，线路规章等；错误检测和通告（但不纠错）；将比特聚成帧进行传输；流量控制（可选）；数据链路层设备网桥和交换机；数据链路层协议PPP,HDLC,F.R,Ethernet,TokenRing,FDDI,ISDN,ARP,RARP,L2TP,PPTP.PhysicalNetworkTransportSessionPresentationApplicationDataLinkOSI七层模型-数据链路层两个子层MAC（MediaAccessControl）物理地址；烧录到网卡ROM；48比特；唯一性；LLC（LogicalLinkControl）为上层提供统一接口；使上层独立于下层物理介质；提供流控、排序等服务；PhysicalNetworkTransportSessionPresentationApplicationDataLinkOSI七层模型–网络层Layer3网络层逻辑寻址；路径选择；网络问题管理（如拥塞）；MTU；网络层设备路由器，三层交换机；网络层协议IP,IPX,RIP,OSPF,EIGRP,IS-IS,ICMP；PhysicalNetworkTransportSessionPresentationApplicationDataLinkOSI七层模型–传输层Layer4传输层端到端数据传输服务；建立逻辑连接；传输层协议TCP(TransmissionControlProtocol)状态协议；按序传输；纠错和重传机制；Socket；UDP(UserDatagramProtocol)无状态协议；SPXPhysicalNetworkTransportSessionPresentationApplicationDataLinkOSI七层模型–会话层Layer5会话层不同应用的数据隔离；会话建立，维持，终止；同步服务；名称标识和识别；会话控制（单向或双向）；会话层协议NFS,SQL,RPC；SSL/TLS，SSH；PhysicalNetworkTransportSessionPresentationApplicationDataLinkOSI七层模型–表示层Layer6表示层数据格式表表示；协议转换；；字符转换；；数据加密/解密；数据压缩等等；表示层数据据格式ASCII,MPEG,TIFF,GIF,JPEG；PhysicalNetworkTransportSessionPresentationApplicationDataLinkOSI七层模型–应用层Layer7应用层应用接口；；网络访问流流处理；流控；错误恢复；；应用层协议议FTP,Telnet,HTTP,SNMP,SMTP,DNS；PhysicalNetworkTransportSessionPresentationApplicationDataLink数据封装PhysicalNetworkTransportSessionPresentationApplicationDataLinkUpperLayerDataUpperLayerDataTCPHeaderDataIPHeaderDataLLCHeader0101110101001000010DataMACHeaderFCSFCSSegmentPacketBitsFramePDU数据解封装装PhysicalNetworkTransportSessionPresentationApplicationDataLinkUpperLayerDataLLCHdr+IP+TCP+UpperLayerDataMACHeaderIP+TCP+UpperLayerDataLLCHeaderTCP+UpperLayerDataIPHeaderUpperLayerDataTCPHeader0101110101001000010OSI定义义的安全服服务认证；访问控制；；数据机密性性；数据完整性性；抗抵赖；OSI定义义的安全机机制加密；数字签名；；访问控制；；数据完整性性；认证；流量填充；；路由控制；；公证（notarization）；；TCP/IP协议簇簇模型PhysicalNetworkTransportSessionPresentationApplicationDataLinkNetworkAccessInternetHost-to-hostApplicationTCP/IP协议簇簇主要协议议其它TokenRingFDDIEthernetICMPRARPARPIPUDPTCP其它SMTPTelnetFTPIP包头VersionIHLTypeofServiceTotalLengthIdentificationFlagsFragmentOffsetTimetoLiveProtocolHeaderChecksumSourceAddressDestinationAddressOptionsPaddingIP包头版版本号

Reserved15

Unassigned10141347TCPandUDPoverBiggerAddresses(TUBA)91621PInternetProtocol(PIP)81475TP/IX71883InternetProtocolversion6(IPv6)6

SimpleInternetProtocol(SIP)61190STDatagramMode5791InternetProtocolversion4(IPv4)4

Unassigned13

Reserved0RFC版本数值IP包头协协议字段值值OpenShortestPathFirst(OSPF)89CiscoInternetGatewayRoutingProtocol(IGRP)88NBMANextHopResolutionProtocol(NHRP)54GenericRoutingEncapsulation(GRE)47ResourceReservationProtocol(RSVP)46Inter-DomainRoutingProtocol(IDRP)45UserDatagramProtocol(UDP)17TransmissionControlProtocol(TCP)6IPinIP(encapsulation)4InternetGroupManagementProtocol(IGMP)2InternetControlMessageProtocol(ICMP)1协议协议字段值IP地址A类:1-126；；B类:128-191；C类:192-223；D类:224-239；E类:240-254；RFC1918；TCP和和UDP报头SourcePortNumberDestinationPortNumberUDPLengthUDPChecksumSourcePortNumberDestinationPortNumberSequenceNumberAcknowledgmentNumberHeaderLengthReservedURGACKPSHRTSSYNFINWindowSizeTCPChecksumUrgentPointerOptions(ifAny)UDP报头TCP报头二、通信和和网络技术术局域网（LAN）特点高数据传输输率；短距离；低误码率；；线缆光纤（FiberOptic）非屏蔽双绞绞线（UnshieldedTwistedPair,UTP）；屏蔽双绞线线（ShieldedTwistedPair,STP）；同轴电缆（（CoaxialCable）；介质：以太太网、令牌牌环、FDDI；拓扑：总线线，星形，，环形，网网状；同轴电缆（（CoaxialCable）构成Copperconductor；Shieldinglayer；Groundingwire；Outerjacket；类型50ohm-以太网；75ohm-视频；规范10Base2（thinnet）10Mbs；Baseband；185meters；10Base5（thicknet）500meters；双绞线（TwistedPair））构成多对铜线；；Outerjacket；类型UTP（UnshieldedTwistedPair）；STP（ShieldedTwistedPair）；主要的UTP类型需要高速传传输的网络络部署；1000MbpsCat7需要高速传传输的网络络部署；155MbpsCat6100BaseTX，FDDI100MbpsCat516MbpsTokenRing16MbpsCat410BaseT，TokenRing10Mbps（以太网））和4Mbps（令牌环））Cat3IBM3270，AS/4004MbpsCat2模拟话音，，不适合数数据传输低于1MhzCat1主要用途传输速率UTP类型光纤（FiberOptics）构成Core；Cladding；Buffercoating；Outerjacket；类型单模（9micron）；多模（62.5micron）；光源激光（Laser）；发光二极管管（LED）；以太网—IEEE802.3广播介质（（“一人说说，众人听听”）载波监听多多路访问/冲突检测CSMA/CD（CarrierSenseMultipleAccesswithCollisionDetect）冲突域封装EthernetIEEE802.3Ethernet，FastEthernetandGigabitEthernet主要的以太太网类型PhysicalDataLink(MAClayer)Ethernet100baseTX10BaseT802.310Base510Base2100baseFX802.3Specificationsfor10MBEthernet802.3uSpecificationsfor100MB(Fast)Ethernet100baseT410BaseFDIXStandard1000baseT802.3abSpecificationsforGigabitEthernet主要以太网网类型比较较10Base5100BaseTX10BaseT100BaseFXMediaMaximumSegmentLengthTopologyConnector50-ohmcoax(thick)500metersBus100metersStarStarPoint-to-PointEIA/TIACat3,4,5UTP2pairEIA/TIACat5UTP2pair62.5/125micronmulti-modefiberAUIISO8877(RJ-45)Duplexmedia-interfaceconnector(MIC)STISO8877(RJ-45)400meters100meters令牌环—IEEE802.5广播介质令牌Onepersontalksatatime自愈和管理理ActivemonitorUpstream/downstreamnotificationBeaconingTokenRing，FastTokenRingFDDI——ANSIX3T9.5广播介质令牌“Onepersontalksatatime”自愈和管理理DualRingSMT物理拓扑总线（Bus）；Ethernet；星形（Star）；Ethernet（逻辑上是是总线）；；TokenRing（逻辑上是是环形）；；环形（Ring）；FDDI；网状（Mesh）；Internet；广域网连接接特征-Multi-Mode-Coaxial-SingleMode-TwistedPairFiberCopper介质

(Media)TransportnetworkEnd-to-End终止

(Termination)BroadbandNarrowband数据速率

(DataRate)EmbeddedExternal同步

(Synchronization)PacketCircuit交换

(Switching)OnDemandDedicated连接持续时间

(ConnectionDuration)广域网连接接类型专用电路交交换；按需电路交交换；包交换（虚虚电路）；；宽带接入；；专用电路交交换连接CSU/DSU专线CSU/DSUCSUDS0toT1/E1throughT3/E3TDM电路CSU各种串口连接接器RouterconnectionsNetworkconnectionsattheCSU/DSUEIA/TIA-232EIA/TIA-449EIA-530V.35X.21CSU/DSUEnduserdeviceDTEDCEServiceprovider按需电路交换换连接异步Modem拨号；ISDNBRI和ISDNPRI；电路的建立、、持续和拆除除机制；只有流量传输输时才建立连连接；PSTNISDN连接接包交换建立虚链路；；统计复用带宽宽；宽带接入广域网速率E-5-4E-4Channels565.148Mbps---4032274.176MbpsDS4--2176139.264MbpsDS4/NAE-4-2048139.264Mbps--T-3672或28DS1s44.736MbpsDS3E-3-51234.368Mbps-E-2-1288.448Mbps--T-2966.312MbpsDS2--483.152MbpsDS1CE-1-322.048Mbps--T-1241.544MbpsDS1--164KbpsDS0E载波名称T载波名称使用

DS0数量电路比特率DigitalSignal

（DS）名称广域网速率---40GbpsOC-768---13.271GbpsOC-2564032E1s或64E4s5376DS-1或192DS-3sSTM-6410GbpsOC-192(STS-192)1008E1s或16E4s1344DS-1或48DS-3sSTM-162.488GbpsOC-48(STS-48)252E1s或4E4s336DS-1或12DS-3sSTM-4622.08MbpsOC-12(STS-12)63E1s或1E484DS-1或3DS-3sSTM-1155.52MbpsOC-3(STS-3)21E1s28DS-1或1DS-3STM-051.84MbpsOC-1(STS-1)SDH容量SONET容量SDH信号比特率SONET信号SDLC/HDLC/PPPIBM发明SDLC；IEEE制定HDLC标准；；IETF制定PPP标准；；非广播播介质质点到点点；点到多多点；；SynchronousorAsynchronousPhysicalMediaLinkControlProtocolAuthentication,otheroptionsNetworkControlProtocolPPPDataLinkLayerPhysicalLayerNetworkLayerIPCPIPXCPManyOthersIPIPXLayer3ProtocolsPPP协议构构件PPP—Adatalinkwithnetwork-layerservicesFrameRelay非广播播介质质点到点点；点到多多点；；拥塞避避免FECN，BECN，DE；FrameRelay流流量整整形Time(Seconds)1MaxBeKilobytesSentBc“DE”DomainCIRMIR(LineRate)ATM（AsynchronousTransferMode）非广播播介质质点到点点；点到多多点；；53字节信信元；；ATM信信元GFCGenericFlowControlUNICellsOnly!VPI/VCIIdentifiesVirtualPathsandChannelsPTIPayloadTypeIdentifier3Bits:1.User/ControlData2.Congestion3.LastCellCLPCellLossPriorityBitHECHeaderErrorCheck8BitCRCATMNNICell48Byte

PayloadVPI(12)VCI(16)PTICLPHECATMUNICell48Byte

PayloadGFC(4)VPI(8)VCI(16)PTICLPHECISDN56/64kbps56/64kbps16kbps144kbps2BD}{BRIT11.544MbpsorE12.04823B(T1)or30B(E1)D64kbpseach64kbps}PRIISDN协议层层Layer3LAPD(Q.921)DChannelBChannelI.430/I.431/ANSIT1.601HDLC/PPP/FR/LAPBLayer1Layer2DSS1(Q.931)IP/IPXxDSLDSL服务数据最最大下下行/上行速速率(bps)是否支支持模拟话话音最大距距离(km-Feet)VDSL——VeryHighBit-RateDSL25M/1.6Mor8M/8MYes0.9––3,000ADSL——AsymmetricDSL7M/1MYes5.5––18,000HDSL——HighBitRateDSL1.5M––2.0M/1.5M––2.0MNo4.6––15,000SDSL——SymmetricDSL784K/784KNo6.9––22,000IDSL——ISDNDSL144K/144KNo5.5––18,000ISDN128K/128K铜缆对对数112111No5.5––18,000有关概概念的的区分分模拟信信号Vs.数字字信号号；同步通通信Vs.异步步通信信；基带传传输Vs.宽带带传输输；单播、、组播播、广广播ServerRoUnicastServerRouterMulticastUnicastvs.Multicast二、互互联网网技术术与服服务集线器器（Hub）ABCD物理层层设备备；同一冲冲突域域；同一广广播域域；数据链链路层层设备备；每一端端口单单独的的冲突突域；；同一广广播域域；网桥和和交换换机OR123124交换机机EachsegmenthasitsowncollisiondomainBroadcastsareforwardedtoallsegmentsMemorySwitch路由器器网络层层设备备；广播控控制；；最优路路径选选择；；逻辑寻寻址；；流量管管理；；广播域域和冲冲突域域HubBridgeSwitchRouter冲突域域:1444广播域域:1114路由协协议内部网网关协协议（（IGP）RIP，RIPv2；IGRP，EIGRP；OSPF；IS-IS；外部网网关协协议（（EGP）BGP；路由协协议距离向向量协协议（（DV）RIP，RIPv2；IGRP，EIGRP；链路状状态协协议（（LS）OSPF；IS-IS；路径向向量协协议（（PV）BGP；路由协协议有类路路由协协议（（Classful）RIP；IGRP；无类路路由协协议（（Classless）RIPv2；EIGRP；OSPF；IS-IS；BGP；距离向向量协协议比比较特征RIPv1RIPv2IGRPEIGRPCounttoinfinityXXXSplithorizonXXXXHold-downtimerXXXTriggeredupdateswithroutepoisoningXXXXLoadbalancing——EqualpathsXXXXLoadbalancing——UnequalpathsXXVLSMsupportXXRoutingalgorithmB-FB-FB-FDUALMetricHopsHopsCompCompHopcountlimit1616100100ScalabilityMedMedLargeLarge链路路状状态态协协议议比比较较特征征OSPFIS-ISEIGRPHierarchicaltopology——Retainsknowledgeofallpossibleroutes X X XRoutesummarization—Manual X X XRoutesummarization—Automatic XEvent-triggeredannouncements X X XLoadbalancing—Equalpaths X X XLoadbalancing—Unequalpaths XVLSMsupport X X XRoutingalgorithm Dijkstra IS-IS DUALMetric Cost Cost CompHopcountlimit 200 1024 100Scalability Large VryLg Large路由由协协议议比比较较特征征RIPv1RIPv2IGRPEIGRPOSPFDistancevectorXXXXLink-stateXClassful(autoroutesumm.)XXXXClassless(VLSMsupport)XXXProprietaryXXScalabilitySmallSmallMed.LargeLargeConvergencetimeSlowSlowSlowFastFast****EIGRPisanadvanceddistancevectorprotocolIPv6IPv4HeaderIPv6HeaderField’snamekeptfromIPv4toIPv6FieldsnotkeptinIPv6NameandpositionchangedinIPv6NewfieldinIPv6LegendVersionTrafficClassFlowLabelPayloadLengthNextHeaderHopLimitSourceAddressDestinationAddressVersionIHLTypeofServiceTotalLengthIdentificationFlagsFragmentOffsetTimetoLiveProtocolHeaderChecksumSourceAddressDestinationAddressOptionsPadding无线线技技术术PAN(PersonalAreaNetwork)LAN(LocalAreaNetwork)WAN(WideAreaNetwork)MAN(MetropolitanAreaNetwork)PANLANMANWANStandardsBluetooth

802.15.3

UltraWideBand(WiMedia)802.11802.11(Wi-Fi)

802.16(Wi-Max)

802.20GSM,CDMA,SatelliteSpeed<1Mbps11to54Mbps10-100+Mbps10Kbps–2MbpsRangeShortMediumMedium-LongLongApplicationsPeer-to-Peer

Device-to-DeviceEnterpriseNetworksLastMileAccessMobileDataDevicesIEEE802.11汇汇总总802.11b802.11b802.11g802.11aRatified1999199920031999DataRates(Mbps)1,21,2,5.5,111,2,5.5,11and6,9,12,18,24,

36,48,546,9,12,18,24,

36,48,54Number

ofNon-OverlappingChannelsFrequencyHopping338Indoors/

4Outdoors(ExcludingBridging)FrequencyRange(GHz)2.402–2.4835.15–5.35,5.47–5.725*StatusObsoleteWorldwideAvailableLimitedWorldwideAvailabilityAuthentication你是是谁谁?Authorization你被被允允许许做做什什么么?Accounting你做做了了什什么么?认证证发发生生在在主主体体与与认认证证服服务务器器或或主主体体与与认认证证服服务务器器代代理理之之间间；；希望望认认证证协协议议具具有有信任任凭凭证证易易于于管管理理；；抵御御窃窃听听和和中中间间人人攻攻击击；；抗抵抵赖赖；；认证证可可以以单单向向或或双双向向；；认证证认证证协协议议PAPCHAPEAP802.1xKerberosRemoteRouter(SantaCruz)Central-SiteRouter(HQ)IOSConfiguration:Hostname:SantacruzPassword:BoardwalkLocalDatabase:UsernameSantacruzPasswordBoardwalk2-WayHandshake“SantaCruz,Boardwalk””PAP口令以以明文文方式式传输输；由客户户端发发起；；一次会会话只只进行行一次次认证证；Accept/RejectAccessBootcamp74ResponseW/MD5HashCHAP口令从从不在在线路路上传传输；；由Challenger发起起；一次连连接发发生多多次认认证；；ChallengeW/key3-WayHandshakeRemoteRouter(SantaCruz)Central-SiteRouter(HQ)IOSConfiguration:Hostname:SantacruzLocalDatabaseUsernameSantacruzPassword:BoardwalkLocalDatabase:UsernameSantacruzPasswordBoardwalkAccept/RejectAccessBootcamp75EAPExtensibleAuthenticationProtocol本身并并不是是认证证方法法，而而是一一个较较为灵灵活的的用以以承载载认证证信息息的传传输协协议；；支持challenge-response,one-timepasswords,certificates,tickets；出发点点是降降低系系统间间的复复杂关关系，，提供供更加加安全全的认认证方方法；；通常直直接运运行在在数据据链路路层，，如PPP或IEEE802介质；；在终端端和认认证服服务器器之间间代理理认证证；传统PPPCHAP认认证NAS翻译功功能:拨号客客户端端和NAS之间运运行PPPCHAP；NAS将LCP认证消消息翻翻译为为RADIUSAccessRequest消息；；ACS的AccessChallenge消息被被翻译译为CHAPchallenge；客户端端的响响应再再一次次被翻翻译为为RADIUSAccessRequest消息；；ACS向NAS发出认认证通通过或或失败败的应应答消消息。。PPPEAP-MD5认证证NAS代理功功能EAP认证请请求通通过封封装到到RADIUS消息中中转发发给ACS；ACSChallenge被转发发给客客户端端；响应消消息再再一次次被转转发给给ACS；ACS向NAS发出认认证通通过或或失败败的应应答消消息。。802.1xAuthenticationIEEE标准，，定义义在共共享介介质中中（如如Ethernet，WLAN）提供供二层层认证证服务务；类似于于PPP中提供供认证证服务务的LCP；802.1x在客户户端和和认证证代理理（如如以太太网交交换机机、无无线AP）之间间进行行EAP认证信信息的的封装装；RADIUS在认证证代理理和认认证服服务器器之间间进行行EAP信息的的封装装；Authentication在客户户端和和认证证服务务器之之间进进行(EAP)；Authorizationandaccounting在认证证代理理和认认证服服务器器之间间进行行(RADIUS)；802.1x端端口口访问问控制制模型型RequestforService(Connectivity)BackendAuthenticationSupportIdentityStoreIntegrationSupplicantDesktop/laptopIPphoneWLANAPSwitchAuthenticatorSwitchRouterWLANAPAuthenticationServerIASACSAnyIETFRADIUSserverIdentityStore/ManagementMSADLDAPNDSODBCKerberos认证协议:口令从不在在网络中传传输；SSO（Singlesign-on）；三个实体:访问应用服服务器上运运行服务的的客户端；；认证服务器器，即KDC(KeyDistributionCenter认证服务；；ticket-granting服务；应用服务器器；使用DES对所有消息息（除初始始化请求））进行加密密；根据TGT（Ticket-grantingticket）向用户提提供服务ServiceTicket；Kerberos––初始始化认证Kerberos––获取取ServiceTicketKerberos––服务务验证认证代理协协议RADIUSTACACS+RADIUSRemoteauthenticationdial-inuserservice；主要用于拨拨号网络；；IETF标准；使用UDP端口1812，1813；不足：口令传输一一般为明文文；可使用用MD5进行加密；；授权作为认认证的一部部分；属性值空间间有限；最多支持255个并发请求求；最多支持255个厂商定义义属性值；；单向RADIUSServerPSTN/ISDNCorporateNetworkDIAMETER新的IETF标准提案，，提供向后后的兼容性性；解决RADIUS的不足；双向最多可支持持232个vendor-specificattributes属性；基本上无限限个并发请请求；通过Acknowledgement和Keepalive机制提高弹弹性；提供加密保保证消息的的机密性和和完整性；；TACACS+TerminalAccessControllerAccessControlSystem(enhanced)；Cisco开发；基于TCP端口49；提供比RADIUS更多的授权权选项；支持Auto-command；支持多种协协议；支持数据报报文加密；；不足：有限的厂商商支持；有限的服务务器选项；；TACACS+ServerTACACS+ClientAlicePSTN/ISDNCorporateNetworkRADIUSvs.TACACS+vs.KerberosRADIUSTACACS+KERBEROSUsesUDPXUsesTCPXXEncryptionPasswordOnlyAllButHeaderAllButHeaderMultiprotocolSupportXRouterMgtAcctControlXXRouterMgtAuthControlXXLEAPSupportXXAUTHSupportXXX四.主要网络安安全协议和和机制网络安全“Securityisonlyasstrongastheweakestlink!””PhysicalLinksMACAddressesIPAddressesProtocols/PortsApplicationStreamApplicationPresentationSessionTransportNetworkDataLinkPhysicalApplicationPresentationSessionTransportNetworkDataLinkPhysicalCompromisedInitialCompromisePOP3,IMAP,IM,SSL,SSH数据链路层层安全VLANHopping攻击；MAC/IP欺骗攻击；；DHCP服务器攻击击；CAM表溢出攻击击；SpanningTree攻击；ARP攻击；Trunk端口定定义缺省可以对对所有VLAN进行访问；；用于在同一一个物理链链路上对多多个VLAN的流量进行行传输(一般在交换换机之间））；封装方式可可以为802.1qorISL；TrunkPortDynamicTrunkProtocol(DTP)何谓DTP?自动进行802.1x/ISLTrunk的配置；在交换机之之间生效；；DTP在链路两个个端点之间间协商，并并同步状态态；802.1q/ISLtrunk端口的DTP状态可以是是“Auto”,““On”,“Off”,““Desirable”,或“Non-Negotiate”DynamicTrunk

Protocol基本VLANHopping攻击击TrunkPortTrunkPort双重802.1q封封装VLANHopping攻击Send802.1qdoubleencapsulatedframesSwitchperformsonlyonelevelofdecapsulationUnidirectionaltrafficonlyWorkseveniftrunkportsaresettooff802.1q,802.1qStripOffFirst,andSendBackOut802.1qFrameFrameNote:OnlyWorksifTrunkHastheSameVLANastheAttackerVLAN和和Trunk的最佳佳安全实践践为所有的trunk端口定义一一个专用的的VLANID；将不用的端端口置于Disable状态，并把把它们分配配到未使用用的VLAN中；不要使用VLAN1！对于连接客客户端的端端口，将其其DTP自动协商trunk状态置为off；ExplicitlyconfiguretrunkingoninfrastructureportsUsealltaggedmodefortheNativeVLANontrunks数据链路层层安全VLANHopping攻击；MAC/IP欺骗攻击；；DHCP服务器攻击击；CAM表溢出攻击击；SpanningTree攻击；ARP攻击；欺骗AttacksMACspoofingIPspoofingPingofdeathICMPunreachablestormSYNfloodTrustedIPaddressescanbespoofed欺骗MAC地址攻击击AttackersendspacketswiththeincorrectsourceMACaddressIfnetworkcontrolisbyMACaddress,theattackernowlookslikeMACAMACBMACCReceivedTrafficSourceAddressMacBTrafficSentwithMACBSource欺骗骗IP地地址址攻攻击击AttackersendspacketswiththeincorrectsourceIPAddressWhateverdevicethepacketissenttowillneverreplytotheattackerMACAMACBMACCReceivedTrafficSourceIPMacCTrafficSentwithIPSource欺骗骗IP/MAC攻攻击击AttackersendspacketswiththeincorrectsourceIPandMACaddressNowlookslikeadevicethatisalreadyonthenetworkMACAMACBMACCReceivedTrafficSourceIPMacBTrafficSentwithIPMACBSource数据据链链路路层层安安全全VLANHopping攻击击；；MAC/IP欺骗骗攻攻击击；；DHCP服务务器器攻攻击击；；CAM表溢溢出出攻攻击击；；SpanningTree攻击击；；ARP攻击击；；IsThisIsMyBindingTable?NO!NonMatchingTrafficDroppedSpoofing攻击对策策IPSourceGuardUsestheDHCPSnoopingBindingTableInformationIPSourceGuardOperatesjustlikeDynamicARPInspection,butlooksateverypacket,notjustARPPacketMACAMACBMACCReceivedTrafficSourceIPMacBMACCTrafficSentwithIPMacBTrafficSentwithIPMacCDHCPSnoopingEnabledDynamicARPInspectionEnabledIPSourceGuardEnabledDHCP服务ServerdynamicallyassignsIPaddressondemandAdministratorcreatespoolsofaddressesavailableforassignmentAddressisassignedwithleasetimeDHCPdeliversotherconfigurationinformationinoptionsDHCPServerSendMyConfigurationInformationClientIPAddress:01

SubnetMask:

DefaultRouters:

DNSServers:,

LeaseTime:10daysHereIsYourConfigurationDHCP服务务—通信信过程DHCPdefinedbyRFC2131DHCPServerClientDHCPDiscover(Broadcast)DHCPOffer(Unicast)DHCPRequest(Broadcast)DHCPAck(Unicast)DHCP攻击类型型DHCPStarvation攻击GobblerlooksattheentireDHCPscopeandtriestoleasealloftheDHCPaddressesavailableintheDHCPscopeThisisaDenialofServiceDoSattackusingDHCPleasesDHCPDiscovery(Broadcast)x(SizeofScope)DHCPOffer(Unicast)x(SizeofDHCPScope)DHCPRequest(Broadcast)x(SizeofScope)DHCPAck(Unicast)x(SizeofScope)ClientGobblerDHCPServerDenialofServiceDHCPStarvation攻击对策策PortSecurityGobblerusesanewMACaddresstorequestanewDHCPlease；RestrictthenumberofMACaddressesonanport；WillnotbeabletoleasemoreIPaddressthanMACaddressesallowedontheport；IntheexampletheattackerwouldgetoneIPaddressfromtheDHCPserverClientGobblerDHCPServerDHCPAttack类型RogueDHCPServer攻击ClientDHCPServerRogueServerDHCPDiscovery(Broadcast)DHCPOffer(Unicast)fromRogueServerDHCPRequest(Broadcast)DHCPAck(Unicast)fromRogueServer

DHCPAttack类型RogueDHCPServer攻击WhatcantheattackerdoifheistheDHCPserver?IPAddress:01

SubnetMask:

DefaultRouters:

DNSServers:,

LeaseTime:10daysHereisYourConfigurationWhatdoyouseeasapotentialproblemwithincorrectinformation?WrongDefaultGateway—AttackeristhegatewayWrongDNSserver—AttackerisDNSserverWrongIPAddress—AttackerdoesDOSwithincorrectIPRogueDHCPServer攻击对策DHCPSnoopingBydefaultallportsintheVLANareuntrustedTableisbuiltby“Snooping”theDHCPreplytotheclientEntriesstayintableuntilDHCPleasetimeexpiresClientDHCPServerRogueServerTrustedUntrustedUntrustedDHCPSnoopingEnabledBADDHCPResponses:offer,ack,nakOKDHCPResponses:offer,ack,nak数据链路层安安全VLANHopping攻击；MAC/IP欺骗攻击；DHCP服务器攻击；；CAM表溢出攻击；；SpanningTree攻击；ARP攻击；0000.0cXX.XXXXMAC地址/CAM表CAMtablestandsforContentAddressableMemoryTheCAMtablestoresinformationsuchasMACaddressesavailableonphysicalportswiththeirassociatedVLANparametersCAMtableshaveafixedsize48BitHexadecimalNumberCreatesUniqueLayerTwoAddress1234.5678.9ABCFirst24bits=ManufactureCodeAssignedbyIEEESecond24bits=SpecificInterface,AssignedbyManufacture0000.0cXX.XXXXAllF’’s=BroadcastFFFF.FFFF.FFFFCAM表正常常通信-1/3MACAMACBMACCPort1Port2Port3MAC PortA 1C 3ARPforBARPforB

ARPforBBIsUnknown—FloodtheFrameCAM表正常常通信-2/3MACAMACBMACCPort1Port2Port3AIsonPort1Learn:BIsonPort2IAmMACBIAmMACBMAC PortA 1C 3B 2CAM表正常常通信-3/3MACAMACBMACCPort1Port2Port3TrafficA->BBIsonPort2DoesNotSeeTraffictoBTrafficA->BMAC PortA 1B 2C 3CAM表溢出出-1/3Macoftoolsince1999About100linesofperlIncludedin“dsniff”AttacksuccessfulbyexploitingthesizelimitonCAMtablesCAM表溢出出-2/3IAmMACYMACAMACBMACCPort1Port2Port3MAC PortA 1B 2C 3YIsonPort3ZIsonPort3Y 3Z 3TrafficA->BISeeTraffictoB!AssumeCAMTableNowFullIAmMACZTrafficA->B

TrafficA->BMacof洪洪流MacofsendsrandomsourceMACandIPaddressesMuchmoreaggressiveifyourunthecommand“macof-ieth12>/dev/null”macof(partofdsniff)—/~dugsong/dsniff/macof––ieth136:a1:48:63:81:7015:26:8d:4d:28:f.26413>.49492:S1094191437:1094191437(0)win51216:e8:8:0:4d:9cda:4d:bc:7c:ef:be.61376>.47523:S446486755:446486755(0)win51218:2a:de:56:38:7133:af:9b:5:a6:9.20086>.6728:S105051945:105051945(0)win512e7:5c:97:42:ec:183:73:1a:32:20:9.45282>.24898:S1838062028:1838062028(0)win51262:69:d3:1c:79:ef80:13:35:4:cb:d0.11587>.7723:S1792413296:1792413296(0)win512c5:a:b7:3e:3c:7a3a:ee:c0:23:4a:fe.19784>.57433:S1018924173:1018924173(0)win51288:43:ee:51:c7:68b4:8d:ec:3e:14:bb.283>.11466:S727776406:727776406(0)win512b8:7a:7a:2d:2c:aec2:fa:2d:7d:e7:bf.32650>.11324:S605528173:605528173(0)win512e0:d8:1e:74:1:e57:98:b6:5a:fa:de.36346>.55700:S2128143986:2128143986(0)win512CAM表满了了!EachswitchhasalimitonCAMtables；OncetheCAMtableontheswitchisfull,trafficwithoutaCAMentryisfloodedouteveryportonthatVLANThiswillturnaVLANonaswitchbasicallyintoahub；ThisattackwillalsofilltheCAMtablesofadjacentswitches；2->(broadcast)ARPCWhois,?2->(broadcast)ARPCWhois9,9?6->5ICMPEchorequest(ID:256Sequencenumber:7424)OOPS5->6ICMPEchoreply(ID:256Sequencenumber:7424)

OOPSMAC攻击对对策PortsecuritylimitsMACfloodingattackandlocksdownportandsendsanSNMPtrap00:0e:00:aa:aa:aa00:0e:00:bb:bb:bb132,000BogusMACsOnlyThreeMACAddressesAllowedonthePort:ShutdownSolution:PortSecurityLimitstheAmountofMAC’sonanInterface数据链路层安安全VLANHopping攻击；MAC/IP欺骗攻击；DHCP服务器攻击；；CAM表溢出攻击；；SpanningTree攻击；ARP攻击；SpanningTree协议回回顾STPPurpose:Tomaintainloop-freetopologiesinaredundantLayer2infrastructureA‘Tree-Like’Loop-FreeTopologyIsEstablishedfromthePerspectiveoftheRootBridgeASwitchIs

ElectedasRootRootSelectionIsBasedontheLowestConfiguredPriorityofAnySwitch0–65535XRootSTPisverysimple;messagesaresentusingBridgeProtocolDataUnits(BPDUs);basicmessagesinclude:configuration,topologychangenotification/acknowledgment(TCN/TCA);mosthaveno“payload””AvoidingloopsensuresbroadcasttrafficdoesnotbecomestormsSpanningTree攻击举举例AccessSwitchesRootRootXSTPSTPBlockedSendBPDUmessagestobecomerootbridgeSpanningTree攻击举举例SendBPDUmessagestobecomerootbridgeTheattackerthenseesframesheshouldn’’tMITM,DoS,etc.allpossibleAnyattackisverysensitiveto

theoriginaltopology,trunking,PVST,etc.AlthoughSTPtakeslinkspeedintoconsideration,itisalwaysdonefromtheperspectiveoftherootbridge;takingaGbbackbonetohalf-duplex10MbwasverifiedRequiresattackerisdualhomedtotwodifferentswitches(withahub,itcanbedonewithjustoneinterfaceontheattackinghost)AccessSwitchesRootRootRootXBlockedSTP攻击击对策Trytodesignloop-freetopologieswhereeverpossible,soyoudonotneedSTP；Don’tdisableSTP,introducingaloopwouldbecomeanotherattack；BPDUGuardShouldberunonalluserfacingportsandinfrastructurefacingportsDisablesportsusingportfastupondetectionofaBPDUmessageontheportGloballyenabledonallportsrunningportfastRootGuardDisablesportswhowouldbecometherootbridgeduetotheirBPDUadvertisementConfiguredonaperportbasis；数据链路层层安全VLANHopping攻击；MAC/IP欺骗攻击；；DHCP服务器攻击击；CAM表溢出攻击击；SpanningTree攻击；ARP攻击；ARP功能能回顾BeforeastationcantalktoanotherstationitmustdoanARPrequesttomaptheIPaddresstotheMACaddress；ThisARPrequestisbroadcastusingprotocol0806；AllcomputersonthesubnetwillreceiveandprocesstheARPrequest;thestationthatmatchestheIPaddressintherequestwillsendanARPreplyWhoIs?IAmMACAARP功能能回顾AccordingtotheARPRFC,aclientisallowedtosendanunsolicitedARPreply;thisiscalledagratuitousARP;otherhostsonthesamesubnetcanstorethisinformationintheirARPtables；AnyonecanclaimtobetheownerofanyIP/MACaddresstheylike；ARPattacksusethistoredirecttraffic；IAmMACAYouAreMACAYouAreMACAYouAreMACAARP攻击击工具ARPman-in-the-middle攻击dsniff—/~dugsong/dsniff/ettercap——/index.phpettercapisthesecondgenerationofARPattacktoolsettercaphasaniceGUI,andisalmostpointandclickInterestingfeaturesofettercapPacketI