LAB WORK No. 2. CONFIGURING PORT SECURITY ON A SWITCH

Purpose of the work: to gain practical skills in configuring the switch's "port-security" function, which makes it possible to protect the network from attacks aimed at overflowing the switching (MAC address) tables.

Brief theoretical information

The port-security function makes it possible to configure a given switch port so that only the specified devices can access the network through it. The devices permitted on the port are identified by their MAC addresses. The MAC addresses can be learned dynamically or configured manually by the network administrator. In addition, port-security makes it possible to limit the number of hosts that connect to a port, which is done by specifying the number of MAC addresses allowed on the port. Another function is protecting the switch from attacks aimed at overflowing the MAC address table (Figure 2.1).

Figure 2.1. How the Port Security function works on a switch

There are two ways to restrict MAC addresses:
1. Static: the administrator specifies which addresses are allowed (Figure 2.3);
2. Dynamic: the administrator specifies how many addresses are allowed, and the switch remembers which addresses are currently communicating through the given port (Figure 2.3).

In Windows, the MAC address of an Ethernet adapter is found with the ipconfig /all command. In Figure 2.2 below the computer's MAC address is shown as 00-18DE-C7-F3-FB.

Figure 2.2. Viewing a computer's MAC address

The switch's MAC address table is viewed with the show mac-address-table command (Figure 2.3).

Figure 2.3. Viewing the switch's MAC address table

One of the simplest ways to protect a switch is to disable unused ports.
Disabling unused ports

Disabling unused ports is one of the simple methods used by most administrators to protect the network from unauthorized access. For example, if a Catalyst 2960 switch has 24 ports and only 3 FastEthernet ports are in use, it is recommended to disable the remaining 21 unused ports. To do this, each unused port is entered and the shutdown command is issued; in Cisco IOS a whole range of ports can be disabled at once:

Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown

If the ports need to be brought back into service later, the no shutdown command is used:

Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#no shutdown

Port-security on Cisco switches

Configuring port-security

Port-security is configured on an interface through the switch's port modes. On most Cisco switches the ports are in dynamic auto mode by default, and this mode is not compatible with the port-security function. Therefore the interface must be switched to trunk or access mode:

switch(config-if)# switchport mode <access | trunk>

Enabling port-security on the interface:

switch(config-if)# switchport port-security

Configuring secure MAC addresses

Dynamic storage of addresses (sticky) is enabled with the command:

switch(config-if)# switchport port-security mac-address sticky

If the addresses must be entered statically, the addresses are written in place of the sticky keyword:

switch(config)# interface ethernet 0/1
switch(config-if)# switchport port-security mac-address 0050.3e8d.6400

Maximum number of secure MAC addresses

switchport port-security maximum N means that N MAC addresses may be active on the interface at the same time.
Example:

switch(config)# interface Fastethernet0/3
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security maximum 3
switch(config-if)# switchport port-security

Configuring the security-violation response mode

There are three ways of responding to a security violation:

switch(config-if)# switchport port-security violation <protect | restrict | shutdown>

switchport port-security violation restrict sets the violation response mode. In this mode, if a third, unknown MAC address appears on the interface, all packets coming from it are dropped. In addition, a message is sent to the logging facilities: syslog, an SNMP trap and the violation counter.

switchport port-security violation shutdown puts the interface into the error-disabled state and shuts it down when a violation is detected. In addition, a message is sent to the logging facilities: syslog, an SNMP trap and the violation counter. To bring the interface out of this state, the shutdown and no shutdown commands are used.

If the switchport port-security violation protect command has been entered on the interface, packets from an unknown MAC address are dropped, no message is generated, and the port does not go into the shutdown state.

Of these methods, switchport port-security violation restrict is recommended in most cases.
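The three violation modes differ only in what happens to the frame, the counter and the port itself. The following toy model, an added example that is not part of the original lab manual and not Cisco code, feeds the same frame sequence to a port configured with each mode so the difference is visible. The class name, the per-frame decisions ("forward", "drop", "err-disabled") and the log line text are this example's own; the sample MAC addresses are taken from Table 2.1 below and the traffic sequence is constructed.

```python
"""Toy model of Cisco port-security violation handling (constructed example).

Models one switch port with a secure-MAC limit and one of the three violation
modes: protect, restrict, shutdown. Not Cisco code; names are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # switchport port-security maximum N
    violation: str = "shutdown"         # protect | restrict | shutdown (IOS default is shutdown)
    sticky: bool = True                 # learn addresses dynamically (sticky) instead of a static list
    secure_macs: set = field(default_factory=set)   # static entries can be pre-filled here
    status: str = "Secure-up"
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forward', 'drop' or 'err-disabled'."""
        mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return "err-disabled"       # port stays down until shutdown / no shutdown
        if mac in self.secure_macs:
            return "forward"
        if self.sticky and len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)   # sticky learning: the address becomes secure
            return "forward"
        # Unknown MAC beyond the configured maximum: a security violation
        if self.violation == "protect":
            return "drop"               # silently dropped, nothing logged, counter unchanged
        self.violation_count += 1
        # Log line text approximates the IOS syslog message; it is constructed here
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {self.name} src {mac}")
        if self.violation == "restrict":
            return "drop"               # dropped, but logged and counted
        self.status = "Secure-shutdown" # shutdown mode: interface goes error-disabled
        return "err-disabled"

    def recover(self) -> None:
        """Equivalent of 'shutdown' followed by 'no shutdown' on the interface."""
        self.status = "Secure-up"


def run_modes(frames):
    """Feed the same frame sequence to a port in each mode; return per-mode results."""
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(name="Fa0/3", maximum=2, violation=mode)
        decisions = [port.receive(m) for m in frames]
        results[mode] = {"decisions": decisions,
                         "violations": port.violation_count,
                         "status": port.status,
                         "logged": len(port.syslog)}
    return results


# Constructed traffic: two legitimate hosts, a third unknown MAC, then the first host again
FRAMES = ["000B.BE9B.EE4A", "00D0.5819.04E3", "0004.9AB9.DAC2", "000B.BE9B.EE4A"]

if __name__ == "__main__":
    for mode, result in run_modes(FRAMES).items():
        print(mode, result)
```

With maximum 2, the third address is a violation in every mode: protect drops it with no trace, restrict drops it but increments the counter and logs, and shutdown error-disables the port so that even the legitimate first host is cut off until the interface is recovered.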
Clearing the MAC address table

Clearing the MAC address table so that other devices can connect:

switch# clear port-security [all|configured|dynamic|sticky] [address <mac>|interface <int-id>]
switch# clear port-security all
switch# clear port-security configured
switch# clear port-security dynamic
switch# clear port-security sticky

Viewing information about the port-security configuration

switch# show port-security
switch# show port-security interface fa0/3
switch# show port-security address

Assignment

Build the network topology shown in Figure 2.4 in Cisco Packet Tracer;
Configure an IP address for each computer and determine the MAC addresses as shown in Figure 2.2;
Configure the security parameters on each port of the switch;
Enter the tasks listed above in Table 2.1.

Figure 2.4. Network topology.

Table 2.1

Device   IP address    MAC address      Interface   Port modes
Laptop0  192.168.1.1   00E0.F902.D683   Fa0         n/a
Laptop1  192.168.1.2   000B.BE9B.EE4A   Fa0         n/a
Laptop2  192.168.1.3   00D0.5819.04E3   Fa0         n/a
Laptop3  192.168.1.4   0004.9AB9.DAC2   Fa0         n/a
Laptop4  192.168.1.5   00D0.BAC2.8C58   Fa0         n/a
Laptop5  192.168.1.6   0000.0C6E.01E0   Fa0         n/a
SW1      N/A           N/A              Fa0/1       sticky
SW1      N/A           N/A              Fa0/2
SW1      N/A           N/A              Fa0/3       violation protect
SW1      N/A           N/A              Fa0/5-24    shutdown
SW2      N/A           N/A              Fa0/1       restrict
SW2      N/A           N/A              Fa0/2       restrict
SW2      N/A           N/A              Fa0/3       protect
SW2      N/A           N/A              Fa0/4       maximum 4, mac-address 00D0.5819.04E3

Procedure

Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw1
Sw1(config)#interface fa0/1

1. Change the port to access mode
Sw1(config-if)#switchport mode access

2. Enable port-security on the port
Sw1(config-if)#switchport port-security

3. Specify dynamic learning of the secure MAC
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#exit

4. Specify a static secure MAC
Sw1(config)#interface fastEthernet 0/2
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address 000B.BE9B.EE4A
Sw1(config-if)#end

5. Configure the security-violation response mode
Sw1(config)#interface fastEthernet 0/3
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#switchport port-security violation protect
Sw1(config-if)#end

6. Disable unused ports
Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown

7. Specify the maximum number N of secure MACs on the port (this command is recommended for switch Sw2)
Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw2
Sw2(config)#interface fa0/4
Sw2(config-if)#switchport mode trunk
Sw2(config-if)#switchport port-security
Sw2(config-if)#switchport port-security maximum 4
Sw2(config-if)#switchport port-security violation restrict

8. Check the result
Switch#show port-security interface fa 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0

9. Save the configuration
Switch#copy running-config startup-config

Assignment

Each student performs the laboratory work in the Cisco Packet Tracer environment according to the information given above.

Control questions
1. What is a MAC address and how is it determined on devices?
2. Why is the port security function used on a switch?
3. In what cases is the maximum number N of secure MACs used?
4. List the main attributes of port security.
5. What other measures for ensuring switch security do you know?
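Step 8 checks one port by eye. When every port of SW1 and SW2 has to be verified against Table 2.1, the output of show port-security interface is worth parsing and comparing with the intended policy. The script below is an added example, not part of the original lab manual and not Cisco tooling: it parses the key-value format shown in step 8 and reports deviations (port-security disabled, port error-disabled, violations recorded, mode or maximum differing from policy). The first sample output is the one from step 8; the second is constructed to show a port that has gone error-disabled. The function names and the audit rules are this example's own.

```python
"""Parse 'show port-security interface' output and audit it against policy.

Constructed example; the parser and the findings are this example's own and
are written for the output format shown in step 8 of the procedure.
"""
import re

# Output copied from step 8 above (Sw1 fa0/1)
OUTPUT_OK = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0
"""

# Constructed output for a port that went error-disabled after one violation
OUTPUT_ERRDISABLED = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0004.9AB9.DAC2:1
Security Violation Count : 1
"""


def parse_port_security(text):
    """Return the output as a dict; plain numbers (and 'N mins') become int."""
    info = {}
    for raw in text.splitlines():
        # Split on ' : ' rather than ':' because the key
        # 'Last Source Address:Vlan' itself contains a colon.
        if " : " not in raw:
            continue
        key, value = raw.split(" : ", 1)
        key, value = key.strip(), value.strip()
        num = re.fullmatch(r"(\d+)( mins)?", value)
        info[key] = int(num.group(1)) if num else value
    return info


def audit(info, expected_mode=None, expected_max=None):
    """Return a list of findings; an empty list means the port matches policy."""
    findings = []
    if info.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled on this port")
    if info.get("Port Status") == "Secure-shutdown":
        findings.append("port is error-disabled after a violation "
                        "(recover with shutdown / no shutdown)")
    count = info.get("Security Violation Count", 0)
    if count > 0:
        findings.append(f"{count} security violation(s) recorded, "
                        f"last source {info.get('Last Source Address:Vlan')}")
    mode = info.get("Violation Mode", "")
    if expected_mode and mode.lower() != expected_mode.lower():
        findings.append(f"violation mode is {mode}, policy requires {expected_mode}")
    maximum = info.get("Maximum MAC Addresses")
    if expected_max is not None and maximum != expected_max:
        findings.append(f"maximum is {maximum}, policy requires {expected_max}")
    return findings


if __name__ == "__main__":
    for label, text in (("Sw1 fa0/1", OUTPUT_OK), ("constructed", OUTPUT_ERRDISABLED)):
        result = audit(parse_port_security(text), expected_mode="shutdown", expected_max=1)
        print(label, "OK" if not result else result)
```

In practice the text would come from the switch (for example, collected over SSH) and the expected mode and maximum from a table such as Table 2.1; a non-empty findings list is what an operator should look at first, since a rising violation count or a Secure-shutdown status is the sign that the protection described in this lab has actually triggered.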