
AP countermeasures

Asked 2022-06-29 by Kyrie

Problem description:

Requirement: counter every AP other than the intranet APs. The intranet APs and the AC are from different vendors. When all the SSIDs are the same, how do you match and tell whether an AP is an intranet AP or a rogue AP?

Configure countermeasures against external APs:

countermeasure external-ap

What mechanism does this command use to tell an intranet AP from a rogue external AP?

Network topology and description:

Best answer


Classification and countermeasure configuration example

1. Network requirements

As shown in Figure 1-3, the APs connect to the AC through a switch. AP1 and AP2 provide wireless service to the clients with SSID "abc". Enable WIPS on the Sensor and configure a classification policy that adds the rogue client's MAC address (000f-1c35-12a5) to the static block list and adds SSID "abc" to the static trust list. Detected potential external APs and unauthorized clients are to be countered.

2. Network diagram

Figure 1-3 WIPS classification and countermeasure network diagram

3. Configuration procedure

Complete the wireless service configuration on the AC first; the steps are given under "WLAN access" in the "WLAN Configuration Guide" and are not repeated here.

# Configure virtual security domain vsd1.

<AC> system-view
[AC] wips
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] quit
[AC-wips] quit

# Create an AP named Sensor and enable WIPS on it.

[AC] wlan ap Sensor model WA4320i-ACN
[AC-wlan-ap-Sensor] serial-id 210235A1GQB139000435
[AC-wlan-ap-Sensor] radio 1
[AC-wlan-ap-Sensor-radio-1] radio enable
[AC-wlan-ap-Sensor-radio-1] wips enable
[AC-wlan-ap-Sensor-radio-1] quit

# Add Sensor to virtual security domain vsd1.

[AC-wlan-ap-Sensor] wips virtual-security-domain vsd1
[AC-wlan-ap-Sensor] quit

# Configure classification policy class1: block the MAC address of Client 2 and trust the SSID named "abc".

[AC] wips
[AC-wips] classification policy class1
[AC-wips-cls-class1] block mac-address 000f-1c35-12a5
[AC-wips-cls-class1] trust ssid abc
[AC-wips-cls-class1] quit

# Apply classification policy class1 to virtual security domain vsd1.

[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply classification policy class1
[AC-wips-vsd-vsd1] quit

# Configure countermeasure policy protect to counter unauthorized clients and potential external APs.

[AC-wips] countermeasure policy protect
[AC-wips-cms-protect] countermeasure unauthorized-client
[AC-wips-cms-protect] countermeasure potential-external-ap
[AC-wips-cms-protect] quit

# Apply countermeasure policy protect to virtual security domain vsd1.

[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply countermeasure policy protect
[AC-wips-vsd-vsd1] quit
[AC-wips] quit

4. Verifying the configuration

(1) Use the display wips virtual-security-domain command to view how the wireless devices were classified.

[AC] display wips virtual-security-domain vsd1 device
Total 3 detected devices in virtual-security-domain vsd1

Class: Auth - authorization; Ext - extern; Mis - mistake;
       Unauth - unauthorized; Uncate - uncategorized;
       (A) - associate; (C) - config; (P) - potential

MAC address    Type   Class    Duration    Sensors Channel Status
00e0-fc00-5829 AP     Auth     00h 10m 24s 1       149     Active
000f-e228-2528 AP     Auth     00h 10m 04s 1       149     Active
000f-e223-1616 AP     Ext(P)   00h 10m 46s 1       149     Active
000f-1c35-12a5 Client Unauth   00h 10m 02s 1       149     Active
000f-e201-0102 Client Auth     00h 10m 02s 1       149     Active

In virtual security domain vsd1, the AP with MAC address 000f-e223-1616 is classified as a potential external AP and the client with MAC address 000f-1c35-12a5 as an unauthorized client.

(2) Use the display wips virtual-security-domain vsd1 countermeasure record command to view the records of devices that have been countered.

[AC] display wips virtual-security-domain vsd1 countermeasure record
Total 2 times countermeasure, current 2 countermeasure record in virtual-security-domain vsd1

Reason: Attack; Ass - associated; Black - blacklist;
        Class - classification; Manu - manual;

MAC address    Type   Reason   Countermeasure AP      Radio ID   Time
000f-e223-1616 AP     Class    Sensor                 1          2014-06-03/10:30:36
000f-1c35-12a5 Client Class    Sensor                 1          2014-06-03/09:13:26

In virtual security domain vsd1, the unauthorized client 000f-1c35-12a5 and the potential external AP 000f-e223-1616 have been countered.

1.15.2 WIPS malformed packet detection and flood attack detection configuration example

1. Network requirements

As shown in Figure 1-4, the APs connect to the AC through a switch. Configure both APs as Sensors, configure virtual security domain VSD_1 and add both Sensors to it. When an attacker sends duplicated-IE malformed packets or launches a beacon frame flood against the wireless network, the AP sends an alarm to the AC.

2. Network diagram

Figure 1-4 Malformed packet detection and flood attack detection network diagram

3. Configuration procedure

Complete the wireless service configuration on the AC first; the steps are given under "WLAN access" in the "WLAN Configuration Guide" and are not repeated here.

# Create an AP named sensor1 and enable WIPS on it.

<AC> system-view
[AC] wlan ap sensor1 model WA4320i-ACN
[AC-wlan-ap-sensor1] serial-id 210235A1GQB139000435
[AC-wlan-ap-sensor1] radio 1
[AC-wlan-ap-sensor1-radio-1] radio enable
[AC-wlan-ap-sensor1-radio-1] wips enable
[AC-wlan-ap-sensor1-radio-1] return

# Create an AP named sensor2 and enable WIPS on it.

<AC> system-view
[AC] wlan ap sensor2 model WA4320i-ACN
[AC-wlan-ap-sensor2] serial-id 210235A1GQB139000436
[AC-wlan-ap-sensor2] radio 1
[AC-wlan-ap-sensor2-radio-1] radio enable
[AC-wlan-ap-sensor2-radio-1] wips enable
[AC-wlan-ap-sensor2-radio-1] quit
[AC-wlan-ap-sensor2] quit

# Configure virtual security domain VSD_1.

[AC] wips
[AC-wips] virtual-security-domain VSD_1
[AC-wips-vsd-VSD_1] quit

# Create an attack detection policy that sends a log or alarm to the AC when duplicated-IE malformed packets or a beacon frame flood are detected. The quiet time for duplicated-IE malformed packet detection is 50 seconds; for beacon frame detection the statistics interval is 100 seconds, the trigger threshold is 200 and the quiet time is 50 seconds.

[AC-wips] detect policy dtc1
[AC-wips-dtc-dtc1] malformed duplicated-ie quiet 50
[AC-wips-dtc-dtc1] flood beacon interval 100 quiet 50 threshold 200
[AC-wips-dtc-dtc1] quit

# Apply the attack detection policy to virtual security domain VSD_1.

[AC-wips] virtual-security-domain VSD_1
[AC-wips-vsd-VSD_1] apply detect policy dtc1
[AC-wips-vsd-VSD_1] quit
[AC-wips] quit

# Add sensor1 to virtual security domain VSD_1.

[AC] wlan ap sensor1
[AC-wlan-ap-sensor1] wips virtual-security-domain VSD_1
[AC-wlan-ap-sensor1] quit

# Add sensor2 to virtual security domain VSD_1.

[AC] wlan ap sensor2
[AC-wlan-ap-sensor2] wips virtual-security-domain VSD_1
[AC-wlan-ap-sensor2] return

4. Verifying the configuration

(1) With no attacker in the network, use the display wips statistics receive command on the AC to view the statistics of received packets; the malformed packet and flood packet counters are 0.

<AC> display wips statistics receive
Information from sensor 1
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0
Information from sensor 2
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0

(2) Once duplicated-IE malformed packets and a beacon frame flood have been detected, use the display wips statistics receive command on the AC to view the statistics of received packets; the duplicated-IE malformed packet counter reads 28 and the beacon flood counter reads 18.

<AC> display wips statistics receive
Information from sensor 1
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 18
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0
Information from sensor 2
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 28
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0

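The pasted example does not spell out the mechanism the asker is after, so here is an illustrative classifier, added for this thread and not H3C's code. It models the classes shown in the display output above with an assumed rule order: an AP is authorized by its BSSID (a radio the AC manages, or a static trusted MAC entry; whether Comware offers such an entry is an assumption here), never by its SSID, so a second-vendor intranet AP that the AC cannot learn needs an explicit trusted entry, and a rogue radio beaconing the trusted SSID "abc" lands outside Auth. The MACs and SSID "abc" are taken from the example; the external AP's SSID and the twin AP 0200-0000-0001 are constructed.

```python
"""Illustrative WIPS-style classifier and countermeasure selector.

Added example for this thread, not H3C code. The rule order below is an
assumption that models the classes printed by
'display wips virtual-security-domain vsd1 device' (Auth, Ext(P), Unauth,
Mis, Uncate). MACs and SSID "abc" come from the example above; the SSID of
the external AP and the twin AP 0200-0000-0001 are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str                # BSSID of an AP, or the station MAC of a client
    kind: str               # "AP" or "Client"
    ssid: str = ""          # SSID the AP beacons (APs only)
    assoc_bssid: str = ""   # BSSID the client is associated with (clients only)


@dataclass(frozen=True)
class Policy:
    managed_bssids: frozenset  # BSSIDs of radios this AC manages (learned from its own APs)
    trusted_macs: frozenset    # static trusted MAC list, e.g. third-party intranet APs (assumed list type)
    blocked_macs: frozenset    # 'block mac-address' entries
    trusted_ssids: frozenset   # 'trust ssid' entries


def classify(dev: Device, pol: Policy, ap_classes: dict) -> str:
    """Class of one device; ap_classes maps BSSID -> class of already-classified APs."""
    if dev.mac in pol.blocked_macs:
        return "Unauth"                      # static block list wins over everything
    if dev.kind == "AP":
        # Authorization keys off the BSSID, never off the SSID string: an attacker
        # copies the SSID in one command, but the BSSID is tied to our inventory.
        if dev.mac in pol.managed_bssids or dev.mac in pol.trusted_macs:
            return "Auth"
        if dev.ssid in pol.trusted_ssids:
            # Our SSID from a radio we do not own: an impersonating (evil twin) AP.
            # Assumed rule: rank it unauthorized rather than merely external.
            return "Unauth"
        return "Ext(P)"                      # foreign SSID on a foreign BSSID: potential external AP
    ap_class = ap_classes.get(dev.assoc_bssid)
    if ap_class is None:
        return "Uncate"                      # associated AP not seen by any sensor
    return "Auth" if ap_class == "Auth" else "Mis"   # client sitting on a non-authorized AP


def classify_all(devices, pol: Policy) -> dict:
    """Classify APs first so each client can be judged by the AP it is associated with."""
    classes, ap_classes = {}, {}
    for d in devices:
        if d.kind == "AP":
            ap_classes[d.mac] = classes[d.mac] = classify(d, pol, ap_classes)
    for d in devices:
        if d.kind == "Client":
            classes[d.mac] = classify(d, pol, ap_classes)
    return classes


def countermeasure_targets(devices, pol: Policy, targets) -> list:
    """MACs to counter. targets is the set of (kind, class) pairs the countermeasure
    policy names, e.g. {("AP", "Ext(P)"), ("Client", "Unauth")} for
    'countermeasure potential-external-ap' plus 'countermeasure unauthorized-client'."""
    classes = classify_all(devices, pol)
    return sorted(d.mac for d in devices if (d.kind, classes[d.mac]) in targets)


# Constructed inventory modelled on the display output above, plus one evil twin.
POLICY = Policy(
    managed_bssids=frozenset({"00e0-fc00-5829", "000f-e228-2528"}),
    trusted_macs=frozenset(),
    blocked_macs=frozenset({"000f-1c35-12a5"}),
    trusted_ssids=frozenset({"abc"}),
)
DEVICES = [
    Device("00e0-fc00-5829", "AP", ssid="abc"),
    Device("000f-e228-2528", "AP", ssid="abc"),
    Device("000f-e223-1616", "AP", ssid="neighbour-net"),           # SSID constructed
    Device("0200-0000-0001", "AP", ssid="abc"),                     # constructed evil twin
    Device("000f-1c35-12a5", "Client", assoc_bssid="00e0-fc00-5829"),
    Device("000f-e201-0102", "Client", assoc_bssid="00e0-fc00-5829"),
]
# What the page's 'protect' policy covers.
PAGE_TARGETS = {("AP", "Ext(P)"), ("Client", "Unauth")}

if __name__ == "__main__":
    for mac, cls in classify_all(DEVICES, POLICY).items():
        print(f"{mac:15} {cls}")
    print("countered with the page's policy:", countermeasure_targets(DEVICES, POLICY, PAGE_TARGETS))
    print("countered if unauthorized APs are added:",
          countermeasure_targets(DEVICES, POLICY, PAGE_TARGETS | {("AP", "Unauth")}))
```

Run as-is and the third AP lands in Ext(P) and the blocked client in Unauth, as in the page's output. The constructed twin on SSID abc lands in Unauth and is not countered by the page's protect policy, because that policy only names potential-external-ap and unauthorized-client; the countermeasure set has to cover the class an evil twin actually falls into under the product's own rules, and a second-vendor intranet AP has to be in a trusted list before it is treated as Auth.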

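As an added example, not H3C's code, the following models the three knobs of the detect policy in the second example above (interval, threshold, quiet) as a sliding-window counter with alarm suppression. What Comware counts as a beacon-flood event is not stated on the page; the example assumes a beacon counts only when its BSSID is new to the sensor, since a single legitimate AP sends about ten beacons a second from one BSSID and would otherwise exceed a threshold of 200 per 100 s on its own. The traffic, MACs and timing are constructed.

```python
"""Windowed flood detector with a quiet period.

Added example for this thread, not H3C code. It models the three knobs of
'flood beacon interval 100 quiet 50 threshold 200' as: count qualifying
events per key over a sliding window of <interval> seconds, raise an alarm
when the count reaches <threshold>, then suppress further alarms for that
key for <quiet> seconds. The page does not say what Comware counts as a
beacon-flood event; the assumption here is that only a beacon carrying a
BSSID the sensor has not seen before counts, which is what separates a
fake-AP flood (a fresh BSSID per frame) from a legitimate AP beaconing ten
times a second from one BSSID. All timestamps and MACs are constructed.
"""
from collections import deque


class FloodDetector:
    def __init__(self, interval: float, quiet: float, threshold: int):
        self.interval, self.quiet, self.threshold = interval, quiet, threshold
        self._window = {}       # key -> deque of event timestamps inside the window
        self._quiet_until = {}  # key -> time until which alarms for key are suppressed
        self.flood_counts = {}  # key -> frames attributed to a flood (the statistics counter)
        self.alarms = []        # (timestamp, key, count in window) for each alarm raised

    def event(self, ts: float, key: str) -> bool:
        """Record one qualifying event for key at time ts; True if it raises an alarm."""
        win = self._window.setdefault(key, deque())
        win.append(ts)
        while win and ts - win[0] > self.interval:
            win.popleft()                       # slide the window forward
        if len(win) < self.threshold:
            return False
        self.flood_counts[key] = self.flood_counts.get(key, 0) + 1
        if ts < self._quiet_until.get(key, 0.0):
            return False                        # inside the quiet period: counted, not alarmed
        self.alarms.append((ts, key, len(win)))
        self._quiet_until[key] = ts + self.quiet
        return True


class BeaconSensor:
    """One sensor radio: passes only first-seen BSSIDs to the detector."""
    def __init__(self, detector: FloodDetector, name: str):
        self.detector, self.name, self.seen = detector, name, set()

    def beacon(self, ts: float, bssid: str) -> bool:
        if bssid in self.seen:
            return False                        # a known AP beaconing again is not flood evidence
        self.seen.add(bssid)
        return self.detector.event(ts, self.name)


def run_scenario(attack: bool, interval=100, quiet=50, threshold=200):
    """Replay constructed traffic through one sensor; returns (alarms, flood_counts)."""
    det = FloodDetector(interval, quiet, threshold)
    sensor = BeaconSensor(det, "sensor1")
    frames = []
    for ap in range(5):                         # five legitimate APs, ~10 beacons/s each for 120 s
        t = ap * 0.02
        while t < 120:
            frames.append((t, f"00e0-fc00-58{ap:02x}"))
            t += 0.1024
    if attack:                                  # fake-AP flood: 300 beacons, a new BSSID each, from t=30 s
        frames.extend((30 + i * 0.1, f"0200-0000-{i:04x}") for i in range(300))
    for ts, bssid in sorted(frames):
        sensor.beacon(ts, bssid)
    return det.alarms, det.flood_counts


if __name__ == "__main__":
    alarms, counts = run_scenario(attack=True)
    print("alarms:", alarms)                    # one alarm at about 49.4 s, then 50 s of quiet
    print("flood frames per sensor:", counts)
```

With the constructed flood, the 200th new BSSID arrives at about 49.4 s and raises one alarm; the remaining 105 flood frames are still counted but stay silent because the quiet period runs to 99.4 s. Without the attack, the five legitimate APs never trip the detector however many beacons they send.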


This configuration doesn't seem to achieve the requirement I described. If a rogue AP with SSID abc joins, it can't be countered, can it?

Kyrie, posted 2022-06-29

Doesn't the first example match?

zhiliao_yTz9Lv, posted 2022-06-29

If a rogue AP also uses SSID abc, does that mean it can't be countered either?

Kyrie, posted 2022-06-29