8/2/2019 Docx 20110922 Bao Cao VPN Final
1/44
Topic: VPN (Virtual Private Network)
______________________________________________________________________
VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY
UNIVERSITY OF SCIENCE
FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS
-------------oOo---------------
Topic:
Supervisor: Nguyen Anh Vinh
Course: Network Technology
Group:
Phan B Tu - 0520091
Nguyen Minh Tam - 0520093
Nguyen Thanh Hng - 0520031
______________________________________________________________
Faculty of Electronics and Telecommunications, University of Science
TABLE OF CONTENTS
I. Introduction to VPN technology
  1.1 What is a VPN
  1.2 Benefits of VPN
    VPN reduces recurring costs
    Reduced management and support costs
    VPN ensures information security, integrity and authentication
    VPN easily connects branches into a single local network
  1.3 Components needed to create a VPN connection
II. Types of VPN
  2.1 Remote Access VPN
    Requirements for Remote Access VPN
  2.2 Site-to-Site VPN
    Intranet VPN
    Extranet VPN
    Requirements for Site-to-Site VPN
III. Technologies and protocols supporting VPN
  3.1 Tunneling and encryption
  3.2 Tunneling
  3.2 Encryption
    Layer 2 VPN technology
    Layer 3 VPN technology
    GRE tunnels
    MPLS VPNs
IV. The IPSec security protocol
    Digital Signatures
    IPSec Security Protocol
    IPSec Transport Mode
    IPSec Tunnel Mode
    Encapsulating Security Payload (ESP)
    Authentication Header (AH)
    Three-Way CHAP Authentication Process
V. Conclusion
VI. How to configure a VPN (Client to Site)
VII. References
I. Introduction to VPN technology
1.1 What is a VPN?
A virtual private network, better known by the abbreviation VPN, is not a new concept in network technology. A VPN can be defined as a virtual network service deployed on top of the public network infrastructure, with the aim of saving the cost of point-to-point connections. A telephone call between two people is the simplest example of a virtual private connection over the public telephone network. The two key characteristics of VPN technology are "private" and "virtual", corresponding to the two English terms (Virtual and Private). A VPN can appear at any layer of the OSI model; a VPN is an improvement of the WAN infrastructure that changes the WAN and gives it the characteristics of a local network.
VPN = Tunneling + Encryption
1.2 Benefits of VPN:
VPN reduces recurring costs:
A VPN saves on line rental and reduces the costs incurred for remote staff, because they reach the internal network through the provider's local Points of Presence (POP). Renting access lines from the provider is kept to a minimum, so the cost of a LAN-to-LAN connection falls significantly compared with renting a Leased Line.
Reduced management and support costs:
By using the provider's service, we only have to manage the endpoint connections at the branches rather than the switching equipment in the network. At the same time, by making use of the Internet infrastructure and the provider's technical team, the company can concentrate on its business.
VPN ensures information security, integrity and authentication:
Data sent over the network is encrypted with cryptographic algorithms and carried inside tunnels, so the information is well protected.
VPN easily connects branches into a single local network:
With globalisation, a company may have branches in many different countries. Centralised management of the information at all branches is necessary. A VPN can easily join the networks of the branches and the head office into one LAN at low cost.
VPN supports today's most common network protocols, such as TCP/IP.
IP address confidentiality: information sent over the VPN is encrypted, so the addresses of the private network are hidden and only public Internet addresses are used.
1.3 Components needed to build a VPN connection:
User authentication: provides a mechanism to authenticate users, allowing only legitimate users to connect to the VPN.
Address management: provides a valid IP address to the user after joining the VPN so that the user can reach resources on the internal network.
Data encryption: encrypts data in transit to ensure privacy and data integrity.
Key management: manages the keys used to encrypt and decrypt data.
II. Types of VPN:
VPNs are divided into 2 types:
Remote Access VPN
Site-to-Site VPN
  o Intranet VPN
  o Extranet VPN
Figure 1 - Remote Access VPN
2.1 Remote Access VPN
Remote Access VPN: provides remote access to an Intranet or Extranet over a shared infrastructure. A Remote Access VPN uses Analog, Dial, ISDN, DSL, Mobile IP and Cable links to set up connections to mobile users.
An important feature of Remote Access VPN: it lets users work from a remote location by reaching the company's internal network.
Requirements for Remote Access VPN:
One VPN Gateway (with one public IP address). This is the central point that handles VPN clients dialling in to the internal VPN system.
VPN clients connected to the Internet.
Figure 2 - Site-to-Site VPN
2.2 Site-to-Site VPN:
Site-to-Site VPN is divided into two kinds, Intranet VPN and Extranet VPN.
Intranet VPN: connects the head office, branches and remote offices to the company's internal network over a shared infrastructure. Intranet VPN differs from Extranet VPN in that only the company's own staff are allowed into the internal network.
Extranet VPN: connects the company's customers, consultants or partners into one network over a shared infrastructure. Extranet VPN differs from Intranet VPN in that it lets users outside the company access the system.
Requirements for Site-to-Site VPN:
Two VPN Gateways (each with one public IP address). Each is the central point that handles the dial-in from the VPN Gateway on the other side.
Clients connected to the internal network.
III. Technologies and protocols supporting VPN:
3.1 Tunneling and encryption
The main function of a VPN is to carry encrypted information inside a tunnel over a shared network infrastructure.
3.2 Tunneling
Most VPNs rely on a technique called tunneling to create a private network over the Internet. In essence, the whole packet is placed inside a header layer carrying the routing information needed to cross the intermediate network along private "pipes" (tunnels).
When the packet reaches its destination, the header layer is removed and the packet is forwarded to the end station that is to receive the data. To set up a tunnel, the client and the server must use the same tunnel protocol.
The protocol of the outer packet is understood by the network and by the two endpoints. These two endpoints are called tunnel interfaces, the points where packets enter and leave the network.
Tunneling involves 3 different protocols:
- The carrier protocol: the protocol of the network the information travels across.
- The encapsulating protocol: the protocol (such as GRE, IPSec, L2F, PPTP, L2TP) wrapped around the original packet.
- The passenger protocol: the protocol of the original data being carried (such as IPX, NetBEUI, IP).
A user can place a packet of a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely across the Internet. Alternatively, a packet carrying private (non-routable) IP addresses can be placed inside another packet carrying public (routable) IP addresses, extending a private network across the Internet.
Tunneling in site-to-site VPNs
In this type of VPN, the Generic Routing Encapsulation (GRE) protocol provides the mechanism that "packages" the passenger protocol for transmission over the carrier protocol. It carries information about the type of packet being encapsulated and about the connection between server and client. IPSec in tunnel mode, however, sometimes takes the place of GRE as the encapsulating protocol. IPSec works well for both remote-access and site-to-site VPNs. Naturally, it must be supported at both tunnel interfaces.
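To make the carrier/encapsulating/passenger layering concrete, here is an added example (not code from the report) that wraps a constructed private-address IP packet in a GRE-in-IPv4 tunnel packet and strips it again at the receiving tunnel interface, rejecting a corrupted outer header. The addresses are constructed sample values from documentation ranges; the minimal 4-byte GRE header follows RFC 2784.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number of GRE in the outer (carrier) IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value announcing an IPv4 passenger packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                 # version 4, IHL 5 (20 bytes)
                      0,                    # TOS
                      20 + payload_len,     # total length
                      0, 0x4000,            # identification, flags (DF) + fragment offset
                      64, proto, 0,         # TTL, protocol, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap the passenger packet: outer IPv4 (carrier) + GRE (encapsulating) + passenger."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    outer = build_ipv4_header(outer_src, outer_dst, GRE_PROTO,
                              len(gre_hdr) + len(passenger))
    return outer + gre_hdr + passenger


def gre_decapsulate(carrier_packet: bytes) -> dict:
    """Receiving tunnel interface: validate and strip the outer IPv4 and GRE headers."""
    if len(carrier_packet) < 24:
        raise ValueError("too short for IPv4 + GRE headers")
    outer = carrier_packet[:20]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", outer)
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is handled")
    if ipv4_checksum(outer) != 0:        # a valid header sums to zero including its checksum
        raise ValueError("outer IPv4 header checksum mismatch")
    if proto != GRE_PROTO:
        raise ValueError("outer packet is not GRE (protocol %d)" % proto)
    flags_ver, ptype = struct.unpack("!HH", carrier_packet[20:24])
    if flags_ver != 0:
        raise ValueError("only the minimal 4-byte GRE header is handled")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported passenger protocol 0x%04x" % ptype)
    return {"outer_src": socket.inet_ntoa(src),
            "outer_dst": socket.inet_ntoa(dst),
            "passenger": carrier_packet[24:total_len]}


def demo() -> dict:
    """Constructed sample: a packet between two private (non-routable) branch addresses is
    carried across the Internet between two public gateway addresses."""
    udp_stub = b"\x00\x35\x00\x35\x00\x08\x00\x00"          # 8-byte UDP header, no payload
    passenger = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, len(udp_stub)) + udp_stub
    carrier = gre_encapsulate(passenger, "203.0.113.1", "198.51.100.1")
    received = gre_decapsulate(carrier)
    return {"carrier_len": len(carrier),
            "outer_proto": carrier[9],
            "passenger_intact": received["passenger"] == passenger,
            "outer_src": received["outer_src"],
            "outer_dst": received["outer_dst"]}


if __name__ == "__main__":
    print(demo())
```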
In this model, a packet travels from a head-office computer through the access server to the router (where GRE encapsulation takes place), then through the tunnel to the computer at the remote office.
Tunneling in remote-access VPNs
With this type of VPN, tunneling usually uses the Point-to-Point Protocol (PPP). As part of TCP/IP, PPP acts as the carrier for other IP protocols when the server and the remote-access host communicate over the network. In short, tunneling for remote-access VPNs depends on PPP.
The following protocols are built on the basic structure of PPP and are used in remote-access VPNs.
The L2F protocol
A layer 2 protocol developed by Cisco Systems. L2F was designed to allow a tunnel to be created between a NAS and a VPN Gateway to carry frames: a remote user connects to the NAS, and PPP frames are carried from the remote user to the VPN Gateway inside the tunnel that has been created.
The PPTP protocol (Point-to-Point Tunneling Protocol)
This is the most widely used tunneling protocol today. The protocol was developed by Microsoft. PPTP provides part of the Remote Access Service (RAS).
Like L2F, PPTP lets a tunnel be created from the user side (Mobile User) to the VPN Gateway/Concentrator.
The L2TP protocol
A standard protocol proposed by the IETF, L2TP combines the two strengths of remote access from L2F (Cisco Systems' Layer 2 Forwarding) and fast point-to-point connectivity from PPTP (Microsoft's Point-to-Point Tunneling Protocol). In a Remote Access environment, L2TP allows a tunnel to be set up for frames and uses PPP to carry data inside the tunnel.
Some advantages of L2TP:
L2TP supports multiple protocols.
It requires no additional software or operating system support, so remote users and users on the Intranet do not need to install any special software.
L2TP lets many mobile users reach the remote network over the public network.
L2TP is not highly secure by itself, but it can be combined with the IPSec security mechanism to protect data.
With L2TP, account authentication is performed on the Host Gateway Network, so the service provider does not have to maintain an authorisation database.
The Point-to-Point Protocol (PPP)
This is an encapsulation protocol for carrying data over serial connections. PPP's biggest advantage is that it works over any Data Terminal Equipment (DTE) or Data Connection Equipment (DCE). Another convenience of PPP is that it does not limit the access speed. PPP is ready for full-duplex connections and is a good solution for dial-up connections.
Notes:
If you want to set up a secret "virtual pipe" over the Internet using the remote-access model, you can only use the IPSec protocol directly when the client has a real IP address.
Because L2TP with IPSec encryption requires a Public Key Infrastructure, it is harder and more expensive to deploy than PPTP. L2TP/IPSec is L2TP running on top of IPSec, whereas IPSec Tunnel Mode is a different protocol.
Because of its authorisation mechanism, L2TP/IPSec or IPSec Tunnel Mode can only pass through a Network Address Translation (NAT) device by going through more "virtual pipes". If a NAT sits between the Point of Presence (POP) and the Internet, you will run into difficulty. In PPTP, on the other hand, an encrypted IP packet is placed inside an unencrypted IP packet, so it can pass through a NAT.
PPTP and L2TP can work with password-based authentication systems, and they support stronger authentication with smart cards, biometrics and devices with similar functions.
Recommendations:
PPTP is the best choice when the customer wants a security mechanism that is inexpensive and uncomplicated. The protocol is also effective when data flows have to pass through NAT. Customers who want NAT together with stronger security can configure IPSec rules on Windows 2000.
L2TP is the best solution when the customer treats security as the top priority and commits to deploying a Public Key Infrastructure (PKI). If you need a NAT device in the VPN path, this solution may not work well.
IPSec Tunnel Mode is more effective for site-to-site VPNs. Although this protocol is now also applied to remote-access VPNs, its implementations do not interoperate with one another. IPSec Tunnel Mode is discussed in more detail in the site-to-site VPN section that follows.
Comparison of VPN protocols (name; strengths; weaknesses; use in the network)
IPSEC
  Strengths: operates independently; hides network addresses; supports the vendors' encryption techniques.
  Weaknesses: no user management; few products interoperate with it; little interface support.
  Used in: the best software on the user's machine for remote access.
PPTP
  Strengths: runs on Win NT, 98, 95; sets up tunnels for connections; provides multiprotocol capability; RSA RC-4 encryption.
  Weaknesses: provides no data encryption from remote access servers; largely proprietary.
  Used in: used by remote access servers; usable for Win9x desktops or WinNT workstations.
L2F
  Strengths: multiprotocol tunnel setup; provided by many vendors.
  Weaknesses: no encryption; weak user authentication; no flow control for the tunnel.
  Used in: remote access.
L2TP
  Strengths: combines PPTP and L2F; only one package needed to run over X.25 and Frame Relay; uses IPSEC for encryption.
  Weaknesses: not yet provided in many products; not secure at the endpoints.
  Used in: remote access.
3.2 Encryption
Encryption is a fundamental feature in the construction and design of a VPN. A VPN uses the infrastructure of the Internet and other public networks.
Data sent across the network can therefore be captured and read. To ensure that information can only be read by the intended recipient and the sender, the data must be encrypted with strong algorithms. However, only important information should be encrypted, because encryption and decryption affect the data transfer rate.
VPN service providers divide VPNs into 3 groups: Layer 1, Layer 2 and Layer 3 VPNs.
Layer 1 VPNs are used to transport layer 1 services over a shared network infrastructure, controlled and managed by Generalized Multiprotocol Label Switching (GMPLS).
At present, Layer 1 VPN is still at an experimental stage, so Layer 1 VPN is not covered in this report.
In the simplest terms, a VPN connection between two points over a public network is a way of establishing a logical connection. The logical connection can be established at layer 2 or layer 3 of the OSI model, and VPN technology is broadly classified on this basis as Layer 2 VPNs or Layer 3 VPNs.
Layer 2 VPN technology
A Layer 2 VPN operates at layer 2 of the OSI reference model: point-to-point connections are established between sites on top of a virtual circuit. A virtual circuit is a logical connection between 2 points on a network and can be extended to many points. A virtual circuit between 2 end points (end-to-end) is usually called a Permanent Virtual Circuit (PVC). A virtual circuit set up dynamically between 2 points on the network (point to point) is known as a Switched Virtual Circuit (SVC). SVCs are used less because they are complex to deploy and to troubleshoot. ATM and Frame Relay are the 2 most common Layer 2 VPN technologies.
ATM and Frame Relay network providers can offer site-to-site connections to corporations and companies by configuring Permanent Virtual Circuits (PVCs) across the shared backbone.
One convenience of Layer 2 VPNs is independence from the layer 3 traffic. ATM and Frame Relay networks connecting the sites can carry many different routed protocols such as IP, IPX, AppleTalk, IP Multicast and so on. ATM and Frame Relay also provide Quality of Service (QoS), which is a prerequisite for carrying voice traffic.
Layer 3 VPN technology
A connection between sites can be defined as a Layer 3 VPN. Layer 3 VPN types include GRE, MPLS and IPSec. GRE and IPSec are used for point-to-point connections, while MPLS provides multipoint (any-to-any) connectivity.
GRE tunnels
Generic Routing Encapsulation (GRE) was initiated and developed by Cisco and later accepted by the IETF as standard RFC 1702. GRE is used to create tunnels and can carry many kinds of protocol, such as IP, IPX, AppleTalk and packets of any other protocol, inside an IP tunnel. GRE has no high-level security of its own, but it can be protected using IPSec. A GRE tunnel between 2 sites that carries IP can be considered a VPN, because the private data between the 2 sites is encapsulated in packets whose header follows the GRE standard.
Because the public Internet is connected worldwide, the branches of a corporation may lie in different geographic regions. For these branches to exchange data with each other and with the head office, all that is required is for each branch to set up a physical connection to an Internet Service Provider (ISP). A VPN is then established using a GRE tunnel, and all data between the branches is exchanged inside that GRE tunnel. Beyond that, the data still needs to be secured against the risk of attack.
MPLS VPNs
MPLS VPN technology builds Label Switched Paths through Label Switch Routers. Packets are forwarded according to the label on each packet. An MPLS VPN can use the Tag Distribution Protocol (TDP), the Label Distribution Protocol (LDP) or the Reservation Protocol (RSVP).
Cisco initiated this technology: MPLS originated from the tags used in tag switching and was later standardised by the IETF as MPLS. MPLS is built from routers that use label switching (Label Switch Routers). In an MPLS network, packets are switched according to the label on each packet. Service providers are now increasingly deploying MPLS to offer MPLS VPN services to customers.
The basis of all VPN technologies is that private data is encapsulated and delivered to its destination by adding an extra header to the packets; an MPLS VPN uses labels to encapsulate the original data and deliver the packets to their destination.
RFC 2547 defines the VPN service that uses MPLS. One benefit of MPLS VPN compared with other VPN technologies is that it reduces the complexity of configuring the VPN between sites.
IV. The IPSec security protocol:
VPN technology uses the public network infrastructure and other shared transmission media to carry data, so securing the data in a VPN is an extremely important matter. To solve this problem, a VPN builds tunnels and uses the IPSec protocol suite to encrypt the data inside the tunnel.
An encryption algorithm has two functions, encryption and decryption:
Encryption: converts data in plain text form into encrypted data.
Decryption: converts encrypted information back into plain text using the supplied key.
Cryptographic algorithms fall into the following two classes:
Symmetric
Asymmetric
A symmetric algorithm is characterised by the sender and receiver sharing the same secret key. Anyone who has the secret key can decrypt the ciphertext.
An asymmetric algorithm is also known as a public key algorithm. The encryption key is called the public key and can be published; only the private key has to be kept secret. The public key and the private key are thus related to each other. Anyone with the public key can encrypt plain text, but only the holder of the private key can decrypt the ciphertext back into plain text.
To illustrate this algorithm, let us return to the familiar example problem: Bob and Alice need to send secret information to each other using a public key algorithm.
In practice, public key algorithms are rarely used to encrypt the information content itself, because they are much slower than symmetric algorithms. However, public keys are commonly used to solve the key distribution problem of symmetric algorithms. Public key cryptography does not replace symmetric cryptography; the two complement each other.
Figure: Encryption and decryption using a public key
Digital Signatures
Another application of public key algorithms is the digital signature. Returning to the Alice and Bob problem: this time Bob wants to verify that the letter he received from Alice really was sent by Alice and is not an anonymous letter from some third party. A digital signature is therefore generated and attached to Alice's file; Bob uses the public key to decrypt it and confirm that this really is Alice's signature. The verification mechanism is as follows:
Alice's computer uses a HASH function to hash the document to be sent to Bob into a 512-byte set called the HASH.
Alice encrypts the HASH with her private key to produce the digital signature. The digital signature is attached to the document that is sent.
Bob decrypts Alice's digital signature with the public key to produce HASH1, and then applies the HASH function to the plain text received from Alice to produce HASH2.
HASH1 and HASH2 are compared; if they match, the document Bob received really was sent by Alice.
Figure: Digital signature verification mechanism
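The hash-then-sign flow just described, as an added example that is not part of the report: Alice hashes the document and transforms the hash with her private key, Bob recovers HASH1 with the public key and compares it with HASH2 computed from the received text. Assumptions: SHA-256 stands in for the report's HASH function, and the key pair is a toy RSA key built from two fixed primes so the example runs offline with the standard library only.

```python
import hashlib

# Toy RSA key pair from two fixed Mersenne primes so the example runs offline with only the
# standard library. Constructed for illustration; a real deployment uses keys from a PKI.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (modular inverse, Python 3.8+)


def hash_document(document: bytes) -> int:
    """The report's HASH step. SHA-256 is used here (assumption), truncated to 128 bits so
    that the digest, read as an integer, is smaller than the toy modulus N."""
    return int.from_bytes(hashlib.sha256(document).digest()[:16], "big")


def sign(document: bytes, private_exp: int = D, modulus: int = N) -> int:
    """Alice: transform the HASH with the private key; the result is the digital signature."""
    return pow(hash_document(document), private_exp, modulus)


def verify(document: bytes, signature: int, public_exp: int = E, modulus: int = N) -> bool:
    """Bob: recover HASH1 from the signature with the public key, compute HASH2 from the
    received plain text, and accept only if the two match."""
    hash1 = pow(signature, public_exp, modulus)
    hash2 = hash_document(document)
    return hash1 == hash2


def demo() -> dict:
    """Constructed sample letter: a genuine copy, a tampered copy and a forged signature."""
    letter = b"From Alice to Bob: transfer the branch files at 09:00 tomorrow."
    signature = sign(letter)
    return {
        "genuine": verify(letter, signature),                               # True
        "tampered": verify(letter.replace(b"09:00", b"08:00"), signature),  # False
        "forged": verify(letter, (signature + 1) % N),                      # False
    }


if __name__ == "__main__":
    print(demo())
```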
IPSec Security Protocol
The purpose of IPSec is to provide security services for IP packets at the Network layer. These services include access control, data integrity, authentication and data confidentiality. Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two main protocols used to provide security for IP packets. IPSec operates in two modes, Transport Mode and Tunnel Mode.
IPSec Transport Mode
In this mode an IPSec transport header (AH or ESP) is inserted between the IP header and the upper-layer headers.
Figure: An IP packet protected by IPSec in Transport Mode
In this mode the IP header is the same as the IP header of the original packet, except that the IP Protocol field is changed to ESP (50) or AH (51) and the IP header checksum is recalculated. In this mode the destination IP address in the IP header is not changed by the IPSec source, so this mode can only be used to protect packets whose IP endpoint and IPSec endpoint are the same.
IPSec Transport Mode is well suited to protecting traffic between two hosts rather than the site-to-site model. Moreover, the IP addresses of the two hosts must be routable (visible to each other on the network), which means the hosts may not be behind NAT. IPSec Transport Mode is therefore commonly used to protect the tunnels that GRE creates between VPN Gateways in the site-to-site model.
IPSec Tunnel Mode
An IPSec VPN service using Transport Mode with GRE encapsulation between VPN Gateways is effective in the site-to-site model. But when clients connect to the VPN Gateway, the path from client to VPN Gateway is not protected; furthermore, when clients want to connect to a site, IPSec protection is also an issue. IPSec Tunnel Mode was introduced to address this.
In Tunnel Mode, the original IP packet is encapsulated in a new IP datagram and an IPSec header (AH or ESP) is inserted between the outer and inner headers. Because it is encapsulated in an "outer" IP packet, Tunnel Mode can be used to provide security services between IP nodes behind a VPN Gateway.
Encapsulating Security Payload (ESP)
ESP provides confidentiality, data integrity, data origin authentication and an anti-replay service.
Figure: IP packet in IPSec Tunnel Mode
Figure: IP datagram protected by ESP
ESP uses the value 50 in the IP header. The ESP header is inserted after the IP header and before the header of the upper-layer protocol. The IP header may be a new IP header in Tunnel Mode or the original IP header in Transport Mode.
The Security Parameter Index (SPI) in the ESP header is a 32-bit value that is combined with the destination address and the protocol in the IP header. The SPI is a number chosen by the destination host during the public key negotiation between the peers. This number increases sequentially and sits in the sender's header. The SPI, together with a sliding window mechanism, forms the anti-replay protection.
Figure: IP packet protected by ESP in Transport Mode
Figure: IP packet protected by ESP in Tunnel Mode
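An added example (not from the report) of the ESP header fields described above and of the sliding-window anti-replay check built on them. Note that the SPI stays fixed for one security association; it is the separate 32-bit sequence number that follows the SPI in the ESP header which increments per packet. The window logic follows RFC 4303 section 3.4.3; the SPI value and the packet stream are constructed.

```python
import struct

ESP_PROTO = 50   # value in the IP header's protocol field for ESP
AH_PROTO = 51    # value for AH, shown for comparison with the text


def parse_esp_header(esp_payload: bytes) -> tuple:
    """The first 8 bytes of ESP: a 32-bit SPI followed by a 32-bit sequence number."""
    if len(esp_payload) < 8:
        raise ValueError("ESP header needs at least 8 bytes")
    return struct.unpack("!II", esp_payload[:8])


class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 section 3.4.3.
    `highest` is the largest sequence number accepted so far; bit i of `bitmap` records
    whether sequence number (highest - i) has already been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq: int) -> tuple:
        if seq == 0:                         # 0 is never a valid ESP sequence number
            return False, "zero sequence number"
        if seq > self.highest:               # newer than anything seen: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True, "new highest"
        diff = self.highest - seq
        if diff >= self.size:                # older than the window can remember
            return False, "outside window"
        if self.bitmap & (1 << diff):        # already accepted once: a replay
            return False, "replay"
        self.bitmap |= 1 << diff             # late but first-time arrival
        return True, "inside window"


def demo() -> list:
    """Constructed ESP packet stream for one security association (SPI fixed), with
    reordering, a duplicate, a large jump and very late packets."""
    sa_spi = 0x1000ABCD
    arrivals = [1, 2, 3, 2, 6, 5, 4, 70, 6, 100, 3]
    window = AntiReplayWindow(size=64)
    results = []
    for seq in arrivals:
        packet = struct.pack("!II", sa_spi, seq) + b"\x00" * 16   # header + placeholder ciphertext
        spi, seq_num = parse_esp_header(packet)
        if spi != sa_spi:                    # not our SA: drop before any replay logic
            results.append((seq, False, "unknown SPI"))
            continue
        accepted, reason = window.check(seq_num)
        results.append((seq, accepted, reason))
    return results


if __name__ == "__main__":
    for seq, accepted, reason in demo():
        print(f"seq {seq:>3}: {'accept' if accepted else 'reject'} ({reason})")
```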
Authentication Header (AH)
AH also provides data integrity checking, data authentication and anti-replay protection. Unlike ESP, however, it provides no data confidentiality. The AH header is much simpler than the ESP header.
AH is an IP protocol identified by the value 51 in the IP header. In Transport Mode the protected upper-layer protocol value is that of the upper-layer protocol, such as UDP, TCP and so on; in Tunnel Mode this value is 4. The position of AH in Transport and Tunnel Mode is shown in the following figure:
Figure: IP packet protected by AH
Figure: IP packet protected by AH in Transport Mode
In Transport Mode, AH is well suited to connecting endpoints that use IPSec; in Tunnel Mode AH encapsulates the IP packet and adds a new IP header in front of the AH header. AH in Tunnel Mode can thus be used to provide a secure end-to-end VPN connection. The content of the packet, however, is not kept confidential.
Figure: IP packet protected by AH in Tunnel Mode
Three-step handshake authentication process -
Three-Way CHAP Authentication Process
V. Conclusion
Today it is common for companies to have many branches, so the need to exchange information between branches is necessary and pressing. In the future, therefore, deploying a VPN between the branches of a company will be an essential requirement.
VI. How to configure a VPN (Client to Site)
Conventions:
LAN card: the network card used to connect the 2 machines to each other.
INTERNET card: the network card connected to the switch, so that all machines can see each other, and to the Router.
- The lab topology is as follows:
Client1: uses 1 card
Card LAN:
IP Address : 172.16.1.2
Subnet Mask : 255.255.0.0
Default Gateway : 172.16.1.1
Preferred DNS : blank
SERVER1
Card LAN:
IP Address : 172.16.1.1
Subnet Mask : 255.255.0.0
http://www.zensoft.vn/Attachs/Articles/3674/1.jpg
Default Gateway : blank
Preferred DNS : blank
Card INTERNET:
IP Address : 192.168.1.1
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.254 (points to the router)
Preferred DNS : 210.245.24.20
Client2: uses 1 card
Card INTERNET
IP Address : 10.0.0.5
Subnet Mask : 255.255.255.0
Default Gateway : 10.0.0.2
Preferred DNS : 210.245.24.20
Steps
1. NAT port 1723 on the ADSL Router to the SERVER1 machine.
2. Configure the VPN Server on the SERVER machine:
Step 1: Create the user that Client2 will use to connect to the VPN Server
User: u1
Password: 123
- Untick "User must change password at next logon", then OK. Give U1 the "Allow access" permission.
Step 2: Choose Start -- Programs -- Administrative Tools -- Routing and Remote Access.
In the Routing and Remote Access window, right-click SERVER1 --- choose Configure and Enable Routing and Remote Access.
- Step 3: In the Welcome to the Routing and Remote Access Server Setup Wizard window, click Next. In the Configuration window, check Remote Access (dial-up or VPN) and click Next.
- Step 4: Click Next. In the Remote Access window, check VPN.
- Step 5: In the VPN Connection window, select the INTERNET card, uncheck Enable security on the selected packet filters, and click Next.
- Step 6: In the IP Address Assignment window, check From a specified range of addresses and click Next.
- Step 7: In the Address Range Assignment window, click New.
- Step 8: In the New Address Range window, enter the Start IP and End IP, then click OK -- Next.
- Step 9: In the Managing Multiple Remote Access Servers window, check No, use Routing and Remote Access to authenticate connection requests --> Next --> Finish --> OK.
3. Configure the VPN client on Client2:
- Right-click My Network Places and choose Properties - Create a new connection -- Welcome window --> Next.
- In the Network Connection Type window, check Connect to the network at my workplace --> Next.
- In the Network Connection window, check Virtual Private Network Connection -- Next.
- In the Connection Name window, type any name into Company Name (e.g. ITLab), then click Next.
- In the VPN Server Selection window, type the hostname registered on NO-IP into Host name or IP address --> Next --> Finish.
Note: on SERVER1 you must install the program that updates the IP address for the host name banbeit.no-ip.com!
- In the Connect window, enter User name u1 and Password 123, then click Connect.
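Before trusting the client connection in the last step, a practitioner will want to confirm from Client2's side that the port forward of step 1 actually reaches RRAS. The following Python, an example added for this edit rather than code from the report, opens the PPTP control connection to the server, sends the Start-Control-Connection-Request defined in RFC 2637, and decodes the server's reply; the reply built by sample_sccrp() is constructed only so the decoder can be exercised offline. The hostname banbeit.no-ip.com is the one the report registers on NO-IP; everything else (the field names, the vendor string, the probe() helper) is the example's own.

```python
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CONTROL_MESSAGE = 1            # PPTP message type for control messages
SCCRQ, SCCRP = 1, 2            # Start-Control-Connection-Request / -Reply
HEADER = "!HHIHH"              # length, message type, magic cookie, control type, reserved0
SCCRQ_BODY = "!HHIIHH64s64s"   # version, reserved1, framing, bearer, max channels, firmware, host, vendor
SCCRP_BODY = "!HBBIIHH64s64s"  # version, result, error, framing, bearer, max channels, firmware, host, vendor
MESSAGE_LEN = 156              # both messages are 156 bytes on the wire
RESULT_TEXT = {1: "ok", 2: "general error", 3: "channel already exists",
               4: "not authorized", 5: "unsupported protocol version"}


def build_sccrq(hostname=b"check", vendor=b"added-example"):
    """Encode a Start-Control-Connection-Request (RFC 2637 section 2.1)."""
    body = struct.pack(SCCRQ_BODY, 0x0100, 0, 0x3, 0x3, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    return struct.pack(HEADER, 12 + len(body), CONTROL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body


def parse_sccrp(data):
    """Decode the server's reply; raise ValueError if it is not a well-formed SCCRP."""
    if len(data) < MESSAGE_LEN:
        raise ValueError(f"reply too short ({len(data)} bytes)")
    length, msg_type, magic, ctrl_type, _ = struct.unpack(HEADER, data[:12])
    if magic != MAGIC_COOKIE or msg_type != CONTROL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError(f"expected SCCRP (2), got control type {ctrl_type}")
    version, result, error, _, _, max_ch, _, host, vendor = struct.unpack(
        SCCRP_BODY, data[12:MESSAGE_LEN])
    return {
        "ok": result == 1,
        "result": RESULT_TEXT.get(result, f"unknown ({result})"),
        "error_code": error,
        "version": f"{version >> 8}.{version & 0xFF}",
        "max_channels": max_ch,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def sample_sccrp(hostname=b"SERVER1", result=1):
    """A constructed reply in the shape a PPTP server returns (not a real capture)."""
    body = struct.pack(SCCRP_BODY, 0x0100, result, 0, 0x3, 0x3, 1, 0,
                       hostname.ljust(64, b"\0"), b"constructed-vendor".ljust(64, b"\0"))
    return struct.pack(HEADER, 12 + len(body), CONTROL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + body


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Open the control connection through the NAT and return the parsed SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        reply = b""
        while len(reply) < MESSAGE_LEN:
            chunk = sock.recv(MESSAGE_LEN - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "banbeit.no-ip.com"  # hostname from the report
    print(probe(target))
```

A reply with result "ok" proves only the TCP control channel. The tunnel's data travels in GRE (IP protocol 47), which the ADSL router must also pass to SERVER1, otherwise the client authenticates and then stalls. Note also that with the packet filters of step 5 unchecked, the INTERNET card answers on every port it listens on, not just 1723, so this check is best paired with a review of what else that interface exposes.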