Source document: akela.mendelu.czxgerich/PS2/PS 2 príkazy.docx (PS2 lab command notes)

Lab 30.9.2016

Lab 2 commands

ASW2
enable
conf t
hostname ASW2
vlan 150
vlan 250
int Fa0/1
switchport mode access
switchport access vlan 150
no shutdown
exit
int Fa0/2
switchport mode access
switchport access vlan 250
no shutdown
exit
int Fa0/3
switchport mode trunk
switchport trunk allowed vlan 150,250
show interfaces trunk

DSW2
hostname DSW2
vlan 150
vlan 250
int fa0/3
switchport trunk encapsulation dot1q
switchport mode trunk
ip routing
int vlan 150
ip address 172.17.150.1 255.255.255.0
int vlan 250
ip address 172.17.250.1 255.255.255.0
show vlan brief
show int trunk
show protocols : UP, UP
show ip route : 2x C
int fa0/1
no switchport
ip address 10.0.0.2 255.255.255.0
show protocols : up, up
show ip route : 3x C
(config)# ip route 172.16.0.0 255.255.0.0 10.0.0.1
show ip route : an S (static) route appears

Lab 3 21.10.2016

Assignment:
Create 2 VLANs. Ensure communication between the VLANs, i.e. every host can ping every other host. Create a Layer-2 link aggregation between the DSWx switches. Configure HSRP so that if one DSW fails, communication is preserved for all VLANs. Configure the ports from the PCs to the switch as access ports and every uplink between switches as a trunk. Configure the PCs. Use Rapid-PVST+.

ASW1
hostname ASW1
spanning-tree mode rapid-pvst
int fa0/3
switchport mode access
switchport access vlan 10
spanning-tree portfast
int fa0/4
switchport mode access
switchport access vlan 20
Verification: show vlan brief
interface range fa0/1 - 2
switchport mode trunk
switchport trunk allowed vlan 10,20
Verification: show interfaces trunk

Analogously for ASW2 according to the topology.

DSW2
ip routing
vlan 10,20
interface range fa0/1-2
channel-group 1 mode active
interface range fa0/1-4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root secondary
spanning-tree vlan 20 root primary
Verification: show spanning-tree
interface vlan 10
ip address 172.16.10.3 255.255.255.0
standby 1 ip 172.16.10.1
standby 1 priority 100
standby 1 preempt
interface vlan 20
ip address 172.16.20.3 255.255.255.0
standby 1 ip 172.16.20.1
standby 1 priority 105
standby 1 preempt

DSW1
ip routing
vlan 10,20
interface range fa0/1-2
channel-group 1 mode active
interface range fa0/1-4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary
Verification: show etherchannel summary or show interface port-channel 1
interface vlan 10
ip address 172.16.10.2 255.255.255.0
standby 1 ip 172.16.10.1
standby 1 priority 105
standby 1 preempt
interface vlan 20
ip address 172.16.20.2 255.255.255.0
standby 1 ip 172.16.20.1
standby 1 priority 100
Verification: show spanning-tree or show vlan brief or also show run

Note: the higher HSRP priority (105) wins the election, so DSW1 is the active gateway for VLAN 10 and DSW2 for VLAN 20, the same switches that are STP root primary for those VLANs; that way traffic to the active gateway does not have to cross the DSW1-DSW2 link. HSRP as configured here is unauthenticated: any host on the VLAN can send hellos with a higher priority and take over the virtual IP, so outside the lab add standby 1 authentication md5 key-string <key> on both switches.

Lab 4 4.11.2016 Connecting the core

DSW1
interface range fa0/5-6
no switchport
channel-group 11 mode active
interface Po11
ip address 192.168.1.2 255.255.255.0
show protocols
show etherchannel summary
show ip route
vlan 30
interface Po1
switchport trunk allowed vlan 10,20,30
int vlan 30
ip address 192.168.3.1 255.255.255.0
show ip route
show protocols
router ospf 1
router-id 11.11.11.11
no passive-interface po11
no passive-interface vlan30
area 0 authentication message-digest
int vlan 10
ip ospf 1 area 1
int vlan 20
ip ospf 1 area 1
interface po11
ip ospf message-digest-key 1 md5 HESLO
ip ospf network point-to-point
ip ospf 1 area 0
router ospf 1
area 1 range 172.16.0.0 255.255.0.0

(HESLO means "password"; it is the lab placeholder for the OSPF MD5 key and must be identical on both ends of each link.)

DSW2
interface range fa0/5-6
no switchport
channel-group 12 mode active
interface Po12
ip address 192.168.2.2 255.255.255.0
show protocols
show etherchannel summary
show ip route
vlan 30
int vlan 30
ip address 192.168.3.2 255.255.255.0
interface Po1
switchport trunk allowed vlan 10,20,30
show ip route
show protocols
router ospf 1
router-id 12.12.12.12
no passive-interface po12
no passive-interface vlan30
area 0 authentication message-digest
int vlan 10
ip ospf 1 area 1
int vlan 20
ip ospf 1 area 1
interface po12
ip ospf message-digest-key 1 md5 HESLO
ip ospf network point-to-point
ip ospf 1 area 0

CSW1
hostname CSW1
ip routing
interface range fa1/0/1-2
no switchport
channel-group 11 mode active
interface port-channel 11
ip address 192.168.1.1 255.255.255.0
interface range fa1/0/3-4
no switchport
channel-group 12 mode active
interface port-channel 12
ip address 192.168.2.1 255.255.255.0
show protocols
show etherchannel summary
show ip route
router ospf 1
router-id 1.1.1.1
passive-interface default
no passive-interface Po11
no passive-interface Po12
area 0 authentication message-digest
default-information originate always
interface po12
ip ospf message-digest-key 1 md5 HESLO
ip ospf network point-to-point
ip ospf 1 area 0
interface po11
ip ospf message-digest-key 1 md5 HESLO
ip ospf network point-to-point
ip ospf 1 area 0
show ip ospf neighbor
we see: RID 11.11.11.11 via Po11, FULL
        RID 12.12.12.12 via Po12, FULL
show ip ospf database
we see: area 0
Router (type 1)
1.1.1.1
11.11.11.11
12.12.12.12
Summary net link (type 3)
172.16.10.0/24 adv router 11.11.11.11
172.16.20.0/24 adv router 11.11.11.11
172.16.10.0/24 adv router 12.12.12.12
172.16.20.0/24 adv router 12.12.12.12
show ip route ospf - old state
O 172.16.10.0/24 via 192.168.1.2 [110/2]
                 via 192.168.2.2 [110/2]
O 172.16.20.0/24 via 192.168.1.2 [110/2]
                 via 192.168.2.2 [110/2]
int lo0
ip address 10.0.0.1 255.255.255.0

TESTING
The red group pings: ping 10.0.0.1
Red group: interface po1 shutdown
No ping: Po1 went down

HSRP tracking
---------------------------------------------------
DSW1
int vlan 10
standby 1 track po11
Verification:
show standby brief
DSW1 priority 95 (105 minus the default track decrement of 10 while Po11 is down)
DSW2 priority 100, active gateway

Bringing up OSPF on Po1 between DSW1 and DSW2 (over the VLAN 30 SVI)
DSW1
int vlan 30
ip ospf message-digest-key 1 md5 HESLO
ip ospf network point-to-point
ip ospf 1 area 0
DSW2
int vlan 30
ip ospf message-digest-key 1 md5 HESLO
ip ospf network point-to-point
ip ospf 1 area 0
Verification:
show ip ospf neighbor ........ FULL with CSW
                      ........ FULL with DSW
--------------------------------------------------------
DSW1,2:
router ospf 1
area 1 range 172.16.0.0 255.255.0.0
show ip route ospf - new state
O 172.16.0.0/16

Lab 5 11.11.2016 Security

Protection: legal
            technical
Violation of the secrecy of transmitted messages, § 182
Unauthorized access to a computer system and information carrier, §§ 230, 231, 232

Authentication:
Dynamic VLAN assignment
EAP
3 forms (factors) of authentication:
PEAP - login - something I know
EAP-TLS - certificate - something I have
something I am - biometrics

L2 attacks
NAC - health agent - monitoring the health (posture) of the client

Protecting the infrastructure:
CAM overflow
Unknown unicast flooding
defense: Cisco feature port security (MAC/port); configure every port explicitly as access or trunk
Principle of the attack: the attacker's goal is to fill the switch's CAM table. Once the CAM table is full, the switch cannot learn any more MAC-to-port mappings and starts behaving like a hub: it floods every frame whose destination it does not know out of all ports except the one it was received on. So during the attack, when client B tries to communicate through the switch while the CAM table is full, the attacker captures all of client B's traffic (strictly, every frame whose destination MAC the switch could not hold; entries that are still in the table are still forwarded normally).

Attack on STP
defense: BPDU Guard - err-disables the port when a BPDU is received on an untrusted connection
MAC address spoofing
defense: Port Security
- approved MAC address(es) per port

L3 attacks
DHCP server spoofing and DHCP starvation
Rogue DHCP server
defense: DHCP snooping - splits ports into trusted/untrusted
DHCP rate limiting - maximum number of messages that may be sent
ARP spoofing
defense: Dynamic ARP Inspection (DAI)
IP address spoofing
defense: IP Source Guard
(DAI and IP Source Guard both check against the binding table that DHCP snooping builds, so snooping has to be enabled first.)

Lab commands
R1 (config)# interface fa0/0
ip address 172.16.0.1 255.255.255.0
no shut
Find the MAC addresses of the virtual and the physical PC
S2: show mac address-table dynamic
interface fa0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 2
fa0/3 ... the same
show int status ...................... "connected" -> "err-disabled" (after a violation; the default violation mode is shutdown)
Resetting the port:
1. shutdown  2. no shutdown
show port-security int <INT> .... the interface must be in the "Secure-up" state
show run ..... the interface has two (sticky) MAC addresses
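As an added example, not part of the lab notes: the check that port security performs on the switch, done offline in shell over a constructed "show mac address-table dynamic" listing. It counts learned MACs per port and reports every port above the value you would give to switchport port-security maximum; a port that suddenly carries far more MACs than hosts behind it is the signature of the CAM overflow attack described in the lecture notes above. The sample table, the port names and the limit of 2 are assumptions for this example.

```shell
#!/bin/sh
# Constructed sample of "show mac address-table dynamic" output (addresses made up).
# Fa0/2 carries the two lab PCs (virtual + physical); Fa0/5 is being flooded by an attacker.
SAMPLE_MAC_TABLE='          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.56a1.0001    DYNAMIC     Fa0/2
   1    0050.56a1.0002    DYNAMIC     Fa0/2
   1    0050.56a1.0003    DYNAMIC     Fa0/3
   1    de4d.be3f.0001    DYNAMIC     Fa0/5
   1    de4d.be3f.0002    DYNAMIC     Fa0/5
   1    de4d.be3f.0003    DYNAMIC     Fa0/5
   1    de4d.be3f.0004    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 7'

# count_macs_per_port TABLE: print "<port> <count>" for every port, sorted by port name.
# Only rows whose third column is an entry type are counted, so headers and totals are skipped.
count_macs_per_port() {
    printf '%s\n' "$1" |
    awk '$3 == "DYNAMIC" || $3 == "STATIC" { n[$4]++ }
         END { for (p in n) print p, n[p] }' | sort
}

# ports_over_limit TABLE MAX: print the ports that learned more than MAX addresses,
# i.e. the ports where "switchport port-security maximum MAX" would already have tripped.
ports_over_limit() {
    count_macs_per_port "$1" | awk -v max="$2" '$2 > max { print $1 }'
}

# Usage on a real switch: ports_over_limit "$(cat mac-table.txt)" 2
```

Run it against a table saved from the switch; any port it lists is either an unmanaged switch or hub hanging off an access port or an active flooding tool, and in both cases a candidate for port security with a small maximum.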

Defense against attacks on STP:
SW(config)# int fa0/3
spanning-tree bpduguard enable
(or for all PortFast ports at once: spanning-tree portfast bpduguard default in global configuration)

LAB 18.11.2016 IPv6
Topology

(config)# sdm prefer dual-ipv4-and-ipv6 default   (the new SDM template takes effect only after a reload)

DSW:
en
conf t
ip routing
ipv6 unicast-routing
int fa0/1
no switchport
ip addr 192.168.1.1 255.255.255.0
ipv6 addr 2001:718:803:1::1/64
Verification: IPv4
show protocols - check the correct mask and IP, up/up
show ip route ------------- 1x C
IPv6
show ipv6 int brief ------- up,up
show ipv6 route ---- 1x C

WIN PC: set IPv4 and IPv6 via the GUI
verification: ipconfig /all

LINUX PC:
ip addr add 192.168.1.12/24 dev eth0 ---------- ip addr show
ip link set dev eth0 up
ip -6 addr add 2001:718:803:1::c/64 dev eth0 -- ip -6 addr show dev eth0
ip route add default via 192.168.1.1 ---------- ip -6 route show | grep -v unreachable
ping6 2001:718:803:1::c
ping 192.168.1.11

RA (Router Advertisement) flags
M-flag (Managed address configuration): 1 = addresses from DHCPv6 (stateful), 0 = SLAAC
O-flag (Other configuration):           1 = other parameters (DNS, domain) from stateless DHCPv6, 0 = none

DSW SLAAC setup
int fa0/1
ipv6 nd ra interval 10

https://www.ripe.net/participate/member-support/new-lir/ipv6_reference_card.pdf
http://www.wkydd.com/index.php/blog/57-how-to-configure-dhcp-on-a-cisco-router
https://networklessons.com/ipv6/cisco-dhcpv6-server-configuration/

Linux: for an address to be assigned it is necessary to run: service network restart

ipv6 unicast-routing
ip routing
int fa0/1
no switchport
ip address 195.178.1.1 255.255.255.0
ipv6 address 2001:718:803:1::1/64
int Gi0/1
similarly
ip dhcp excluded-address 195.178.1.1 195.178.1.10
ip dhcp pool LAN
network 195.178.1.0 255.255.255.0
default-router 195.178.1.1
dns-server 195.178.2.5
domain-name firma.cz
ip route 195.178.2.0 255.255.255.0 195.178.12.2
DSW# show sdm prefer ---- Switch Database Manager template (dual-ipv4-and-ipv6)
DSW# show protocols --- working interfaces
DSW# show ip route --- 2x C, 1x S
DSW# show ip dhcp binding --- DHCP leases

----------------------------------------------------------------------------------------

IPv4 client
ASW ... ports towards the clients: spanning-tree portfast (so the ports do not take 30 seconds or more to come up)
win: ipconfig /release
     ipconfig /renew
     ipconfig /all ... client IP, gateway IP, mask, DNS IP, firma.cz
lin: dhclient -r eth0 ... RELEASE
     dhclient eth0 ... new lease
     ip addr show ... client IP, mask, up
     ip route show ... gateway IP
     cat /etc/resolv.conf ... nameserver 195.178.2.5
                               search firma.cz
----------------------------------------------------------------------------------------
SERVER - IPv4
lin> ip addr add 195.178.2.5/24 dev eth0
lin> ip link set dev eth0 up
lin> ip route add default via 195.178.2.1
lin> vim /etc/resolv.conf
     search firma.cz
     nameserver 127.0.0.1
lin> service httpd start [OK] ... sshd is running
lin> ps axf | grep httpd ... running
lin> ps axf | grep sshd ... running
lin> netstat --inet -anp | grep httpd ... shows nothing
lin> netstat --inet -anp | grep sshd ... listening on 22/tcp
     tcp   local: 0.0.0.0:22   foreign: *:*   LISTEN
lin> service iptables stop ... in lab conditions we can take it down, in production definitely not

--------------------------------------------------------------------------------------------------------------
TEST - SSH connection from the clients to the server
win> putty ... ssh connection to 195.178.2.5
win> winscp ... scp connection to 195.178.2.5
lin> ssh root@195.178.2.5
server> netstat --inet -anp
proto  local address     foreign address     state        process
tcp    195.178.2.5:22    195.178.1.x:PORT    ESTABLISHED  pid/sshd
-----------------------------------------------------------------------------------------------------------
Test - HTTP connection from the clients to the server
"Apache test page" ... or simply some hello page
--------------------------------------------------------------------------------------------------------
TEST - capture / repeat of the ARP exchange from PS1
lin> arp -d 195.178.1.1
lin> arp -an ... the gateway is missing (incomplete)
lin> start a new capture
lin> ping -c 3 195.178.2.5
lin> stop the capture and analyse it
ARP request "Who has 195.178.1.1"
ARP reply "195.178.1.1 is at MAC_g"
ICMPv4 echo request
ICMPv4 echo reply
lin> arp -an ... 195.178.1.1 <---> MAC_g
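As an added example, not part of the lab notes: the ARP exchange captured above is exactly what Dynamic ARP Inspection (listed under the attacks in Lab 5) validates on untrusted ports. This shell script replays that check offline over a constructed tcpdump-style capture: it extracts every ARP reply, reports IPs that more than one MAC claims (the visible symptom of ARP spoofing) and flags replies whose IP/MAC pair is not in a binding table of the kind DHCP snooping builds. The capture lines, the MAC addresses and the binding table are constructed for this example; 195.178.1.1 is the lab gateway.

```shell
#!/bin/sh
# Constructed capture in "tcpdump -n -e arp" style (MACs made up; 195.178.1.1 is the lab gateway).
# The third line is the attack: a second host answers for the gateway with its own MAC.
SAMPLE_ARP_CAPTURE='12:00:01.000001 00:11:22:33:44:0c > ff:ff:ff:ff:ff:ff, ARP, Request who-has 195.178.1.1 tell 195.178.1.12, length 28
12:00:01.000200 00:11:22:33:44:01 > 00:11:22:33:44:0c, ARP, Reply 195.178.1.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000000 00:11:22:33:44:0b > 00:11:22:33:44:0c, ARP, Reply 195.178.1.1 is-at 00:11:22:33:44:0b, length 28
12:00:03.000000 00:11:22:33:44:05 > 00:11:22:33:44:0c, ARP, Reply 195.178.1.5 is-at 00:11:22:33:44:05, length 28'

# Constructed binding table "<ip> <mac>": the data DHCP snooping (or a static entry) hands to DAI.
SAMPLE_BINDINGS='195.178.1.1 00:11:22:33:44:01
195.178.1.5 00:11:22:33:44:05'

# arp_replies CAPTURE: print "<ip> <mac>" for every ARP reply in the capture.
arp_replies() {
    printf '%s\n' "$1" | awk '/ARP, Reply/ {
        for (i = 1; i <= NF; i++) if ($i == "Reply") {
            mac = $(i + 3); sub(/,$/, "", mac)   # strip the comma before ", length"
            print $(i + 1), mac
        }
    }'
}

# conflicting_ips CAPTURE: IPs announced by more than one MAC, the classic spoof symptom.
conflicting_ips() {
    arp_replies "$1" | sort -u |
    awk '{ n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }' | sort
}

# dai_violations CAPTURE BINDINGS: replies whose ip/mac pair is not in the binding table,
# i.e. the frames DAI would drop on an untrusted port. BINDINGS is passed through the
# environment so that awk does not reinterpret its newlines.
dai_violations() {
    arp_replies "$1" | BIND="$2" awk '
        BEGIN {
            n = split(ENVIRON["BIND"], lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); ok[f[1] " " f[2]] = 1 }
        }
        !(($1 " " $2) in ok) { print $1, $2 }'
}

# Usage on a real capture: dai_violations "$(tcpdump -n -e -r arp.pcap arp)" "$(cat bindings.txt)"
```

conflicting_ips needs no prior knowledge and works on any capture, but it only fires once both the real and the spoofed reply have been seen; dai_violations catches the first bad reply but is only as good as the binding table, which is why DAI on the switch depends on DHCP snooping having been enabled beforehand.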

-----------------------------------------------------------------------------------------------------

DSW1 - IPv6 static routing
dsw1(config)# ipv6 route 2001:718:803:2::/64 2001:718:803:12::2
dsw1# show ipv6 route
C 2001:718:803:1::/64 is directly connected via Fa0/1
C 2001:718:803:12::/64 is directly connected via Gi0/1
S 2001:718:803:2::/64 via 2001:718:803:12::2
-------------------------------------------------------------------------------------------------
dsw2 - IPv6 static routing
dsw2(config)# ipv6 route
dsw2#
-------------------------------------------------------------------------------------------------
SERVER - manual IPv6 configuration
lin> ip -6 addr add 2001:718:803:2::5/64 dev eth0
lin> gateway ... a) via RA: ip -6 route show ... default via fe80::<EUI-64-GW>
                 b) manually: ip -6 route add default via 2001:718:803:2::1
lin> service ip6tables stop ... stop the firewall for IPv6
Check:
lin> ip -6 addr show dev eth0 ... scope link fe80::<EUI-64>
lin> ifconfig eth0 ... scope global 2001:718:803:2::5/64
lin> ip -6 route show | grep -v unreachable ... default via fe80::<EUI-64-gw>
                                              ... default via 2001:718:803:2::1 ... our manual one

-------------------------------------------------------------------------------------------------------------

Stateless DHCPv6 ... DNS information for the clients (DNS domain, IPv6 address of the DNS server)
DSW1(config)# ipv6 dhcp pool LAN1
DSW1(config-dhcp)# dns-server 2001:718:803:2::5
DSW1(config-dhcp)# domain-name firma.cz
dsw1(config)# int Fa0/1
dsw1(config-if)# ipv6 dhcp server LAN1
dsw1(config-if)# ipv6 nd other-config-flag
dsw1(config-if)# ipv6 nd ra interval 10

Both clients, Wireshark: | ICMPv6 RA | IPv6 | Eth |
src IP = fe80::<eui-64-gw>
dst IP = ff02::1
flags
M-flag = 0
O-flag = 1 <- contact the stateless DHCPv6 server for DNS
options
prefix information: prefix 2001:718:803:1::, prefix length /64

New capture on WIN
win> ipconfig /release6
win> ipconfig /renew6 ... Wireshark: DHCPv6 Information-request
                                     DHCPv6 Reply
Capture on Linux
lin> ip -6 neigh flush dev eth0 -- clear the cache to be safe
lin> ip -6 neigh show
lin> wireshark
lin> ping6 2001:718:803:2::5
ICMPv6 Neighbor Solicitation
ICMPv6 Neighbor Advertisement 2001:718:803:1::1 / LL <- mac_g
ICMPv6 echo request, mac_g in the Ethernet frame (dst MAC)
ICMPv6 echo reply

------------------------------------------------------------------------------------------------------------

Sockets
server> netstat --inet6 -anp
proto  local address            foreign address   state        process
tcp    :::22                    :::*              LISTEN       pid/sshd
tcp    2001:718:803:2::5:22     <client>:PORT     ESTABLISHED  pid/sshd ... this entry appears after the (ssh) connection is established
lin> ssh root@2001:718:803:2::5
win> putty ... 2001:718:803:2::5
!!!! We had an error: 2001:718:803:2::5 was configured as the GW and not as the server address, so ssh did not work (bad password etc.).

TEST - Firefox
On the win and lin clients start Firefox and enter the address: [2001:718:803:2::5]

FIREWALL 9.12.2016

Firewall functions
- zones
- 2- or 3-zone firewall
- firewall policy (blacklist / whitelist)
- stateless vs. stateful firewall
- IPS (intrusion prevention system)
- IDS (intrusion detection system)
- routed vs. transparent

Firewall policy
a) whitelisting - allow WWW, allow e-mail, everything else is denied
b) blacklisting - deny torrent, deny DoS attempts, otherwise allow everything

Inside ----> Outside (initiating direction)   | Outside ----> Inside
allow HTTP (80/TCP, 443/TCP)                   | allow only return traffic, i.e. traffic that was
allow SSH (22/TCP)                             | legitimately initiated and allowed ..... stateful firewall
allow SMTP (25/TCP)                            | connection table (conntrack table on MikroTik: srcIP, dstIP,
allow ping (ICMPv4 echo request)               | srcPort, dstPort, TCP/UDP, ...)
deny everything else                           |

Stateless filtering (each packet is matched on its own)
- Cisco ACL
- Juniper firewall filter
Stateful filtering (a connection table decides what counts as return traffic)
- Linux iptables (conntrack)
- Cisco CBAC, ZBF (zone-based firewall), ASA (Firepower)
- Juniper (security zones, security policies)
- MikroTik firewall

Filtering transit traffic (FORWARD chain)
Default policy "DROP" or "REJECT"
Allow ESTABLISHED, RELATED connections
Selective allowing of particular services:
1.1) INSIDE -> DMZ_int: allow ping, allow WWW, allow DNS (53/UDP and TCP), allow SSH
1.2) INSIDE -> OUTSIDE: allow ping, allow WWW, allow DNS
1.3) DMZ_int -> OUTSIDE: allow ping, allow WWW
Deleting a rule:
iptables -D FORWARD <rule number (the line number shown by iptables -L FORWARD --line-numbers)>

FILTERING INPUT TRAFFIC FOR THE ROUTER
-> INPUT chain
Allow lo
Allow ESTABLISHED, RELATED
Allow router management ... only from the INSIDE network, for the SSH/WinBox services - MikroTik
Allow ping to the gateway .... allow an incoming ICMP echo request from all networks
Otherwise the chain's default policy is DROP

FILTERING OUTGOING TRAFFIC
no filtering; the OUTPUT chain's default policy is ACCEPT

Lab

Firewall policy ----> whitelisting
INSIDE ---> OUTSIDE
- allow WWW (80/TCP, 443/TCP)
- allow ICMP (ping echo request, max 5/s)
- deny everything else
OUTSIDE ---> INSIDE
- allow only return traffic

Firewall policy ----> whitelisting
Router management is possible only from INSIDE, and only on the ports
22/TCP SSH, 8291/TCP WinBox, 443/TCP web management (HTTPS), ping (ICMP echo request)

Action: REJECT, ACCEPT, DROP

FORWARD chain
 rule | srcIP           | dstIP | srcPort | dstPort / match                  | action
 p0   | any             | any   | any     | state ESTABLISHED,RELATED        | ACCEPT
 p1   | 192.168.88.0/24 | any   | any     | 80/tcp                           | ACCEPT
 p2   | 192.168.88.0/24 | any   | any     | 443/tcp                          | ACCEPT
 p3   | 192.168.88.0/24 | any   | -       | ICMP type 8 code 0, limit 5/s    | ACCEPT
 pN   | any             | any   | any     | any                              | DROP
      |------------------------------ MATCH ---------------------------------|-- ACTION --|

The same with a user-defined chain:
FORWARD
 p1  srcIP 192.168.88.0/24, dstIP any, srcPort any              -> jump to IN_to_OUT
IN_to_OUT
     state NEW, dstPort 80/tcp                                   -> ACCEPT
     state NEW, dstPort 443/tcp                                  -> ACCEPT

INPUT chain
 any/any/any/any (state ESTABLISHED,RELATED)                      ACCEPT
 192.168.88.0/24 -> 192.168.88.1   22/TCP                         ACCEPT
 192.168.88.0/24 -> 192.168.88.1   443/TCP                        ACCEPT
 192.168.88.0/24 -> 192.168.88.1   8291/TCP                       ACCEPT
 192.168.88.0/24 -> 192.168.88.1   ICMP echo request              ACCEPT

The same with a management chain (the jump must match all ports, otherwise the chain only ever sees port 22):
INPUT
 any/any/any/any (state ESTABLISHED,RELATED)                      ACCEPT
 192.168.88.0/24 -> 192.168.88.1, any port                        -> jump to Management_MikroTik
Management_MikroTik
 any/any/any/ 22/tcp                                              ACCEPT
 any/any/any/ 8291/tcp                                            ACCEPT
 any/any/any/ 443/tcp                                             ACCEPT
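Added example, not the lab's own MikroTik configuration: the whitelist policy from the tables above written as a Linux iptables ruleset, with the same structure the notes use (FORWARD and INPUT with default DROP, a user chain for new inside-to-outside flows and a management chain). It also makes the stateful-versus-stateless point from the lecture concrete: the first rule of each chain is the conntrack match that admits return traffic, so nothing from OUTSIDE gets in unless INSIDE started it. fw_ruleset prints the policy in iptables-restore format so it can be reviewed and tested without touching a live firewall; fw_apply loads it atomically. The interface names eth0/eth1 and the router address 192.168.88.1 are assumptions; 192.168.88.0/24, the port list and the 5/s ICMP limit come from the notes.

```shell
#!/bin/sh
# Whitelist policy from the lab expressed as a Linux iptables ruleset.
# Assumptions for this example: INSIDE (192.168.88.0/24) is behind eth1, OUTSIDE is eth0,
# and the router answers for management on 192.168.88.1.
INSIDE_NET=192.168.88.0/24
INSIDE_IF=eth1
OUTSIDE_IF=eth0
ROUTER_IP=192.168.88.1

# fw_ruleset: print the policy in iptables-restore format (review it before loading).
fw_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN_TO_OUT - [0:0]
:MGMT - [0:0]
# FORWARD: stateful return traffic first, then hand NEW inside->outside flows to the whitelist chain
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -m conntrack --ctstate NEW -j IN_TO_OUT
-A IN_TO_OUT -p tcp --dport 80 -j ACCEPT
-A IN_TO_OUT -p tcp --dport 443 -j ACCEPT
-A IN_TO_OUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 5 -j ACCEPT
-A IN_TO_OUT -j DROP
# INPUT: loopback, return traffic, ping from anywhere, management only from INSIDE
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $INSIDE_IF -s $INSIDE_NET -d $ROUTER_IP -m conntrack --ctstate NEW -j MGMT
-A MGMT -p tcp --dport 22 -j ACCEPT
-A MGMT -p tcp --dport 443 -j ACCEPT
-A MGMT -p tcp --dport 8291 -j ACCEPT
-A MGMT -j DROP
COMMIT
EOF
}

# fw_allows CHAIN PORT: succeed if the generated policy ACCEPTs TCP traffic to PORT in CHAIN.
fw_allows() {
    fw_ruleset | grep -q -- "-A $1 -p tcp --dport $2 -j ACCEPT"
}

# fw_apply: load the whole filter table atomically (root only). It replaces the current
# rules, so run it from the console rather than over an SSH session it might cut off.
fw_apply() {
    fw_ruleset | iptables-restore
}
```

The OUTPUT chain is left at ACCEPT exactly as the notes do for outgoing router traffic. Because the last rule in IN_TO_OUT and MGMT is an explicit DROP, a packet that matches the jump but none of the whitelisted ports never falls back into the parent chain, which keeps the two policies from interfering with each other.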

VPN 16.12
http://unixwiz.net/techtips/iguide-ipsec.html#ip

LAB
lab:
hostname RouterB
RouterB(config)#
int Fa0/0
ip addr 172.16.2.1 255.255.255.0
no sh
int Fa0/1
ip addr 10.0.0.2 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.0.0.1

hostname RouterA
RouterA(config)# int fa0/0
RouterA(config-if)# ip addr 10.1.1.2 255.255.255.0
RouterA(config-if)# no sh
RouterA(config)# int fa0/1
RouterA(config-if)# ip addr 172.16.1.1 255.255.255.0
RouterA(config-if)# no sh
RouterA(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.2

ISP(config)#
int Fa0/0
ip addr 172.16.1.2 255.255.255.0
no sh
int Fa0/1
ip addr 10.0.0.1 255.255.255.0
no sh
ip route 10.1.1.0 255.255.255.0 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.0.0.2
(the ISP router has routes to both LANs, so before the crypto map is applied the LAN-to-LAN traffic crosses it in cleartext; afterwards the capture should show only ESP between 172.16.1.1 and 10.0.0.2)

WWW server#
service httpd start
service iptables stop

// shut down the interfaces to capture the traffic and then bring them back up
RouterA(config)#
int Fa0/1
sh
ISP(config)#
int Fa0/0
sh
RouterA(config)#
int Fa0/1
no sh
ISP(config)#
int Fa0/0
no sh

RouterA,B(config)#
crypto isakmp policy 10
encryption aes 128
hash sha
group 5
authentication pre-share
(hash sha is SHA-1 and group 5 is 1536-bit Diffie-Hellman; acceptable for the lab, weaker than what you would pick in production)
RouterA(config)# crypto isakmp key HESLO address 10.0.0.2
RouterB(config)# crypto isakmp key HESLO address 172.16.1.1
RouterA(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
RouterB(config)# access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
(the crypto ACLs are mirror images of each other: each router lists its own LAN as the source and the remote LAN as the destination)
RouterA,B(config)# crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
RouterA(config)# crypto map MAP 10 ipsec-isakmp
RouterA(config-crypto-map)# match address 100
set transform-set VPN
set peer 10.0.0.2
RouterB(config)# crypto map MAP 10 ipsec-isakmp
RouterB(config-crypto-map)# match address 100
set transform-set VPN
set peer 172.16.1.1
RouterA,B(config)# int Fa0/1
crypto map MAP
Verification:
RouterA,B# show crypto ipsec sa
RouterA,B# show crypto ... (the rest of the command was not recorded)
