Cisco Training 200-125 CCNA v3.0. Day 41: DHCP Snooping and Nondefault Native VLAN

Today we will look at two important topics: DHCP Snooping and nondefault native VLANs. Before we continue with the lesson, I invite you to visit our other YouTube channel, where you can watch a video on how to improve your memory. I recommend subscribing to that channel, as we have posted many useful self-improvement materials there.

This lesson is devoted to subsections 1.7b and 1.7c of the ICND2 topic. Before we start with DHCP Snooping, let's recall some material from previous lessons. If I am not mistaken, we learned about DHCP on Day 6 and Day 24. There we discussed the important aspects of assigning IP addresses through a DHCP server and the exchange of the corresponding messages.

Normally, when an end user joins the network, it sends a broadcast request that every device on the network "hears". If it is connected directly to the DHCP server, the request goes straight to the server. If there are intermediate devices on the network, routers and switches, the request to the server passes through them. Having received the request, the DHCP server replies to the user who asked for an IP address, and then issues such an address to the user's device. This is how obtaining an IP address works under normal conditions. In the example in the diagram, the End User receives the address 192.168.10.10 and the gateway address 192.168.10.1. After that, the user can reach the Internet through this gateway or communicate with other devices on the network.

Now suppose that, besides the real DHCP server, there is a rogue DHCP server on the network, that is, an attacker has simply set up a DHCP server on his computer. In this case the user, after joining the network, again sends a broadcast message, which the router and the switch forward to the real server.

However, the rogue server is also "listening" to the network, and, having received the broadcast, it replies to the user with its own Offer instead of the real DHCP server's. Having accepted it, the user gives its consent and as a result receives from the attacker the IP address 192.168.10.2 and the gateway address 192.168.10.95.

The process of obtaining an IP address is abbreviated DORA and consists of 4 steps: Discover, Offer, Request and Acknowledge. As you can see, the attacker gives the device a legitimate IP address that lies within the network's address range, but instead of the real gateway address 192.168.10.1 it "slips in" the fake address 192.168.10.95, that is, the address of his own computer.

After this, all of the end user's traffic destined for the Internet passes through the attacker's computer. The attacker forwards it onward, and the user notices nothing unusual about the network, since he still has Internet access.

Likewise, the return traffic from the Internet flows to the user through the attacker's computer. This is what is called a Man in the Middle (MiM) attack. All of the user's traffic passes through the intruder's computer, which can read everything the user sends or receives. This is one type of attack that can occur on networks that use DHCP.

The second type of attack is called Denial of Service (DoS). What happens here? The hacker's computer no longer acts as a DHCP server; now it is simply an attacking device. It sends a Discover request to the real DHCP server and receives an Offer message in reply, then sends a Request to the server and receives an IP address from it. The attacking computer repeats this every few milliseconds, receiving a new IP address each time.

Depending on its settings, the real DHCP server has a pool of hundreds of free IP addresses. The hacker's computer receives the IP addresses .1, .2, .3, and so on until the address pool is exhausted. After that, the DHCP server cannot provide IP addresses to new clients on the network. If a new user joins the network, it will not be able to get a free IP address. This is the point of a DoS attack on a DHCP server: to prevent it from issuing IP addresses to new users.

To counter such attacks, the DHCP Snooping concept is used. This is an OSI Layer 2 feature that works like an ACL and operates only on switches. To understand DHCP Snooping, you need to consider two concepts: the trusted ports (Trusted) of the switch and the untrusted ports (Untrusted) to which other network devices connect.

Trusted ports allow any kind of DHCP message to pass through them. Untrusted ports are the ports to which clients are connected, and DHCP Snooping makes the switch discard any DHCP server message that arrives on these ports.

If we recall the DORA process, the D message goes from the client to the server, and the O message goes from the server to the client. After that, the R message is sent from the client to the server, and the server sends the A message to the client.

D and R messages are accepted on an untrusted port, while messages such as O and A are discarded. When the DHCP Snooping feature is enabled, all switch ports are considered untrusted by default. The feature can be applied either to the whole switch or to a single VLAN. For example, if VLAN10 is assigned to a port, you can enable the feature only for VLAN10, and then that port becomes untrusted.

When you enable DHCP Snooping, you, as the system administrator, must go into the switch configuration and set up the ports so that only the ports to which server-like devices are connected are trusted. This means any type of server, not only DHCP.
For example, if another switch, a router or the real DHCP server is connected to a port, that port is configured as trusted. The remaining switch ports, to which end-user devices or wireless access points are connected, must be configured as untrusted. Thus any device such as an access point with users behind it connects to the switch through an untrusted port.

If the attacker's computer sends O and A type messages to the switch, they are blocked, that is, such traffic cannot pass through an untrusted port. This is how DHCP Snooping prevents the types of attack discussed above.

In addition, DHCP Snooping builds a DHCP binding table. After a client receives an IP address from the server, that address, together with the MAC address of the device that received it, is entered into the DHCP Snooping table. These two attributes are associated with the untrusted port to which the client is connected.

This helps, for example, to prevent a DoS attack. If a client with a given MAC address has already received an IP address, why would it need a new one? In that case, any further attempt of this kind is blocked as soon as the entry in the table is checked.

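
The configuration described in the DHCP Snooping section above, as an added example that is not part of the original lesson. It assumes a single switch SW1 whose uplink to the router and the real DHCP server is GigabitEthernet0/1, with end users and an access point on GigabitEthernet0/2 to 0/24 in VLAN 10.

```cisco
! Added example (not from the original lesson). Assumed topology:
!   Gi0/1       -> router / real DHCP server (the only port to trust)
!   Gi0/2 - 24  -> end users and a wireless access point, all in VLAN 10
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10
! Many DHCP servers drop relayed packets that carry option 82, which the
! switch inserts by default; disabling the option avoids that side effect.
SW1(config)# no ip dhcp snooping information option

! Uplink: server messages (Offer / Ack) are allowed in from here only.
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# description uplink to router and DHCP server
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# exit

! Client ports stay untrusted (the default once snooping is on).
! The rate limit caps client DHCP packets per second, which blunts a
! starvation (DoS) client that sends Discover/Request in a burst:
! exceeding it puts the port into err-disabled state.
SW1(config)# interface range GigabitEthernet0/2 - 24
SW1(config-if-range)# ip dhcp snooping limit rate 10
SW1(config-if-range)# exit

! Verification: which VLANs are snooped, which ports are trusted, and the
! IP/MAC/port/lease binding table built from observed Ack messages.
SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding
```
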
The next thing we need to discuss is nondefault native VLANs. We have already covered VLANs, devoting 4 video lessons to these networks. If you have forgotten what they are, I advise you to review those lessons.

We know that on Cisco switches the default native VLAN is VLAN1. There is an attack called VLAN Hopping. Suppose the computer in the diagram is connected to the first switch through a port in the native VLAN1, and the last switch is connected to a computer through a port in VLAN10. A trunk is established between the switches.

Normally, when traffic from the first computer arrives at the switch, the switch knows that the port to which this computer is connected belongs to VLAN1. This traffic then goes onto the trunk between the two switches, and the first switch reasons as follows: "This traffic came from the Native VLAN, so I don't need to tag it," and forwards the untagged traffic across the trunk, where it arrives at the second switch.

Switch 2, having received the untagged traffic, reasons as follows: "Since this traffic is untagged, it belongs to VLAN1, so I cannot send it out on VLAN10." As a result, the traffic sent by the first computer cannot reach the second computer.

In fact, this is how it should be: VLAN1 traffic must not get into VLAN10. Now imagine that behind the first computer there is an attacker who crafts a frame with a VLAN10 tag and sends it to the switch. If you remember how VLANs work, you know that when tagged traffic arrives at the switch, the switch does nothing with the frame and simply forwards it along the trunk. As a result, the second switch receives traffic with a tag created by the attacker, not by the first switch.

This means that you should replace the native VLAN with something other than VLAN1.

Since the second switch does not know who created the VLAN10 tag, it simply delivers the traffic to the second computer. This is how a VLAN Hopping attack happens: the attacker gets into a network that was not accessible to him at first.

To prevent such attacks, you need to create an arbitrary VLAN, for example VLAN999, VLAN666, VLAN777, and so on, which the attacker cannot use at all. Then we go to the switch trunk ports and configure them to work with, for example, Native VLAN666. In this case we change the port's Native VLAN from VLAN1 to VLAN666, that is, we use any VLAN other than VLAN1 as the native VLAN.

The ports on both sides of the trunk must be configured with the same native VLAN, otherwise we will get a native VLAN mismatch error.

After this configuration, if a hacker decides to carry out a VLAN Hopping attack, he will not succeed, because native VLAN1 is no longer assigned to any of the switch ports. This is the method of protecting against such attacks by creating nondefault native VLANs.
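
The native VLAN change described above, as an added example that is not part of the original lesson. It assumes the trunk between the two switches uses GigabitEthernet0/24 on both SW1 and SW2, and that VLAN 666 is created only to serve as the native VLAN and is never assigned to an access port.

```cisco
! Added example (not from the original lesson). Assumed: SW1 Gi0/24 <-> SW2 Gi0/24
! is the 802.1Q trunk; VLAN 666 exists on both switches and has no access ports.
SW1(config)# vlan 666
SW1(config-vlan)# name NATIVE-UNUSED
SW1(config-vlan)# exit
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# switchport trunk encapsulation dot1q   ! only on platforms that also offer ISL
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate                 ! no DTP: the trunk is static
SW1(config-if)# switchport trunk native vlan 666
SW1(config-if)# exit
! Optional hardening: tag frames of the native VLAN too, so the trunk never
! carries untagged frames at all.
SW1(config)# vlan dot1q tag native

! Access ports for users are fixed as access ports so they cannot be
! negotiated into a trunk; they stay in their user VLAN, never in VLAN 666.
SW1(config)# interface GigabitEthernet0/2
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10

! The same native VLAN must be set on the far side of the trunk,
! otherwise CDP logs a "Native VLAN mismatch" and the trunk misbehaves.
SW2(config)# vlan 666
SW2(config-vlan)# exit
SW2(config)# interface GigabitEthernet0/24
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport nonegotiate
SW2(config-if)# switchport trunk native vlan 666

! Verification on either switch: the "Native vlan" column must show 666.
SW1# show interfaces trunk
```
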



source: www.habr.com
