
CBQ: Class-Based Queuing


Presentation Transcript


  1. CBQ: Class-Based Queuing
  • Class-Based Tree:
    Root 100 Mbps
      TCP 60 Mbps
        HTTP 30 Mbps
        FTP 30 Mbps
      ICMP 0 Mbps
      UDP 40 Mbps

  2. Direction
  • The rules apply differently depending on the direction of the packet.
  • There is a separate tree for each direction on each router port.
    Outbound: root-output-tree
    Inbound: root-input-tree
    (diagram: ROUTER with ports CBQ.1 and CBQ.2; each port has its own inbound root-input-tree and outbound root-output-tree)

  3. Commands
  • config cbq.1 traffic-class.tcpin protocols tcp parent root-input-tree [bandwidth-allocation 500000 bounded false maxbandwidth 6000000 priority 1]
  • config cbq.1 traffic-class.root-input-tree row-status active

  4. Commands
  • Rule for a subnet:
  • config cbq.1 traffic-class.bancada1 src-ip-addresses 192.168.1.0-192.168.1.20 parent root-input-tree
  • Blocking rule:
  • config cbq.2 traffic-class.udp protocols udp parent root-input-tree bandwidth-allocation 0 bounded true
  • Default rule (does not need to be created ...):
  • config cbq.1 traffic-class.other-default parent root-input-tree bandwidth-allocation 0 bounded true
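As an added illustration (not part of the original slides and not the router vendor's code), the following Python models the class tree from slides 1 to 4: guaranteed allocations, the bounded flag, and the allocation-0 / bounded-true idiom the slides use for blocking. The borrowing semantics (an unbounded class may use idle bandwidth up to its maxbandwidth or, failing that, its parent's ceiling) and every class and function name here are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of the CBQ class tree on slides 1 to 4. Figures are in
# bit/s, the unit the bandwidth-allocation and maxbandwidth parameters use.
# Assumed semantics (the page only shows them by example): a bounded class is
# held to its own allocation; an unbounded class may borrow idle bandwidth up
# to its maxbandwidth or, when none is set, its parent's ceiling.


@dataclass
class TrafficClass:
    name: str
    parent: Optional[str]
    bandwidth_allocation: int             # guaranteed share, bit/s
    bounded: bool = False                 # True: may never exceed allocation
    maxbandwidth: Optional[int] = None    # borrow ceiling when not bounded
    priority: int = 1
    children: List["TrafficClass"] = field(default_factory=list)


class CbqTree:
    """One direction of one port, e.g. the root-input-tree of cbq.1."""

    def __init__(self, root: str, link_bandwidth: int):
        self.root = root
        # The root is the link itself; nothing can borrow beyond it.
        self.classes: Dict[str, TrafficClass] = {
            root: TrafficClass(root, None, link_bandwidth, bounded=True)
        }

    def add(self, name: str, parent: str, allocation: int,
            bounded: bool = False, maxbandwidth: Optional[int] = None,
            priority: int = 1) -> TrafficClass:
        # Mirrors "config cbq.N traffic-class.<name> parent <parent> ...":
        # the parent must already be active (row-status active on the root).
        if parent not in self.classes:
            raise KeyError(f"parent class {parent!r} is not active")
        if name in self.classes:
            raise KeyError(f"class {name!r} already exists")
        tc = TrafficClass(name, parent, allocation, bounded, maxbandwidth, priority)
        self.classes[name] = tc
        self.classes[parent].children.append(tc)
        return tc

    def ceiling(self, name: str) -> int:
        """Most bandwidth a class can ever consume, in bit/s."""
        tc = self.classes[name]
        if tc.parent is None:
            return tc.bandwidth_allocation
        parent_ceiling = self.ceiling(tc.parent)
        if tc.bounded:
            return min(tc.bandwidth_allocation, parent_ceiling)
        if tc.maxbandwidth is not None:
            return min(tc.maxbandwidth, parent_ceiling)
        return parent_ceiling

    def blocks(self, name: str) -> bool:
        """Allocation 0 with bounded true can carry nothing: the slides'
        way of writing a blocking rule."""
        return self.ceiling(name) == 0

    def oversubscribed(self) -> List[str]:
        """Parents whose children's guaranteed shares add up to more than
        the parent's own allocation (a configuration error worth checking)."""
        return [tc.name for tc in self.classes.values()
                if sum(c.bandwidth_allocation for c in tc.children)
                > tc.bandwidth_allocation]


MBPS = 1_000_000


def slide1_tree() -> CbqTree:
    """The tree drawn on slide 1 plus slide 4's other-default class."""
    t = CbqTree("root-input-tree", 100 * MBPS)
    t.add("tcp", "root-input-tree", 60 * MBPS)
    t.add("icmp", "root-input-tree", 0, bounded=True)
    t.add("udp", "root-input-tree", 40 * MBPS)
    t.add("http", "tcp", 30 * MBPS)
    t.add("ftp", "tcp", 30 * MBPS)
    t.add("other-default", "root-input-tree", 0, bounded=True)  # drop the rest
    return t


def slide3_tcpin_ceiling() -> int:
    """slide 3's tcpin: 500000 bit/s guaranteed, unbounded, maxbandwidth
    6000000, so it may borrow up to 6 Mbps."""
    t = CbqTree("root-input-tree", 100 * MBPS)
    t.add("tcpin", "root-input-tree", 500_000, bounded=False,
          maxbandwidth=6_000_000, priority=1)
    return t.ceiling("tcpin")


if __name__ == "__main__":
    tree = slide1_tree()
    for name in tree.classes:
        print(f"{name:16} ceiling={tree.ceiling(name) / MBPS:6.1f} Mbps"
              f" blocks={tree.blocks(name)}")
    print("oversubscribed parents:", tree.oversubscribed())
    print("tcpin ceiling (bit/s):", slide3_tcpin_ceiling())
```

Running it shows icmp and other-default with a ceiling of 0 (blocked), while http and ftp, being unbounded with no maxbandwidth, may borrow up to the full link when it is idle; adding a third 10 Mbps child under tcp makes oversubscribed() report "tcp".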

  5. Checking and changing
  • show cbq.1 traffic-filters summary
  • delete cbq.1 traffic-filter.bancada1

  6. Filter options
  • IP addresses:
  • src-ip-addresses start_ip-end_ip
  • dest-ip-addresses start_ip-end_ip
  • Ports:
  • src-ports start_port-end_port
  • dst-port start_port-end_port

  7. Filter options
  • applications name
  • http, ftp, smtp, etc.
  • traffic-class.http-out applications http
  • traffic-class.http-return applications httpEstablished
  • protocols name or number
  • traffic-class.TCP-out protocols TCP
  • traffic-class.TCPUDP protocols 6-17

  8. Stateful applications
  • allTcp, allTcpEstablished
  • allUdp, allUdpEstablished
  • allIcmp, allIcmpEstablished
  • ftp, ftpEstablished
  • http, httpEstablished
  • telnet, telnetEstablished

  9. Example
  • Create an active root entry:
  • config cbq.1 traffic-class.root-input-tree row-status active
  • To allow the traffic:
  • config cbq.1 traffic-class.smtp-out parent root-input-tree applications smtp
  • config cbq.2 traffic-class.smtp-return parent root-input-tree applications smtpEstablished

  10. Operators
  • operator and
  • operator or
  • config cbq.1 traffic-class.httpserver src-ip-addresses 192.168.1.2 protocols tcp operator and

  11. Example
  • config cbq.3 traffic-class.respostaHTTP src-ports 80 parent root-input-tree (** WRONG **)
  • config cbq.3 traffic-class.respostaHTTP src-ports 80 applications allTcpEstablished parent root-input-tree
    (diagram: bench 1 client, router with port cbq.3, bench 2 HTTP server; the HTTP response from bench 2 arrives at the router on cbq.3)
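To make slides 6 to 11 concrete, here is an added Python simulation (not code from the slides or from the router vendor) of how the filter options combine and why the first respostaHTTP rule is marked wrong: a rule that only looks at src-ports 80 also admits a brand-new connection that merely uses 80 as its source port, whereas adding allTcpEstablished restricts the class to segments of connections that already exist. The packet fields, the application table, the reading of "Established" as "ACK set / reply inside a known flow", the default operator and all names are assumptions for this example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

# application -> (protocol, server port); the all* entries have no fixed port.
# Constructed from the names on slides 7, 8 and 14.
APPLICATIONS = {
    "http": ("tcp", 80), "ftp": ("tcp", 21), "smtp": ("tcp", 25),
    "telnet": ("tcp", 23), "pop3": ("tcp", 110), "dns": ("udp", 53),
    "allTcp": ("tcp", None), "allUdp": ("udp", None), "allIcmp": ("icmp", None),
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str              # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    established: bool = False  # reply inside a flow the router already saw
                               # (for TCP: ACK set, i.e. not the opening SYN)


def in_range(value: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= value <= rng[1]


def application_matches(app: str, p: Packet) -> bool:
    """xxxEstablished names the reply direction: the server port is the
    source port and the packet must belong to an existing flow (assumed)."""
    reply = app.endswith("Established")
    base = app[: -len("Established")] if reply else app
    proto, port = APPLICATIONS[base]
    if p.protocol != proto:
        return False
    if reply:
        return p.established and (port is None or p.src_port == port)
    return port is None or p.dst_port == port


@dataclass
class TrafficClassFilter:
    """Filter options of one "config cbq.N traffic-class.<name> ..." line."""
    name: str
    src_ip_addresses: Optional[Tuple[str, str]] = None   # start-end
    dest_ip_addresses: Optional[Tuple[str, str]] = None
    src_ports: Optional[Tuple[int, int]] = None
    dst_ports: Optional[Tuple[int, int]] = None
    protocols: Optional[Tuple[int, int]] = None          # number range, e.g. 6-17
    applications: List[str] = field(default_factory=list)
    operator: str = "and"    # slide 10: "and" / "or" (default assumed "and")

    def matches(self, p: Packet) -> bool:
        checks: List[bool] = []
        if self.src_ip_addresses:
            lo, hi = map(IPv4Address, self.src_ip_addresses)
            checks.append(lo <= IPv4Address(p.src_ip) <= hi)
        if self.dest_ip_addresses:
            lo, hi = map(IPv4Address, self.dest_ip_addresses)
            checks.append(lo <= IPv4Address(p.dst_ip) <= hi)
        if self.src_ports:
            checks.append(in_range(p.src_port, self.src_ports))
        if self.dst_ports:
            checks.append(in_range(p.dst_port, self.dst_ports))
        if self.protocols:
            checks.append(in_range(PROTO_NUM[p.protocol], self.protocols))
        for app in self.applications:
            checks.append(application_matches(app, p))
        if not checks:
            return True          # a class with no options matches everything
        return all(checks) if self.operator == "and" else any(checks)


def classify(rules: List[TrafficClassFilter], p: Packet) -> str:
    """First matching class wins; slide 4's other-default (allocation 0,
    bounded true) swallows everything that matched nothing."""
    for rule in rules:
        if rule.matches(p):
            return rule.name
    return "other-default"


# Slide 11: the rule marked WRONG and its corrected form.
WRONG_RESPOSTA_HTTP = TrafficClassFilter("respostaHTTP", src_ports=(80, 80))
RIGHT_RESPOSTA_HTTP = TrafficClassFilter("respostaHTTP", src_ports=(80, 80),
                                         applications=["allTcpEstablished"])
# Slide 10: src-ip-addresses 192.168.1.2 protocols tcp operator and
HTTPSERVER_AND = TrafficClassFilter(
    "httpserver", src_ip_addresses=("192.168.1.2", "192.168.1.2"),
    protocols=(6, 6), operator="and")

# Constructed packets using the lab's address ranges from the slides.
# A genuine HTTP reply from the server bench back to a client:
REAL_RESPONSE = Packet("192.168.2.10", "192.168.1.7", "tcp", 80, 40000, established=True)
# A host on the server side opening a NEW telnet connection from source
# port 80 (slide 21's port spoofing test): a port-only rule cannot tell it apart.
SPOOFED_SYN = Packet("192.168.2.99", "192.168.1.7", "tcp", 80, 23, established=False)

if __name__ == "__main__":
    for rule in (WRONG_RESPOSTA_HTTP, RIGHT_RESPOSTA_HTTP):
        print(rule.applications or "src-ports only",
              "reply:", classify([rule], REAL_RESPONSE),
              "spoofed SYN:", classify([rule], SPOOFED_SYN))
```

With the port-only rule both packets land in respostaHTTP; with allTcpEstablished the genuine reply is still admitted while the spoofed SYN falls through to other-default and is dropped, which is exactly the check slide 22 asks for ("are your rules protected against port spoofing?").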

  12. Scenario
    (network diagram) Internal network 1 (192.168.1.0/24) with SW1 and R1; DMZ 1 (192.168.2.0/24) with SW2 and R2; Internet; DMZ 2 (192.168.3.0/24) with SW3 and R3; internal network 2 (192.168.4.0/24) with SW4 and R4. Addresses shown on the diagram: 192.168.1.1, 192.168.2.2, 192.168.0.5, 192.168.2.1, 192.168.3.1, 192.168.0.6, 192.168.4.2, 192.168.4.1.

  13. Identify the interfaces on your network
    (diagram to be completed: internal network, IP: / Mask: ; SW1; R1; Internet; R2; DMZ, IP: / Mask: ; SW2. Each router interface has its own "cbq. root-input-tree", with the interface number left blank to be filled in.)

  14. Assume the following services are available in the DMZ
  • SMTP: TCP 25, IP:
  • POP3: TCP 110, IP:
  • HTTP: TCP 80, IP:
  • DNS: UDP 53, IP:
  • FTP: TCP 21, IP:

  15. Packets internal network -> DMZ
  • HTTPreq: config cbq.
  • POP3req: config cbq.
  • SMTPreq: config cbq.
  • DNSreq: config cbq.
  • FTPreq: config cbq.

  16. Packets DMZ -> internal network
  • HTTPresp: config cbq.
  • POP3resp: config cbq.
  • SMTPresp: config cbq.
  • DNSresp: config cbq.
  • FTPresp: config cbq.

  17. Packets DMZ -> Internet (requests)
  • HTTPRIreq: config cbq.
  • FTPRIreq: config cbq.
  • SMTPDMZreq: config cbq.
  • DNSDMZreq: config cbq.

  18. Packets DMZ -> Internet (responses)
  • HTTPDMZresp: config cbq.
  • FTPDMZresp: config cbq.
  • SMTPDMZresp: config cbq.
  • DNSDMZresp: config cbq.

  19. Packets Internet -> DMZ (requests)
  • HTTPREreq: config cbq.
  • FTPREreq: config cbq.
  • SMTPREreq: config cbq.
  • DNSREreq: config cbq.

  20. Packets Internet -> DMZ (responses)
  • HTTPREresp: config cbq.
  • FTPREresp: config cbq.
  • SMTPREresp: config cbq.
  • DNSREresp: config cbq.

  21. Tests
  • To simulate the servers on the DMZ bench:
  • jview mserver <port>
  • Example: jview mserver 21
  • To simulate the clients on the internal benches:
  • jview cliente <server IP> <server port>
  • Example: jview cliente 192.168.1.7 21
  • To simulate port spoofing attacks:
  • jview cliente <server IP> <server port> <client port>
  • Example: jview cliente 192.168.1.7 8080 21

  22. Checks
  • Can clients on the internal network reach the servers in the local DMZ?
  • Can clients on the internal network reach the servers in the remote DMZ?
  • Are the ports of other, unauthorized services blocked? Example: ICMP, telnet, etc. Simulate this test by starting a telnet server in the DMZ.
  • Are your rules protected against port spoofing?