A rogue AP can lure legitimate wireless clients into associating with it by advertising a legitimate SSID or some other SSID. Once a client is associated, the rogue AP can obtain internal network information from that client and so threaten the security of the internal network. To counter this attack, WIPS can detect rogue AP devices showing this behavior in the surrounding wireless environment and use its countermeasure function to disassociate the wireless clients from the rogue AP, thereby protecting the internal network.
As shown in Figure 1, the APs connect to the AC through a switch. AP1 and AP2 provide wireless service to the Client with the SSID configured as service. WIPS is enabled on the Sensor; when it detects a rogue AP advertising the SSID to lure the Client into connecting, it takes countermeasures against the rogue AP and prevents the Client from coming online on the rogue AP.
Figure 1 WIPS network diagram
Configuring the AC
(1) On the AC, configure the required VLANs and the corresponding VLAN-interface addresses, permit those VLANs on the corresponding interfaces, and enable the DHCP server function so that the APs and the wireless Client can obtain IP addresses automatically from the DHCP server.
(2) Configure WIPS
# Enter WIPS view.
[AC] wips
# Configure an AP classification rule that matches SSIDs equal to service.
[AC-wips] ap-classification rule 1
[AC-wips-cls-rule-1] ssid equal service
[AC-wips-cls-rule-1] quit
# Configure an AP classification rule that matches SSIDs not equal to service.
[AC-wips] ap-classification rule 2
[AC-wips-cls-rule-2] ssid not equal service
[AC-wips-cls-rule-2] quit
# Configure an AP classification policy: classify APs that match classification rules 1 and 2 as rogue APs, set the countermeasure priority to the highest, and add the trusted AP to the trust list.
[AC-wips] classification policy class1
[AC-wips-cls-class1] apply ap-classification rule 1 rogue-ap severity-level 100
[AC-wips-cls-class1] apply ap-classification rule 2 rogue-ap severity-level 100
[AC-wips-cls-class1] trust mac-address 000f-1111-0111
[AC-wips-cls-class1] quit
# Create a virtual security domain and apply the classification policy to virtual security domain vsd1.
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply classification policy class1
[AC-wips-vsd-vsd1] quit
# Configure a countermeasure policy that counters rogue APs.
[AC-wips] countermeasure policy 1
[AC-wips-cms-1] countermeasure rogue-ap
[AC-wips-cms-1] quit
# Apply the countermeasure policy to virtual security domain vsd1.
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply countermeasure policy 1
[AC-wips-vsd-vsd1] quit
[AC-wips] quit
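To make the effect of the classification policy above easy to reason about before it is deployed, here is an added example (written for this page, not H3C's code) that models the policy in Python: the two SSID rules, the severity level attached to each, the trust list, and the set of APs a `countermeasure rogue-ap` policy would act on. Two points are assumptions of this model rather than statements from the page: the highest severity level among matching rules decides the class, and a MAC on the trust list is classified as authorized before any rule is evaluated (the page's own output, where the trusted AP broadcasting SSID service is shown as Auth, is consistent with that). The `guest` AP with MAC `0000-0000-0001` is a constructed sample.

```python
# Added example (not H3C's code): a model of the WIPS AP-classification policy
# configured above. ASSUMPTIONS: highest severity among matching rules wins;
# a trusted MAC is classified Auth before rules are evaluated.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Normalize '000f-1111-0111' or '00:0f:11:11:01:11' to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class DetectedAP:
    mac: str
    ssid: str


@dataclass
class ClassificationRule:
    """One 'ap-classification rule N' with a single SSID match criterion."""
    rule_id: int
    match: Callable[[DetectedAP], bool]


def ssid_equal(value: str) -> Callable[[DetectedAP], bool]:
    return lambda ap: ap.ssid == value


def ssid_not_equal(value: str) -> Callable[[DetectedAP], bool]:
    return lambda ap: ap.ssid != value


@dataclass
class ClassificationPolicy:
    """One 'classification policy NAME': applied rules plus a trust list."""
    name: str
    applied: List[Tuple[ClassificationRule, str, int]] = field(default_factory=list)
    trusted: Set[str] = field(default_factory=set)

    def apply_rule(self, rule: ClassificationRule, ap_class: str, severity: int) -> None:
        # 'apply ap-classification rule N <class> severity-level S'
        self.applied.append((rule, ap_class, severity))

    def trust_mac(self, mac: str) -> None:
        # 'trust mac-address H-H-H'
        self.trusted.add(normalize_mac(mac))

    def classify(self, ap: DetectedAP) -> str:
        if normalize_mac(ap.mac) in self.trusted:
            return "Auth"                      # assumption: trust list wins outright
        best: Optional[Tuple[int, str]] = None
        for rule, ap_class, severity in self.applied:
            if rule.match(ap) and (best is None or severity > best[0]):
                best = (severity, ap_class)    # assumption: highest severity wins
        return best[1] if best else "Uncate"


def countermeasure_targets(policy: ClassificationPolicy, aps: List[DetectedAP]) -> List[str]:
    """MACs that a 'countermeasure rogue-ap' policy would act on under this classification."""
    return [ap.mac for ap in aps if policy.classify(ap) == "Rogue"]


def build_case_policy() -> ClassificationPolicy:
    """The class1 policy from this case: rules 1 and 2 -> Rogue/100, one trusted AP."""
    policy = ClassificationPolicy("class1")
    policy.apply_rule(ClassificationRule(1, ssid_equal("service")), "Rogue", 100)
    policy.apply_rule(ClassificationRule(2, ssid_not_equal("service")), "Rogue", 100)
    policy.trust_mac("000f-1111-0111")
    return policy


if __name__ == "__main__":
    policy = build_case_policy()
    scan = [
        DetectedAP("000f-1111-0111", "service"),  # AP1 from the case: trusted
        DetectedAP("000f-e200-1202", "service"),  # the rogue AP from the case, cloning the SSID
        DetectedAP("0000-0000-0001", "guest"),    # constructed: unknown AP on another SSID
    ]
    for ap in scan:
        print(ap.mac, ap.ssid, "->", policy.classify(ap))
    print("countermeasure targets:", countermeasure_targets(policy, scan))
```

The model makes one consequence of the configuration visible: because rule 2 classifies every SSID other than service as rogue, any AP that is not on the trust list is a countermeasure target, so the trust list must contain every legitimate AP (including neighbouring ones you do not want to disrupt) before the countermeasure policy is applied.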
(3) Configure the wireless service
[AC] wlan service-template service
[AC-wlan-st-service] ssid service
[AC-wlan-st-service] vlan 200
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# Configure AP1
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1GQC157001570
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] service-template service
[AC-wlan-ap-ap1-radio-1] quit
# Configure AP2
[AC] wlan ap ap2 model WA4320i-ACN
[AC-wlan-ap-ap2] serial-id 210235A1GQC157001571
[AC-wlan-ap-ap2] radio 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] service-template service
[AC-wlan-ap-ap2-radio-1] quit
# Configure the sensor AP
[AC] wlan ap sensor model WA4320i-ACN
[AC-wlan-ap-sensor] serial-id 210235A1GQC157001572
[AC-wlan-ap-sensor] wips virtual-security-domain vsd1
[AC-wlan-ap-sensor] radio 1
[AC-wlan-ap-sensor-radio-1] radio enable
[AC-wlan-ap-sensor-radio-1] wips enable
[AC-wlan-ap-sensor-radio-1] quit
Configuring the Switch
# Create the required VLANs, configure the interfaces on the L2 switch that connect to the APs as trunk ports with the PVID set to the AP management VLAN, and enable PoE power supply.
Verifying the configuration
(1) Display the devices scanned in the sensor's virtual security domain. The Rogue AP advertises the same service SSID as the service APs associated with the local AC; WIPS correctly identifies the associated service APs as authorized APs and the Rogue AP as a rogue AP.
<AC> display wips virtual-security-domain vsd1 device
Total 3 detected devices in virtual-security-domain vsd1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
000f-1111-0111 AP Auth 00h 05m 26s 1 13 Active
000f-e200-1202 AP Rogue 00h 05m 26s 1 161 Active
The output shows that the external AP is classified as a Rogue AP and the correctly associated AP is classified as an authorized AP.
(2) Verify that the countermeasure function works: use the display wips virtual-security-domain command to view the countermeasure records.
<AC> display wips virtual-security-domain vsd1 countermeasure record
Total 1 times countermeasure, current 1 countermeasure record in virtual-security-domain vsd1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Sensor name Radio ID Time
000f-e200-1202 AP Rogue sensor 1 2015-11-27/15:52:53
(3) Display the clients that were countered: use the display wips virtual-security-domain vsd1 device client unauthorized command to view the countermeasure records.
[AC]display wips virtual-security-domain 1 device client unauthorized
Total 24 detected client in virtual-security-domain 1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
3478-d742-0f72 Client Unauth 00h 00m 27s 1 149 Active
34f6-4bc8-6e28 Client Unauth 00h 00m 12s 1 149 Active
3871-de36-48f1 Client Unauth 00h 00m 07s 1 149 Active
4400-107d-1ba8 Client Unauth 00h 00m 30s 1 149 Active
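The verification above is done by eye. The following added example (written for this page, not H3C's code) parses the `display wips virtual-security-domain ... device` output shown in steps (1) and (3) so that the same check can be run from a scheduled CLI poll: it returns the rogue APs and the unauthorized clients, and it reports when the captured rows are fewer than the Total line claims (the page's own outputs show 3 and 24 in the Total line but list 2 and 4 rows). The column layout is taken from the outputs on this page; the sample strings below are those outputs with the prompt line dropped.

```python
# Added example (not H3C's code): parser for the 'display wips
# virtual-security-domain ... device' output shown on this page.
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the device output from step (1), prompt line dropped.
# Total says 3 but only 2 rows follow; the parser exposes that instead of hiding it.
DEVICE_OUTPUT = """\
Total 3 detected devices in virtual-security-domain vsd1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
000f-1111-0111 AP Auth 00h 05m 26s 1 13 Active
000f-e200-1202 AP Rogue 00h 05m 26s 1 161 Active
"""

# Sample input: the 'client unauthorized' output from step (3), prompt line dropped.
CLIENT_OUTPUT = """\
Total 24 detected client in virtual-security-domain 1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
3478-d742-0f72 Client Unauth 00h 00m 27s 1 149 Active
34f6-4bc8-6e28 Client Unauth 00h 00m 12s 1 149 Active
3871-de36-48f1 Client Unauth 00h 00m 07s 1 149 Active
4400-107d-1ba8 Client Unauth 00h 00m 30s 1 149 Active
"""

TOTAL_RE = re.compile(r"^Total (\d+) detected (?:devices?|clients?) in virtual-security-domain (\S+)$")
DURATION_RE = re.compile(r"^(\d+)h (\d+)m (\d+)s$")
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


@dataclass(frozen=True)
class Device:
    mac: str
    dev_type: str      # AP or Client
    dev_class: str     # Auth, Rogue, Unauth, ...
    duration_s: int    # Duration column converted to seconds
    sensors: int
    channel: int
    status: str


@dataclass
class DeviceTable:
    vsd: str
    total: int         # count reported in the Total line
    rows: List[Device]

    def truncated(self) -> bool:
        """True when fewer rows were captured than the device reported."""
        return len(self.rows) < self.total


def parse_device_table(text: str) -> DeviceTable:
    vsd: Optional[str] = None
    total: Optional[int] = None
    rows: List[Device] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TOTAL_RE.match(line)
        if m:
            total, vsd = int(m.group(1)), m.group(2)
            continue
        if line.startswith("MAC address"):
            in_table = True          # column header; data rows follow
            continue
        if not in_table:
            continue                 # class legend lines
        t = line.split()
        if len(t) != 9 or not MAC_RE.match(t[0]):
            raise ValueError(f"unexpected row: {line!r}")
        d = DURATION_RE.match(" ".join(t[3:6]))
        if d is None:
            raise ValueError(f"bad duration in row: {line!r}")
        h, mi, s = (int(x) for x in d.groups())
        rows.append(Device(t[0], t[1], t[2], h * 3600 + mi * 60 + s, int(t[6]), int(t[7]), t[8]))
    if total is None or vsd is None:
        raise ValueError("no 'Total ... detected' header found")
    return DeviceTable(vsd, total, rows)


def rogue_aps(text: str) -> List[str]:
    return [d.mac for d in parse_device_table(text).rows if d.dev_type == "AP" and d.dev_class == "Rogue"]


def unauthorized_clients(text: str) -> List[str]:
    return [d.mac for d in parse_device_table(text).rows if d.dev_type == "Client" and d.dev_class == "Unauth"]


if __name__ == "__main__":
    table = parse_device_table(DEVICE_OUTPUT)
    print(f"vsd={table.vsd} total={table.total} rows={len(table.rows)} truncated={table.truncated()}")
    print("rogue APs:", rogue_aps(DEVICE_OUTPUT))
    print("unauthorized clients:", unauthorized_clients(CLIENT_OUTPUT))
```

The parser is strict on purpose: a row with an unexpected number of columns raises rather than being silently skipped, because a silently dropped rogue AP is the failure mode a monitoring job must not have. Feed it the full output of the command (page through it completely, or raise the screen length) so that `truncated()` stays False.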