您好,欢迎访问三七文档
当前位置:首页 > 商业/管理/HR > 质量控制/管理 > H3C WX系列动态黑名单典型配置举例
iH3CWX系列动态黑名单典型配置举例关键词:FloodAttack,Dynamicblacklist摘要:本文介绍了用H3C公司WX系列WLAN动态黑名单功能时必需的配置。缩略语:缩略语英文全名中文解释WLANIDSWirelessIntrusionDetectionSystem无线入侵检测系统H3Cii目录1特性简介..................................................................................................................................................11.1特性介绍........................................................................................................................................12应用场合..................................................................................................................................................13注意事项..................................................................................................................................................14配置举例..................................................................................................................................................14.1组网需求........................................................................................................................................14.2配置思路........................................................................................................................................24.3使用版本........................................................................................................................................24.4配置步骤........................................................................................................................................24.5注意事项........................................................................................................................................45相关资料..................................................................................................................................................55.1相关协议和标准..............................................................................................................................55.2其它相关资料.................................................................................................................................5H3C11特性简介1.1特性介绍泛洪攻击(Flooding攻击)是指WLAN设备会在短时间内接收了大量的同种类型的报文。此时WLAN设备会被泛洪的攻击报文淹没而无法处理真正的无线终端的报文。IDS攻击检测通过持续的监控每台设备的流量大小来预防这种泛洪攻击。当流量超出可容忍的上限时,该设备将被认为要在网络内泛洪从而被锁定,此时如果使能了动态黑名单,检查到的攻击设备将被加入动态黑名单。IDS支持下列报文的泛洪攻击检测。l认证请求/解除认证请求(Authentication/De-authentication);l关联请求/解除关联请求/重新关联请求(Association/Disassociation/Reassociation);l探查请求(Proberequest);l空数据帧;lAction帧;当一个AP支持超过一个BSSID时,无线终端会发送探查请求报文到每个单独的BSSID。所以在报文为探查请求报文的情况下,需要考虑源端和目的地的共同流量,而对于其它类型的报文,只需要考虑源端的流量即可。2应用场合需要抑止泛洪攻击的场合。3注意事项无。4配置举例4.1组网需求本配置举例中的AC使用的是WX6103无线控制器,AP使用的是WA2200系列无线局域网接入点设备,Client上线后通过DHCP服务器获取IP地址。H3C2图4-1动态黑名单配置组网图4.2配置思路在WLANIDS视图下启动攻击检测,并使能动态黑名单。4.3使用版本ACdisplayversionH3CComwarePlatformSoftwareComwareSoftware,Version5.20,Beta2108Copyright(c)2004-2008HangzhouH3CTech.Co.,Ltd.Allrightsreserved.H3CWX6103uptimeis1week,0day,16hours,4minutesH3CWX6103with1BCMMIPS1125H600MHzProcessor1024MbytesDDR259MbytesCFCardMemoryConfigRegisterpointstoCFCARDHardwareVersionisVer.CCPLDVersionisCPLD007BackboardCPLDVersionisCPLD003BasicBootromVersionis1.11ExtendBootromVersionis1.12[Slot0]EWPX1G24XA0HardwareVersionisNA[Slot2]EWPX1WCMB0HardwareVersionisVer.C4.4配置步骤1.配置信息:ACdisplaycurrent-configuration#version5.20,Release2108#sysnameAC#domaindefaultenablesystem#vlan1H3C3#domainsystemaccess-limitdisablestateactiveidle-cutdisableself-service-urldisable#wlanrrm11amandatory-rate6122411asupported-rate91836485411bmandatory-rate1211bsupported-rate5.51111gmandatory-rate125.51111gsupported-rate69121824364854#wlanservice-template1clearssidwmmbindWLAN-ESS1authentication-methodopen-systemservice-templateenable#interfaceNULL0#interfaceVlan-interface1ipaddress63.1.1.20255.255.0.0#interfaceM-GigabitEthernet1/0/1#interfaceTen-GigabitEthernet1/0/1portlink-typetrunkporttrunkpermitvlanall#interfaceWLAN-ESS1#wlanapapmodelWA2220E-AGserial-id210235A29F007C000177radio1channel157service-template1radioenableradio2#wlanidsdynamic-blacklistenableattack-detectionenableflood#user-interfacecon0user-interfaceaux0H3C4user-interfacevty04#return2.主要配置步骤#在WLANIDS视图下使能动态黑名单功能[AC]wlanids[AC-wlan-ids]dynamic-blacklistenable3.验证结果当检测到洪攻击后(可以使用模拟工具每秒发送100个管理祯给AP),攻击源被加入动态黑名单,在动态黑名单老化期内,AC拒绝攻击源关联请求。ACdisplaywlanidsstatisticsCurrentattacktrackingsince:2008-08-29/10:22:07-------------------------------------------------------------------------------TypeCurrentTotal-------------------------------------------------------------------------------ProbeRequestFrameFloodAttack00AuthenticationRequestFrameFloodAttack00DeauthenticationFrameFloodAttack11AssociationRequestFrameFloodAttack00DisassociationRequestFrameFloodAttack00ReassociationRequestFrameFloodAttack00ActionFrameFloodAttack00NullDataFrameFloodAttack00WeakIVsDetected00SpoofedDeauthenticationFrameAttack00SpoofedDisassociationFrameAttack00-------------------------------------------------------------------------------ACdisplaywlanblacklistdynamicTotalNumberofEntries:1DynamicBlacklist--------------------------------------------------------------
三七文档所有资源均是用户自行上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作他用。
扫描二维码
crazylotte
本文标题:H3C WX系列动态黑名单典型配置举例
链接地址:https://www.777doc.com/doc-431349 .html