

Ethernet Spoofing

  • Ethernet Spoofing

    Just in case they ask you about Ethernet spoofing in the CCIE exam.


    Hi Hunt,

    The key is the ACL's direction, which is "out" from the perspective of the router. The first one denies any packet coming out of the router's F0/0 interface going to the internal network, which will deny all packets from going to 172.26.1.0/24 (bad thing).

    And the latter one will deny any packet coming out of the router's F0/0 interface with a source IP address of 172.26.1.0/24, which is what you want.

    Regards,
    Donny



    From: Hunt Lee <huntl@webcentral.com.au>
    Sent by: nobody@groupstudy.com
    To: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>
    Subject: Ethernet Spoofing
    Date: 10-04-2003 07:15
    Please respond to Hunt Lee

    Hi Group,

    |
    (s1/0.1)--- R14 ---| (fa0/0)
    |

    R14 is using CBAC. S0/0 is the outside interface for CBAC, while fa0/0 is the inside interface.

    Now, if a question says "block spoofing for the FastEthernet interface"...

    interface FastEthernet0/0
    ip address 172.26.1.14 255.255.255.0
    ip access-group 103 out
    ip nat inside
    ip inspect FW in
    duplex auto
    speed auto

    For the ACL 103, would I need:-

    access-list 103 deny ip any 172.26.1.0 0.0.0.255
    access-list 103 permit ip any any

    OR this?


    access-list 103 deny ip 172.26.1.0 0.0.0.255 any
    access-list 103 permit ip any any


    I would think the 1st one is the correct one, however, the answer claims that the latter one is correct... can anyone see any logic in this?

    And for completeness, here is the answer config for the entire router ;)

    r14#sh run
    Building configuration...
    !
    ip inspect name FW tcp
    ip inspect name FW udp
    ip inspect name FW cuseeme
    ip inspect name FW ftp
    ip inspect name FW h323
    ip inspect name FW rcmd
    ip inspect name FW realaudio
    ip inspect name FW smtp
    ip inspect name FW streamworks
    ip inspect name FW vdolive
    ip inspect name FW sqlnet
    ip inspect name FW tftp
    ip audit notify log
    ip audit po max-events 100
    !
    class-map match-all classvoip
    match access-group 199
    !
    !
    policy-map policyvoip
    class classvoip
    priority 26
    class class-default
    fair-queue
    !
    !
    !
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key thor address 172.27.2.13
    !
    !
    crypto ipsec transform-set rt10 esp-des esp-sha-hmac
    !
    crypto map securevpn 10 ipsec-isakmp
    set peer 172.27.2.13
    set transform-set rt10
    match address 123
    !
    !
    interface Tunnel0
    ip address 23.1.1.14 255.255.255.0
    tunnel source 172.28.1.14
    tunnel destination 172.27.2.13
    crypto map securevpn
    !
    interface Tunnel2
    ip address 100.1.2.14 255.255.255.0
    tunnel source 172.28.1.14
    tunnel destination 62.5.1.3
    !
    interface Tunnel3
    ip address 99.1.1.14 255.255.255.0
    tunnel source 100.1.2.14
    tunnel destination 100.1.1.8
    !
    interface FastEthernet0/0
    ip address 172.26.1.14 255.255.255.0
    ip access-group 103 out
    ip nat inside
    ip inspect FW in
    duplex auto
    speed auto
    !
    interface Ethernet1/0
    no ip address
    shutdown
    half-duplex
    !
    interface Serial1/0
    no ip address
    encapsulation frame-relay
    no ip mroute-cache
    no fair-queue
    frame-relay traffic-shaping
    !
    interface Serial1/0.1 point-to-point
    ip address 172.28.1.14 255.255.255.240
    ip access-group 104 in
    ip nat outside
    ip ospf network broadcast
    frame-relay class frvoip
    frame-relay interface-dlci 146
    crypto map securevpn
    !
    router ospf 10
    log-adjacency-changes
    network 172.28.1.0 0.0.0.15 area 0
    !
    router rip
    version 2
    network 100.0.0.0
    !
    ip local policy route-map frvoipsetup
    ip kerberos source-interface any
    ip nat inside source list 1 interface Serial1/0.1 overload
    ip nat inside source static 172.26.1.10 172.28.1.10
    ip classless
    no ip http server
    !
    !
    map-class frame-relay frvoip
    frame-relay cir 64000
    frame-relay bc 640
    frame-relay be 0
    no frame-relay adaptive-shaping
    service-policy output policyvoip
    access-list 1 permit 172.26.1.0 0.0.0.255
    access-list 103 deny ip 172.26.1.0 0.0.0.255 any
    access-list 103 permit ip any any
    access-list 104 permit ospf host 172.28.1.6 any
    access-list 104 permit udp host 172.27.2.13 host 172.28.1.14 range 16383 20000
    access-list 104 permit tcp host 172.27.2.13 eq 1720 host 172.28.1.14
    access-list 104 permit tcp host 172.27.2.13 host 172.28.1.14 range 11000 11999
    access-list 104 permit esp host 172.27.2.13 host 172.28.1.14
    access-list 104 permit udp host 172.27.2.13 eq isakmp host 172.28.1.14
    access-list 104 permit tcp any host 172.28.1.10 eq smtp
    access-list 104 permit tcp any host 172.28.1.10 eq www
    access-list 104 permit tcp any host 172.28.1.10 eq pop3
    access-list 104 permit tcp any host 172.28.1.10 eq ftp
    access-list 104 permit gre host 62.5.1.3 host 172.28.1.14
    access-list 104 permit gre host 172.28.1.14 host 62.5.1.3
    access-list 104 permit icmp any any
    access-list 123 permit ip 172.26.1.0 0.0.0.255 172.27.3.0 0.0.0.15
    access-list 123 permit ip host 172.28.1.14 host 172.27.2.13
    access-list 199 permit udp any any range 16383 20000
    access-list 199 permit tcp any eq 1720 any
    access-list 199 permit tcp any any eq 1720
    access-list 199 permit tcp any any range 11000 11999
    route-map frvoipsetup permit 10
    match ip address 199
    set ip precedence critical
    !
    !
    !
    voice-port 3/0/0
    !
    voice-port 3/0/1
    connection plar 411
    !
    dial-peer cor custom
    !
    !
    !
    dial-peer voice 10 voip
    destination-pattern 411
    session target ipv4:172.27.2.13
    ip precedence 5
    no vad
    !
    dial-peer voice 20 voip
    destination-pattern 8675309
    session target ipv4:172.27.2.13
    ip precedence 5
    no vad
    !
    dial-peer voice 30 voip
    destination-pattern 3001
    session target ipv4:172.27.2.13
    ip precedence 5
    no vad
    !
    num-exp 867 8675309
    num-exp 1900....... 3001
    !
    end

    Any help will be greatly appreciated.

    Regards,
    Hunt





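    A small Python model of the two ACL 103 candidates from the thread, added here as an illustration (it is not from the mailing-list post). It assumes IOS wildcard-mask semantics and that the constructed packets are ones R14 forwards out of Fa0/0 toward the inside LAN, which is the only traffic an outbound ACL on that interface ever sees.

```python
import ipaddress

# Constructed model of the two ACL 103 candidates from the thread, evaluated
# as IOS would for packets leaving Fa0/0 toward the inside LAN 172.26.1.0/24.

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = every bit is don't-care
LAN = ("172.26.1.0", "0.0.0.255")       # 172.26.1.0/24 as network + wildcard

# Candidate 1 (the poster's first guess): deny ip any 172.26.1.0 0.0.0.255
ACL_103_FIRST = [("deny", ANY, LAN), ("permit", ANY, ANY)]
# Candidate 2 (the answer key):          deny ip 172.26.1.0 0.0.0.255 any
ACL_103_ANSWER = [("deny", LAN, ANY), ("permit", ANY, ANY)]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: 0 bit = must match, 1 bit = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# Constructed packets that R14 forwards OUT of Fa0/0 (so ACL 103 sees them).
PACKETS = {
    # a normal reply from the Internet to the inside host
    "legit reply to inside host": ("198.51.100.7", "172.26.1.10"),
    # a packet that arrived on the outside interface claiming an inside source
    "spoofed inside source from outside": ("172.26.1.99", "172.26.1.10"),
}


def compare():
    """Map each packet name to (candidate-1 verdict, answer-key verdict)."""
    return {name: (evaluate(ACL_103_FIRST, s, d), evaluate(ACL_103_ANSWER, s, d))
            for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for name, (first, answer) in compare().items():
        print(f"{name:38s} candidate-1={first:6s} answer-key={answer}")
```

    The first candidate drops the legitimate reply as well as the spoofed packet, which is exactly the "bad thing" Donny describes; only the answer-key ACL separates the two.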

  • #2
    Hai Phung,

    I cannot tell apart the differences and purposes of the following three kinds of access lists:
    Reflexive Access-list, CBAC, TCP Intercept?

    Could you please explain them to me. I have read the S5 academy book but do not really understand it.

    Thank you,



    • #3
      Reflexive access-lists and CBAC share the same purpose in the TCP case: both are used to inspect TCP packets at the first step of the TCP handshake (the sender sends a TCP packet with the SYN bit set) and then create dynamic access lists in the reverse direction (with the ACK bit set; note: in an ordinary access-list, the keyword "established" is used to refer to this kind of returning packet).

      You can use reflexive access-lists if you are running a normal IOS (basic IOS version 11.3 or later).

      If you have an IOS with the FW feature set, you can use CBAC, which works like a reflexive ACL (for TCP) but is simpler to configure and can inspect other kinds of protocols (such as http, snmp, ...). In addition, CBAC can log to Syslog and has a limited IDS alert function.

      TCP intercept is not considered an access list, since it is used for defending against DoS attacks. Therefore it cannot be compared with the two kinds of access lists above.

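      To make the reverse-entry mechanism described above concrete, here is an added Python model (not code from the post or from IOS) of reflexive-ACL style return-traffic tracking placed next to what the plain "established" keyword checks. The 300-second timeout, addresses and packets are constructed assumptions.

```python
from collections import namedtuple

# Constructed model: an outbound TCP SYN opens a temporary reverse entry and
# only inbound traffic matching a live entry is let back in. The plain
# 'established' keyword, by contrast, matches any segment with ACK set.

Packet = namedtuple("Packet", "proto src sport dst dport syn ack")


class ReflexiveFilter:
    def __init__(self, timeout=300):
        self.timeout = timeout
        self.reflected = {}   # reverse 5-tuple -> expiry timestamp

    def outbound(self, pkt, now):
        """Inside -> outside. A SYN (not SYN/ACK) creates a reverse entry."""
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.reflected[key] = now + self.timeout
        return "permit"

    def inbound(self, pkt, now):
        """Outside -> inside. Permit only if an unexpired reverse entry exists."""
        self.reflected = {k: t for k, t in self.reflected.items() if t > now}
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "permit" if key in self.reflected else "deny"


def established_keyword(pkt):
    """What 'permit tcp any any established' checks: the ACK bit alone."""
    return "permit" if pkt.proto == "tcp" and pkt.ack else "deny"


def demo():
    f = ReflexiveFilter(timeout=300)
    # constructed: inside host opens a web session to an outside server
    f.outbound(Packet("tcp", "172.26.1.10", 40000, "198.51.100.7", 80, True, False), now=0)
    reply = Packet("tcp", "198.51.100.7", 80, "172.26.1.10", 40000, True, True)
    # constructed: an unsolicited segment with ACK set, aimed at another port
    unsolicited = Packet("tcp", "198.51.100.7", 80, "172.26.1.10", 40001, False, True)
    return {
        "reflexive: real reply": f.inbound(reply, now=1),
        "reflexive: unsolicited ACK": f.inbound(unsolicited, now=1),
        "reflexive: reply after timeout": f.inbound(reply, now=400),
        "established: unsolicited ACK": established_keyword(unsolicited),
    }
```

      The last entry shows why the comment flags "established" as the ordinary-ACL approximation: it accepts any ACK-bearing segment, while the reflexive entry requires the exact reverse 5-tuple and expires.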