华为中心AP 配置入侵防御实验

知孤云出岫2024-03-23 14:32

配置入侵防御示例

组网图形
图1入侵防御组网图

  • 组网需求
  • 配置思路
  • 操作步骤
  • 中心AP的配置文件
组网需求

图1所示,某企业部署了WLAN网络,内网用户可以访问Internet的Web服务器。现需要在中心AP上配置入侵防御功能,具体要求如下:

保护内网用户,避免内网用户访问Internet的Web服务器时受到攻击。例如,含有恶意代码的网站对内网用户发起攻击。

配置思路
  1. 配置WLAN基本业务。
  2. 配置入侵防御模板"profile_ips_pc",保护内网用户。通过配置签名过滤器来满足安全需要。
  3. 创建攻击防御模板"defence_1",并引用入侵防御模板"profile_ips_pc",保护内网用户免受来自Internet的攻击。
  4. 配置WLAN业务VAP引用攻击防御模板,使入侵防御功能生效。
操作步骤

  1. 配置WLAN基本业务,具体配置步骤请参照配置敏捷分布式WLAN组网示例

  2. 使能安全引擎。

    screen 复制代码 
    <span style="background-color:#dddddd">[AP] <strong>defence engine enable</strong>
</span>

  3. 创建入侵防御模板"profile_ips_pc",保护内网用户。

    screen 复制代码 
    <span style="background-color:#dddddd">[AP] <strong>profile type ips name profile_ips_pc</strong>
[AP-profile-ips-profile_ips_pc] <strong>description profile for intranet users</strong>
[AP-profile-ips-profile_ips_pc] <strong>collect-attack-evidence enable</strong>
Warning: Succeeded in configuring attack evidence collection for the IPS functio
n. The function is used for fault locating. This function may deteriorate system
 performance. Exercise caution before using the function.                       
Attack evidences can be collected only when a log storage device with sufficient
 storage space is available.                                                    
After all required attack evidences are collected, disable the function.        
Our company alone is unable to transfer or process the communication contents or
 personal data.  You are advised to enable the related functions based on the ap
plicable laws and regulations in terms of purpose and scope of usage. When the c
ommunication contents or personal data are being transferred or processed,  you 
are obliged to take considerable measures to ensure that these contents are full
y protected. Continue? [Y/N]: <strong>y</strong> 
[AP-profile-ips-profile_ips_pc] <strong>signature-set name filter1</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>target client</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>severity high</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>protocol HTTP</strong>
[AP-profile-ips-profile_ips_pc-sigset-filter1] <strong>quit</strong>
[AP-profile-ips-profile_ips_pc] <strong>quit</strong>
</span>

  4. 提交配置。

    screen 复制代码 
    <span style="background-color:#dddddd">[AP] <strong>engine configuration commit</strong>
</span>

  5. 创建攻击防御模板"defence_1",引用入侵防御模板"profile_ips_pc"。

    screen 复制代码 
    <span style="background-color:#dddddd">[AP] <strong>defence-profile name defence_1</strong>
[AP-defence-profile-defence_1] <strong>profile type ips profile_ips_pc</strong>
[AP-defence-profile-defence_1] <strong>quit</strong>
</span>

  6. 在VAP模板上引用攻击防御模板"defence_1"。

    screen 复制代码 
    <span style="background-color:#dddddd">[AP] <strong>wlan</strong>
[AP-wlan-view] <strong>vap-profile name wlan-vap</strong>
[AP-wlan-vap-prof-wlan-vap] <strong>defence-profile defence_1</strong>
[AP-wlan-vap-prof-wlan-vap] <strong>quit</strong>
</span>

  7. 验证配置结果。

    在中心AP上执行命令display profile type ips name profile_ips_pc,查看入侵防御配置文件的配置信息。

    screen 复制代码 
    <span style="background-color:#dddddd">[AP-wlan-view] <strong>display profile type ips name profile_ips_pc</strong>
   IPS Profile Configurations:                                                    
 ----------------------------------------------------------------------         
 Name                              : profile_ips_pc                             
 Description                       : profile for intranet users                 
 Referenced                        : 1                                          
 State                             : committed                                  
 AttackEvidenceCollection          : enable                                     
                                                                                
 SignatureSet                      : filter1                                    
   Target                          : client                                     
   Severity                        : high                                       
   OS                              : N/A                                        
   Protocol                        : HTTP                                       
   Category                        : N/A                                        
   Action                          : default                                    
   Application                     : N/A                                        
                                                                                
 Exception:                                                                     
 ID       Action                                        Name                    
 ----------------------------------------------------------------------         

 DNS Protocol Check:                                                            
                                                                                
 HTTP Protocol Check:                                                  
 ----------------------------------------------------------------------    </span>
中心AP的配置文件
screen 复制代码 
<span style="background-color:#dddddd">#
 defence engine enable
 sysname AP
#
profile type ips name profile_ips_pc 
 description profile for intranet users 
 collect-attack-evidence enable 
 signature-set name filter1 
  target client 
  severity high 
  protocol HTTP 
#   
vlan batch 100 to 101
#
dhcp enable
#
defence-profile name defence_1                                                  
  profile type ips profile_ips_pc  
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 101
#
management-vlan 100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  defence-profile defence_1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 1 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return</span>

父主题: 配置举例
版权所有 © 华为技术有限公司

相关推荐
月落.7 小时前
WPF的<ContentControl>控件
wpf
就是有点傻7 小时前
WPF中的依赖属性
开发语言·wpf
wangnaisheng7 小时前
【WPF】把一个Window放在左上角/右上角顶格显示
wpf
WineMonk7 小时前
.NET WPF CommunityToolkit.Mvvm框架
.net·wpf·mvvm
月落.7 小时前
WPF中的INotifyPropertyChanged接口
wpf
界面开发小八哥7 小时前
界面控件DevExpress WPF中文教程:Data Grid——卡片视图设置
.net·wpf·界面控件·devexpress·ui开发
平凡シンプル7 小时前
WPF 打包
wpf
VickyJames7 小时前
基于XAML框架和跨平台项目架构设计的深入技术分析
wpf·开源分享·unoplatform·winui3·项目架构
冷眼Σ(-᷅_-᷄๑)11 小时前
WPF缩放动画和平移动画叠加后会发生什么?
wpf·动画
△曉風殘月〆13 小时前
WPF MVVM入门系列教程(二、依赖属性)
c#·wpf·mvvm
热门推荐
01【HarmonyOS】HUAWEI DevEco Studio 下载地址汇总02(欧拉)openEuler系统添加网卡文件配置流程、(欧拉)openEuler系统手动配置ipv6地址流程、(欧拉)openEuler系统网络管理说明03组基轨迹建模 GBTM的介绍与实现(Stata 或 R)04【AIGC】重塑未来的科技巨轮05全面解析:构建基于深度学习的安全帽检测系统(UI界面+YOLO代码+数据集)06【经验分享】Ubuntu22.04安装微信(linux官方版)07基于YOLOv10深度学习的CT扫描图像肾结石智能检测系统【python源码+Pyqt5界面+数据集+训练代码】深度学习实战、目标检测08Ubuntu 20.04使用Livox mid 360 测试 FAST_LIO09RAG 实践- Ollama+RagFlow 部署本地知识库10【TC3xx芯片】TC3xx芯片电源管理系统PMS详解