edge & DMZ: firewall; core & distribution: routers; access: switch
1. mac flooding attacks
CAM table, ARP, MAC flooding
Limit traffic based on MAC
port-security (shutdown the port first, apply the port-security config, then no shutdown)
conf ter
interface fastethernet 0/0
switchport port-security
switchport port-security maximum <value>
switchport port-security mac-address <mac-address>
switchport port-security violation {shutdown | restrict | protect} (shutdown -> err-disable)
switchport port-security mac-address sticky
switchport port-security aging static
spanning-tree portfast
conf ter
errdisable recovery cause psecure-violation
errdisable recovery interval 30
show errdisable recovery
show port-security
show port-security interface fastethernet 0/0
show port-security address
Restrict traffic based on MAC
mac-address-table static 0010.7b80.7b9b vlan 1 drop
Block unknown unicast & multicast
switchport block {unicast | multicast}
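Added example (not from the original notes): a small Python model of the port-security behaviour configured above, showing how the three violation modes react to the same MAC flooding traffic. The MAC addresses are constructed.

```python
# Added example (not from the original notes): a small model of the
# switchport port-security behaviour configured above, showing how the
# three violation modes react to the same MAC flooding traffic.
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                  # switchport port-security maximum <value>
    violation: str = "shutdown"       # switchport port-security violation ...
    secure_macs: set = field(default_factory=set)
    violations: int = 0               # SecurityViolation counter (restrict)
    err_disabled: bool = False        # shutdown mode puts the port in err-disable

    def receive(self, src_mac: str) -> str:
        """Decide what the port does with a frame from src_mac."""
        if self.err_disabled:
            return "dropped:err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # learn (sticky) up to the maximum
            return "forwarded:learned"
        # A new source MAC beyond the maximum is a violation.
        if self.violation == "protect":
            return "dropped"               # silent drop: no log, no counter
        if self.violation == "restrict":
            self.violations += 1           # drop, syslog/SNMP trap, counter
            return "dropped:logged"
        self.err_disabled = True           # shutdown -> err-disable the port
        return "dropped:err-disabled"


def flood(mode: str, frames: list) -> dict:
    """Replay frames against a port with maximum 2 and the given mode."""
    port = PortSecurity(maximum=2, violation=mode)
    results = [port.receive(mac) for mac in frames]
    return {"forwarded": sum(r.startswith("forwarded") for r in results),
            "violations": port.violations,
            "err_disabled": port.err_disabled}


# Constructed traffic: two legitimate hosts, a flooding source cycling
# through fake MACs, then the first legitimate host again.
FRAMES = (["0010.7b80.0001", "0010.7b80.0002"]
          + [f"dead.beef.{i:04x}" for i in range(5)]
          + ["0010.7b80.0001"])

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, flood(mode, FRAMES))
```

Note that only shutdown mode takes the legitimate host offline with the attacker, which is why the errdisable recovery commands above matter.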
2. vlan attacks
vlan hopping
vlan hopping with double tagging
conf ter
switchport mode access
VACL
match on IP/MAC -> forward/drop
conf ter
vlan access-map map_name [seq#]
match {ip address {1-199 | 1300-2699 | acl_name} | ipx address (800-999 | acl_name) | mac address acl_name }
action {drop [log]} | {forward [capture]} | {redirect {type slot/port} | {port-channel channel_id}}
vlan filter map_name vlan_list list
private VLAN (two sub-domains: primary VLAN and secondary VLAN; a secondary VLAN is either isolated or community)
promiscuous:communicate with all other port
isolated:communicate with only promiscuous ports
community:communicate with other members of community and all promiscuous port
VTP mode transparent
primary and secondary VLANs
port -> VLAN
Newer switch software:
config
vtp mode transparent
vlan 20
private-vlan private
exit
vlan 501
private-vlan community
exit
vlan 502
private-vlan isolated
exit
vlan 20
private-vlan association 501,502
exit
conf ter
interface f 0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 20 501,502
spanning-tree portfast
no shutdown
conf ter
interface range f 0/2 f 0/3
switchport mode private-vlan host
switchport private-vlan host-association 20 501
spanning-tree portfast
no shutdown
conf ter
interface range f 0/4 f 0/5
switchport mode private-vlan host
switchport private-vlan host-association 20 502
spanning-tree portfast
no shutdown
Switch management interface (SVI on the primary VLAN):
conf ter
interface vlan 20
ip add 1.1.1.100 255.255.255.0
private-vlan mapping 501,502
no shutdown
exit
ip routing
Older switch software (protected ports):
interface f0/0
switchport protected
interface f0/1
switchport protected
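Added example (not from the original notes): the private-VLAN forwarding rules above, encoded in Python and applied to the lab config (primary 20, community 501, isolated 502; f0/1 promiscuous, f0/2-3 community, f0/4-5 isolated).

```python
# Added example (not from the original notes): the private-VLAN forwarding
# rules above, encoded and applied to the lab config (primary 20, community
# 501, isolated 502, f0/1 promiscuous, f0/2-3 community, f0/4-5 isolated).

# vlan 501 private-vlan community / vlan 502 private-vlan isolated
SECONDARY_TYPE = {501: "community", 502: "isolated"}

# switchport private-vlan host-association 20 <sec>; None = promiscuous port
# (f0/1: switchport private-vlan mapping 20 501,502)
HOST_ASSOCIATION = {"f0/1": None, "f0/2": 501, "f0/3": 501,
                    "f0/4": 502, "f0/5": 502}


def role(port: str) -> str:
    """Role of a port: promiscuous, or the type of its secondary VLAN."""
    secondary = HOST_ASSOCIATION[port]
    return "promiscuous" if secondary is None else SECONDARY_TYPE[secondary]


def can_reach(src: str, dst: str) -> bool:
    """Apply the three rules from the notes to a pair of ports."""
    if src == dst:
        return True
    src_role, dst_role = role(src), role(dst)
    if "promiscuous" in (src_role, dst_role):
        return True   # promiscuous: communicates with all other ports
    if "isolated" in (src_role, dst_role):
        return False  # isolated: communicates only with promiscuous ports
    # community: same community VLAN only (promiscuous handled above)
    return HOST_ASSOCIATION[src] == HOST_ASSOCIATION[dst]


def reachability() -> dict:
    """Map each port to the sorted list of other ports it can reach."""
    ports = sorted(HOST_ASSOCIATION)
    return {s: [d for d in ports if d != s and can_reach(s, d)] for s in ports}


if __name__ == "__main__":
    for src, reachable in reachability().items():
        print(f"{src} ({role(src)}) -> {reachable}")
```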
3. spoofing attacks
dhcp spoof attacks
R1 is the rogue DHCP server
R2 is the legitimate DHCP server
R3 is the DHCP client
Configuration:
ports are in the same VLAN
all are access ports
all have spanning-tree portfast enabled
R1 hands out 1.1.1.0/24 (rogue)
ip dhcp pool DAVY
network 1.1.1.0 /24
R2 hands out 2.2.2.0/24 (legitimate)
ip dhcp pool DAVY
network 2.2.2.0 /24
On the switch:
ip dhcp snooping
ip dhcp snooping vlan 1 (enabled per VLAN; all switch ports default to untrusted)
interface fastethernet 0/2
ip dhcp snooping trust
On R2 also configure:
ip dhcp relay information trust-all
Rate-limit DHCP DISCOVER packets from R1:
ip dhcp snooping limit rate 1
On the switch, client-facing port (IP source guard, to prevent DoS / address spoofing):
interface fastethernet 0/3
ip verify source [vlan dhcp-snooping] port-security
arp spoofing (DAI & DHCP snooping)
Temporary workaround: static ARP bindings
configured on both the legitimate gateway router and the PC
arp 10.1.1.2 aaaa.bbbb.cccc arpa
show arp
arp -s 10.1.1.2 aa-aa-bb-bb-cc-cc (on a Windows PC; hyphenated MAC, no arpa keyword)
dynamic arp inspection
client:
interface fastethernet 0/1 (switch port 0/1 is untrusted)
ip address dhcp
Suppose an infected host spoofs a MAC address:
interface fastethernet 0/1
mac-address aaaa.bbbb.cccc (its ARP is denied: the IP/MAC pair no longer matches the DHCP snooping binding)
dhcp server
ip arp inspection vlan 1
interface f 0/2 (legitimate)
ip arp inspection trust
int f 0/1
ip arp inspection limit rate 10
show ip arp
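Added example (not from the original notes): a Python model of how dynamic ARP inspection decides on ARP packets on the lab switch, using the DHCP snooping binding table, the trusted port f 0/2 and the 10 pps rate limit on f 0/1. The binding entry, IP addresses and MACs are constructed values.

```python
# Added example (not from the original notes): how dynamic ARP inspection
# handles ARP packets on the lab switch, using the DHCP snooping binding
# table, the trusted port f 0/2 and the rate limit of 10 pps on f 0/1.
# The binding entry and the traffic below are constructed values.
from collections import defaultdict

BINDINGS = {("1.1.1.10", 1): "0010.7b80.7b9b"}  # (ip, vlan) -> MAC via DHCP
TRUSTED = {"f 0/2"}                              # ip arp inspection trust
RATE_LIMIT = {"f 0/1": 10}                       # ip arp inspection limit rate 10


class DAI:
    def __init__(self):
        self.err_disabled = set()
        self.pps = defaultdict(int)  # ARP packets seen per (port, second)

    def inspect(self, port, vlan, sender_ip, sender_mac, second) -> str:
        """Return the DAI verdict for one ARP packet arriving on port."""
        if port in self.err_disabled:
            return "drop:err-disabled"
        if port in TRUSTED:
            return "permit:trusted"          # trusted ports bypass inspection
        limit = RATE_LIMIT.get(port)
        if limit is not None:
            self.pps[(port, second)] += 1
            if self.pps[(port, second)] > limit:
                self.err_disabled.add(port)  # rate exceeded -> err-disable
                return "drop:err-disabled"
        # Untrusted port: sender IP/MAC must match a DHCP snooping binding.
        if BINDINGS.get((sender_ip, vlan)) == sender_mac:
            return "permit"
        return "drop:invalid-binding"


def run_scenario() -> dict:
    dai = DAI()
    out = {}
    # Client with the MAC that DHCP snooping recorded for 1.1.1.10.
    out["legit"] = dai.inspect("f 0/1", 1, "1.1.1.10", "0010.7b80.7b9b", 0)
    # Same client after "mac-address aaaa.bbbb.cccc": binding no longer matches.
    out["spoofed_mac"] = dai.inspect("f 0/1", 1, "1.1.1.10", "aaaa.bbbb.cccc", 0)
    # DHCP server on the trusted port needs no binding.
    out["server"] = dai.inspect("f 0/2", 1, "1.1.1.1", "0000.1111.2222", 0)
    # 12 ARP packets in one second on f 0/1 exceed the limit of 10.
    burst = [dai.inspect("f 0/1", 1, "1.1.1.10", "0010.7b80.7b9b", 1)
             for _ in range(12)]
    out["burst_dropped"] = sum(r.startswith("drop") for r in burst)
    return out
```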
4. attacks on switch device
show cdp neighbors
show cdp neighbors detail
no cdp run
interface e 0/0
no cdp enable
Lab
On R1:
conf ter
int e 0/0
ip address 192.168.1.100 255.255.255.0
no shutdown
exit
username DAVY password amanda
line vty 0 4
login local
exit
SSH (secure shell protocol)
show version (an IOS image name containing k indicates a crypto/security feature set)
conf ter
ip domain name davy.com
crypto key generate rsa {usage-keys | general-keys} modulus 512 (512 bits is a lab value and far too weak for production)
username DAVY password amanda
line vty 0 4
login local
transport input ssh
exit
Client (on Windows use an SSH client; from a router you can connect directly):
ssh -l DAVY 192.168.1.100