Huawei Central AP: Intrusion Prevention Configuration Lab

Example for Configuring Intrusion Prevention

Networking diagram
Figure 1 Intrusion prevention networking diagram

  • Networking requirements
  • Configuration roadmap
  • Procedure
  • Configuration file of the central AP
Networking requirements

As shown in Figure 1, an enterprise has deployed a WLAN, and intranet users can access web servers on the Internet. The intrusion prevention function now needs to be configured on the central AP, with the following requirement:

Protect intranet users from attacks while they access web servers on the Internet, for example, attacks launched against intranet users by websites that host malicious code.

Configuration roadmap
  1. Configure basic WLAN services.
  2. Create the intrusion prevention profile "profile_ips_pc" to protect intranet users, and configure a signature filter (signature set) in it to meet the security requirement.
  3. Create the attack defence profile "defence_1" and bind the intrusion prevention profile "profile_ips_pc" to it, so that intranet users are protected against attacks from the Internet.
  4. Bind the attack defence profile to the WLAN service VAP profile so that the intrusion prevention function takes effect.
Procedure
  1. Configure basic WLAN services. For the detailed steps, see the example for configuring an agile distributed WLAN.

  2. Enable the security engine.

    [AP] defence engine enable
  3. Create the intrusion prevention profile "profile_ips_pc" to protect intranet users. The signature set "filter1" selects the signatures that target clients, have high severity and match the HTTP protocol. Attack evidence collection is a fault-locating aid: as the device warning states, it costs performance, needs a log storage device with enough space, and should be disabled once the required evidence has been collected.

    [AP] profile type ips name profile_ips_pc
    [AP-profile-ips-profile_ips_pc] description profile for intranet users
    [AP-profile-ips-profile_ips_pc] collect-attack-evidence enable
    Warning: Succeeded in configuring attack evidence collection for the IPS function. The function is used for fault locating. This function may deteriorate system performance. Exercise caution before using the function.
    Attack evidences can be collected only when a log storage device with sufficient storage space is available.
    After all required attack evidences are collected, disable the function.
    Our company alone is unable to transfer or process the communication contents or personal data. You are advised to enable the related functions based on the applicable laws and regulations in terms of purpose and scope of usage. When the communication contents or personal data are being transferred or processed, you are obliged to take considerable measures to ensure that these contents are fully protected. Continue? [Y/N]: y
    [AP-profile-ips-profile_ips_pc] signature-set name filter1
    [AP-profile-ips-profile_ips_pc-sigset-filter1] target client
    [AP-profile-ips-profile_ips_pc-sigset-filter1] severity high
    [AP-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP
    [AP-profile-ips-profile_ips_pc-sigset-filter1] quit
    [AP-profile-ips-profile_ips_pc] quit
  4. Commit the configuration. The verification step shows the IPS profile in the committed state only after this command has been run.

    [AP] engine configuration commit
  5. Create the attack defence profile "defence_1" and bind the intrusion prevention profile "profile_ips_pc" to it.

    [AP] defence-profile name defence_1
    [AP-defence-profile-defence_1] profile type ips profile_ips_pc
    [AP-defence-profile-defence_1] quit
  6. Bind the attack defence profile "defence_1" to the VAP profile.

    [AP] wlan
    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] defence-profile defence_1
    [AP-wlan-vap-prof-wlan-vap] quit
  7. Verify the configuration.

    Run the display profile type ips name profile_ips_pc command on the central AP to view the intrusion prevention profile. Check that State is committed (step 4 was run) and that Referenced is 1 (the profile is bound to an attack defence profile); the signature set shows the target, severity and protocol filters configured in step 3.

    [AP-wlan-view] display profile type ips name profile_ips_pc
      IPS Profile Configurations:
     ----------------------------------------------------------------------
     Name                              : profile_ips_pc
     Description                       : profile for intranet users
     Referenced                        : 1
     State                             : committed
     AttackEvidenceCollection          : enable

     SignatureSet                      : filter1
       Target                          : client
       Severity                        : high
       OS                              : N/A
       Protocol                        : HTTP
       Category                        : N/A
       Action                          : default
       Application                     : N/A

     Exception:
     ID       Action                                        Name
     ----------------------------------------------------------------------

     DNS Protocol Check:

     HTTP Protocol Check:
     ----------------------------------------------------------------------
Configuration file of the central AP

#
 defence engine enable
 sysname AP
#
profile type ips name profile_ips_pc
 description profile for intranet users
 collect-attack-evidence enable
 signature-set name filter1
  target client
  severity high
  protocol HTTP
#
vlan batch 100 to 101
#
dhcp enable
#
defence-profile name defence_1
  profile type ips profile_ips_pc
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 101
#
management-vlan 100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  defence-profile defence_1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 1 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
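The binding chain that steps 2 to 6 build (engine enabled, IPS profile with a signature set, attack defence profile referencing it, VAP profile referencing that, VAP profile pushed to a radio through an AP group) breaks silently if any one line is missing, and the check in step 7 only covers the IPS profile itself. The following Python script is an added example, not part of the Huawei page or of any Huawei tooling: it parses the text of the saved configuration (as shown above, or as printed by display current-configuration) and the display profile type ips output, and reports any break in the chain, a profile that is not committed or not referenced, and evidence collection left enabled. The sample inputs are constructed from this page's configuration file and display output; the nesting rule (deeper indentation nests under the previous line, a '#' line ends a section) is taken from the configuration file's layout, and treating any State other than committed as "not in effect" is the script's assumption, not a statement from the documentation.

```python
# Added example, not code from the Huawei page: audit the IPS binding chain
#   defence engine enable -> profile type ips -> defence-profile -> vap-profile -> radio
# in a saved central-AP configuration, and check that 'display profile type ips ...'
# shows the profile committed and referenced. Sample texts are constructed from the page.
import re

def parse_config(text):
    """Tree of {"cmd", "children"}: deeper indentation nests, a '#' line ends a section."""
    root = {"cmd": "", "children": []}
    stack = [(-1, root)]
    for line in map(str.rstrip, text.splitlines()):
        if not line.strip() or line.strip() in ("#", "return"):
            stack = [(-1, root)]
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:
            stack.pop()
        node = {"cmd": line.strip(), "children": []}
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
    return root

def walk(node):
    for child in node["children"]:
        yield child
        yield from walk(child)

def named(root, prefix):
    """name -> node for every '<prefix> <name> ...' command anywhere in the tree."""
    return {n["cmd"][len(prefix) + 1:].split()[0]: n
            for n in walk(root) if n["cmd"].startswith(prefix + " ")}

def audit_ips_chain(config_text):
    """Findings as strings; an empty list means every VAP's clients get the IPS policy."""
    root, findings = parse_config(config_text), []
    if not any(n["cmd"] == "defence engine enable" for n in walk(root)):
        findings.append("security engine disabled: 'defence engine enable' is missing")
    ips, defence = named(root, "profile type ips name"), named(root, "defence-profile name")
    for name, node in ips.items():
        if not any(c["cmd"].startswith("signature-set name ") for c in node["children"]):
            findings.append(f"IPS profile {name} has no signature-set, so it matches nothing")
    for name, node in defence.items():
        refs = [c["cmd"].split()[-1] for c in node["children"] if c["cmd"].startswith("profile type ips ")]
        findings += [f"defence-profile {name} references unknown IPS profile {r}" for r in refs if r not in ips]
    # VAP profiles that are actually pushed to a radio through an ap-group
    bound = {m.group(1) for group in named(root, "ap-group name").values() for n in walk(group)
             if (m := re.match(r"vap-profile (\S+) wlan \d+$", n["cmd"]))}
    for name, node in named(root, "vap-profile name").items():
        refs = [c["cmd"].split()[1] for c in node["children"] if c["cmd"].startswith("defence-profile ")]
        if not refs:
            findings.append(f"vap-profile {name} has no defence-profile: its clients are not inspected")
        findings += [f"vap-profile {name} references unknown defence-profile {r}" for r in refs if r not in defence]
        if name not in bound:
            findings.append(f"vap-profile {name} is not bound to any radio, so it protects nobody")
    return findings

def check_display(display_text):
    """Parse 'display profile type ips name <name>' output into a dict and flag an
    uncommitted or unreferenced profile, plus evidence collection left switched on."""
    fields = dict(re.findall(r"^\s*([A-Za-z][^:]*?)\s*:\s*(\S.*?)\s*$", display_text, re.M))
    findings = []
    if fields.get("State") != "committed":   # assumption: anything else means not in effect
        findings.append(f"State is {fields.get('State')!r}: run 'engine configuration commit'")
    if int(fields.get("Referenced", "0")) < 1:
        findings.append("Referenced is 0: no defence-profile uses this IPS profile")
    if fields.get("AttackEvidenceCollection") == "enable":
        findings.append("AttackEvidenceCollection is enabled: disable it once evidence is collected")
    return fields, findings

# Constructed from the page's configuration file, trimmed to the IPS-relevant sections.
CENTRAL_AP_CONFIG = """\
#
 defence engine enable
#
profile type ips name profile_ips_pc
 signature-set name filter1
  target client
  severity high
  protocol HTTP
#
defence-profile name defence_1
  profile type ips profile_ips_pc
#
wlan
 vap-profile name wlan-vap
  defence-profile defence_1
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
#
return
"""
# Constructed from the page's 'display profile type ips name profile_ips_pc' output.
DISPLAY_OUTPUT = """\
 Name                              : profile_ips_pc
 Referenced                        : 1
 State                             : committed
 AttackEvidenceCollection          : enable
"""
```

Against the page's own configuration audit_ips_chain returns an empty list; deleting the single defence-profile defence_1 line from the VAP profile, or the defence engine enable line, produces one finding each. check_display on the page's output reports only that evidence collection is still enabled, which is exactly the reminder the device warning in step 3 gives.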

Parent topic: Configuration Examples
Copyright © Huawei Technologies Co., Ltd.
