Today we will look at two important topics: DHCP Snooping and "non-default" Native VLANs. Before we continue with the lesson, I invite you to visit another of our YouTube channels, where you can watch a video on how to improve your memory. I recommend subscribing to that channel, as we post many useful self-improvement tips there.
This lesson is devoted to subsections 1.7b and 1.7c of the ICND2 topic. Before we begin with DHCP Snooping, let us recall a few points from previous lessons. If I am not mistaken, we studied DHCP on Day 6 and Day 24. There we discussed the important questions of how a DHCP server assigns IP addresses and how the corresponding messages are exchanged.

Normally, when an end user joins the network, it sends a broadcast request onto the network that is "heard" by all network devices. If it is connected directly to the DHCP server, the request goes straight to the server. If there are transit devices on the network, routers and switches, then the request passes through them on its way to the server. After receiving the request, the DHCP server responds to the user, who sends it a request to obtain an IP address, after which the server issues that address to the user's device. This is how the process of obtaining an IP address works under normal conditions. In the example in the diagram, the end user will receive the address 192.168.10.10 and the gateway address 192.168.10.1. After this, the user will be able to reach the Internet through this gateway or communicate with other network devices.

Now suppose that, in addition to the real DHCP server, there is a rogue DHCP server on the network, that is, an attacker has simply installed a DHCP server on his own computer. In this case the user, having joined the network, again sends a broadcast message, which the router and switch forward to the real server.
However, the rogue server also "listens" on the network and, having received the broadcast message, will answer the user with its own offer instead of the real DHCP server's. Having received it, the user will give his consent, and as a result will receive from the attacker the IP address 192.168.10.2 and the gateway address 192.168.10.95.
The process of obtaining an IP address is abbreviated DORA and consists of 4 stages: Discover, Offer, Request and Acknowledge. As you can see, the attacker gives the device a legitimate IP address from the available range of network addresses, but instead of the real gateway address 192.168.10.1 it "slips in" the fake address 192.168.10.95, that is, the address of its own computer.

After this, all of the end user's traffic destined for the Internet will pass through the attacker's computer. The attacker will forward it on, and the user will not notice any difference in this mode of communication, because he will still be able to reach the Internet.

In the same way, return traffic from the Internet will flow back to the user through the attacker's computer. This is what is called a Man in the Middle (MiM) attack. All of the user's traffic passes through the hacker's computer, which is able to read everything the user sends or receives. This is one type of attack that can occur on networks that use DHCP.
The second type of attack is called Denial of Service (DoS), or "denial of service". What happens here? The hacker's computer no longer acts as a DHCP server; now it is an attacking device. It sends a Discover request to the real DHCP server and receives an Offer message in response, then sends a Request to the server and receives an IP address from it. The attacker's computer repeats this every few milliseconds, obtaining a new IP address each time.

Depending on its settings, the real DHCP server has a pool of a hundred or several hundred free IP addresses. The hacker's computer will receive the IP addresses .1, .2, .3 and so on until the address pool is completely exhausted. After this, the DHCP server can no longer provide IP addresses to new clients on the network. If a new user joins the network, he will not be able to obtain a free IP address. This is the point of a DoS attack on a DHCP server: to prevent it from issuing IP addresses to new users.
To counter such attacks, the concept of DHCP Snooping is used. This is an OSI Layer 2 function that acts like an ACL and works only on switches. To understand DHCP Snooping, you need to keep two concepts in mind: the trusted ports of the switch and the untrusted ports, those leading to other devices on the network.
Trusted ports allow any type of DHCP message to pass. Untrusted ports are the ports to which clients are connected, and DHCP Snooping ensures that DHCP server messages (Offer and Acknowledge, as explained below) arriving on these ports are dropped.
If we recall the DORA process, the D message goes from the client to the server, and the O message from the server to the client. Then the R message is sent from the client to the server, and the server sends the A message to the client.

D and R messages arriving on untrusted ports are accepted, while O and A messages are dropped. When the DHCP Snooping function is enabled, all switch ports are considered untrusted by default. The function can be applied either to the switch as a whole or to an individual VLAN. For example, if VLAN10 is assigned to a port, you can enable this feature only for VLAN10, and that port will become untrusted.
When enabling DHCP Snooping, you, as the system administrator, must go into the switch configuration and set up the ports so that only those to which server-type devices are connected are trusted. This means any kind of server, not just DHCP.
For example, if another switch, a router or the real DHCP server is connected to a port, then that port is configured as trusted. The remaining switch ports, to which end-user devices or wireless access points are connected, must be configured as untrusted. Thus any device such as an access point, through which users are connected to the switch, uses an untrusted port.
If the attacker's computer sends O and A messages to the switch, they will be blocked, that is, such traffic cannot pass through an untrusted port. This is how DHCP Snooping protects against the types of attack discussed above.

In addition, DHCP Snooping builds a DHCP binding table. After a client receives an IP address from the server, that address, together with the MAC address of the device that received it, is entered into the DHCP Snooping table. These two values are associated with the untrusted port to which the client is connected.

This helps, for example, to protect against a DoS attack. If a client with a given MAC address has already received an IP address, why should it request a new one? In that case any such attempt is blocked immediately after the entry in the table is checked.
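The configuration the lesson describes, as an added example (not from the original lesson or from Cisco documentation): DHCP Snooping enabled for VLAN 10, the uplink towards the real DHCP server trusted, the user-facing ports left untrusted and rate-limited. The interface numbers and VLAN are assumptions.

```cisco
! Added example: DHCP Snooping on a Cisco IOS access switch.
! Assumed topology: Gi0/1 is the uplink to the router / real DHCP server,
! Gi0/2 - Gi0/24 are access ports for end users and access points in VLAN 10.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
!
! Uplink to the real DHCP server (or another switch / router): trusted,
! so Offer and Ack messages may enter here.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description Uplink-to-DHCP-server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
!
! User-facing ports stay untrusted (the default once snooping is enabled):
! Offer / Ack arriving on them are dropped, Discover / Request are allowed.
! The rate limit (packets per second) slows a Discover/Request flood that
! tries to exhaust the server's address pool.
Switch(config)# interface range GigabitEthernet0/2 - 24
Switch(config-if-range)# no ip dhcp snooping trust
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
!
! If the real DHCP server rejects requests carrying the option 82 that the
! switch inserts by default, turn the insertion off:
Switch(config)# no ip dhcp snooping information option
!
! Verification: snooping state and trusted ports, then the binding table
! (MacAddress, IpAddress, Lease, Type, VLAN, Interface per client lease).
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

After a client on an untrusted port completes DORA through the trusted uplink, its lease appears in the binding table bound to that port, which is the record the lesson refers to.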
The next thing we need to discuss is Nondefault, or "non-default", Native VLANs. We have touched on the topic of VLANs repeatedly, devoting 4 video lessons to these networks. If you have forgotten what they are, I advise you to review those lessons.
We know that on Cisco switches the default Native VLAN is VLAN1. There is an attack called VLAN Hopping. Suppose the computer in the diagram is connected to the first switch through the default network, VLAN1, and the last switch is connected to a computer on the VLAN10 network. A trunk is established between the switches.
Normally, when traffic from the first computer reaches the switch, the switch knows that the port to which this computer is connected belongs to VLAN1. Next, this traffic goes onto the trunk between the two switches, and the first switch reasons as follows: "this traffic comes from the Native VLAN, so I do not need to tag it," and forwards the traffic untagged along the trunk, where it reaches the second switch.

Switch 2, having received the untagged traffic, reasons as follows: "since this traffic is untagged, it belongs to VLAN1, and I cannot forward it into VLAN10." As a result, the traffic sent by the first computer cannot reach the second computer.
In fact, this is exactly how it should work: VLAN1 traffic must not get into VLAN10. Now suppose that behind the first computer there is an attacker who builds a frame with a VLAN10 tag and sends it to the switch. If you remember how VLANs work, you know that when tagged traffic reaches the switch, the switch does nothing with the frame but simply forwards it further along the trunk. As a result, the second switch receives traffic with a tag created by the attacker, not by the first switch.

This means that you should replace the Native VLAN with something other than VLAN1.
Since the second switch does not know who created the VLAN10 tag, it simply forwards the traffic to the second computer. This is how a VLAN Hopping attack works: the attacker gets into a network that was initially inaccessible to him.
To prevent such an attack, you need to create a Random VLAN, that is, an arbitrary VLAN, for example VLAN999, VLAN666, VLAN777, etc., which the attacker cannot use at all. Then we go to the trunk ports of the switches and configure them to work, for example, with Native VLAN666. In this case we change the Native VLAN of the trunk port from VLAN1 to VLAN666, that is, we use any network other than VLAN1 as the Native VLAN.
The ports on both ends of the trunk must be configured with the same VLAN, otherwise we will get a native VLAN mismatch error.

After this configuration, if a hacker decides to carry out a VLAN Hopping attack, he will not succeed, because native VLAN1 is no longer assigned to any trunk port of the switches. This is how to protect against the attack by creating non-default native VLANs.
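The trunk configuration the lesson describes, as an added example (not from the original lesson or from Cisco documentation): the same unused VLAN set as native on both ends of the trunk, with the checks that confirm the two sides match. The interface number, switch names and the choice of VLAN 666 are assumptions.

```cisco
! Added example: non-default native VLAN on the trunk between two switches.
! Assumed: the trunk is GigabitEthernet0/24 on both switches, user traffic is
! in VLAN 10, and VLAN 666 is an otherwise unused VLAN chosen as native.
! Never assign VLAN 666 to any access port; it exists only to carry the
! untagged frames on the trunk.
!
! --- Switch1 ---
Switch1(config)# vlan 666
Switch1(config-vlan)# name NATIVE-UNUSED
Switch1(config-vlan)# exit
Switch1(config)# interface GigabitEthernet0/24
! The encapsulation command is needed only on platforms that also support ISL.
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk native vlan 666
Switch1(config-if)# exit
!
! --- Switch2 --- must be identical, otherwise CDP reports the native VLAN
! mismatch the lesson mentions and the trunk is not usable for that VLAN.
Switch2(config)# vlan 666
Switch2(config-vlan)# name NATIVE-UNUSED
Switch2(config-vlan)# exit
Switch2(config)# interface GigabitEthernet0/24
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk native vlan 666
Switch2(config-if)# exit
!
! Verification on each switch: the "Native vlan" column must show 666 on
! both ends, and the switchport view confirms the operational native VLAN.
Switch1# show interfaces trunk
Switch1# show interfaces GigabitEthernet0/24 switchport
```

With this in place, untagged frames on the trunk are treated as VLAN 666 traffic, so a frame sent untagged from VLAN1 can no longer be turned into VLAN10 traffic on the far switch.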

Source: www.habr.com
