
Huawei central AP: intrusion prevention configuration lab

Example for configuring intrusion prevention

Networking diagram

Figure 1 Intrusion prevention networking diagram
Networking requirements

As shown in Figure 1, an enterprise has deployed a WLAN, and intranet users can access web servers on the Internet. Intrusion prevention now needs to be configured on the central AP to meet the following requirement:

Protect intranet users from attacks while they access web servers on the Internet, for example attacks launched against intranet users by websites that carry malicious code.

Configuration roadmap
  1. Configure basic WLAN services.
  2. Configure the intrusion prevention profile "profile_ips_pc" to protect intranet users. Signature filters are configured in the profile to meet the security requirement.
  3. Create the attack defence profile "defence_1" and bind the intrusion prevention profile "profile_ips_pc" to it, so that intranet users are protected from attacks originating on the Internet.
  4. Bind the attack defence profile to the WLAN service VAP profile so that intrusion prevention takes effect.
Procedure
  1. Configure basic WLAN services. For the detailed steps, see the agile distributed WLAN networking configuration example.
  2. Enable the security engine.

    [AP] defence engine enable

  3. Create the intrusion prevention profile "profile_ips_pc" to protect intranet users.

    [AP] profile type ips name profile_ips_pc
    [AP-profile-ips-profile_ips_pc] description profile for intranet users
    [AP-profile-ips-profile_ips_pc] collect-attack-evidence enable
    Warning: Succeeded in configuring attack evidence collection for the IPS function. The function is used for fault locating. This function may deteriorate system performance. Exercise caution before using the function.
    Attack evidences can be collected only when a log storage device with sufficient storage space is available.
    After all required attack evidences are collected, disable the function.
    Our company alone is unable to transfer or process the communication contents or personal data. You are advised to enable the related functions based on the applicable laws and regulations in terms of purpose and scope of usage. When the communication contents or personal data are being transferred or processed, you are obliged to take considerable measures to ensure that these contents are fully protected. Continue? [Y/N]: y
    [AP-profile-ips-profile_ips_pc] signature-set name filter1
    [AP-profile-ips-profile_ips_pc-sigset-filter1] target client
    [AP-profile-ips-profile_ips_pc-sigset-filter1] severity high
    [AP-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP
    [AP-profile-ips-profile_ips_pc-sigset-filter1] quit
    [AP-profile-ips-profile_ips_pc] quit

  4. Commit the configuration.

    [AP] engine configuration commit

  5. Create the attack defence profile "defence_1" and bind the intrusion prevention profile "profile_ips_pc" to it.

    [AP] defence-profile name defence_1
    [AP-defence-profile-defence_1] profile type ips profile_ips_pc
    [AP-defence-profile-defence_1] quit

  6. Bind the attack defence profile "defence_1" to the VAP profile.

    [AP] wlan
    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] defence-profile defence_1
    [AP-wlan-vap-prof-wlan-vap] quit

  7. Verify the configuration.

    Run the display profile type ips name profile_ips_pc command on the central AP to view the configuration of the intrusion prevention profile.

    [AP-wlan-view] display profile type ips name profile_ips_pc
    IPS Profile Configurations:
    ----------------------------------------------------------------------
    Name : profile_ips_pc
    Description : profile for intranet users
    Referenced : 1
    State : committed
    AttackEvidenceCollection : enable
    SignatureSet : filter1
    Target : client
    Severity : high
    OS : N/A
    Protocol : HTTP
    Category : N/A
    Action : default
    Application : N/A
    Exception:
    ID Action Name
    ----------------------------------------------------------------------
    DNS Protocol Check:
    HTTP Protocol Check:
    ----------------------------------------------------------------------
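The verification step above only shows the output; an operator still has to read it for the three things that matter (the profile is committed, it is referenced by a defence profile, and the signature set filters what was intended). The following is an added example, not part of the Huawei documentation, that parses the display output shown in step 7 and reports those checks, including the reminder from the warning text to disable attack evidence collection once it is no longer needed. The sample output is constructed from the page (abridged) and the finding strings are this example's own.

```python
import re

SAMPLE_OUTPUT = """\
IPS Profile Configurations:
----------------------------------------------------------------------
Name : profile_ips_pc
Referenced : 1
State : committed
AttackEvidenceCollection : enable
SignatureSet : filter1
Target : client
Severity : high
Protocol : HTTP
----------------------------------------------------------------------
DNS Protocol Check:
"""  # constructed sample: step 7 output of this page, abridged

def parse_ips_profile(text):
    """Parse the output: 'Key : value' lines before SignatureSet belong to the profile, later ones to that set."""
    profile, current = {"signature_sets": []}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$", line)  # one-word key, then ':'
        if not m:
            continue  # separators, 'DNS Protocol Check:' style headers, table rows
        key, value = m.group(1), m.group(2)
        if key == "SignatureSet":
            current = {"name": value}
            profile["signature_sets"].append(current)
        elif current is None:
            profile[key] = value
        else:
            current[key.lower()] = value
    return profile

def check_ips_profile(profile, expected_sets):
    """Return findings; an empty list means the profile is committed, referenced and filtering as intended."""
    findings = []
    if profile.get("State") != "committed":
        findings.append("profile not committed: run 'engine configuration commit'")
    if int(profile.get("Referenced", "0")) < 1:
        findings.append("profile not referenced by any defence-profile")
    if profile.get("AttackEvidenceCollection") == "enable":
        findings.append("attack evidence collection still on; disable it once fault locating is done")
    actual = {s["name"]: s for s in profile["signature_sets"]}
    for name, want in expected_sets.items():
        for field, value in want.items():
            if actual.get(name, {}).get(field) != value:
                findings.append("signature set %s: %s != %r" % (name, field, value))
    return findings
```

Feed it the captured output of the display command and the signature-set settings you intended; any finding means the profile is not yet protecting clients the way the roadmap describes.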
Configuration file of the central AP

    #
    defence engine enable
    sysname AP
    #
    profile type ips name profile_ips_pc
     description profile for intranet users
     collect-attack-evidence enable
     signature-set name filter1
      target client
      severity high
      protocol HTTP
    #
    vlan batch 100 to 101
    #
    dhcp enable
    #
    defence-profile name defence_1
     profile type ips profile_ips_pc
    #
    interface Vlanif100
     ip address 10.23.100.1 255.255.255.0
     dhcp select interface
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk pvid vlan 100
     port trunk allow-pass vlan 100 to 101
    #
    interface GigabitEthernet0/0/24
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    management-vlan 100
    #
    wlan
     security-profile name wlan-security
      security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      defence-profile defence_1
     regulatory-domain-profile name domain1
     ap-group name ap-group1
      regulatory-domain-profile domain1
      radio 0
       vap-profile wlan-vap wlan 1
      radio 1
       vap-profile wlan-vap wlan 1
     ap-id 1 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
      ap-name area_1
      ap-group ap-group1
      radio 0
       channel 20mhz 6
       eirp 127
      radio 1
       channel 20mhz 149
       eirp 127
    #
    return
Copyright © Huawei Technologies Co., Ltd.