Communication and Network Security Fundamentals

Agenda
- 1. The OSI model and the TCP/IP protocol suite
- 2. Communication and network technologies
- 3. Internet technologies and services
- 4. Major network security protocols and mechanisms

Part 1: The OSI model and the TCP/IP protocol suite

The OSI seven-layer model
[Figure: the seven layers Physical, Data Link, Network, Transport, Session, Presentation and Application; the upper three are the application layers, the lower four the data-flow layers.]

The OSI model: physical layer (Layer 1)
- Defines the electrical, mechanical, procedural and functional requirements of the physical link: voltages, data rates, maximum transmission distance, physical connectors, cabling and physical media.
- Converts the bit stream into voltages.
- Physical-layer devices: repeaters, hubs, multiplexers, NICs.
- Physical-layer protocols: 100BaseT, OC-3, OC-12, DS1, DS3, E1, E3.

The OSI model: data link layer (Layer 2)
- Physical addressing, network topology, line discipline.
- Error detection and notification (but no error correction).
- Groups bits into frames for transmission.
- Flow control (optional).
- Data-link-layer devices: bridges and switches.
- Data-link-layer protocols: PPP, HDLC, Frame Relay, Ethernet, Token Ring, FDDI, ISDN, ARP, RARP, L2TP, PPTP.

The OSI model: the two data-link sublayers
- MAC (Media Access Control): the physical address, burned into the NIC ROM, 48 bits, unique.
- LLC (Logical Link Control): presents a uniform interface to the upper layers so that they are independent of the physical medium; provides flow control, sequencing and similar services.

The OSI model: network layer (Layer 3)
- Logical addressing; path selection; handling of network problems such as congestion; MTU.
- Network-layer devices: routers, layer-3 switches.
- Network-layer protocols: IP, IPX, RIP, OSPF, EIGRP, IS-IS, ICMP.

The OSI model: transport layer (Layer 4)
- End-to-end data transfer service; establishes logical connections.
- Transport-layer protocols: TCP (Transmission Control Protocol), a stateful protocol with in-order delivery, error correction and retransmission, sockets; UDP (User Datagram Protocol), a stateless protocol; SPX.

The OSI model: session layer (Layer 5)
- Separates the data of different applications; session establishment, maintenance and termination; synchronization; name identification and recognition; session control (one-way or two-way).
- Session-layer protocols: NFS, SQL, RPC; SSL/TLS, SSH.

The OSI model: presentation layer (Layer 6)
- Data format representation; protocol conversion; character conversion; data encryption/decryption; data compression.
- Presentation-layer data formats: ASCII, MPEG, TIFF, GIF, JPEG.

The OSI model: application layer (Layer 7)
- Application interfaces; network access flow handling; flow control; error recovery.
- Application-layer protocols: FTP, Telnet, HTTP, SNMP, SMTP, DNS.

Data encapsulation
[Figure: going down the stack, the upper-layer data receives a TCP header (segment), then an IP header (packet), then an LLC header, MAC header and FCS (frame), and is finally transmitted as bits (0100 0010). The unit at each layer is its PDU.]

Data de-encapsulation
[Figure: the receiver reverses the process, stripping the MAC header and FCS, the LLC header, the IP header and the TCP header to recover the upper-layer data.]

OSI-defined security services
- Authentication; access control; data confidentiality; data integrity; non-repudiation.

OSI-defined security mechanisms
- Encryption; digital signatures; access control; data integrity; authentication; traffic padding; routing control; notarization.

The TCP/IP protocol suite model
- Four layers mapped onto OSI: Network Access (Physical and Data Link), Internet (Network), Host-to-host (Transport), Application (Session, Presentation and Application).

Main protocols of the TCP/IP suite
- Network access: Ethernet, Token Ring, FDDI, others.
- Internet: IP, ICMP, ARP, RARP.
- Host-to-host: TCP, UDP.
- Application: FTP, Telnet, SMTP, others.

IP header
- Fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding.

IP header: version number values
  Value  Version                                    RFC
  0      Reserved
  1-3    Unassigned
  4      Internet Protocol version 4 (IPv4)         791
  5      ST Datagram Mode                           1190
  6      Simple Internet Protocol (SIP)
  6      Internet Protocol version 6 (IPv6)         1883
  7      TP/IX                                      1475
  8      P Internet Protocol (PIP)                  1621
  9      TCP and UDP over Bigger Addresses (TUBA)   1347
  10-14  Unassigned
  15     Reserved

IP header: protocol field values
  Value  Protocol
  1      Internet Control Message Protocol (ICMP)
  2      Internet Group Management Protocol (IGMP)
  4      IP in IP (encapsulation)
  6      Transmission Control Protocol (TCP)
  17     User Datagram Protocol (UDP)
  45     Inter-Domain Routing Protocol (IDRP)
  46     Resource Reservation Protocol (RSVP)
  47     Generic Routing Encapsulation (GRE)
  54     NBMA Next Hop Resolution Protocol (NHRP)
  88     Cisco Internet Gateway Routing Protocol (IGRP)
  89     Open Shortest Path First (OSPF)

IP addresses
- Class A: 1-126; Class B: 128-191; Class C: 192-223; Class D: 224-239; Class E: 240-254.
- Private address ranges: RFC 1918.

TCP and UDP headers
- UDP header: Source Port Number, Destination Port Number, UDP Length, UDP Checksum.
- TCP header: Source Port Number, Destination Port Number, Sequence Number, Acknowledgment Number, Header Length, Reserved, flags (URG, ACK, PSH, RST, SYN, FIN), Window Size, TCP Checksum, Urgent Pointer, Options (if any).
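The header layouts and the protocol-field table above, carried through in code: an added example (not part of the slide deck) that decodes an IPv4 header, verifies its RFC 791 checksum, maps the Protocol field to the names in the table, and decodes the TCP header with the flag bits named on the slide. The sample packet is constructed inline; the addresses and ports in it are made up for the example.

```python
import struct
from typing import Any, Dict

# Protocol field values as listed in the slide's IP header table.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 4: "IP in IP", 6: "TCP", 17: "UDP", 45: "IDRP",
                46: "RSVP", 47: "GRE", 54: "NHRP", 88: "IGRP", 89: "OSPF"}

# TCP flag bits in the order the header slide lists them (URG ACK PSH RST SYN FIN).
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes) -> Dict[str, Any]:
    """Decode the fixed IPv4 header fields, verify the checksum and slice out the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, "other"),
        # Summing a header that includes its own checksum field yields 0 only when it is intact.
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> Dict[str, Any]:
    """Decode the fixed TCP header fields; flags are returned by name."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, window, _csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_length": hdr_len, "flags": [name for name, bit in TCP_FLAGS if flags & bit],
            "window": window, "urgent_pointer": urg, "payload": segment[hdr_len:]}


def build_sample_syn() -> bytes:
    """Constructed sample packet: a TCP SYN from 10.0.0.1:40000 to 10.0.0.2:80, DF set, no options."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum field
    return hdr + tcp
```

Corrupting any header byte (the TTL, say) makes checksum_ok come back False, which is the check a packet filter performs before trusting the Protocol or address fields.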
Part 2: Communication and network technologies

Local area networks (LAN)
- Characteristics: high data rate, short distance, low error rate.
- Cabling: fiber optic; unshielded twisted pair (UTP); shielded twisted pair (STP); coaxial cable.
- Media access: Ethernet, Token Ring, FDDI.
- Topologies: bus, star, ring, mesh.

Coaxial cable
- Construction: copper conductor, shielding layer, grounding wire, outer jacket.
- Types: 50 ohm for Ethernet; 75 ohm for video.
- Specifications: 10Base2 (thinnet): 10 Mbps, baseband, 185 meters. 10Base5 (thicknet): 500 meters.

Twisted pair
- Construction: multiple pairs of copper wire, outer jacket.
- Types: UTP (Unshielded Twisted Pair); STP (Shielded Twisted Pair).

Main UTP categories
  Category  Data rate                                   Main use
  Cat1      below 1 MHz                                 analog voice; not suitable for data
  Cat2      4 Mbps                                      IBM 3270, AS/400
  Cat3      10 Mbps (Ethernet) and 4 Mbps (Token Ring)  10BaseT, Token Ring
  Cat4      16 Mbps                                     16 Mbps Token Ring
  Cat5      100 Mbps                                    100BaseTX, FDDI
  Cat6      155 Mbps                                    network deployments needing high-speed transmission
  Cat7      1000 Mbps                                   network deployments needing high-speed transmission

Fiber optics
- Construction: core, cladding, buffer coating, outer jacket.
- Types: single-mode (9 micron); multi-mode (62.5 micron).
- Light sources: laser; light-emitting diode (LED).

Ethernet
- IEEE 802.3.
- Broadcast medium ("one talks, everyone listens").
- CSMA/CD (Carrier Sense Multiple Access with Collision Detect); collision domains.
- Encapsulation: Ethernet, IEEE 802.3.
- Ethernet, Fast Ethernet and Gigabit Ethernet.

Main Ethernet types
- Data link (MAC layer): Ethernet (DIX standard) and 802.3.
- 802.3: specifications for 10 Mb Ethernet (10Base5, 10Base2, 10BaseT, 10BaseF).
- 802.3u: specifications for 100 Mb (Fast) Ethernet (100BaseTX, 100BaseFX, 100BaseT4).
- 802.3ab: specifications for Gigabit Ethernet (1000BaseT).

Comparison of main Ethernet types
  Type       Media                              Maximum segment length  Topology        Connector
  10Base5    50-ohm coax (thick)                500 meters              Bus             AUI
  10BaseT    EIA/TIA Cat3, 4, 5 UTP, 2 pair     100 meters              Star            ISO 8877 (RJ-45)
  100BaseTX  EIA/TIA Cat5 UTP, 2 pair           100 meters              Star            ISO 8877 (RJ-45)
  100BaseFX  62.5/125 micron multi-mode fiber   400 meters              Point-to-point  Duplex media-interface connector (MIC) ST

Token Ring
- IEEE 802.5; broadcast medium; token passing ("one person talks at a time").
- Self-healing and management: active monitor, upstream/downstream notification, beaconing.
- Token Ring, Fast Token Ring.

FDDI
- ANSI X3T9.5; broadcast medium; token passing ("one person talks at a time").
- Self-healing and management: dual ring, SMT.

Physical topologies
- Bus: Ethernet.
- Star: Ethernet (logically a bus); Token Ring (logically a ring).
- Ring: FDDI.
- Mesh: the Internet.

WAN connection characteristics
- Media: copper (coaxial, twisted pair) or fiber (multi-mode, single-mode).
- Termination: end-to-end or through a transport network.
- Data rate: narrowband or broadband.
- Synchronization: embedded or external.
- Switching: circuit or packet.
- Connection duration: dedicated or on demand.

WAN connection types
- Dedicated circuit-switched; on-demand circuit-switched; packet-switched (virtual circuits); broadband access.

Dedicated circuit-switched connections
- A leased line over a TDM circuit, terminated by a CSU/DSU at each end; router-side interfaces EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA-530; circuit rates from DS0 to T1/E1 through T3/E3.

Serial connectors
- Router connections, on the DTE side (end-user device): EIA/TIA-232, EIA/TIA-449, EIA-530, V.35, X.21.
- Network connections at the CSU/DSU, on the DCE side (service provider).

On-demand circuit-switched connections
- Asynchronous modem dial-up; ISDN BRI and ISDN PRI; mechanisms for circuit setup, maintenance and teardown; the connection is established only when there is traffic to carry; PSTN.

ISDN connections
[Figure only.]

Packet switching
- Establishes virtual links; statistical multiplexing of bandwidth.

Broadband access
[Figure only.]

WAN rates (T and E carriers)
  DS name  T carrier  E carrier  Number of DS0s   Circuit bit rate
  DS0      -          -          1                64 Kbps
  DS1      T-1        -          24               1.544 Mbps
  -        -          E-1        32               2.048 Mbps
  DS1C     -          -          48               3.152 Mbps
  DS2      T-2        -          96               6.312 Mbps
  -        -          E-2        128              8.448 Mbps
  -        -          E-3        512              34.368 Mbps
  DS3      T-3        -          672 or 28 DS1s   44.736 Mbps
  -        -          E-4        2048             139.264 Mbps
  DS4/NA   -          -          2176             139.264 Mbps
  DS4      -          -          4032             274.176 Mbps
  -        -          E-5        4 E-4 channels   565.148 Mbps

WAN rates (SONET/SDH)
  SONET signal      Bit rate     SDH signal  SONET capacity          SDH capacity
  OC-1 (STS-1)      51.84 Mbps   STM-0       28 DS-1 or 1 DS-3       21 E1s
  OC-3 (STS-3)      155.52 Mbps  STM-1       84 DS-1 or 3 DS-3s      63 E1s or 1 E4
  OC-12 (STS-12)    622.08 Mbps  STM-4       336 DS-1 or 12 DS-3s    252 E1s or 4 E4s
  OC-48 (STS-48)    2.488 Gbps   STM-16      1344 DS-1 or 48 DS-3s   1008 E1s or 16 E4s
  OC-192 (STS-192)  10 Gbps      STM-64      5376 DS-1 or 192 DS-3s  4032 E1s or 64 E4s
  OC-256            13.271 Gbps  -           -                       -
  OC-768            40 Gbps      -           -                       -

SDLC/HDLC/PPP
- IBM invented SDLC; the IEEE standardized HDLC; the IETF standardized PPP.
- Non-broadcast media: point-to-point; point-to-multipoint.

PPP protocol components
- Physical layer: synchronous or asynchronous physical media.
- Data link layer: Link Control Protocol (LCP) for authentication and other options; Network Control Protocols (IPCP, IPXCP, many others).
- Network layer: the layer-3 protocols carried (IP, IPX).
- PPP is a data link with network-layer services.

Frame Relay
- Non-broadcast medium: point-to-point; point-to-multipoint.
- Congestion avoidance: FECN, BECN, DE.

Frame Relay traffic shaping
[Figure: kilobytes sent against time (seconds), showing the committed burst Bc, the excess burst Be, the CIR, the MIR (line rate) and the "DE" domain above the CIR.]

ATM (Asynchronous Transfer Mode)
- Non-broadcast medium: point-to-point; point-to-multipoint.
- 53-byte cells.

ATM cell
- UNI cell header: GFC (4 bits), VPI (8), VCI (16), PTI, CLP, HEC; followed by a 48-byte payload.
- NNI cell header: VPI (12), VCI (16), PTI, CLP, HEC; followed by a 48-byte payload.
- GFC: Generic Flow Control (UNI cells only).
- VPI/VCI: identifies virtual paths and channels.
- PTI: Payload Type Identifier, 3 bits: user/control data, congestion, last cell.
- CLP: Cell Loss Priority bit.
- HEC: Header Error Check, 8-bit CRC.

ISDN
- BRI: 2 B channels (56/64 kbps each) plus 1 D channel (16 kbps), 144 kbps in total.
- PRI: 23 B channels (T1, 1.544 Mbps) or 30 B channels (E1, 2.048 Mbps, includes sync) of 64 kbps each, plus 1 D channel of 64 kbps.

ISDN protocol layers
  Layer    D channel                B channel
  Layer 3  DSS1 (Q.931)             IP/IPX
  Layer 2  LAPD (Q.921)             HDLC/PPP/FR/LAPB
  Layer 1  I.430/I.431/ANSI T1.601  I.430/I.431/ANSI T1.601

xDSL
  DSL service                   Max downstream/upstream (bps)  Analog voice  Copper pairs  Max distance (km / feet)
  VDSL  Very High Bit-Rate DSL  25M/1.6M or 8M/8M              Yes           1             0.9 / 3,000
  ADSL  Asymmetric DSL          7M/1M                          Yes           1             5.5 / 18,000
  HDSL  High Bit Rate DSL       1.5M-2.0M/1.5M-2.0M            No            2             4.6 / 15,000
  SDSL  Symmetric DSL           784K/784K                      No            1             6.9 / 22,000
  IDSL  ISDN DSL                144K/144K                      No            1             5.5 / 18,000
  ISDN                          128K/128K                      No            1             5.5 / 18,000

Distinguishing related concepts
- Analog vs. digital signals; synchronous vs. asynchronous communication; baseband vs. broadband transmission; unicast, multicast and broadcast.

Unicast vs. multicast
[Figure: a server sending one copy of a stream per receiver through the router (unicast) versus a single stream replicated by the router (multicast).]

Part 3: Internet technologies and services

Hubs
- Physical-layer devices; all ports share one collision domain and one broadcast domain.

Bridges and switches
- Data-link-layer devices; each port is its own collision domain; all ports share one broadcast domain.

Switches
- Each segment has its own collision domain; broadcasts are forwarded to all segments.

Routers
- Network-layer devices; broadcast control; optimal path selection; logical addressing; traffic management.
Broadcast domains and collision domains
  Device (four ports each)  Hub  Bridge  Switch  Router
  Collision domains         1    4       4       4
  Broadcast domains         1    1       1       4

Routing protocols
- Interior gateway protocols (IGP): RIP, RIPv2; IGRP, EIGRP; OSPF; IS-IS.
- Exterior gateway protocols (EGP): BGP.

Routing protocols by algorithm
- Distance-vector (DV): RIP, RIPv2; IGRP, EIGRP.
- Link-state (LS): OSPF; IS-IS.
- Path-vector (PV): BGP.

Routing protocols by addressing
- Classful: RIP; IGRP.
- Classless: RIPv2; EIGRP; OSPF; IS-IS; BGP.

Comparison of distance-vector protocols
  Feature                                 RIPv1  RIPv2  IGRP   EIGRP
  Count to infinity                       X      X      X
  Split horizon                           X      X      X      X
  Hold-down timer                         X      X      X
  Triggered updates with route poisoning  X      X      X      X
  Load balancing, equal paths             X      X      X      X
  Load balancing, unequal paths                         X      X
  VLSM support                                   X             X
  Routing algorithm                       B-F    B-F    B-F    DUAL
  Metric                                  Hops   Hops   Comp   Comp
  Hop count limit                         16     16     100    100
  Scalability                             Med    Med    Large  Large

Comparison of link-state protocols (with EIGRP for reference)
  Feature                                   OSPF      IS-IS  EIGRP
  Hierarchical topology required            X         X
  Retains knowledge of all possible routes  X         X      X
  Route summarization, manual               X         X      X
  Route summarization, automatic                             X
  Event-triggered announcements             X         X      X
  Load balancing, equal paths               X         X      X
  Load balancing, unequal paths                              X
  VLSM support                              X         X      X
  Routing algorithm                         Dijkstra  IS-IS  DUAL
  Metric                                    Cost      Cost   Comp
  Hop count limit                           200       1024   100
  Scalability                               Large     VryLg  Large

Comparison of routing protocols
  Feature                      RIPv1  RIPv2  IGRP  EIGRP*  OSPF
  Distance vector              X      X      X     X
  Link-state                                               X
  Classful (auto route summ.)  X      X      X     X
  Classless (VLSM support)            X            X       X
  Proprietary                                X     X
  Scalability                  Small  Small  Med.  Large   Large
  Convergence time             Slow   Slow   Slow  Fast    Fast
  * EIGRP is an advanced distance vector protocol

IPv6
[Figure: the IPv4 header beside the IPv6 header, with a legend marking fields kept from IPv4, fields not kept in IPv6, fields whose name and position changed, and fields new in IPv6.]
- IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.
- IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding.

Wireless technologies
- PAN (Personal Area Network); LAN (Local Area Network); MAN (Metropolitan Area Network); WAN (Wide Area Network).

IEEE 802.11 summary
[Figure only.]
Authentication, authorization, accounting
- Authentication: who are you? Authorization: what are you allowed to do? Accounting: what did you do?

Authentication
- Authentication takes place between the principal and the authentication server, or between the principal and a proxy for the authentication server.
- Desirable properties of an authentication protocol: credentials that are easy to manage; resistance to eavesdropping and man-in-the-middle attacks; non-repudiation.
- Authentication may be one-way or mutual.

Authentication protocols
- PAP; CHAP; EAP; 802.1x; Kerberos.

PAP
[Figure: a remote router (Santa Cruz) authenticates to the central-site router (HQ). IOS configuration on the remote router: hostname Santacruz, password Boardwalk; the HQ local database holds username Santacruz, password Boardwalk. Two-way handshake: the remote router sends "Santa Cruz, Boardwalk" and HQ answers Accept/Reject.]
- The password is transmitted in cleartext.
- Initiated by the client.
- Authentication happens only once per session.

CHAP
[Figure: the same routers and local database. Three-way handshake: HQ sends a challenge with a key, the remote router returns a response carrying an MD5 hash, and HQ answers Accept/Reject.]
- The password is never transmitted over the line.
- Initiated by the challenger.
- Authentication is repeated several times during a connection.

EAP (Extensible Authentication Protocol)
- Not itself an authentication method but a flexible transport protocol for carrying authentication information.
- Supports challenge-response, one-time passwords, certificates, tickets.
- Its goal is to reduce the complexity of the relationships between systems and to provide more secure authentication methods.
- Usually runs directly over the data link layer, such as PPP or IEEE 802 media.
- Proxies authentication between the end device and the authentication server.

Traditional PPP CHAP authentication (NAS translation function)
- PPP CHAP runs between the dial-up client and the NAS.
- The NAS translates the LCP authentication messages into a RADIUS Access-Request.
- The Access-Challenge from the ACS is translated into a CHAP challenge.
- The client's response is again translated into a RADIUS Access-Request.
- The ACS returns an authentication accept or reject reply to the NAS.

PPP EAP-MD5 authentication (NAS proxy function)
- The EAP authentication request is encapsulated in RADIUS messages and forwarded to the ACS.
- The ACS challenge is forwarded to the client.
- The response is again forwarded to the ACS.
- The ACS returns an authentication accept or reject reply to the NAS.
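The CHAP three-way handshake from the slides (challenge, MD5 response, accept/reject), as an added example that is not part of the slide deck and not Cisco IOS code: both sides are modelled, the response is computed as RFC 1994 specifies (MD5 over identifier, secret and challenge), and a capture of the exchange can be checked to confirm that the secret itself never crosses the line. The hostname and password are the constructed sample values from the slide's figure; the message tuples are this example's own simplification of the CHAP packets.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Central-site local database from the slide (constructed sample credentials).
LOCAL_DATABASE: Dict[str, bytes] = {"Santacruz": b"Boardwalk"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The challenger (central-site router): issues challenges and checks responses."""

    def __init__(self, database: Dict[str, bytes]):
        self.database = database
        self.pending: Dict[int, bytes] = {}      # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)                   # a fresh random challenge every time
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # each challenge is answered at most once
        secret = self.database.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Peer:
    """The remote router: holds its own secret and only ever sends a hash derived from it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def three_way_handshake(auth: Authenticator, peer: Peer) -> Tuple[bool, List[Tuple]]:
    """Run one CHAP exchange; return the result and the messages that crossed the wire."""
    identifier, challenge = auth.challenge()
    name, response = peer.respond(identifier, challenge)
    result = auth.verify(identifier, name, response)
    wire = [("Challenge", identifier, challenge),
            ("Response", identifier, name, response),
            ("Success" if result else "Failure", identifier)]
    return result, wire


def secret_on_wire(wire: List[Tuple], secret: bytes) -> bool:
    """True if the raw secret appears in any byte field of the captured messages."""
    return any(secret in field for msg in wire for field in msg if isinstance(field, bytes))
```

Because the response is bound to a one-shot random challenge, a response captured by an eavesdropper is useless against the next challenge, which is the property PAP lacks.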
802.1x authentication
- IEEE standard providing layer-2 authentication services on shared media such as Ethernet and WLAN; comparable to the authentication service LCP provides in PPP.
- 802.1x encapsulates the EAP authentication information between the client and the authenticator (an Ethernet switch or wireless AP); RADIUS encapsulates the EAP information between the authenticator and the authentication server.
- Authentication runs between the client and the authentication server (EAP); authorization and accounting run between the authenticator and the authentication server (RADIUS).

802.1x port access control model
- Supplicant (requests service/connectivity): desktop/laptop, IP phone, WLAN AP.
- Authenticator: switch, router, WLAN AP.
- Authentication server (backend authentication support): IAS, ACS, any IETF RADIUS server.
- Identity store/management (identity store integration): MS AD, LDAP, NDS, ODBC.

Kerberos
- Authentication protocol in which the password is never transmitted over the network; SSO (single sign-on).
- Three entities: the client that accesses a service running on an application server; the authentication server, i.e. the KDC (Key Distribution Center), which provides the authentication service and the ticket-granting service; the application server.
- Uses DES to encrypt all messages except the initial request.
- Issues the user a Service Ticket on the basis of the TGT (Ticket-granting ticket).

Kerberos: initial authentication
[Figure only.]

Kerberos: obtaining a Service Ticket
[Figure only.]

Kerberos: service verification
[Figure only.]

Authentication proxy protocols
- RADIUS; TACACS+.

RADIUS
- Remote Authentication Dial-In User Service; mainly used for dial-up networks; IETF standard; uses UDP ports 1812 and 1813.
- Shortcomings: passwords are generally transmitted in cleartext, although MD5 can be used to encrypt them; authorization is handled as part of authentication; limited attribute value space; at most 255 concurrent requests; at most 255 vendor-defined attribute values; one-way.
[Figure: a RADIUS server on the corporate network serving users connecting over PSTN/ISDN.]

DIAMETER
- A newer IETF standards proposal that provides backward compatibility and addresses the shortcomings of RADIUS.
- Two-way; supports up to 2^32 vendor-specific attributes; essentially unlimited concurrent requests; improved resilience through acknowledgement and keepalive mechanisms; provides encryption for message confidentiality and integrity.

TACACS+
- Terminal Access Controller Access Control System (enhanced); developed by Cisco; based on TCP port 49.
- Offers more authorization options than RADIUS; supports auto-command; supports multiple protocols; supports encryption of the packet payload.
- Shortcomings: limited vendor support; limited server options.
[Figure: a TACACS+ client (Alice) reaching a TACACS+ server on the corporate network over PSTN/ISDN.]

RADIUS vs. TACACS+ vs. Kerberos
[Figure only.]

Part 4: Major network security protocols and mechanisms

Network security
- "Security is only as strong as the weakest link!"
[Figure: two OSI stacks side by side, an initial compromise on one host spreading to the other; each layer is labelled with what an attacker reaches there: physical links, MAC addresses, IP addresses, protocols/ports, application stream (POP3, IMAP, IM, SSL, SSH).]

Data link layer security
- VLAN hopping attacks; MAC/IP spoofing attacks; DHCP server attacks; CAM table overflow attacks; Spanning Tree attacks; ARP attacks.
Trunk ports
- Definition: by default a trunk port has access to all VLANs.
- Used to carry the traffic of several VLANs over one physical link, usually between switches.
- Encapsulation can be 802.1q or ISL.

Dynamic Trunk Protocol (DTP)
- What is DTP? Automatic configuration of 802.1q/ISL trunks; operates between switches; DTP negotiates between the two ends of a link and synchronizes their state.
- The DTP state of an 802.1q/ISL trunk port can be "Auto", "On", "Off", "Desirable" or "Non-Negotiate".

Basic VLAN hopping attack
[Figure: a station negotiates a trunk with the switch, so both ends become trunk ports and the station can reach every VLAN.]

Double 802.1q encapsulation VLAN hopping attack
- The attacker sends 802.1q double-encapsulated frames.
- The switch performs only one level of decapsulation: it strips off the first tag and sends the frame back out, still carrying the inner 802.1q tag.
- Unidirectional traffic only.
- Works even if trunk ports are set to off.
- Note: only works if the trunk has the same native VLAN as the attacker.

VLAN and trunk security best practices
- Define a dedicated VLAN ID for all trunk ports.
- Disable unused ports and assign them to an unused VLAN.
- Do not use VLAN 1!
- On ports that connect clients, set DTP automatic trunk negotiation to off.
- Explicitly configure trunking on infrastructure ports.
- Use all-tagged mode for the native VLAN on trunks.
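The double-tagging condition above, turned into an ingress check: an added example (not part of the slide deck, not switch firmware) that walks the stacked 802.1Q tags of a frame and applies the slide's best practices as policy, dropping any tagged frame on an access port and alerting on a double-tagged frame whose outer tag equals the trunk's native VLAN. The frame builder, MAC addresses and native VLAN number are constructed for the example.

```python
import struct
from typing import List, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return the VLAN IDs of all stacked 802.1Q tags (outer to inner) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []                       # EtherType/TPID field starts after dst + src MAC
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype == ETHERTYPE_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append(tci & 0x0FFF)               # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return tags, ethertype


def ingress_decision(frame: bytes, port_is_trunk: bool, native_vlan: int) -> str:
    """Policy for a frame arriving on a switch port, following the slide's best practices."""
    tags, _ = parse_vlan_tags(frame)
    if not port_is_trunk and tags:
        # An access port carries exactly one VLAN; a tagged frame arriving there is
        # the hopping attempt itself and is dropped rather than decapsulated.
        return "drop: 802.1Q-tagged frame on access port"
    if len(tags) >= 2 and tags[0] == native_vlan:
        # Outer tag equal to the native VLAN is the signature the slide describes:
        # stripping it would release the inner-tagged frame into another VLAN.
        return "alert: double-tagged frame with native VLAN %d as outer tag" % native_vlan
    return "allow"


def build_frame(vlans: List[int], payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame: made-up dst/src MACs, zero or more 802.1Q tags, then an IPv4 payload."""
    header = bytes.fromhex("0000c0000001") + bytes.fromhex("0000c0000002")
    for vid in vlans:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
```

With a dedicated native VLAN on the trunk (the first best practice), a frame whose outer tag is VLAN 1 no longer matches and is forwarded as ordinary Q-in-Q traffic instead of leaking into the inner VLAN.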
Spoofing attacks
- MAC spoofing; IP spoofing; ping of death; ICMP unreachable storm; SYN flood.
- Trusted IP addresses can be spoofed.

MAC address spoofing attack
- The attacker sends packets with an incorrect source MAC address. If network control is by MAC address, the attacker now looks like MAC A.
[Figure: host MAC C sends traffic with source MAC B; the receiver sees source address MAC B.]

IP address spoofing attack
- The attacker sends packets with an incorrect source IP address. Whatever device the packet is sent to will never reply to the attacker.
[Figure: host MAC C sends traffic with the IP source of another host; the receiver sees that source IP.]

IP/MAC spoofing attack
- The attacker sends packets with incorrect source IP and MAC addresses and now looks like a device that is already on the network.
[Figure: host MAC C sends traffic with the IP and MAC of host B; the receiver sees source IP and MAC B.]

Countermeasure against spoofing attacks: IP Source Guard
- Uses the DHCP Snooping binding table information.
- Operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets.
- DHCP Snooping, Dynamic ARP Inspection and IP Source Guard are all enabled on the switch.
[Figure: host MAC C sends traffic with the IP and MAC of host B; the switch asks "Is this in my binding table?", answers "No!", and drops the non-matching traffic.]

DHCP service
- The server dynamically assigns IP addresses on demand; the administrator creates pools of addresses available for assignment; an address is assigned with a lease time; DHCP delivers other configuration information in options.
[Figure: the client asks "send my configuration information"; the server answers "here is your configuration": IP address, subnet mask, default routers, DNS servers, lease time 10 days.]

DHCP communication process (DHCP is defined by RFC 2131)
- DHCP Discover (broadcast) from the client; DHCP Offer (unicast) from the server; DHCP Request (broadcast) from the client; DHCP Ack (unicast) from the server.

DHCP attack types: DHCP starvation
- Gobbler looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the scope.
- This is a denial of service (DoS) attack using DHCP leases: Discover, Offer, Request and Ack are each repeated once per address in the scope until the pool is exhausted.

Countermeasure against DHCP starvation: port security
- Gobbler uses a new MAC address to request each new DHCP lease.
- Restrict the number of MAC addresses on a port; the attacker cannot lease more IP addresses than the number of MAC addresses allowed on the port.
- In the example the attacker would get one IP address from the DHCP server.

DHCP attack types: rogue DHCP server
- The client's DHCP Discover (broadcast) is answered by a DHCP Offer (unicast) from the rogue server; the client's DHCP Request (broadcast) is answered by a DHCP Ack (unicast) from the rogue server.
- What can the attacker do if he is the DHCP server? He hands the client its configuration (IP address, subnet mask, default routers, DNS servers, lease time). The potential problems with incorrect information: wrong default gateway (the attacker is the gateway); wrong DNS server (the attacker is the DNS server); wrong IP address (the attacker causes a DoS with an incorrect IP).

Countermeasure against rogue DHCP servers: DHCP Snooping
- By default all ports in the VLAN are untrusted; only the port toward the DHCP server is trusted.
- The binding table is built by "snooping" the DHCP replies to the clients; entries stay in the table until the DHCP lease time expires.
- DHCP server responses (offer, ack, nak) are accepted from the trusted port and treated as bad on untrusted ports, so the rogue server's replies never reach the client.

MAC addresses and the CAM table
- CAM table stands for Content Addressable Memory. The CAM table stores information such as the MAC addresses available on physical ports with their associated VLAN parameters. CAM tables have a fixed size.
- A 48-bit hexadecimal number creates a unique layer-two address, for example 1234.5678.9ABC: the first 24 bits are the manufacturer code assigned by the IEEE (the slide's pattern 0000.0cXX.XXXX), the second 24 bits identify the specific interface and are assigned by the manufacturer.
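The three switch-side countermeasures from this section (port security against DHCP starvation, DHCP Snooping against rogue servers, IP Source Guard against IP/MAC spoofing), modelled together as an added example that is not part of the slide deck and not a vendor implementation: the switch learns bindings only from DHCP Acks on the trusted port and then filters ordinary traffic against them. The Frame class, port names and MAC/IP values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    """A simplified ingress frame (constructed for this example, not a real capture)."""
    port: str
    src_mac: str
    src_ip: Optional[str] = None          # for ordinary IP traffic
    dhcp: Optional[str] = None            # discover/request (client) or offer/ack/nak (server)
    client_mac: Optional[str] = None      # in server messages: the client being answered
    assigned_ip: Optional[str] = None     # in an ack: the leased address


DHCP_SERVER_MESSAGES = {"offer", "ack", "nak"}


class AccessSwitch:
    """Models the three countermeasures from the slides on one access switch."""

    def __init__(self, trusted_ports: List[str], max_macs_per_port: int = 1):
        self.trusted: Set[str] = set(trusted_ports)   # only the uplink toward the DHCP server
        self.max_macs = max_macs_per_port
        self.macs_on_port: Dict[str, Set[str]] = {}
        self.client_port: Dict[str, str] = {}          # MAC -> port, learned from client DHCP messages
        self.binding: Dict[str, Tuple[str, str]] = {}  # MAC -> (ip, port): the DHCP Snooping binding table
        self.log: List[str] = []

    def _drop(self, frame: Frame, reason: str) -> str:
        self.log.append("%s %s: %s" % (frame.port, frame.src_mac, reason))
        return "drop"

    def ingress(self, frame: Frame) -> str:
        # Port security: a port may source at most max_macs MAC addresses, so Gobbler
        # cannot rotate MAC addresses to lease the whole scope.
        seen = self.macs_on_port.setdefault(frame.port, set())
        if frame.src_mac not in seen:
            if len(seen) >= self.max_macs:
                return self._drop(frame, "port-security: MAC address limit exceeded")
            seen.add(frame.src_mac)
        if frame.dhcp in DHCP_SERVER_MESSAGES:
            # DHCP Snooping: server replies are honoured only from trusted ports.
            if frame.port not in self.trusted:
                return self._drop(frame, "dhcp-snooping: server reply on untrusted port")
            if frame.dhcp == "ack" and frame.client_mac in self.client_port:
                self.binding[frame.client_mac] = (frame.assigned_ip, self.client_port[frame.client_mac])
            return "forward"
        if frame.dhcp is not None:
            self.client_port[frame.src_mac] = frame.port   # discover/request: remember where the client sits
            return "forward"
        # IP Source Guard: ordinary traffic must match the snooped (ip, port) binding for its MAC.
        if self.binding.get(frame.src_mac) != (frame.src_ip, frame.port):
            return self._drop(frame, "ip-source-guard: no binding for %s" % frame.src_ip)
        return "forward"
```

The log records each drop with its port, MAC and the countermeasure that fired, which is the evidence a network operator would forward to monitoring.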