Traffic filtering with NBAR:
NBAR was originally developed by Cisco as an application for classifying different kinds of traffic for QoS. It was later extended, and today NBAR is also used for security purposes. Here we look at NBAR only from the security angle; you can study it in more detail under the QoS heading. NBAR can inspect packets from layer 4 up to layer 7, and it can also be used for protocol discovery.
Let's now see, with a sample setup, how NBAR can be used for security:
In this example we deny HTTP requests whose URL contains .gif, .jpeg or .jpg, together with all file-sharing traffic.
R2:
Code:
!
ip cef                                   <--- must be enabled for NBAR to work
!
!
class-map match-any JUNK                 <--- when any one (match-any) of these traffic types is caught, the class-map is acted on. (match-all would instead mean that all of these traffic types have to be caught at once; matching only one or a few of them would not trigger the class-map.)
 match protocol http url "*.gif"
 match protocol http url "*.jpeg"
 match protocol http url "*.jpg"
 match protocol edonkey
 match protocol kazaa2
 match protocol gnutella
 match protocol napster
 match protocol novadigm
 match protocol gopher
!
!
policy-map MY_POLICY
 class JUNK
  drop                                   <---- and here, as the action, this kind of traffic is dropped.
!
!
interface Ethernet0/0
 full-duplex
 service-policy input MY_POLICY          <---- attaching our rules (the policy) to the interface.
!

R1:
On R1 we created the files we will use for testing and enabled the HTTP server.
Code:
R1(config)#ip http server
R1(config)#ip http path flash:
R1(config)#do copy start flash:test.txt          <----
Destination filename [test.txt]?
Erase flash: before copying? [confirm]n
Verifying checksum...  OK (0xC116)
1203 bytes copied in 0.040 secs (30075 bytes/sec)
R1(config)#do copy start flash:test.jpeg         <-----
Destination filename [test.jpeg]?
Erase flash: before copying? [confirm]n
Verifying checksum...  OK (0xC116)
1203 bytes copied in 0.040 secs (30075 bytes/sec)
R1(config)#do copy start flash:test.jpg          <-----
Destination filename [test.jpg]?
Erase flash: before copying? [confirm]n
Verifying checksum...  OK (0xC116)
1203 bytes copied in 0.040 secs (30075 bytes/sec)
R1(config)#do copy start flash:test.gif          <----
Destination filename [test.gif]?
Erase flash: before copying? [confirm]n
Verifying checksum...  OK (0xC116)
1203 bytes copied in 0.040 secs (30075 bytes/sec)
R1(config)#end

R2:
Code:
R2#sh policy-map interface e0/0
 Ethernet0/0

  Service-policy input: MY_POLICY

    Class-map: JUNK (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpg"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol napster
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gopher
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

R3:
Code:
R3#copy http://132.1.12.1/test.txt nul
R3#copy http://132.1.12.1/test.txt null:
Loading http://132.1.12.1/test.txt !                              <----- successful
1203 bytes copied in 1.108 secs (1086 bytes/sec)
R3#copy http://132.1.12.1/test.jpeg null:
%Error opening http://132.1.12.1/test.jpeg (I/O error)            <--- not successful
R3#copy http://132.1.12.1/test.jpg null:
%Error opening http://132.1.12.1/test.jpg (I/O error)             <--- not successful
R3#copy http://132.1.12.1/test.gif null:
%Error opening http://132.1.12.1/test.gif (I/O error)             <--- not successful

R2:
As the result shows, the traffic on our deny list was caught and dropped, while all traffic outside the list was caught by class-default, which is created automatically when the policy-map is created, and that traffic was allowed.
Code:
R2#sh policy-map interface e0/0
 Ethernet0/0

  Service-policy input: MY_POLICY

    Class-map: JUNK (match-any)
      43 packets, 8389 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif"
        14 packets, 2732 bytes                    <-------------- 14 packets caught
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg"
        16 packets, 3102 bytes                    <-------------- 16 packets caught
        5 minute rate 0 bps
      Match: protocol http url "*.jpg"
        13 packets, 2555 bytes                    <-------------- 13 packets caught
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol napster
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gopher
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop                                        <------------- and dropped (drop)

    Class-map: class-default (match-any)
      53 packets, 5941 bytes                      <-------------- 53 packets caught: test.txt, BGP, OSPF and the other traffic was allowed.
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
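As an added example (not part of the original post), a small Python parser for the "show policy-map interface" output above, so that the per-criterion hit counts and the drop action can be checked from a script or monitoring job instead of by eye. The sample text is constructed from the R2 output in this walkthrough with the rate lines removed, and the function names are my own.

```python
import re

# Constructed sample, trimmed from the R2 'show policy-map interface e0/0' output above (rate lines removed).
SAMPLE = """\
  Service-policy input: MY_POLICY
    Class-map: JUNK (match-any)
      43 packets, 8389 bytes
      Match: protocol http url "*.gif"
        14 packets, 2732 bytes
      Match: protocol http url "*.jpeg"
        16 packets, 3102 bytes
      Match: protocol http url "*.jpg"
        13 packets, 2555 bytes
      Match: protocol edonkey
        0 packets, 0 bytes
      drop
    Class-map: class-default (match-any)
      53 packets, 5941 bytes
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")

def parse_policy_map(text):
    # 'pending' names the counter the next "N packets, M bytes" line belongs to.
    classes, cur, pending = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes[m.group(1)] = {"mode": m.group(2), "packets": 0, "drop": False, "matches": {}}
            pending = "class"
        elif cur is None:
            continue
        elif m := MATCH_RE.match(line):
            pending = m.group(1)
            cur["matches"][pending] = 0
        elif (m := COUNT_RE.match(line)) and pending:
            if pending == "class":
                cur["packets"] = int(m.group(1))
            else:
                cur["matches"][pending] = int(m.group(1))
            pending = None
        elif line.strip() == "drop":
            cur["drop"] = True
    return classes

def dropped_criteria(classes):
    # For every class whose action is drop, the criteria that have actually matched packets.
    return {name: sorted(k for k, v in c["matches"].items() if v > 0)
            for name, c in classes.items() if c["drop"]}
```

Criteria with zero hits in a dropping class (here the P2P protocols) are still part of the policy; they simply saw no traffic during the test.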