华为中心AP 配置入侵防御实验

  • 开发
  • 49

配置入侵防御示例

组网图形

图1 入侵防御组网图
  • 组网需求
  • 配置思路
  • 操作步骤
  • 中心AP的配置文件
组网需求

图1所示,某企业部署了WLAN网络,内网用户可以访问Internet的Web服务器。现需要在中心AP上配置入侵防御功能,具体要求如下:

保护内网用户,避免内网用户访问Internet的Web服务器时受到攻击。例如,含有恶意代码的网站对内网用户发起攻击。

配置思路
  1. 配置WLAN基本业务。
  2. 配置入侵防御模板“profile_ips_pc”,保护内网用户。通过配置签名过滤器来满足安全需要。
  3. 创建攻击防御模板“defence_1”,并引用入侵防御模板“profile_ips_pc”,保护内网用户免受来自Internet的攻击。
  4. 配置WLAN业务VAP引用攻击防御模板,使入侵防御功能生效。
操作步骤
  1. 配置WLAN基本业务,具体配置步骤请参照配置敏捷分布式WLAN组网示例
  2. 使能安全引擎。 

    <span style="background-color:#dddddd">[AP] <strong>defence engine enable</strong>
</span>
  3. 创建入侵防御模板“profile_ips_pc”,保护内网用户。 

    <span style="background-color:#dddddd">[AP] <strong>profile type ips name profile_ips_pc</strong>
[AP-profile-ips-profile_ips_pc] <strong>description profile for intranet users</strong>
[AP-profile-ips-profile_ips_pc] <strong>collect-attack-evidence enable</strong>
Warning: Succeeded in configuring attack evidence collection for the IPS functio
n. The function is used for fault locating. This function may deteriorate system
 performance. Exercise caution before using the function.                       
Attack evidences can be collected only when a log storage device with sufficient
 storage space is available.                                                    
After all required attack evidences are collected, disable the function.        
Our company alone is unable to transfer or process the communication contents or
 personal data.  You are advised to enable the related functions based on the ap
plicable laws and regulations in terms of purpose and scope of usage. When the c
ommunication contents or personal data are being transferred or processed,  you 
are obliged to take considerable measures to ensure that these contents are full
y protected. Continue? [Y/N]: <strong>y</strong> 
[AP-profile-ips-profile_ips_pc] <strong>signature-set name filter1</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>target client</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>severity high</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>protocol HTTP</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>quit</strong>
[AP-profile-ips-profile_ips_pc] <strong>quit</strong>
</span>
  4. 提交配置。 

    <span style="background-color:#dddddd">[AP] <strong>engine configuration commit</strong>
</span>
  5. 创建攻击防御模板“defence_1”,引用入侵防御模板“profile_ips_pc”。 

    <span style="background-color:#dddddd">[AP] <strong>defence-profile name defence_1</strong>
[AP-defence-profile-defence_1] <strong>profile type ips profile_ips_pc</strong>
[AP-defence-profile-defence_1] <strong>quit</strong>
</span>
  6. 在VAP模板上引用攻击防御模板“defence_1”。 

    <span style="background-color:#dddddd">[AP] <strong>wlan</strong>
[AP-wlan-view] <strong>vap-profile name wlan-vap</strong>
[AP-wlan-vap-prof-wlan-vap] <strong>defence-profile defence_1</strong>
[AP-wlan-vap-prof-wlan-vap] <strong>quit</strong>
</span>
  7. 验证配置结果。

    在中心AP上执行命令display profile type ips name profile_ips_pc,查看入侵防御配置文件的配置信息。

    <span style="background-color:#dddddd">[AP-wlan-view] <strong>display profile type ips name profile_ips_pc</strong>
   IPS Profile Configurations:                                                    
 ----------------------------------------------------------------------         
 Name                              : profile_ips_pc                             
 Description                       : profile for intranet users                 
 Referenced                        : 1                                          
 State                             : committed                                  
 AttackEvidenceCollection          : enable                                     
                                                                                
 SignatureSet                      : filter1                                    
   Target                          : client                                     
   Severity                        : high                                       
   OS                              : N/A                                        
   Protocol                        : HTTP                                       
   Category                        : N/A                                        
   Action                          : default                                    
   Application                     : N/A                                        
                                                                                
 Exception:                                                                     
 ID       Action                                        Name                    
 ----------------------------------------------------------------------         

 DNS Protocol Check:                                                            
                                                                                
 HTTP Protocol Check:                                                  
 ----------------------------------------------------------------------    </span>
中心AP的配置文件
<span style="background-color:#dddddd">#
 defence engine enable
 sysname AP
#
profile type ips name profile_ips_pc 
 description profile for intranet users 
 collect-attack-evidence enable 
 signature-set name filter1 
  target client 
  severity high 
  protocol HTTP 
#   
vlan batch 100 to 101
#
dhcp enable
#
defence-profile name defence_1                                                  
  profile type ips profile_ips_pc  
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 101
#
management-vlan 100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  defence-profile defence_1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 1 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return</span>
父主题: 配置举例
版权所有 © 华为技术有限公司
阅读全部

相关推荐

最近更新

  3. docker php8.1+nginx base 镜像 dockerfile 配置

    2024-03-20 05:06:02       94 阅读

  4. Could not load dynamic library ‘cudart64_100.dll‘

    2024-03-20 05:06:02       100 阅读

  9. 在Django里面运行非项目文件

    2024-03-20 05:06:02       82 阅读

  19. Python语言-面向对象

    2024-03-20 05:06:02       91 阅读

  20. 如何分清楚常见的 Git 分支管理策略Git Flow、GitHub Flow 和 GitLab Flow

    2024-03-20 05:06:02       85 阅读

热门阅读

  1. 共享旅游卡与我们当下的生活关联

    2024-03-20 05:06:02       39 阅读

  11. 机器学习流程—数据收集

    2024-03-20 05:06:02       36 阅读

  13. 每日一题:C语言经典例题之退票费的计算

    2024-03-20 05:06:02       40 阅读

  15. node.js 的常用命令

    2024-03-20 05:06:02       41 阅读

  19. VB.NET高级面试题:请解释 VB.NET 中的 “Managed Code“ 和 “Unmanaged Code“

    2024-03-20 05:06:02       42 阅读

  24. v-for 和 v-if 在相同元素上存在优先级的问题

    2024-03-20 05:06:02       40 阅读

  27. 时间复杂度

    2024-03-20 05:06:02       38 阅读

  30. 解决 Windows 下 Git 下载过慢问题

    2024-03-20 05:06:02       47 阅读