Establish a pppoe server to defend against spoofing (1)

Network security problems are very sensitive, and numerous security risks have plagued us. Here we will explain how to prevent ARP spoofing by setting up a pppoe server for dial-up Internet access. ARP virus is an unavoidable topic in the LAN, but it seems that the dial-up users have never heard of it. Currently, domestic users of China Telecom or China Netcom generally use the PPPOE dial-up method to access the Internet, when I went to my relatives' home to help debug the network, I found out how the IP address in his machine is the same as the gateway address. As we used to debug the network in the LAN, obtain a machine and run the ipconfig/all command to check the basic network conditions.) generally, the network topology of the China Telecom or China Netcom ADSL cat PPPOE dialing is shown in 1:

Figure 1

Yes, although there are many ways to solve ARP Address Spoofing, we use the PPPOE dial-up method adopted by ADSL in the LAN to establish a PPPOE server in the LAN, allow LAN users to access the Internet through the PPPOE server, so that the Microcomputer in the LAN can access the Internet and make the obtained IP address consistent with the gateway address, so as to prevent ARP Address Spoofing from initiating attacks in the LAN, isn't it a way of thinking.

I. Clarify the PPPOE Network Topology

You can also find a tutorial on setting up a pppoe server on the Internet. However, if no one knows how to set up a pppoe server, you can find out why the configuration is difficult, because the tutorial on the internet is based on command configuration, the network topology is not clearly stated. If it is configured in a virtual machine, the network topology is hard to say clearly, therefore, to clarify the configuration of the PPPOE server, first clarify the network topology. First, let's talk about the topology of the normal PPPOE server in the LAN. 2 ).

Figure 2

In combination with figure 2, we need to explain that in general, in the LAN of the organization, the user accesses the Internet through the network cable to connect to the switch, and then the switch connects to the NAT address translation) A device's Broadband Router, hardware firewall, or broadband Internet access management system). The PPPOE server is located between the vswitch and NAT device and serves to verify the dialing user information and assign IP addresses, however, the IP address assigned by the PPPOE server to the user is different from the IP address assigned to the user by the DHCP server. The DHCP server is assigned to the user with the complete IP address, subnet mask, gateway, DNS, and other information, however, PPPOE only assigns IP addresses and DNS server addresses to users.

If we want to use the routeros software in a virtual machine for PPPOE server experiments, we need to better plan the network topology,

The first key point is to virtualize an XP system in a real machine as a dial-up test client), and then Virtualize A routeros system as a PPPOE server ).

The second key point is that the virtual routeros system must have two NICs in bridging mode, as shown in network topology 2:

Figure 3

However, we do not actually have these two switches, but because of the functionality of the virtual machine's bridging Nic, we can understand it according to the figure above.