CISP: Communication and Network Security Fundamentals

Uploaded by: cn****1 | Document ID: 571943982 | Upload date: 2024-08-12 | Format: PPT | Pages: 153 | Size: 2.93MB

Slide 1: Communication and Network Security Fundamentals

Slide 2: Agenda
  1. OSI model and the TCP/IP protocol suite
  2. Communication and network technologies
  3. Internet technologies and services
  4. Major network security protocols and mechanisms

Slide 3: Part I. OSI model and the TCP/IP protocol suite

Slide 4: OSI seven-layer model
  Application (upper) layers: Application, Presentation, Session
  Data flow layers: Transport, Network, Data Link, Physical

Slide 5: OSI seven-layer model - Physical layer (Layer 1)
  - Defines the electrical, mechanical, procedural and functional requirements of the physical link: voltage, data rate, maximum transmission distance, physical connectors
  - Cables and physical media; converts the bit stream into voltages
  - Physical-layer devices: Repeater, Hub, Multiplexers, NIC
  - Physical-layer standards: 100BaseT, OC-3, OC-12, DS1, DS3, E1, E3

Slide 6: OSI seven-layer model - Data Link layer (Layer 2)
  - Physical addressing, network topology, line discipline
  - Error detection and notification (no correction)
  - Groups bits into frames for transmission; flow control (optional)
  - Data-link-layer devices: bridges and switches
  - Data-link-layer protocols: PPP, HDLC, Frame Relay, Ethernet, Token Ring, FDDI, ISDN, ARP, RARP, L2TP, PPTP

Slide 7: Data Link layer - two sublayers
  - MAC (Media Access Control): the physical address; burned into the NIC ROM; 48 bits; unique
  - LLC (Logical Link Control): a uniform interface for the upper layers, which makes them independent of the physical medium; provides flow control, sequencing and similar services

Slide 8: OSI seven-layer model - Network layer (Layer 3)
  - Logical addressing; path selection; handling of network problems such as congestion; MTU
  - Network-layer devices: routers, Layer 3 switches
  - Network-layer protocols: IP, IPX, RIP, OSPF, EIGRP, IS-IS, ICMP

Slide 9: OSI seven-layer model - Transport layer (Layer 4)
  - End-to-end data transfer service; establishes logical connections
  - TCP (Transmission Control Protocol): stateful; in-order delivery; error correction and retransmission; sockets
  - UDP (User Datagram Protocol): stateless
  - SPX

Slide 10: OSI seven-layer model - Session layer (Layer 5)
  - Isolates the data of different applications; session establishment, maintenance and termination; synchronization services; name identification; session control (one-way or two-way)
  - Session-layer protocols: NFS, SQL, RPC; SSL/TLS, SSH

Slide 11: OSI seven-layer model - Presentation layer (Layer 6)
  - Data format representation; protocol conversion; character conversion; data encryption/decryption; data compression
  - Presentation-layer formats: ASCII, MPEG, TIFF, GIF, JPEG

Slide 12: OSI seven-layer model - Application layer (Layer 7)
  - Application interface; network access flow handling; flow control; error recovery
  - Application-layer protocols: FTP, Telnet, HTTP, SNMP, SMTP, DNS

Slide 13: Data encapsulation
  Upper Layer Data
  -> TCP Header + Data = Segment (Transport)
  -> IP Header + Data = Packet (Network)
  -> MAC Header + LLC Header + Data + FCS = Frame (Data Link)
  -> 01000010 ... = Bits (Physical)
  PDU names: Segment, Packet, Frame, Bits

Slide 14: Data decapsulation (the reverse of slide 13)
  MAC Header | LLC Hdr + IP + TCP + Upper Layer Data
  LLC Header | IP + TCP + Upper Layer Data
  IP Header | TCP + Upper Layer Data
  TCP Header | Upper Layer Data

Slide 15: Security services defined by OSI
  Authentication; access control; data confidentiality; data integrity; non-repudiation

Slide 16: Security mechanisms defined by OSI
  Encryption; digital signature; access control; data integrity; authentication; traffic padding; routing control; notarization

Slide 17: TCP/IP protocol suite model (mapped onto the OSI layers)
  Application <- Application, Presentation, Session
  Host-to-host <- Transport
  Internet <- Network
  Network Access <- Data Link, Physical

Slide 18: Main protocols of the TCP/IP suite
  Application: FTP, Telnet, SMTP, others
  Host-to-host: TCP, UDP
  Internet: IP, ARP, RARP, ICMP
  Network access: Ethernet, FDDI, Token Ring, others

Slide 19: IP header fields
  Version | IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source Address
  Destination Address
  Options | Padding

Slide 20: IP header version numbers
  Value | Version | RFC
  0 | Reserved | -
  1-3 | Unassigned | -
  4 | Internet Protocol version 4 (IPv4) | 791
  5 | ST Datagram Mode | 1190
  6 | Simple Internet Protocol (SIP) | -
  6 | Internet Protocol version 6 (IPv6) | 1883
  7 | TP/IX | 1475
  8 | P Internet Protocol (PIP) | 1621
  9 | TCP and UDP over Bigger Addresses (TUBA) | 1347
  10-14 | Unassigned | -
  15 | Reserved | -

Slide 21: IP header protocol field values
  Protocol | Value
  Internet Control Message Protocol (ICMP) | 1
  Internet Group Management Protocol (IGMP) | 2
  IP in IP (encapsulation) | 4
  Transmission Control Protocol (TCP) | 6
  User Datagram Protocol (UDP) | 17
  Inter-Domain Routing Protocol (IDRP) | 45
  Resource Reservation Protocol (RSVP) | 46
  Generic Routing Encapsulation (GRE) | 47
  NBMA Next Hop Resolution Protocol (NHRP) | 54
  Cisco Internet Gateway Routing Protocol (IGRP) | 88
  Open Shortest Path First (OSPF) | 89

Slide 22: IP addresses
  Class A: 1-126; Class B: 128-191; Class C: 192-223; Class D: 224-239; Class E: 240-254; RFC 1918 private addresses

Slide 23: TCP and UDP headers
  UDP header: Source Port Number | Destination Port Number | UDP Length | UDP Checksum
  TCP header: Source Port Number | Destination Port Number | Sequence Number | Acknowledgment Number | Header Length | Reserved | URG ACK PSH RST SYN FIN | Window Size | TCP Checksum | Urgent Pointer | Options (if any)
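The following Python is an added worked example, not part of the deck: it decodes the IPv4 header fields of slide 19, verifies the RFC 791 header checksum, and names the Protocol field using the table of slide 21. The function names and the sample packet (a TCP segment between the 10.1.1.x hosts that appear later in the deck) are constructed here.

```python
import struct

# Protocol numbers from the deck's "IP header protocol field values" table (slide 21).
IP_PROTOCOLS = {
    1: "ICMP", 2: "IGMP", 4: "IP in IP", 6: "TCP", 17: "UDP", 45: "IDRP",
    46: "RSVP", 47: "GRE", 54: "NHRP", 88: "IGRP", 89: "OSPF",
}

IPV4_FMT = "!BBHHHBBH4s4s"   # the 20-byte fixed header of slide 19


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words.
    Computed over a header whose checksum field is already filled in, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields of slide 19 and report whether the header checksum verifies."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4: version field is {version}")
    if ihl < 20 or ihl > len(packet):
        raise ValueError("IHL is inconsistent with the packet length")
    header = packet[:ihl]
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,            # reserved bit, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, "unknown"),
        "checksum_ok": ipv4_checksum(header) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[20:],
    }


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Construct a 20-byte header with a correct checksum (sample input only, no options)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, src_b, dst_b)   # 0x4000 = DF flag set
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    # Constructed sample: a TCP segment from 10.1.1.2 to 10.1.1.1 (addresses used on the deck's diagrams).
    pkt = build_ipv4_header("10.1.1.2", "10.1.1.1", 6, payload_len=20) + b"\x00" * 20
    print(parse_ipv4_header(pkt))
```

Flipping a single header bit (for instance the TTL) makes `checksum_ok` false, which is the check a router or a capture tool performs before trusting the rest of the header.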

Slide 24: Part II. Communication and network technologies

Slide 25: Local area networks (LAN)
  - Characteristics: high data rate; short distance; low bit error rate
  - Cables: fiber optic; unshielded twisted pair (UTP); shielded twisted pair (STP); coaxial cable
  - Media access: Ethernet, Token Ring, FDDI
  - Topologies: bus, star, ring, mesh

Slide 26: Coaxial cable
  - Construction: copper conductor; shielding layer; grounding wire; outer jacket
  - Types: 50 ohm for Ethernet; 75 ohm for video
  - Specifications: 10Base2 (thinnet): 10 Mbps, baseband, 185 meters; 10Base5 (thicknet): 500 meters

Slide 27: Twisted pair
  - Construction: multiple copper pairs; outer jacket
  - Types: UTP (Unshielded Twisted Pair); STP (Shielded Twisted Pair)

Slide 28: Main UTP categories
  UTP type | Data rate | Main use
  Cat1 | below 1 MHz | analog voice, not suitable for data transmission
  Cat2 | 4 Mbps | IBM 3270, AS/400
  Cat3 | 10 Mbps (Ethernet) and 4 Mbps (Token Ring) | 10BaseT, Token Ring
  Cat4 | 16 Mbps | 16 Mbps Token Ring
  Cat5 | 100 Mbps | 100BaseTX, FDDI
  Cat6 | 155 Mbps | network deployments needing high-speed transmission
  Cat7 | 1000 Mbps | network deployments needing high-speed transmission

Slide 29: Fiber optics
  - Construction: core; cladding; buffer coating; outer jacket
  - Types: single-mode (9 micron); multimode (62.5 micron)
  - Light sources: laser; light-emitting diode (LED)

Slide 30: Ethernet (IEEE 802.3)
  - Broadcast medium ("one talks, everyone listens")
  - CSMA/CD (Carrier Sense Multiple Access with Collision Detect); collision domain
  - Encapsulation: Ethernet, IEEE 802.3
  - Ethernet, Fast Ethernet and Gigabit Ethernet

Slide 31: Main Ethernet types
  Data link (MAC layer): Ethernet (DIX standard), 802.3
  802.3 specifications for 10 MB Ethernet: 10Base5, 10Base2, 10BaseT, 10BaseF
  802.3u specifications for 100 MB (Fast) Ethernet: 100BaseTX, 100BaseFX, 100BaseT4
  802.3ab specifications for Gigabit Ethernet: 1000BaseT

Slide 32: Comparison of the main Ethernet types
  Feature | 10Base5 | 10BaseT | 100BaseTX | 100BaseFX
  Media | 50-ohm coax (thick) | EIA/TIA Cat3, 4, 5 UTP, 2 pair | EIA/TIA Cat5 UTP, 2 pair | 62.5/125 micron multi-mode fiber
  Maximum segment length | 500 meters | 100 meters | 100 meters | 400 meters
  Topology | Bus | Star | Star | Point-to-point
  Connector | AUI | ISO 8877 (RJ-45) | ISO 8877 (RJ-45) | Duplex media-interface connector (MIC), ST

Slide 33: Token Ring (IEEE 802.5)
  - Broadcast medium; token ("one person talks at a time")
  - Self-healing and management: active monitor; upstream/downstream notification; beaconing
  - Token Ring, Fast Token Ring

Slide 34: FDDI (ANSI X3T9.5)
  - Broadcast medium; token ("one person talks at a time")
  - Self-healing and management: dual ring; SMT

Slide 35: Physical topologies
  - Bus: Ethernet
  - Star: Ethernet (logically a bus); Token Ring (logically a ring)
  - Ring: FDDI
  - Mesh: the Internet

Slide 36: WAN connection characteristics
  Media: copper (twisted pair, coaxial); fiber (single mode, multi-mode)
  Termination: end-to-end; transport network
  Data rate: narrowband; broadband
  Synchronization: external; embedded
  Switching: circuit; packet
  Connection duration: dedicated; on demand

Slide 37: WAN connection types
  Dedicated circuit-switched; on-demand circuit-switched; packet-switched (virtual circuit); broadband access

Slide 38: Dedicated circuit-switched connection (leased line)
  - CSU/DSU at each end; serial interfaces EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA-530
  - DS0 to T1/E1 through T3/E3; TDM circuit

Slide 39: Serial connectors
  - End user device (DTE) -> CSU/DSU (DCE) -> service provider
  - Router connections: EIA/TIA-232, EIA/TIA-449, EIA-530, V.35, X.21
  - Network connections at the CSU/DSU

Slide 40: On-demand circuit-switched connections
  - Asynchronous modem dial-up; ISDN BRI and ISDN PRI; PSTN
  - Mechanisms for circuit setup, hold and teardown; the connection is established only when there is traffic to carry

Slide 41: ISDN connection (diagram)

Slide 42: Packet switching
  - Establishes virtual links; bandwidth is statistically multiplexed

Slide 43: Broadband access (diagram)

Slide 44: WAN data rates
  Digital Signal (DS) name | Circuit bit rate | DS0 count | T-carrier name | E-carrier name
  DS0 | 64 Kbps | 1 | - | -
  DS1 | 1.544 Mbps | 24 | T-1 | -
  - | 2.048 Mbps | 32 | - | E-1
  DS1C | 3.152 Mbps | 48 | - | -
  DS2 | 6.312 Mbps | 96 | T-2 | -
  - | 8.448 Mbps | 128 | - | E-2
  - | 34.368 Mbps | 512 | - | E-3
  DS3 | 44.736 Mbps | 672 or 28 DS1s | T-3 | -
  - | 139.264 Mbps | 2048 | - | E-4
  DS4/NA | 139.264 Mbps | 2176 | - | -
  DS4 | 274.176 Mbps | 4032 | - | -
  - | 565.148 Mbps | 4 E-4 channels | - | E-5

Slide 45: WAN data rates (SONET/SDH)
  SONET signal | Bit rate | SDH signal | SONET capacity | SDH capacity
  OC-1 (STS-1) | 51.84 Mbps | STM-0 | 28 DS-1 or 1 DS-3 | 21 E1s
  OC-3 (STS-3) | 155.52 Mbps | STM-1 | 84 DS-1 or 3 DS-3s | 63 E1s or 1 E4
  OC-12 (STS-12) | 622.08 Mbps | STM-4 | 336 DS-1 or 12 DS-3s | 252 E1s or 4 E4s
  OC-48 (STS-48) | 2.488 Gbps | STM-16 | 1344 DS-1 or 48 DS-3s | 1008 E1s or 16 E4s
  OC-192 (STS-192) | 10 Gbps | STM-64 | 5376 DS-1 or 192 DS-3s | 4032 E1s or 64 E4s
  OC-256 | 13.271 Gbps | - | - | -
  OC-768 | 40 Gbps | - | - | -

Slide 46: SDLC/HDLC/PPP
  - SDLC was invented by IBM; the HDLC standard was set by IEEE; the PPP standard was set by IETF
  - Non-broadcast media: point-to-point; point-to-multipoint

Slide 47: PPP protocol components ("a data link with network-layer services")
  - Physical layer: synchronous or asynchronous physical media
  - Data link layer: Link Control Protocol (authentication, other options)
  - Network layer: Network Control Protocols (IPCP, IPXCP, many others), one per Layer 3 protocol (IP, IPX, ...)

Slide 48: Frame Relay
  - Non-broadcast medium: point-to-point; point-to-multipoint
  - Congestion avoidance: FECN, BECN, DE

Slide 49: Frame Relay traffic shaping (diagram: kilobytes sent versus time in seconds; Bc, Be, CIR, MIR (line rate), "DE" domain)

Slide 50: ATM (Asynchronous Transfer Mode)
  - Non-broadcast medium: point-to-point; point-to-multipoint
  - 53-byte cells

Slide 51: ATM cell format
  - GFC: Generic Flow Control, 4 bits, UNI cells only
  - VPI/VCI: identifies virtual paths and channels (UNI cell: VPI 8 bits, VCI 16 bits; NNI cell: VPI 12 bits, VCI 16 bits)
  - PTI: Payload Type Identifier, 3 bits (user/control data; congestion; last cell)
  - CLP: Cell Loss Priority bit
  - HEC: Header Error Check, 8-bit CRC
  - 48-byte payload

Slide 52: ISDN
  - BRI: 2B + D; each B channel 56/64 kbps, D channel 16 kbps; 144 kbps in total
  - PRI: 23B (T1) or 30B (E1) + D channel of 64 kbps; each B channel 64 kbps; T1 1.544 Mbps or E1 2.048 Mbps (includes sync)

Slide 53: ISDN protocol layers
  Layer | D channel | B channel
  Layer 3 | DSS1 (Q.931) | IP/IPX
  Layer 2 | LAPD (Q.921) | HDLC/PPP/FR/LAPB
  Layer 1 | I.430/I.431/ANSI T1.601 | I.430/I.431/ANSI T1.601

Slide 54: xDSL
  DSL service | Max downstream/upstream rate (bps) | Supports analog voice | Max distance (km / feet) | Copper pairs
  VDSL (Very High Bit-Rate DSL) | 25M/1.6M or 8M/8M | Yes | 0.9 / 3,000 | 1
  ADSL (Asymmetric DSL) | 7M/1M | Yes | 5.5 / 18,000 | 1
  HDSL (High Bit Rate DSL) | 1.5M-2.0M/1.5M-2.0M | No | 4.6 / 15,000 | 2
  SDSL (Symmetric DSL) | 784K/784K | No | 6.9 / 22,000 | 1
  IDSL (ISDN DSL) | 144K/144K | No | 5.5 / 18,000 | 1
  ISDN | 128K/128K | No | 5.5 / 18,000 | 1

Slide 55: Distinguishing related concepts
  - Analog vs. digital signals; synchronous vs. asynchronous communication; baseband vs. broadband transmission; unicast, multicast and broadcast

Slide 56: Unicast vs. Multicast (diagram: server -> router -> clients)

Slide 57: Part III. Internet technologies and services

Slide 58: Hub
  - Physical-layer device; one collision domain; one broadcast domain

Slide 59: Bridges and switches
  - Data-link-layer devices; a separate collision domain per port; one broadcast domain

Slide 60: Switch
  - Each segment has its own collision domain; broadcasts are forwarded to all segments

Slide 61: Router
  - Network-layer device; broadcast control; optimal path selection; logical addressing; traffic management

Slide 62: Broadcast and collision domains (four-port device of each kind)
  Device | Collision domains | Broadcast domains
  Hub | 1 | 1
  Bridge | 4 | 1
  Switch | 4 | 1
  Router | 4 | 4

Slide 63: Routing protocols by scope
  - Interior gateway protocols (IGP): RIP, RIPv2; IGRP, EIGRP; OSPF; IS-IS
  - Exterior gateway protocols (EGP): BGP

Slide 64: Routing protocols by algorithm
  - Distance vector (DV): RIP, RIPv2; IGRP, EIGRP
  - Link state (LS): OSPF; IS-IS
  - Path vector (PV): BGP

Slide 65: Routing protocols by addressing
  - Classful: RIP; IGRP
  - Classless: RIPv2; EIGRP; OSPF; IS-IS; BGP

Slide 66: Distance vector protocol comparison
  Feature | RIPv1 | RIPv2 | IGRP | EIGRP
  Count to infinity | X | X | X | -
  Split horizon | X | X | X | X
  Hold-down timer | X | X | X | -
  Triggered updates with route poisoning | X | X | X | X
  Load balancing, equal paths | X | X | X | X
  Load balancing, unequal paths | - | - | X | X
  VLSM support | - | X | - | X
  Routing algorithm | B-F | B-F | B-F | DUAL
  Metric | Hops | Hops | Comp | Comp
  Hop count limit | 16 | 16 | 100 | 100
  Scalability | Med | Med | Large | Large

Slide 67: Link state protocol comparison
  Feature | OSPF | IS-IS | EIGRP
  Hierarchical topology required | X | X | -
  Retains knowledge of all possible routes | X | X | X
  Route summarization, manual | X | X | X
  Route summarization, automatic | - | - | X
  Event-triggered announcements | X | X | X
  Load balancing, equal paths | X | X | X
  Load balancing, unequal paths | - | - | X
  VLSM support | X | X | X
  Routing algorithm | Dijkstra | IS-IS | DUAL
  Metric | Cost | Cost | Comp
  Hop count limit | 200 | 1024 | 100
  Scalability | Large | Very large | Large

Slide 68: Routing protocol comparison
  Feature | RIPv1 | RIPv2 | IGRP | EIGRP | OSPF
  Distance vector | X | X | X | X* | -
  Link-state | - | - | - | - | X
  Classful (auto route summarization) | X | X | X | X | -
  Classless (VLSM support) | - | X | - | X | X
  Proprietary | - | - | X | X | -
  Scalability | Small | Small | Med. | Large | Large
  Convergence time | Slow | Slow | Slow | Fast | Fast
  * EIGRP is an advanced distance vector protocol

Slide 69: IPv6 header vs. IPv4 header
  IPv6 header: Version | Traffic Class | Flow Label | Payload Length | Next Header | Hop Limit | Source Address | Destination Address
  IPv4 header: Version | IHL | Type of Service | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source Address | Destination Address | Options | Padding
  Legend: field name kept from IPv4 to IPv6; field not kept in IPv6; name and position changed in IPv6; new field in IPv6

Slide 70: Wireless technologies
  - PAN (Personal Area Network); LAN (Local Area Network); MAN (Metropolitan Area Network); WAN (Wide Area Network)

Slide 71: IEEE 802.11 summary (table)

Slide 72: Authentication
  - Authentication: who are you? Authorization: what are you allowed to do? Accounting: what did you do?
  - Authentication takes place between the principal and the authentication server, or between the principal and an authentication server proxy
  - Desired properties of an authentication protocol: credentials that are easy to manage; resistance to eavesdropping and man-in-the-middle attacks; non-repudiation
  - Authentication can be one-way or mutual

Slide 73: Authentication protocols
  PAP; CHAP; EAP; 802.1x; Kerberos

Slide 74: PAP (2-way handshake)
  - Remote Router (Santa Cruz), IOS configuration: Hostname: Santacruz, Password: Boardwalk
  - Central-Site Router (HQ), local database: Username Santacruz, Password Boardwalk
  - The remote router sends "Santa Cruz, Boardwalk"; HQ answers Accept/Reject
  - The password is transmitted in cleartext; initiated by the client; only one authentication per session

Slide 75: CHAP (3-way handshake)
  - Remote Router (Santa Cruz), IOS configuration: Hostname: Santacruz; local database: Username Santacruz, Password Boardwalk
  - Central-Site Router (HQ), local database: Username Santacruz, Password Boardwalk
  - HQ sends a Challenge (with key); the remote router sends a Response (with MD5 hash); HQ answers Accept/Reject
  - The password is never transmitted on the line; initiated by the challenger; multiple authentications during one connection
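To make the PAP/CHAP contrast concrete, here is an added Python example (not from the deck) of a CHAP MD5 handshake as specified in RFC 1994, using the Santacruz/Boardwalk names from the slides. `ChapAuthenticator`, `run_chap` and `pap_request` are names chosen for this example; the challenge is random per handshake and usable once, which is what prevents a captured response from being replayed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || Secret || Challenge).
    Only this hash crosses the wire, never the secret itself."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def pap_request(username: str, password: str) -> bytes:
    """What PAP (slide 74) puts on the wire: the credentials themselves, in cleartext."""
    return username.encode() + b"," + password.encode()


class ChapAuthenticator:
    """The challenger (the central-site router of slide 75): holds the local database,
    issues one fresh random challenge per handshake and verifies the response."""

    def __init__(self, local_db: dict):
        self.local_db = dict(local_db)     # peer name -> shared secret
        self.pending = {}                  # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)
        self.pending[identifier] = chal    # a new challenge replaces any older one
        return chal

    def verify(self, identifier: int, peer_name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is usable exactly once
        secret = self.local_db.get(peer_name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_chap(auth: ChapAuthenticator, peer_name: str, peer_secret: str, identifier: int = 1):
    """One 3-way handshake (challenge, response, accept/reject).
    Returns (accepted, everything an eavesdropper on the link would see)."""
    chal = auth.challenge(identifier)                       # 1. Challenge w/ key
    resp = chap_response(identifier, peer_secret, chal)     # 2. Response w/ MD5 hash
    on_the_wire = chal + peer_name.encode() + resp
    return auth.verify(identifier, peer_name, resp), on_the_wire   # 3. Accept/Reject


if __name__ == "__main__":
    hq = ChapAuthenticator({"Santacruz": "Boardwalk"})  # names from the deck's PAP/CHAP slides
    ok, wire = run_chap(hq, "Santacruz", "Boardwalk")
    print("CHAP accepted:", ok, "| secret visible on the wire:", b"Boardwalk" in wire)
    print("PAP on the wire:", pap_request("Santacruz", "Boardwalk"))
```

The model also shows the limit of CHAP that the RADIUS slide later alludes to: both ends must hold the secret in a recoverable form, so the local database itself is the asset to protect.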

Slide 76: EAP (Extensible Authentication Protocol)
  - Not itself an authentication method but a fairly flexible transport protocol for carrying authentication information
  - Supports challenge-response, one-time passwords, certificates and tickets
  - Intended to reduce the complexity of the relationships between systems and to provide more secure authentication methods
  - Usually runs directly over the data link layer, e.g. PPP or IEEE 802 media
  - Proxies authentication between the endpoint and the authentication server

Slide 77: Traditional PPP CHAP authentication (NAS translation function)
  - PPP CHAP runs between the dial-in client and the NAS
  - The NAS translates the LCP authentication messages into RADIUS Access-Request messages
  - The ACS Access-Challenge message is translated into a CHAP challenge
  - The client's response is again translated into a RADIUS Access-Request message
  - The ACS sends the NAS an authentication pass or fail reply

Slide 78: PPP EAP-MD5 authentication (NAS proxy function)
  - The EAP authentication request is encapsulated in RADIUS messages and forwarded to the ACS
  - The ACS challenge is forwarded to the client; the response is forwarded back to the ACS
  - The ACS sends the NAS an authentication pass or fail reply

Slide 79: 802.1x authentication
  - An IEEE standard that provides Layer 2 authentication on shared media (such as Ethernet and WLAN); comparable to the LCP that provides authentication in PPP
  - 802.1x encapsulates the EAP authentication information between the client and the authenticator (e.g. Ethernet switch, wireless AP)
  - RADIUS encapsulates the EAP information between the authenticator and the authentication server
  - Authentication happens between the client and the authentication server (EAP); authorization and accounting happen between the authenticator and the authentication server (RADIUS)

Slide 80: 802.1x port access control model
  - Supplicant (desktop/laptop, IP phone, WLAN AP): request for service (connectivity)
  - Authenticator (switch, router, WLAN AP)
  - Authentication server (IAS, ACS, any IETF RADIUS server): backend authentication support
  - Identity store/management (MS AD, LDAP, NDS, ODBC): identity store integration

Slide 81: Kerberos
  - Authentication protocol; the password is never transmitted over the network; SSO (single sign-on)
  - Three entities: the client accessing a service running on an application server; the authentication server, i.e. the KDC (Key Distribution Center, comprising the authentication service and the ticket-granting service); the application server
  - All messages except the initial request are encrypted with DES
  - A Service Ticket is issued to the user on the basis of the TGT (Ticket-granting ticket)

Slide 82: Kerberos initial authentication (diagram)

Slide 83: Kerberos: obtaining a Service Ticket (diagram)

Slide 84: Kerberos service verification (diagram)

Slide 85: Authentication proxy protocols
  RADIUS; TACACS+

Slide 86: RADIUS (Remote Authentication Dial-In User Service)
  - Mainly used for dial-up networks; IETF standard; UDP ports 1812 and 1813
  - Shortcomings: passwords are generally transmitted in cleartext (MD5 can be used for encryption); authorization is part of authentication; limited attribute value space; at most 255 concurrent requests; at most 255 vendor-defined attribute values; one-way
  - Diagram: RADIUS server, PSTN/ISDN, corporate network

Slide 87: DIAMETER
  - A new IETF standard proposal, backward compatible with RADIUS; addresses the shortcomings of RADIUS; two-way
  - Up to 2^32 vendor-specific attributes; essentially unlimited concurrent requests
  - Resilience through acknowledgement and keepalive mechanisms; encryption provides message confidentiality and integrity

Slide 88: TACACS+ (Terminal Access Controller Access Control System, enhanced)
  - Developed by Cisco; based on TCP port 49; offers more authorization options than RADIUS; supports auto-command; supports multiple protocols; supports packet encryption
  - Shortcomings: limited vendor support; limited server options
  - Diagram: TACACS+ server, TACACS+ client, Alice, PSTN/ISDN, corporate network

Slide 89: RADIUS vs. TACACS+ vs. Kerberos (comparison table)

Slide 90: Part IV. Major network security protocols and mechanisms

Slide 91: Network security: "Security is only as strong as the weakest link!"
  - Every layer has its own attack surface: physical links; MAC addresses; IP addresses; protocols/ports; application stream (POP3, IMAP, IM, SSL, SSH)
  - Diagram: an initial compromise at one layer of the stack leaves the layers above it compromised

Slide 92: Data link layer security
  - VLAN hopping attacks; MAC/IP spoofing attacks; DHCP server attacks; CAM table overflow attacks; Spanning Tree attacks; ARP attacks

Slide 93: Trunk port definition
  - A trunk port can by default access all VLANs
  - Used to carry the traffic of multiple VLANs over one physical link (usually between switches)
  - Encapsulation: 802.1q or ISL

Slide 94: Dynamic Trunk Protocol (DTP)
  - Automates the configuration of 802.1q/ISL trunks; operates between switches
  - DTP negotiates between the two endpoints of a link and synchronizes their state
  - The DTP state of an 802.1q/ISL trunk port can be "Auto", "On", "Off", "Desirable" or "Non-Negotiate"

Slide 95: Basic VLAN hopping attack (diagram: trunk ports)

Slide 96: VLAN hopping attack with double 802.1q encapsulation
  - The attacker sends 802.1q double-encapsulated frames; the switch performs only one level of decapsulation (it strips off the first tag and sends the frame back out)
  - Unidirectional traffic only; works even if trunk ports are set to off
  - Note: only works if the trunk has the same native VLAN as the attacker

Slide 97: VLAN and trunk security best practices
  - Define a dedicated VLAN ID for all trunk ports
  - Put unused ports in the disabled state and assign them to an unused VLAN; do not use VLAN 1!
  - On ports that connect clients, turn DTP automatic trunk negotiation off
  - Explicitly configure trunking on infrastructure ports
  - Use all-tagged mode for the native VLAN on trunks

Slide 98: Data link layer security (agenda, repeated from slide 92)

Slide 99: Spoofing attacks
  - MAC spoofing; IP spoofing; ping of death; ICMP unreachable storm; SYN flood
  - Trusted IP addresses can be spoofed

Slide 100: MAC address spoofing
  - The attacker sends packets with an incorrect source MAC address; if network control is based on MAC addresses, the attacker now looks like 10.1.1.2
  - Diagram: hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and 10.1.1.3 (MAC C); traffic sent with source MAC B; received traffic has source address 10.1.1.3 / MAC B

Slide 101: IP address spoofing
  - The attacker sends packets with an incorrect source IP address; whatever device the packet is sent to will never reply to the attacker
  - Diagram: same hosts; traffic sent with source IP 10.1.1.2; received traffic has source IP 10.1.1.2 / MAC C

Slide 102: IP/MAC spoofing
  - The attacker sends packets with both an incorrect source IP and an incorrect MAC address, and now looks like a device that is already on the network
  - Diagram: traffic sent with source IP 10.1.1.2 / MAC B; received traffic has source IP 10.1.1.2 / MAC B

Slide 103: Data link layer security (agenda, repeated from slide 92)

Slide 104: Spoofing countermeasure: IP Source Guard
  - Uses the DHCP snooping binding table information
  - Operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets
  - "Is this in my binding table? No!": non-matching traffic is dropped
  - Diagram: DHCP snooping, Dynamic ARP Inspection and IP Source Guard enabled; traffic from 10.1.1.3 / MAC C that is sent with IP 10.1.1.3 / MAC B or with IP 10.1.1.2 / MAC C is dropped

Slide 105: DHCP service
  - The server dynamically assigns IP addresses on demand; the administrator creates pools of addresses available for assignment
  - Addresses are assigned with a lease time; DHCP delivers other configuration information in options
  - Example: the client asks "send my configuration information"; the server answers "here is your configuration": IP Address: 10.10.10.101, Subnet Mask: 255.255.255.0, Default Routers: 10.10.10.1, DNS Servers: 192.168.10.4, 192.168.10.5, Lease Time: 10 days

Slide 106: DHCP communication (DHCP is defined by RFC 2131)
  - DHCP Discover (broadcast) -> DHCP Offer (unicast) -> DHCP Request (broadcast) -> DHCP Ack (unicast)

Slide 107: DHCP attack types: DHCP starvation
  - The Gobbler tool looks at the entire DHCP scope and tries to lease all of the addresses available in it: a denial-of-service (DoS) attack using DHCP leases
  - DHCP Discover, Offer, Request and Ack, each repeated (size of scope) times

Slide 108: DHCP starvation countermeasure: port security
  - Gobbler uses a new MAC address to request each new DHCP lease
  - Restrict the number of MAC addresses on a port; it is then impossible to lease more IP addresses than the number of MAC addresses allowed on the port
  - In the example the attacker would get one IP address from the DHCP server

Slide 109: DHCP attack types: rogue DHCP server
  - DHCP Discover (broadcast); DHCP Offer (unicast) from the rogue server; DHCP Request (broadcast); DHCP Ack (unicast) from the rogue server

Slide 110: Rogue DHCP server: what can the attacker do as the DHCP server?
  - The attacker hands out a configuration with incorrect information (IP Address: 10.10.10.101, Subnet Mask: 255.255.255.0, Default Routers: 10.10.10.1, DNS Servers: 192.168.10.4, 192.168.10.5, Lease Time: 10 days)
  - Wrong default gateway: the attacker is the gateway
  - Wrong DNS server: the attacker is the DNS server
  - Wrong IP address: the attacker causes a DoS with an incorrect IP

Slide 111: Rogue DHCP server countermeasure: DHCP snooping
  - By default all ports in the VLAN are untrusted; only the port towards the legitimate DHCP server is trusted
  - The table is built by "snooping" the DHCP replies to clients; entries stay in the table until the DHCP lease time expires
  - DHCP responses (offer, ack, nak) arriving on untrusted ports are bad and are dropped; the same responses from the trusted port are OK

Slide 112: Data link layer security (agenda, repeated from slide 92)
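The binding-table logic behind IP Source Guard (slide 104), DHCP snooping (slide 111) and Dynamic ARP Inspection (slide 136, later in the deck) can be modelled in a few dozen lines, which makes clear that all three are one lookup applied to different packets. The Python below is an added example, not the deck's or any vendor's code; the `AccessSwitch` class, the port numbers, the lease time and the DHCP/ARP messages are constructed for it, with the host addresses taken from the deck's diagrams.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: int
    vlan: int
    lease_expires: float   # absolute time in seconds (constructed clock)


class AccessSwitch:
    """Model of the three features on slides 104, 111 and 136.
    Port numbers, times and message dicts are constructed for this example."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)      # only the port towards the real DHCP server
        self.bindings = {}                     # ip -> Binding: the DHCP snooping table
        self.log = []

    # --- DHCP snooping (slide 111) ---
    def snoop_dhcp(self, msg: dict, now: float) -> bool:
        """Return True if the message is forwarded. Server replies (offer/ack/nak) are
        accepted only from trusted ports; an ack from a trusted port creates a binding."""
        kind, port = msg["type"], msg["ingress_port"]
        if kind in ("offer", "ack", "nak") and port not in self.trusted:
            self.log.append(f"t={now}: dropped rogue DHCP {kind} from port {port}")
            return False
        if kind == "ack":
            b = Binding(msg["yiaddr"], msg["chaddr"], msg["client_port"], msg["vlan"], now + msg["lease"])
            self.bindings[b.ip] = b
            self.log.append(f"t={now}: binding {b.ip} -> {b.mac} on port {b.port} until t={b.lease_expires}")
        return True

    def _matches(self, ip: str, mac: str, port: int, now: float) -> bool:
        b = self.bindings.get(ip)
        if b is None or b.lease_expires <= now:
            return False                       # no entry, or the lease has run out
        return b.mac == mac and b.port == port

    # --- Dynamic ARP Inspection (slide 136) ---
    def inspect_arp(self, arp: dict, now: float) -> bool:
        port = arp["ingress_port"]
        if port in self.trusted:
            return True
        ok = self._matches(arp["sender_ip"], arp["sender_mac"], port, now)
        if not ok:
            self.log.append(f"t={now}: DAI dropped ARP '{arp['sender_ip']} is {arp['sender_mac']}' on port {port}")
        return ok

    # --- IP Source Guard (slide 104): the same check on every IP packet ---
    def check_ip_packet(self, pkt: dict, now: float) -> bool:
        port = pkt["ingress_port"]
        if port in self.trusted:
            return True
        ok = self._matches(pkt["src_ip"], pkt["src_mac"], port, now)
        if not ok:
            self.log.append(f"t={now}: IPSG dropped packet src {pkt['src_ip']}/{pkt['src_mac']} on port {port}")
        return ok


def demo() -> dict:
    """Constructed scenario with the deck's hosts: 10.1.1.1/MAC A on port 1,
    10.1.1.2/MAC B on port 2, 10.1.1.3/MAC C on port 3; DHCP server behind port 24."""
    sw = AccessSwitch(trusted_ports=[24])
    for ip, mac, port in (("10.1.1.1", "A", 1), ("10.1.1.2", "B", 2), ("10.1.1.3", "C", 3)):
        sw.snoop_dhcp({"type": "ack", "ingress_port": 24, "yiaddr": ip, "chaddr": mac,
                       "client_port": port, "vlan": 10, "lease": 3600}, now=0)
    return {
        "rogue_offer_forwarded": sw.snoop_dhcp({"type": "offer", "ingress_port": 3}, now=1),
        "legit_arp": sw.inspect_arp({"ingress_port": 2, "sender_ip": "10.1.1.2", "sender_mac": "B"}, now=1),
        # port 3 claims "10.1.1.2 is MAC C" (the poisoning ARP of the deck's ARP slides)
        "poison_arp": sw.inspect_arp({"ingress_port": 3, "sender_ip": "10.1.1.2", "sender_mac": "C"}, now=1),
        # slide 104: port 3 sends IP 10.1.1.2 / MAC B, then IP 10.1.1.3 / MAC B
        "spoofed_ip_mac": sw.check_ip_packet({"ingress_port": 3, "src_ip": "10.1.1.2", "src_mac": "B"}, now=1),
        "spoofed_mac": sw.check_ip_packet({"ingress_port": 3, "src_ip": "10.1.1.3", "src_mac": "B"}, now=1),
        "legit_packet": sw.check_ip_packet({"ingress_port": 3, "src_ip": "10.1.1.3", "src_mac": "C"}, now=1),
        # once the lease expires the binding no longer vouches for the host
        "after_lease_expiry": sw.check_ip_packet({"ingress_port": 3, "src_ip": "10.1.1.3", "src_mac": "C"}, now=3601),
        "log": sw.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The two operational consequences the model makes visible: a statically addressed host that never goes through DHCP has no binding and is dropped unless a static binding is added, and a lease that expires while a host stays connected cuts it off until it renews.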

Slide 113: MAC addresses and the CAM table
  - CAM stands for Content Addressable Memory; the CAM table stores information such as the MAC addresses available on physical ports with their associated VLAN parameters; CAM tables have a fixed size
  - A MAC address is a 48-bit hexadecimal number that creates a unique Layer 2 address, e.g. 1234.5678.9ABC
  - First 24 bits = manufacturer code assigned by IEEE (e.g. 0000.0cXX.XXXX); second 24 bits = specific interface, assigned by the manufacturer
  - All Fs = broadcast: FFFF.FFFF.FFFF

Slide 114: CAM table normal operation (1/3)
  - MAC A on port 1, MAC C on port 3; CAM table: A -> 1, C -> 3
  - A sends an ARP for B; B is unknown, so the frame is flooded to every other port

Slide 115: CAM table normal operation (2/3)
  - B answers "I am MAC B"; the switch learns that B is on port 2; CAM table: A -> 1, B -> 2, C -> 3

Slide 116: CAM table normal operation (3/3)
  - Traffic A -> B is delivered only to port 2 (B is on port 2); C does not see the traffic to B

Slide 117: CAM table overflow (1/3)
  - The macof tool, around since 1999: about 100 lines of Perl, included in "dsniff"
  - The attack succeeds by exploiting the size limit of CAM tables

Slide 118: CAM table overflow (2/3)
  - The attacker on port 3 announces "I am MAC Y", "I am MAC Z", ...; the switch learns Y -> 3, Z -> 3, ... and the CAM table is now full
  - Traffic A -> B is flooded and the attacker sees it ("I see traffic to B!")

Slide 119: macof flood
  - macof sends random source MAC and IP addresses; it is much more aggressive if you run the command "macof -i eth1 2> /dev/null"
  - Sample output of macof (part of dsniff), "macof -i eth1":
    36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
    16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
    18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
    e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
    62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
    c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
    88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
    b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
    e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512

Slide 120: The CAM table is full!
  - Each switch has a limit on its CAM table; once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN
  - This basically turns the VLAN on the switch into a hub; the attack will also fill the CAM tables of adjacent switches
  - Sample of the traffic that becomes visible on the attacker's port:
    10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
    10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
    10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) OOPS
    10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) OOPS

Slide 121: MAC attack countermeasure: port security
  - Port security limits the MAC flooding attack, locks down the port and sends an SNMP trap
  - Example: only three MAC addresses are allowed on the port (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, ...); 132,000 bogus MACs -> the port is shut down
  - Solution: port security limits the number of MACs on an interface

Slide 122: Data link layer security (agenda, repeated from slide 92)
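As an added example (not from the deck or from any switch vendor), the Python below models the CAM table behaviour of slides 113 to 121: learning, unknown-unicast flooding, a fixed table size with entry aging, and port security as the countermeasure. Capacity, aging time, port numbers and the bogus source addresses are constructed for this model. Running the same scenario with and without a MAC limit on the attacker's port shows where A's traffic to B ends up in each case.

```python
AGING_SECONDS = 300   # assumed CAM aging time for this model


class Switch:
    """Minimal model of the CAM table behaviour on slides 114-121.
    Ports, capacity and timings are constructed for this example."""

    def __init__(self, ports, cam_capacity, port_security=None):
        self.ports = set(ports)
        self.capacity = cam_capacity
        self.cam = {}                                   # mac -> [port, last_seen]
        self.port_security = dict(port_security or {})  # port -> max distinct source MACs
        self.shutdown = set()                           # err-disabled ports
        self.events = []

    def _age_out(self, now):
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > AGING_SECONDS]:
            del self.cam[mac]

    def _macs_on(self, port):
        return sum(1 for p, _ in self.cam.values() if p == port)

    def receive(self, ingress, src_mac, dst_mac, now):
        """Process one frame and return the set of egress ports it is delivered to."""
        self._age_out(now)
        if ingress in self.shutdown:
            return set()
        # Port security (slide 121): a new source MAC beyond the limit err-disables the port.
        limit = self.port_security.get(ingress)
        if limit is not None and src_mac not in self.cam and self._macs_on(ingress) >= limit:
            self.shutdown.add(ingress)
            self.events.append(f"t={now}: port {ingress} shut down, MAC limit {limit} exceeded (SNMP trap sent)")
            return set()
        # Learning (slide 115): refresh a known MAC, or add a new one while there is room.
        if src_mac in self.cam or len(self.cam) < self.capacity:
            self.cam[src_mac] = [ingress, now]
        # Forwarding (slides 114/116): known destination -> its port; unknown or broadcast -> flood.
        if dst_mac in self.cam:
            out = self.cam[dst_mac][0]
            return set() if out == ingress else {out}
        return {p for p in self.ports if p != ingress and p not in self.shutdown}


def cam_scenario(port3_mac_limit=None):
    """Hosts A (port 1) and B (port 2) talk; port 3 then keeps sending frames from
    bogus source MACs (slide 118). After the real entries age out, see where A -> B goes."""
    sec = {3: port3_mac_limit} if port3_mac_limit is not None else None
    sw = Switch(ports=[1, 2, 3], cam_capacity=8, port_security=sec)
    A, B, BCAST = "0000.0c00.000a", "0000.0c00.000b", "ffff.ffff.ffff"
    bogus = iter(f"dead.beef.{i:04x}" for i in range(1000))   # constructed bogus sources

    sw.receive(1, A, BCAST, now=0)                 # A: "ARP for B" -> flooded
    sw.receive(2, B, A, now=0)                     # B: "I am MAC B" -> learned on port 2
    unicast_before = sw.receive(1, A, B, now=1)    # {2}: port 3 does not see it
    for burst_time in (250, 320):                  # the flood continues while A and B age out
        for _ in range(20):
            sw.receive(3, next(bogus), BCAST, now=burst_time)
    a_to_b = sw.receive(1, A, B, now=321)          # is there still room to learn A? is B known?
    sw.receive(2, B, A, now=322)                   # B answers: can it be learned again?
    a_to_b_after_reply = sw.receive(1, A, B, now=323)
    return {
        "unicast_before_attack": unicast_before,
        "bogus_cam_entries": sum(1 for m in sw.cam if m.startswith("dead.beef")),
        "a_to_b_when_b_unknown": a_to_b,
        "a_to_b_after_b_replies": a_to_b_after_reply,
        "shutdown_ports": sw.shutdown,
        "events": sw.events,
    }


if __name__ == "__main__":
    print("no port security:", cam_scenario())
    print("port security, 3 MACs on port 3:", cam_scenario(port3_mac_limit=3))
```

Without the limit the table stays full of bogus entries, B can never be re-learned and every A -> B frame is flooded to port 3 as well (the "hub" of slide 120); with a limit of three the fourth bogus MAC err-disables port 3, B is re-learned as soon as it replies, and the traffic goes back to port 2 only.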

Slide 123: Spanning Tree Protocol review
  - STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure
  - A tree-like loop-free topology is established from the perspective of the root bridge; a switch is elected as root; root selection is based on the lowest configured priority of any switch (0-65535)
  - STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); the basic messages are configuration and topology change notification/acknowledgment (TCN/TCA); most have no "payload"
  - Avoiding loops ensures broadcast traffic does not become storms

Slide 124: Spanning Tree attack example
  - Diagram: access switches, the root, a blocked port; the attacker sends BPDU messages to become the root bridge

Slide 125: Spanning Tree attack example (continued)
  - Send BPDU messages to become the root bridge; the attacker then sees frames he shouldn't; MITM, DoS, etc. are all possible
  - Any attack is very sensitive to the original topology, trunking, PVST, etc.
  - Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a Gb backbone down to half-duplex 10 Mb was verified
  - Requires the attacker to be dual-homed to two different switches (with a hub, it can be done with just one interface on the attacking host)

Slide 126: STP attack countermeasures
  - Try to design loop-free topologies wherever possible, so that you do not need STP
  - Don't disable STP: introducing a loop would become another attack
  - BPDU Guard: should be run on all user-facing ports and infrastructure-facing ports; disables ports using portfast upon detection of a BPDU message on the port; globally enabled on all ports running portfast
  - Root Guard: disables ports that would become the root bridge due to their BPDU advertisement; configured on a per-port basis

Slide 127: Data link layer security (agenda, repeated from slide 92)
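The root election of slide 123 and the two guards of slide 126, as an added example in Python (not from the deck or from a switch vendor): a switch adopts a lower bridge ID advertised in a BPDU, a root-guarded port that receives such a BPDU is put into the root-inconsistent state instead, and a portfast port that receives any BPDU at all is err-disabled. Bridge IDs, port numbers and BPDU contents are constructed for this example.

```python
class StpSwitch:
    """Minimal model of root election from BPDUs (slide 123) with the two guards of
    slide 126. Bridge IDs, ports and BPDUs are constructed for this example."""

    def __init__(self, name, priority, mac, root_guard_ports=(), portfast_ports=()):
        self.name = name
        self.bridge_id = (priority, mac)        # lower wins: priority first, then MAC
        self.root_id = self.bridge_id           # every switch starts out believing it is root
        self.root_port = None
        self.root_guard = set(root_guard_ports) # Root Guard is configured per port
        self.portfast = set(portfast_ports)     # BPDU Guard applies to portfast ports
        self.err_disabled = set()
        self.root_inconsistent = set()
        self.events = []

    def receive_bpdu(self, port, bpdu):
        """bpdu = {"root_id": (priority, mac), "sender": name}. Returns the action taken."""
        if port in self.err_disabled:
            return "dropped: port err-disabled"
        if port in self.portfast:                # BPDU Guard: no BPDU is legitimate here
            self.err_disabled.add(port)
            self.events.append(f"{self.name}: BPDU from {bpdu['sender']} on portfast port {port}, port err-disabled")
            return "bpdu-guard: err-disabled"
        if bpdu["root_id"] < self.root_id:       # a superior BPDU would change our root
            if port in self.root_guard:
                self.root_inconsistent.add(port)
                self.events.append(f"{self.name}: superior BPDU from {bpdu['sender']} on root-guarded port {port}, port root-inconsistent")
                return "root-guard: root-inconsistent"
            self.root_id, self.root_port = bpdu["root_id"], port
            self.events.append(f"{self.name}: new root {bpdu['root_id']} via port {port}")
            return "accepted: new root"
        return "ignored: not superior"

    def is_root(self):
        return self.root_id == self.bridge_id


def stp_scenario(guards_enabled):
    """An access switch with an uplink (port 24) to the legitimate root and two user
    ports (5 and 6). Hosts on both user ports send BPDUs claiming priority 0 (slide 124)."""
    access = StpSwitch("Access1", priority=32768, mac="0000.0c00.0002",
                       root_guard_ports=[5] if guards_enabled else [],
                       portfast_ports=[6] if guards_enabled else [])
    legit = access.receive_bpdu(24, {"root_id": (4096, "0000.0c00.0001"), "sender": "Core"})
    rogue5 = access.receive_bpdu(5, {"root_id": (0, "dead.beef.0001"), "sender": "host-on-port-5"})
    rogue6 = access.receive_bpdu(6, {"root_id": (0, "dead.beef.0002"), "sender": "host-on-port-6"})
    return {
        "uplink": legit,
        "port5": rogue5,
        "port6": rogue6,
        "root_id": access.root_id,
        "root_port": access.root_port,
        "is_root": access.is_root(),
        "events": access.events,
    }


if __name__ == "__main__":
    print("guards off:", stp_scenario(False))
    print("guards on: ", stp_scenario(True))
```

With the guards off, the first priority-0 BPDU moves the root port from the uplink to a user port and the second one is merely "not superior"; with the guards on, the root stays behind port 24 and both user ports are taken out of the topology, which is the log event to alert on.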

Slide 128: ARP review
  - Before a station can talk to another station it must send an ARP request to map the IP address to the MAC address
  - The ARP request is broadcast using protocol (Ethertype) 0806
  - All computers on the subnet receive and process the ARP request; the station that matches the IP address in the request sends an ARP reply
  - Diagram: "Who is 10.1.1.4?" -> "I am 10.1.1.4, MAC A"

Slide 129: ARP review (continued)
  - According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables
  - Anyone can claim to be the owner of any IP/MAC address they like; ARP attacks use this to redirect traffic
  - Diagram: "I am 10.1.1.1, MAC A" / "You are 10.1.1.1, MAC A"

Slide 130: ARP attack tools
  - ARP man-in-the-middle attack tools: dsniff, ettercap
  - ettercap is the second generation of ARP attack tools; it has a nice GUI and is almost point and click
  - Interesting features of ettercap: packet insertion; many-to-many ARP attack
  - Both capture the traffic/passwords of over 30 applications: FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL

Slide 131: ARP attack tools: ettercap
  - ettercap in action: as you can see it runs on Windows, Linux and Mac; decodes passwords on the fly; in this example a telnet username/password is captured

Slide 132: ARP attack tools against SSH/SSL
  - Using these tools, SSL/SSH sessions can be intercepted and bogus certificate credentials can be presented
  - Once the user has accepted the certificate, all SSL/SSH traffic for all SSL/SSH sites can flow through the attacker

Slide 133: ARP attack (1/3)
  - The attacker "poisons" the ARP tables: hosts 10.1.1.1 (MAC A) and 10.1.1.2 (MAC B), attacker 10.1.1.3 (MAC C)
  - ARP to 10.1.1.1 saying 10.1.1.2 is MAC C; ARP to 10.1.1.2 saying 10.1.1.1 is MAC C
  - Now 10.1.1.2 is MAC C in A's table and 10.1.1.1 is MAC C in B's table

Slide 134: ARP attack (2/3)
  - All traffic flows through the attacker: A transmits/receives its traffic to 10.1.1.2 via MAC C, and B transmits/receives its traffic to 10.1.1.1 via MAC C

Slide 135: ARP attack (3/3)
  - The attacker corrects the ARP table entries (ARP to 10.1.1.1 saying 10.1.1.2 is MAC B; ARP to 10.1.1.2 saying 10.1.1.1 is MAC A); traffic flows return to normal

Slide 136: ARP attack countermeasure: Dynamic ARP Inspection
  - Uses the DHCP snooping binding table information
  - All ARP packets must match the IP/MAC binding table entries; if the entries do not match, throw them in the bit bucket ("Is this in my binding table? No!")
  - Diagram: DHCP snooping and Dynamic ARP Inspection enabled; the ARPs saying 10.1.1.2 is MAC C and 10.1.1.1 is MAC C are dropped

Slide 137: Layer 2 security best practices (1 of 2)
  - Manage switches in as secure a way as possible (SSH, OOB, permit lists, etc.)
  - Assign a dedicated VLAN ID to all trunk ports; do not use VLAN 1!
  - Turn trunk negotiation off on all user-facing ports
  - Deploy port security on user-facing ports wherever possible
  - Use SNMP selectively and watch the community string values!
  - Put ARP countermeasures in place (ARP Inspection, IDS, etc.)

Slide 138: Layer 2 security best practices (2 of 2)
  - Use the mechanisms that counter STP attacks (BPDU Guard, Root Guard)
  - Watch for DHCP attacks (DHCP Snooping, VACLs)
  - Use VTP MD5 authentication
  - Disable all unused ports and place them in an unused VLAN

Slide 139: Network layer security
  - IPsec (omitted); PPTP (omitted); L2TP (omitted); routing protocol security; NAT

Slide 140: Routing protocol security
  - Main attacks: traffic redirection, traffic black hole, router/routing protocol DoS, unauthorized prefix origination
  - The most damaging attacks are those in which the attacker controls a router; hardening is essential!
  - Use prefix filtering to prevent bogus routing information
  - At a minimum, use MD5 authentication of routing messages (available for RIPv2, OSPF, BGP, EIGRP, IS-IS)

Slide 141: Network Address Translation (NAT): why?
  - Relieves the shortage of global Internet addresses; protects the organization's internal address plan; uses the private IP addresses defined in RFC 1918
  - In addition, hiding the internal network topology strengthens security

Slide 142: Transport layer security
  SSL; TLS; SSH

Slide 143: SSL
  - Developed by Netscape Communications in 1994 to protect secure transactions on the Internet
  - Consists of the SSL Record Protocol and the SSL Handshake Protocol
  - Provides: private; authentication; reliable

Slide 144: TLS
  - Developed by the IETF on the basis of SSL 3.0: the Transport Layer Security (TLS) protocol
  - Two layers: the TLS Record Protocol (private; reliable) and the TLS Handshake Protocol (the peer's identity can be authenticated using asymmetric cryptography; the negotiation of a shared secret is secure; the negotiation is reliable)

Slide 145: SSH
  - Used for remote login, command execution and file transfer; intended to replace telnet, ftp, rexec, rlogin, rsh and rcp
  - Uses TCP port 22; supports authentication, compression, confidentiality and integrity
  - SSH uses RSA for certificate exchange and 3DES for session encryption

Slide 146: Application layer security
  SET; PEM; S-HTTP vs. HTTPS; MIME; S/MIME; PGP

Slide 147: SET (Secure Electronic Transaction)
  - Developed by Visa and MasterCard; authenticates sender and receiver; keeps the credit card number confidential; uses digital certificates and signatures
  - Three main components: the electronic wallet; the digital certificate; the software running on the merchant's server at its web site, and the payment server located at the merchant's bank

Slide 148: PEM (Privacy Enhanced Mail)
  - One of the first standards for protecting the text of e-mail messages: messages are confidential; messages are from an authentic source; messages have not been altered or corrupted; the sender cannot repudiate or disown the message
  - Specifies a PKI for key exchange; supports text only (7-bit messages), which is far from sufficient for image-based e-mail; replaced by S/MIME

Slide 149: S-HTTP vs. HTTPS
  - S-HTTP: encrypts messages with a session key; provides integrity and sender authentication; supports multiple encryption modes and types; uses public-key technology and symmetric encryption
  - HTTPS: developed by Netscape; transmits encrypted information between systems; SSL/TLS over HTTP; https:// URL
  - HTTPS is used to establish a secure connection between two systems; S-HTTP is used to protect the secure transmission of individual messages

Slide 150: S/MIME
  - MIME (Multipurpose Internet Mail Extensions) lets heterogeneous systems display text, audio and graphic files, requiring only a single change to the e-mail reader program
  - S/MIME (Secure Multipurpose Internet Mail Extensions) is the best method for protecting e-mail: confidentiality; integrity; authentication; non-repudiation

Slide 151: PGP (Pretty Good Privacy)
  - Developed by Phil R. Zimmermann as a response to the 1991 Senate Bill 266; the first widely used public-key encryption program
  - Uses the RSA public-key algorithm for key management and the IDEA symmetric-key algorithm for data encryption; a hybrid cryptosystem that compresses and then encrypts
  - Relies on the "web of trust" mechanism

Slide 152: Cookies
  - Developed by Netscape to cope with the stateless nature of HTTP
  - Small text files placed on the computer system, used to identify or store a certain type of information, such as data entered into a form
  - A cookie is a receiver of information and cannot collect information by itself; it can be used to store confidential information or to track browsing activity

Slide 153: (end)
