[Laptrinh.vn] - Virtual Private Network (VPN)


Graduation Thesis

University of Technology (Đại học Công nghệ)

Lê Anh Hùng, K49ĐB

Table of Contents

Preface

Chapter 1: Overview of VPN
1. Overview
1.1 Definition of VPN
1.2 Benefits of VPN
1.3 Functions of VPN
2. Definitions of tunneling and encryption
2.1 Definition of a tunnel
2.2 Structure of an IP packet in a tunnel
2.3 Encryption and decryption
2.4 Some terms used in VPN
3. Types of VPN connection
3.1 Remote Access VPNs
3.1.1 Main components
3.1.2 Main advantages of Remote Access VPNs
3.1.3 Disadvantages of Remote Access VPNs
3.2 Site-to-Site VPN
3.2.1 Intranet
3.2.2 Extranet VPNs
4. VPN and security issues on the Internet
4.1 Safety and reliability
4.2 Forms of security

1. The IPSec protocol suite (IP Security Protocol)
1.1 Security architecture
1.1.1 Current status
2. IPSec modes of operation
2.1 Transport mode
2.2 Tunnel mode
3. The PPTP and L2TP protocols
3.1 Point-to-Point Tunneling Protocol (PPTP)
3.1.1 Relationship between PPTP and PPP
3.2 Layer 2 Forwarding Protocol (L2F)
3.3 Layer 2 Tunneling Protocol (L2TP)
3.3.1 Relationship between L2TP and PPP
3.4 L2TP overview
3.5 Applying L2TP in VPNs
3.6 Comparison of PPTP and L2TP
3.6.1 Advantages of L2TP
3.6.2 Advantages of PPTP

1. Encryption in VPNs
1.1 The DES encryption algorithm
1.1.1 Description of DES
1.1.2 Advantages and disadvantages of DES
1.1.3 Practical applications of DES
1.2 The 3DES encryption algorithm
1.2.1 Description of 3DES
1.2.2 Advantages and disadvantages of 3DES
1.3 The Secure Hash Algorithm (SHA)
1.4 The RSA algorithm
2.1 Password Authentication Protocol (PAP)
2.2 Challenge Handshake Authentication Protocol (CHAP)
3. Firewalls
3.1 The firewall concept
3.2 Firewall components
3.2.1 Packet filtering router
3.2.2 Application-level gateway
3.2.3 Circuit-level gateway
3.3 Limitations of firewalls
3.5 Some types of firewall
3.5.1 Screened Host Firewall
3.5.2 Screened-Subnet Firewall
3.6 Combining a firewall with a VPN

1. Site-to-Site VPN and Extranet VPN models
1.1 Site-to-Site VPN scenario
1.1.1 Dividing the physical address components of the Site-to-Site VPN model
1.1.2 Detailed address table for the Site-to-Site VPN model
2.1 Extranet scenario
2.1.1 Dividing the physical address components of the Extranet VPN model
2.1.2 Detailed address table for the Extranet VPN model
2. Tunnel configuration
2.1 Configuring a GRE tunnel
2.1.1 Configuring the tunnel interface, source and destination
2.1.2 Verifying the tunnel interface, source and destination
2.2 Configuring an IPSec tunnel
3. Configuring NAT (Network Address Translation)
3.1 Configuring Static Inside Source Address Translation
3.2 Verifying Static Inside Source Address Translation
4. Configuring encryption and IPSec
4.1 Configuring IKE policies
4.1.1 Creating IKE policies
4.1.2 Configuring additional requirements for IKE policies
4.1.3 Configuring pre-shared keys
4.2 Configuring the gateway for digital certificate interoperability
4.2.1 Verifying IKE policies
4.2.2 Configuring other pre-shared keys
4.3 Configuring IPSec and IPSec tunnel mode
4.3.1 Creating crypto access lists
4.3.2 Verifying crypto access lists
4.4 Defining transform sets and configuring IPSec tunnel mode
4.4.1 Verifying transform sets and IPSec tunnel mode
4.5 Configuring crypto maps
4.5.1 Creating crypto map entries
4.5.2 Verifying crypto map entries
4.5.3 Applying a crypto map to an interface
4.5.4 Verifying the crypto map binding on the interface
5. Configuring Cisco IOS Firewall features
5.1 Creating extended access lists and using access list numbers
5.3 Applying access lists to interfaces
5.4 Verifying that access lists are applied correctly

1. General introduction
2. Installing the VPN Server
3. Configuring the VPN Server
3.1 Routing and Remote Access Properties
3.2 Ports Properties
3.3 Remote Access Policies
4. Creating Windows users allowed to use the VPN
5. VPN Client on Windows XP
6. Managing connections on the VPN Server
Conclusion
References
List of abbreviations

Preface

In the past, remote access to information on computers was done over a dial-up connection. RAS dial-up connections run over ordinary POTS (Plain Old Telephone Service) telephone lines and reach speeds of about 56 kbps. Speed is a serious problem for dial-up RAS connections, but a bigger problem is the cost of the long-distance connections needed for that access.

Today, with its explosive growth, the Internet keeps expanding and becoming harder to control, and with that comes a lack of safety when exchanging information over the network: data exchanged on the network can be leaked or stolen. This makes organizations such as enterprises, banks, companies and business people worried about the safety and confidentiality of the data in their local networks (LANs) when they exchange information over the public Internet. The VPN (Virtual Private Network) is the solution put forward to let organizations, enterprises and business people exchange information from their local networks across the Internet safely and securely. Beyond that, it helps enterprises cut the cost of remote links and links over wide areas (nationwide or global).

As a technology student, I partly understand the unease and worry of organizations and individuals about the lack of security when they exchange information. With the guidance and help of my teachers and friends, I chose the topic of virtual private networks (VPN) to study the technological solutions to the problem of building a virtual private network: the access models, the authentication methods, and the practical deployment and installation on network systems.

Chapter 1: OVERVIEW OF VPN

1. Overview

In the present era the Internet has grown strongly as a model for industry and meets the needs of its users. The Internet was designed to connect many different networks and to let information reach users freely and quickly, regardless of the machine and the network a user is on. To do this, a special-purpose device called a router is used to connect LANs and WANs to one another. Computers connect to the Internet through a service provider (ISP, Internet Service Provider) and need a common protocol, TCP/IP. What engineering still has to keep solving is the communication capacity of the public telecommunication networks. With the Internet, services such as distance education, online shopping, medical consultation and many other things have become reality. However, because the Internet is global in scope and no single organization or government manages it, securing and protecting data, as well as managing services, is very hard. This led to a new network model that satisfies these requirements while still reusing the existing Internet infrastructure: the virtual private network (Virtual Private Network, VPN). With this model there is no need for large additional investment in infrastructure, features such as confidentiality and reliability are still guaranteed, and the operation of the network can be managed privately. A VPN lets users working from home, on the road or in branch offices connect securely to their organization's servers over infrastructure provided by a public network. It can protect information exchanged between agents, suppliers and business partners in a wide communication environment. In many cases a VPN resembles a WAN (Wide Area Network); the decisive characteristic of a VPN, however, is that it can use a public network such as the Internet while still guaranteeing privacy, and at much lower cost.

1.1 Definition of VPN

A VPN is simply understood as the extension of a private network across public networks. Basically, each VPN is a separate private network that uses a shared network (usually the Internet) to connect sites (individual private networks) or many remote users. Instead of real, dedicated connections such as leased lines, each VPN uses virtual connections routed over the Internet from the company's private network to the sites or to remote employees. To send and receive data over a public network while still guaranteeing safety and confidentiality, the VPN encrypts the data in transit, creating a protected pipe (tunnel) between sender and receiver that behaves like a point-to-point link on a private network. To create that protected pipe the data must be encrypted or otherwise hidden; only the packet header, which carries the routing information that lets the packet reach its destination quickly across the public network, is exposed. Because the data is encrypted, packets captured on the public path cannot be read: the eavesdropper has no key to decrypt them. The link carrying encrypted, encapsulated data is called a VPN connection, and VPN connections are usually called VPN tunnels.


Figure 1: VPN network model

1.2 Benefits of VPN

A VPN offers more features than traditional networks and leased-line networks. The main benefits include:
- Lower cost than private networks: a VPN can cut transmission cost by 20-40% compared with leased-line networks and remote-access cost by 60-80%.
- Flexibility for doing business over the Internet: a VPN is inherently more flexible and more scalable in its network architecture than classic networks, so it can quickly and cost-effectively connect remote offices, international locations, telecommuters, mobile users and outside business partners as business requirements demand.
- Simplified management: dynamic network structures reduce the management burden. Using the Internet backbone removes the static PVCs required by connection-oriented protocols such as Frame Relay and ATM.
- Increased security: important data is hidden from those without access rights, while access is allowed for authorized users.
- Support for the most common network protocols in use today, such as TCP/IP.
- Hiding of IP addresses: because the information sent over the VPN is encrypted, the addresses inside the private network are hidden and only the outer Internet addresses are visible. This holds in tunnel mode, where the whole inner IP packet, header included, is encrypted; in transport mode the original IP header stays in the clear.

1.3 Functions of VPN

A VPN provides three main functions:
- Confidentiality: the sender can encrypt the data packets before transmitting them across the network. Nobody can access the information without authorization, and anyone who does capture it cannot read it because it is encrypted.
- Data integrity: the receiver can check that the data was transmitted across the Internet without any modification.
- Origin authentication: the receiver can verify the source of the data packet, guaranteeing and recognizing where the information came from.

2. Definitions of tunneling and encryption

The main function of a virtual private network is to protect information by encrypting and authenticating it across a tunnel.

2.1 Definition of a tunnel

A tunnel provides logical point-to-point connections that carry encrypted data packets through a separate channel across an IP network. This increases security because the encrypted data travels inside a tunnel established between sender and receiver, so theft and eavesdropping are avoided. The tunnel is the "virtual" property of a VPN. The tunneling protocols used in VPNs are:
- L2TP (Layer 2 Tunneling Protocol)
- PPTP (Point-to-Point Tunneling Protocol)
- L2F (Layer 2 Forwarding)
Intranet and extranet VPNs can also use these technologies:
- IPSec (IP Security)
- GRE (Generic Routing Encapsulation)
Note that tunneling by itself only encapsulates packets. L2TP, L2F and GRE carry traffic in the clear unless they are combined with an encrypting protocol (for example L2TP over IPSec), and PPTP's own MPPE encryption has known weaknesses.

2.2 Structure of an IP packet in a tunnel

Figure 2: Structure of an IP packet in a tunnel
  Tunnel-mode packet: | new IP header | AH | ESP header | original IP header | Data |
The last two fields (header and data) are the original packet, carried whole inside the tunnel; the new outer IP header carries the addresses of the tunnel endpoints. AH and ESP may be applied together as shown, but in practice ESP alone is the usual choice.

2.3 Encryption and decryption

Encryption transforms information from its original readable form (clear text or plaintext) into an unreadable, apparently meaningless form (ciphertext), so that it cannot be read or used by unauthorized users. Decryption is the reverse process: transforming the ciphertext back into a readable form for authorized users.

2.4 Some terms used in VPN

- Cryptosystem: a system that performs encryption or decryption, user authentication, hashing and key exchange. A cryptosystem can use one or more methods depending on the requirements of particular kinds of user traffic.
- Hashing: a data-integrity technique that uses a formula or algorithm to transform a variable-length message (and, for a keyed hash such as HMAC, a shared secret key) into a single fixed-length string. The message and the hash travel across the network from source to destination; the key does not. At the receiver the hash is recomputed to check that the message was not changed in transit. An unkeyed hash only detects accidental corruption; only a keyed hash ties the check to a sender who knows the key.
- Authentication: the process of identifying a user or process that accesses a computer system or network connection. Authentication makes sure the individual or process is who it claims to be.
- Authorization: checking whether an entity is allowed to exercise specific rights.
- Key management: a key is a piece of information, usually a random or random-looking sequence of binary digits, used initially to set up and then periodically change the operation of a cryptosystem. Key management is the supervision and control of the process by which keys are generated, stored, protected, transformed, loaded, used and destroyed.
- Certificate Authority (CA): a trusted service that helps secure communication between network entities or users by creating and assigning digital certificates, such as public-key certificates, for cryptographic purposes. A CA vouches for the binding between the security components in a certificate, that is, between the identity and the public key.
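To make the packet layout of Figure 2 and the three functions of 1.3 concrete, here is an added example (not code from the thesis) that builds and unwraps an ESP tunnel-mode packet in Python with the standard library only. The addresses, keys and payload are constructed for the example. The cipher is an HMAC-SHA256 counter-mode keystream standing in for AES so that the code runs without extra libraries; that substitution is the only place it departs from real ESP, which uses AES-GCM or AES-CBC with HMAC. It shows confidentiality (the inner packet, private addresses included, is encrypted), integrity and origin authentication (a keyed ICV that is verified before anything is decrypted), and the padding and next-header trailer that lets the receiver recover the original packet.

```python
"""Toy ESP tunnel-mode encapsulation (RFC 4303 layout), standard library only.

Wire format produced by esp_encapsulate():
  [outer IPv4 hdr 20][SPI 4][SeqNo 4][IV 16][encrypted: inner IP pkt | pad | padlen | next][ICV 16]
"""
import hashlib
import hmac
import os
import struct

ESP_PROTO = 50          # protocol number in the outer IP header
NEXT_HDR_IPV4 = 4       # tunnel mode: the protected payload is a whole IPv4 packet
IV_LEN = 16
ICV_LEN = 16            # HMAC-SHA-256-128 style truncation of the 32-byte tag


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, addr(src), addr(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in for AES so the example needs
    no third-party library. Real ESP uses AES-GCM or AES-CBC plus HMAC."""
    blocks = [hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner_pkt: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes,
                    outer_src: str, outer_dst: str, iv: bytes = None) -> bytes:
    """Wrap a whole inner IP packet in ESP (tunnel mode) behind a new outer IP header."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # RFC 4303 2.4: pad so payload + padlen + next header is a multiple of the block size (4 here);
    # padding bytes are 1, 2, 3, ... so the receiver can verify them.
    pad_len = (-(len(inner_pkt) + 2)) % 4
    plaintext = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPV4])
    ciphertext = xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))  # confidentiality
    authed = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]        # integrity + origin
    esp = authed + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(wire: bytes, enc_key: bytes, auth_key: bytes, expected_spi: int):
    """Verify the ICV first (never decrypt unauthenticated data), then unwrap the inner packet."""
    outer, esp = wire[:20], wire[20:]
    if outer[9] != ESP_PROTO:
        raise ValueError("outer header does not carry ESP")
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != expected_spi:
        raise ValueError("no SA for SPI 0x%08x" % spi)
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or not from the peer")
    iv, ciphertext = authed[8:8 + IV_LEN], authed[8 + IV_LEN:]
    plaintext = xor_bytes(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != NEXT_HDR_IPV4:
        raise ValueError("unexpected next header %d" % next_hdr)
    body = plaintext[:len(plaintext) - 2 - pad_len]
    if plaintext[len(body):len(body) + pad_len] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return seq, body


def demo() -> dict:
    """Constructed sample: host 10.0.1.5 at site A sends a UDP-style datagram to 10.0.2.7 at
    site B through a tunnel between gateways 203.0.113.1 and 198.51.100.1 (made-up addresses)."""
    payload = b"hello from site A"
    inner = ipv4_header("10.0.1.5", "10.0.2.7", 17, len(payload)) + payload
    enc_key, auth_key = b"E" * 32, b"A" * 32          # toy keys; real SAs get keys from IKE
    wire = esp_encapsulate(inner, 0x1000, 1, enc_key, auth_key, "203.0.113.1", "198.51.100.1",
                           iv=bytes(16))                # fixed IV only to keep the demo reproducible
    seq, recovered = esp_decapsulate(wire, enc_key, auth_key, 0x1000)
    tampered = bytearray(wire)
    tampered[60] ^= 0x01                               # flip one bit inside the ciphertext
    try:
        esp_decapsulate(bytes(tampered), enc_key, auth_key, 0x1000)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "wire_len": len(wire),
        "roundtrip": recovered == inner and seq == 1,
        "tamper_detected": tamper_detected,
        "inner_addrs_hidden": bytes([10, 0, 1, 5]) not in wire[20:],
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in esp_decapsulate is the part worth copying: the SPI selects the SA, the ICV is verified over the ESP header, IV and ciphertext, and only then is anything decrypted or parsed, so a forged or modified packet never reaches the padding and next-header logic.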

2.5 Algorithms used to encrypt information:
- DES (Data Encryption Standard)
- 3DES (Triple DES)
- SHA (Secure Hash Algorithm)
DES, with its 56-bit key, is no longer considered secure and 3DES is deprecated; current IPSec deployments use AES.
- AH (Authentication Header): a security protocol that authenticates data, guarantees data integrity and provides anti-replay service (guaranteeing that each packet is unique). AH is inserted into the packet it protects; it provides no confidentiality.
- ESP (Encapsulating Security Payload): a security protocol that provides data confidentiality, data integrity, data-origin authentication and anti-replay service. ESP encapsulates the data it protects.
- Oakley and SKEME each define a method for establishing an authenticated key exchange: the payload structure, the information the payloads carry, the order in which keys are processed and how the keys are used.
- ISAKMP (Internet Security Association and Key Management Protocol): a protocol framework that defines payload formats, the mechanics of implementing a key-exchange protocol and the negotiation of an SA (Security Association).
- IKE (Internet Key Exchange): a hybrid protocol that implements the Oakley and SKEME key exchanges inside the ISAKMP framework.
- SA (Security Association): a set of policies and keys used to protect information. The ISAKMP SA is the shared policy and keys used by the negotiating peers to protect their own negotiation traffic.
- AAA (Authentication, Authorization and Accounting): network security services that provide the primary framework through which access control is set up on routers or access servers. The two main choices for AAA are TACACS+ and RADIUS.
- TACACS+ (Terminal Access Controller Access Control System Plus): a security application that provides centralized authentication of users attempting to access a router or network access server.
- RADIUS (Remote Authentication Dial-In User Service): a distributed client/server system that protects the network against unauthorized access.
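The anti-replay service that AH and ESP provide, listed above, is the sliding window of RFC 4303 section 3.4.3. The following Python class is an added example, not code from the thesis, of that window fed with a constructed arrival order. It assumes 32-bit sequence numbers without extended sequence numbers and a 64-packet window, the minimum a receiver should support. The check is applied only to packets whose ICV has already verified; otherwise an attacker could slide the window forward with forged sequence numbers and cause genuine packets to be dropped.

```python
"""Anti-replay sliding window for an IPsec SA (RFC 4303 section 3.4.3), standard library only.

The receiver keeps the highest sequence number accepted so far and a bitmap recording
which of the previous `size` numbers have already been accepted. A packet is rejected
if it is older than the window or has been seen before. Run this check only after the
ICV has verified, so that forged packets cannot move the window.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0       # bit i set  <=>  sequence number (top - i) already accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window, else False."""
        if seq <= 0:                      # sequence numbers start at 1; 0 is never valid
            return False
        if seq > self.top:                # new high-water mark: slide the window right
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1           # everything previously seen is now out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:             # too old: fell off the left edge of the window
            return False
        if self.bitmap & (1 << diff):     # already accepted: this is a replay
            return False
        self.bitmap |= 1 << diff          # late but genuine (reordered): accept and remember
        return True


def run_sequence(seqs, size: int = 64):
    """Feed an arrival order through a fresh window and return the accept/reject decisions."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


SAMPLE_ARRIVALS = [1, 2, 3, 2, 5, 4, 1, 70, 6, 200]   # constructed: in-order, replay of 2,
                                                      # reordering (5 before 4), replay of 1,
                                                      # jump to 70 slides the window, 6 is now too old


def demo():
    return run_sequence(SAMPLE_ARRIVALS)


if __name__ == "__main__":
    for s, ok in zip(SAMPLE_ARRIVALS, demo()):
        print(f"seq {s:>3}: {'accept' if ok else 'REJECT'}")
```

Reordered packets inside the window (4 arriving after 5) are accepted, which is why the window is a bitmap rather than a single "last seen" counter; a counter would drop legitimately reordered traffic.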

3. Types of VPN connection

3.1 Remote Access VPNs

Remote Access VPNs allow remote and mobile users and the communication devices of branch-office employees to connect to the organization's network resources at any time. Remote Access VPN describes remote users who use VPN client software to reach the company intranet through a gateway or VPN concentrator (essentially a server). For this reason the solution is often called client/server. In this solution users typically use traditional WAN technologies to build tunnels back to their head-office network.

A fairly new development in remote access VPN is the wireless VPN, in which an employee reaches the network over a wireless connection. In this design the wireless connection first reaches a wireless terminal and then the company network. In both cases, client software on the PC initiates the protected connections, also called tunnels.

An important part of this design is the initial authentication process, which makes sure the request comes from a trusted source. This initial stage usually rests on the company's common security policy, which covers procedures, techniques and servers (such as Remote Authentication Dial-In User Service [RADIUS] and Terminal Access Controller Access Control System Plus [TACACS+]).

3.1.1 Main components

- Remote Access Server (RAS): located at the central site, responsible for verifying and authenticating incoming requests.
- Dial-up connections to the central site, which reduce cost for requests coming from far away from the center.
- Support staff responsible for configuring, maintaining and managing the RAS and for supporting remote access by users.

Figure 3: A non-VPN remote access setup

By deploying Remote Access VPNs, remote users or branch offices only need a local connection to an ISP or an ISP's POP, and reach the resources over the Internet. The remote access setup is described in the following figure:

Figure 4: A VPN remote access setup

3.1.2 Main advantages of Remote Access VPNs:
- The need for a RAS and its associated modems is eliminated.
- The need to support individual users is eliminated, because the remote connection is provided by the ISP.
- Long-distance dialing is eliminated; long-distance connections are replaced by local connections.
- Lower cost for long-distance connections.
- Because the connection is local, connection speed is higher than with a direct long-distance connection.
- VPNs provide better access to the central site because they support a minimum service level even when the number of simultaneous connections to the network grows quickly.

3.1.3 Besides the advantages above, Remote Access VPNs also have some disadvantages:
- Remote Access VPNs cannot guarantee quality of service.
- The probability of data loss is high, and fragments of a data packet can go astray and be lost.
- Because of the complexity of the encryption algorithms, protocol overhead increases noticeably, which makes the authentication process harder. In addition, compression of IP and PPP-based data is very slow and poor.
- Because data must travel over the Internet, exchanging large data such as multimedia, video and audio is very slow.

3.2 Site-to-Site VPN

Site-to-site: used to connect the network at one location to the network at another location through a VPN. In this scenario the initial authentication takes place between the network devices themselves, where a VPN connection is established between them. These devices then act as gateways and ensure that traffic intended for the other site is forwarded there. VPN-capable routers and firewalls, as well as dedicated VPN concentrators, all provide this function.

Figure 5: Site-to-site VPN

A Site-to-Site VPN can be viewed as either an intranet VPN or an extranet VPN: if the connected sites belong to the same organization it is considered an intranet VPN, otherwise an extranet VPN. The strictness of access between sites can be controlled in both cases (intranet and extranet VPN) according to the sites involved. The Site-to-Site VPN solution is not a remote access VPN, but it is included here for completeness. The distinction between remote access VPN and Site-to-Site VPN is merely symbolic and, beyond that, is provided for purposes of discussion. For example, to classify new hardware-based VPN devices (such as the Cisco VPN 3002) we have to apply both ways of looking at it, because a hardware-based client can appear when a single device is accessing the network, even though a network may have many VPN devices in operation. Another example is the extended mode of the Easy VPN (EzVPN) solution using the Cisco 806 and 17xx routers.

A Site-to-Site VPN connects two separate networks through a protected tunnel, which can use PPTP, L2TP or IPSec. Its purpose is to connect two networks that have no direct link without compromising the integrity, authentication or confidentiality of the data. You can set up a Site-to-Site VPN with a combination of VPN concentrators, routers and firewalls. The connection is designed to create a direct, efficient network connection regardless of the physical distance between the networks. It may travel over the Internet or another untrusted network, so you must guarantee security by encrypting all data packets travelling between the networks.

3.2.1 Intranet

Figure 6: Intranet setup using a WAN backbone

Intranet VPNs, also called internal VPNs, connect the networks of the headquarters, offices and remote branches over a shared network infrastructure such as the Internet into a single private network of a corporation or of an organization made up of many companies and offices, and the connections between them are always encrypted. An intranet VPN connects the organization's branch offices to the corporate intranet (backbone router) using campus routers (Figure 7).

In the model above, the cost is high because two routers are needed to set up the network; in addition, deploying, maintaining and managing the intranet backbone is expensive, depending on the traffic it carries and on the geographic extent of the whole intranet. To solve this, the expensive WAN backbone is replaced by low-cost Internet connections, which can save a significant part of the cost of deploying the intranet (Figure 7).

Figure 7: Intranet setup based on VPN

The main advantages of the VPN-based intranet setup in Figure 7:
- More cost-effective, because fewer routers are used than in the WAN backbone model.
- Fewer individual-user support requirements across the globe and at the various remote sites.
- Because the Internet acts as the intermediate connection, new peer connections are easy to provide.
- Faster and better connections because, by nature, the connection goes to the service provider, which removes the long-distance problem and further helps the organization cut the cost of running the intranet.

The main disadvantages of this approach:
- Because the data is still tunneled over the shared public network (the Internet), attacks such as denial of service remain a threat to information security.
- The probability of losing data in transit is also high.
- In some cases, especially for high-end data such as multimedia files, exchange is very slow because it goes over the Internet.
- Because the connection is Internet-based, performance is not continuous or consistent, and QoS is not guaranteed.

3.2.2 Extranet VPNs

Figure 8: Extranet VPN

An extranet extends an intranet to link customers, suppliers, partners or employees working in the intranet over a shared infrastructure. Unlike intranet- and remote-access-based VPNs, an extranet is not isolated from the outside world: it allows access to needed network resources by business partners, such as customers, suppliers and partners who play important roles in the organization.

Figure 9: Traditional extranet setup

As the figure shows, a traditional extranet is expensive because many separate network segments on the intranet are joined to form the extranet. This makes it hard to deploy and manage, since there are many networks, and hard for the people doing maintenance and administration. Extranets are also hard to expand, since doing so disturbs the whole intranet and can affect connections outside the network. Unexpected problems arise when connecting an intranet to an extranet; designing and deploying an extranet can be a nightmare for network designers and administrators.


Figure 10: Extranet setup based on VPN

Some advantages of the extranet:
- Because it operates over the Internet, you can choose among providers when selecting a solution that fits the organization's needs.
- Because part of the Internet connectivity is maintained by the ISP, the cost of hiring maintenance staff is reduced.
- Easy to deploy, manage and change.
Some disadvantages:
- Security threats such as denial-of-service attacks still exist.
- The risk of intrusion into the organization over the extranet increases.
- Because it is Internet-based, exchanging high-end data is slow.
- Because it is Internet-based, QoS is not consistently guaranteed.

4. VPN and security issues on the Internet

As we know, the explosive growth and expansion of the global Internet continues; about 10,000 new networks connect to the Internet every month, and with them comes the problem of exchanging data safely over a public network such as the Internet. Every year the leakage and theft of data causes great economic damage worldwide. Computer criminals (hackers) constantly look for ways to eavesdrop on and steal sensitive data such as credit cards, user accounts and sensitive business information from organizations and individuals. So how does a virtual private network solve the problem of safety and confidentiality on the Internet? The answer that lets organizations, enterprises and individuals exchange data over the Internet with confidence is VPN technology. In essence, the core technique of a VPN is to create a tunnel that encrypts and authenticates data between the two ends of the connection. Data is encrypted and authenticated before it travels in a separate tunnel, which keeps it away from prying eyes that want to steal it.

4.1 Safety and reliability

The security of a computer system is one part of its ability to remain dependable; this property of a system is referred to as dependability. Four factors affect a dependable system:
- Availability: the readiness to serve and answer requests within a time period. Availability is usually achieved with redundant hardware.
- Reliability: the probability that the system performs its functions over a period of time. Reliability differs from availability in that it is measured over a whole period of time; it corresponds to the continuity of a service.
- Safety: the system performs its functions correctly or, in case of failure, behaves in a way that causes no damage.
- Security: in this context, security means the protection of all system resources.

A computer system that is dependable at the highest level is secure at all times. It guarantees that no compromise of sensitive information occurs without warning. Regarding sensitive data there are two aspects to consider:
- Confidentiality.
- Integrity.


The term confidentiality, as defined here, means that data is not altered by illegitimate behaviour during its lifetime. Availability, safety and security are mutually dependent components. Security protects the system from threats and attacks. It ensures that a safe system is always available and dependable.

4.2 Forms of safety

The safety of a computer system depends on all of its components. There are 3 different kinds of safety:
- Hardware safety
- Information safety
- Administrative safety

Hardware safety: threats and attacks related to the hardware of the system. It can be divided into 2 categories: physical safety and safety at the source. Physical safety protects the hardware in the system from external physical threats such as tampering, theft of information, earthquakes and flooding. All sensitive information in the hardware resources of the system needs protection against all of these threats.

Information safety: concerns vulnerabilities in software, hardware and the combination of hardware and software. It can be divided into computer safety and communication safety. Computer safety covers the protection of objects against exposure and the vulnerability of the system, including access control mechanisms, mechanisms that enforce the security policy, hardware mechanisms and encryption techniques. Communication safety protects objects in transit.

Administrative safety: administrative safety concerns all the threats that people exploit against a computer system. These threats may be personnel activities. Personnel safety covers the protection of objects against attacks from authorized users.


Each user of the system has privileges to access certain resources. Personnel safety contains protection mechanisms against users who deliberately try to obtain higher privileges or abuse their privileges, so awareness education is very important; it really is a mechanism that protects system safety. Statistics show that authorized users pose a higher threat to a computer system than external attackers. Statistical information shows that only 10% of all computer harm is carried out from outside the system, while up to 40% is caused by insider users and about 50% by former employees


Chapter 2: PROTOCOLS IN VPN

In a VPN there are 3 main protocols for building a complete virtual private network:
- IPSec (IP Security)
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)

Depending on the specific application layer, each protocol has different advantages and disadvantages when deployed in a VPN.

1 The IPSec protocol suite (IP Security Protocol):

IPSec is in fact not a single protocol; it is a framework of open standard protocol suites designed to provide authentication and data integrity. IPSec works at the Network Layer (Layer 3) of the OSI model. Other Internet security protocols such as SSL, TLS and SSH are implemented from the transport layer upwards (layers 4 to 7 of the OSI model). This gives IPSec flexibility: it can serve layer 4 with TCP, UDP and most of the protocols used at that layer. IPSec has an advantage over SSL and the other methods that operate at the upper layers of the OSI model: with an application using IPSec the code is not changed, whereas if the application is required to use SSL or other security protocols at the upper layers of the OSI model, the application code has to be changed substantially.

1.1 Security architecture

IPSec is deployed (1) using cryptographic protocols to secure packets in transit, (2) with an authentication method and (3) by establishing encryption parameters. It builds the concept of security on top of IP. A simple security association combining algorithms and parameters (for example keys) is the foundation for encryption and authentication in one direction. In two-way communication, however, the security protocols work together and serve the communication process. In practice the choice of encryption and authentication algorithms depends on the IPSec administrator, because IPSec includes a group of security protocols that provide encryption and authentication for each IP packet.


In the processing steps, to decide what must be protected and provided for an outgoing packet, IPSec uses the Security Parameter Index (SPI), an index (ordered and stored in index data, like a telephone directory) into the Security Association Database (SADB), together with the destination address in the packet header, as the unique identifier of a security association for each packet. A similar process is done for incoming packets, where IPSec performs decryption and checks the keys from the SADB. For multicast packets, a security association is provided for a group and applied to all receivers in that group. There can be more than one security association for a group, using different SPIs, which also allows multiple security levels for a group. Each sender can have multiple security associations, allowing authentication, while the receiver only knows the keys sent in the data. Note that the standards do not describe how the associations are chosen and replicated from the group to individuals.

1.1.1 Current status

IPSec is a mandatory part of IPv6 and is optional when using IPv4. Although the standards are designed for both IP versions alike, today it is commonly applied and deployed on IPv4. The IPSec protocols were defined in RFCs 1825-1829, published in 1995. In 1998 they were updated in RFC 2401-2412, which is not compatible with RFC 1825-1829. In December 2005 the third generation of the IPSec standard, RFC 4301-4309, appeared. It does not differ much from RFC 2401-2412, but the new generation provides the second version of the IKE standard. In this new generation IP security is abbreviated as IPSec.

2 IPSec modes of operation

2.1 Transport mode

This mode supports communication between hosts, or between a server and another host, without any intervention by gateways acting as network security devices. In transport mode only the payload of the communicating packets is encrypted and/or authenticated. During routing the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified (for example the port


number). Transport mode is used in host-to-host communication. This means that the encapsulation of IPSec information for NAT traversal is defined by the information in the NAT-T RFC document.

2.2 Tunnel mode

This mode supports remote access and secure site-to-site links. Transport mode uses AH and ESP for the transport-layer part of an IP packet. The actual payload of this IP protocol is the only part protected in the whole packet. The header of the IP packet, with the addresses of the sending and receiving points, is not protected. When both AH and ESP are applied, AH is applied afterwards to compute the integrity of the data over the whole data amount. Tunnel mode, on the other hand, allows encryption and reception of the entire IP packet. Security gateways use this mode to provide security services on behalf of other entities on the network. The end communication points are protected inside the incoming IP packets, while the encrypting end points are kept in the transmitted IP packets. A security gateway analyses the incoming IP packet for the final recipient after IPSec has completed its processing. In tunnel mode the destination IP address is protected. In tunnel mode an extra IP header is added, whereas in transport mode this is not the case. IPSec defines tunnel mode for both AH and ESP. When host 1 wants to communicate with host 2, it can use tunnel mode so that security gateways can provide security services for the communication between the two nodes over the public network. IPSec allows security at multiple layers and along multiple routes. There the header of the inner packet is completely wrapped by the header of the transmitted packet. However, the routes must not overlap. For outbound traffic processing, the IP layer consults the SPD (Security Policy Database) to decide which security services to apply. Selectors are extracted from the headers and used to indicate an action for the SPD. If the SPD action is to apply security, a pointer to an SA in the SADB (Security Association Database) is returned. If the SA is not in the SADB, IKE is


triggered. The AH and ESP headers are then added in the way the SA specifies and the packet is transmitted. For inbound traffic processing, after receiving a packet the layer responsible for security checks the list of security methods to produce one of the following actions: discard, bypass or apply. If the action is apply but the SA does not exist, the packet is dropped. If the SA is in the SADB, however, the packet is passed to the next layer for processing. If the packet contains IPSec service headers, the IPSec stack receives the packet and processes it. During processing IPSec extracts the SPI, the source address and the destination address of the packet. The SADB is indexed by these parameters to select the single SA to use: SPI, destination address and protocol.

Figure 11: ESP packet layout. Transport mode: IP HDR | ESP HDR | DATA | ESP Trailer | ESP Auth, where DATA and ESP Trailer are encrypted and ESP HDR through ESP Trailer are authenticated. Tunnel mode: New IP HDR | ESP HDR | IP HDR | DATA | ESP Trailer | ESP Auth, where the original IP HDR, DATA and ESP Trailer are encrypted and ESP HDR through ESP Trailer are authenticated.

+ IPSec allows establishing private communications and ensuring confidentiality over the Internet without needing to know about the applications running on the host or the higher-layer protocols such as the transport layer.


Figure 12: IPSec operations within transport mode (data is created at the application layer; transport information is applied for end-to-end communication; network information is applied; IPSec isolates the IP header from the upper-layer data, encrypts the upper-layer data, applies the security protocol (ESP/AH with ESP trailer) and the packet is reassembled as IP header | ESP/AH | TCP header | Data | ESP TRL)


+ IPSec is a protocol suite able to verify data on both the sender's and the receiver's side, ensuring confidentiality and data integrity through encryption and authentication. IPSec is compatible with all applications running on an IP network.
+ IPSec operates more efficiently and faster than security applications operating at the application layer.


Figure 13: IPSec operations within tunnel mode (data is created at the application layer; transport and network information are applied; IPSec encrypts the whole datagram, applies the security protocol (ESP/AH with ESP trailer) and builds a new IP header, giving new IP header | ESP/AH | original IP header | TCP header | Data | ESP TRL; the packet is reassembled)

+ IPSec can be regarded as a layer below TCP/IP; this layer controls user access based on a security policy on each computer and negotiates security between sender and receiver.

Encapsulating Security Payload (ESP): protocol number 50, assigned by IANA. ESP is a security protocol that can be used to provide confidentiality and authentication of data packets against eavesdropping by unauthorized users. ESP protects the payload of the packet; ESP provides authentication for the inner IP packet and the ESP header. Authentication provides origin authentication and integrity of the packet. ESP supports symmetric ciphers such as Blowfish and DES. The default data encryption algorithm used in IPSec is 56-bit DES. Cisco network products and devices used in VPNs also use better data encryption with the 128-bit 3DES (Triple Data Encryption Security) algorithm.


+ ESP can be used on its own or combined with the Authentication Header (AH) protocol, depending on the environment. Both ESP and AH provide integrity and authentication of data packets.
+ ESP can also protect the uniqueness of a packet by requiring the receiver to set the replay bit in the header, indicating that the packet has been sent.
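The outbound path described above (SPD decides discard, bypass or apply; the SADB is keyed by SPI, destination and protocol; a missing SA means IKE is needed) together with the two ESP layouts of Figure 11, as an added example that is not part of the thesis. The policy entries, addresses, keys and the XOR "cipher" are constructed stand-ins for illustration, not a real IPsec implementation.

```python
"""Toy model of IPsec outbound processing and ESP encapsulation (added example).
SPD lookup -> SADB lookup -> ESP in transport or tunnel mode, reporting which
bytes end up encrypted and which are covered by the integrity check value."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

ESP_PROTO = 50  # IANA protocol number for ESP, as stated in the text

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int  # next-header protocol number (6 = TCP, 17 = UDP, 50 = ESP)

@dataclass
class SA:
    spi: int
    dst: str
    mode: str             # "transport" or "tunnel"
    key: bytes
    tunnel_src: str = ""  # outer addresses, used in tunnel mode only
    tunnel_dst: str = ""

@dataclass
class Packet:
    hdr: IPHeader
    payload: bytes

# Constructed SPD: ((dst prefix or None, proto or None), action, SPI to apply)
SPD = [
    (("10.1.0.", None), "apply", 0x1001),   # traffic to 10.1.0.0/24 gets ESP
    (("192.0.2.", 17), "bypass", None),     # UDP to 192.0.2.0/24 passes in clear
    ((None, None), "discard", None),        # default: drop everything else
]

# SADB keyed by (SPI, destination address, protocol), as the text describes
SADB: dict[tuple[int, str, int], SA] = {}

def spd_lookup(hdr: IPHeader) -> tuple[str, int | None]:
    """Return (action, spi) for the first SPD entry whose selectors match."""
    for (dst_prefix, proto), action, spi in SPD:
        if dst_prefix is not None and not hdr.dst.startswith(dst_prefix):
            continue
        if proto is not None and hdr.proto != proto:
            continue
        return action, spi
    return "discard", None

def sadb_lookup(spi: int, dst: str) -> SA | None:
    return SADB.get((spi, dst, ESP_PROTO))

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Keystream XOR standing in for the SA's cipher (NOT a real cipher)."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def esp_encapsulate(pkt: Packet, sa: SA) -> dict:
    """Build the ESP packet of Figure 11 and report the protected regions."""
    esp_hdr = sa.spi.to_bytes(4, "big") + (1).to_bytes(4, "big")  # SPI + sequence
    if sa.mode == "transport":
        outer = pkt.hdr             # original header kept; only the payload is wrapped
        inner = pkt.payload
        next_hdr = pkt.hdr.proto
    else:
        outer = IPHeader(sa.tunnel_src, sa.tunnel_dst, ESP_PROTO)  # new outer header
        # the whole original packet, its header included, becomes the ESP payload
        inner = f"{pkt.hdr.src}>{pkt.hdr.dst}|".encode() + pkt.payload
        next_hdr = 4                # IP-in-IP
    trailer = bytes([0, 0, next_hdr])   # 2 constructed pad bytes + next-header byte
    encrypted = toy_encrypt(sa.key, inner + trailer)
    # ICV covers the ESP header and the encrypted region, never the outer IP header
    icv = hmac.new(sa.key, esp_hdr + encrypted, hashlib.sha256).digest()[:12]
    return {"outer": outer, "esp_hdr": esp_hdr, "encrypted": encrypted, "icv": icv}

def esp_verify(sa: SA, esp: dict) -> bool:
    """Receiver side: recompute the ICV before decrypting anything."""
    expected = hmac.new(sa.key, esp["esp_hdr"] + esp["encrypted"],
                        hashlib.sha256).digest()[:12]
    return hmac.compare_digest(expected, esp["icv"])

def outbound(pkt: Packet) -> tuple[str, dict | None]:
    """Outbound processing: SPD decides; apply without an SA means 'trigger IKE'."""
    action, spi = spd_lookup(pkt.hdr)
    if action != "apply":
        return action, None
    sa = sadb_lookup(spi, pkt.hdr.dst)
    if sa is None:
        return "ike-needed", None
    return "protected", esp_encapsulate(pkt, sa)
```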

Authentication Header protocol (AH).

In the IPSec system there is a special header: the authentication header AH, designed to provide most of the authentication services for IP data. With IPv4:

Figure 14.1: AH with IPv4. Before applying AH: Original IP Header | TCP | Data. After applying AH: Original IP Header | AH | TCP | Data (the whole packet is authenticated).

With IPv6:

Figure 14.2: AH with IPv6. Before applying AH: Original IP Header | Extra Header if present | TCP | Data. After applying AH: Original IP Header | Hop-by-hop, Destination, Routing | AH | Destination Options | TCP | Data (the whole packet is authenticated).

Internet Key Exchange protocol (IKE).

AH and ESP are protocols for which IPSec requires shared secrets for key distribution, so keys may be stolen when they are exchanged back and forth. Therefore a secure key exchange mechanism for IPSec must satisfy the following requirements:
- Independence from specific algorithms.
- Independence from a specific key exchange protocol.
- Authentication of the key management entities.
- Establishment of SAs over insecure traffic routes.
- Efficient use of resources.


The IKE protocol is based on the framework of the Internet Security Association and Key Management Protocol and the Oakley key distribution protocol. IKE has the following characteristics:
+ Key generation and identification procedures.
+ Automatic key refresh.
+ Handling of key loss.
+ Each security protocol (AH, ESP) has its own security index space.
+ Built-in protection.
+ Resistance to resource-exhaustion attacks such as denial-of-service (DoS) attacks.
+ A two-phase approach: establish SAs for key exchange, then establish SAs for data transfer.
+ Use of digital signatures.
+ Shared keys.

IKE is designed to provide 5 capabilities:
- Provide the means for two parties to agree on the protocols, algorithms and keys to use.
- Ensure the key exchange reaches the right user.
- Manage keys after they have been accepted.
- Ensure that key control and exchange are secure.
- Allow dynamic authentication between peers.

To establish an IKE key association starting from a point, a host or a secure gateway into a corporate Intranet, four items need to be designed:
- A data encryption algorithm.
- A hash algorithm to reduce the data above.
- A data authentication method.
- Information about the Diffie-Hellman group used in the exchange.

Before IPSec sends authenticated or encrypted IP data, the sender and the receiver must agree on the encryption algorithm and the encryption key or keys to use. IPSec uses IKE to establish the negotiated protocols, encryption keys and algorithms. IKE provides primary authentication: verifying the identity of remote systems before discussing and negotiating keys and algorithms. IKE is a hybrid of 3 protocols: ISAKMP (Internet Security Association and Key Management Protocol), Oakley and SKEME.


ISAKMP provides a framework for authentication and key exchange. Oakley describes key exchange modes. SKEME defines key exchange techniques. In ISAKMP there are two channels for establishing an SA (Security Association). IKE has two common flows:

ISAKMP phase 1 (main mode): negotiates and establishes the ISAKMP security association, a secure channel for further IKE communication; the two systems generate a shared Diffie-Hellman key; the identity of the remote system is verified (primary authentication).

Figure 15: Formation of the Diffie-Hellman shared key. Step 1: Node A and Node B select a Diffie-Hellman group. Step 2: each node sends its public value; Node A combines its private value with public value B, and Node B combines its private value with public value A. Step 3: both nodes obtain the same shared secret value.

ISAKMP phase 2 (quick mode): uses the secure channel of the ISAKMP SA to negotiate IPSec AH or ESP encryption.


Figure 16: SA establishment (ISAKMP phase 1 creates the ISAKMP SA between Node A and Node B; ISAKMP phase 2 creates the inbound and outbound IPSec SAs that carry the IP traffic secured by IPSec AH/ESP)

+ IKE primary authentication: IKE must authenticate the systems that use the Diffie-Hellman algorithm; this process is called primary authentication. IKE can use two primary authentication methods: digital signatures and pre-shared keys. Digital signatures and public-key encryption are based on asymmetric-key cryptography and require a mechanism for distributing public keys.

IKE digital signature authentication: a digital signature is similar to a symmetric keyed hash value. The difference between them is that only the holder of the private key can generate the digital signature, whereas every holder of the symmetric key can generate the symmetric keyed hash value.

IKE pre-shared key authentication: with pre-shared key authentication, the sender and the receiver must manually exchange and configure a shared symmetric key. The pre-shared key is used only for primary authentication.
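The three steps of Figure 15 followed by pre-shared-key primary authentication of the exchange, as an added example that is not part of the thesis. The group is a small Mersenne prime chosen for illustration (not one of the standardized IKE groups), the Node and phase1 names are constructed, and no real IKE wire format is used.

```python
"""Diffie-Hellman shared key formation plus PSK authentication (added example).
Illustrates why the pre-shared key is used only for primary authentication:
it authenticates the exchange, while the session key comes from the DH secret."""
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed toy group: p = 2^127 - 1 (prime), generator 2. Not a real IKE group.
TOY_GROUP = {"p": (1 << 127) - 1, "g": 2}

class Node:
    def __init__(self, name: str, psk: bytes, group: dict = TOY_GROUP):
        self.name = name
        self.psk = psk                       # manually configured, as the text says
        self.p, self.g = group["p"], group["g"]   # Step 1: agreed group
        # Step 2: the private value never leaves the node
        self.private = secrets.randbelow(self.p - 3) + 2
        self.public = pow(self.g, self.private, self.p)
        self.shared: int | None = None

    def combine(self, peer_public: int) -> int:
        """Step 3: own private value combined with the peer's public value."""
        # 0, 1 and p-1 would force a trivial shared secret, so reject them
        if not 1 < peer_public < self.p - 1:
            raise ValueError("rejecting degenerate public value")
        self.shared = pow(peer_public, self.private, self.p)
        return self.shared

    def session_key(self) -> bytes:
        """Key material derived from the shared secret (hash stands in for IKE's PRF)."""
        return hashlib.sha256(self.shared.to_bytes(16, "big")).digest()

    def auth_tag(self, my_public: int, peer_public: int) -> bytes:
        """PSK authentication: prove knowledge of the PSK, bound to this exchange."""
        msg = my_public.to_bytes(16, "big") + peer_public.to_bytes(16, "big")
        return hmac.new(self.psk + self.session_key(), msg, hashlib.sha256).digest()

def phase1(a: Node, b: Node) -> bool:
    """Run the exchange between two nodes; True only if both sides authenticate."""
    a.combine(b.public)   # A combines its private value with public value B
    b.combine(a.public)   # B combines its private value with public value A
    tag_a = a.auth_tag(a.public, b.public)   # A -> B
    tag_b = b.auth_tag(b.public, a.public)   # B -> A
    # each side recomputes what it expects from the peer and compares in constant time
    ok_at_b = hmac.compare_digest(tag_a, b.auth_tag(a.public, b.public))
    ok_at_a = hmac.compare_digest(tag_b, a.auth_tag(b.public, a.public))
    return ok_at_a and ok_at_b
```

A peer with a wrong PSK still ends up with the same DH secret, but its tags fail, which is exactly the property primary authentication adds on top of the key exchange.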


3 The PPTP and L2TP protocols

Figure 17: Tunnelling and security protocols mapped to the OSI layers (Application: Application Proxy Server, HTTPS, SSL; Transport: SOCKS; Network: IPSec; Data Link: L2F (Layer 2 Forwarding), PPTP (Point to Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol))

3.1 Point-to-Point Tunneling Protocol (PPTP)

PPTP is one of many techniques used to set up tunnels for remote connections. PPTP is an extension of the basic PPP protocol, so PPTP does not support continuous multipoint connections; it supports only point-to-point connections.

Figure 18: PPTP connection (a PPP connection from the client to the Network Access Server (ISP POP), and a PPTP connection (VPN) across the Internet to the PPTP Server and the servers behind it)

PPTP supports only IP, IPX, NetBIOS and NetBEUI. PPT P does not change PPP; it is only a new solution, a way of creating a tunnel for carrying PPP traffic.


Figure 19: PPTP packet structure (IP Header | GRE header | PPP Header | PPP Payload (IP datagram, IPX or NetBEUI frame); the PPP frame is encrypted)

Figure 20: PPTP tunnelling path (Remote Client: Application, User Data, TCP/IP Stack, PPTP Software, PPP Device Driver; the user data is wrapped as IP | GRE | PPP | IP | TCP/UDP | User Data through the Tunnel Internetwork between the Network Access Server and the Tunnel Server, then unwrapped for the servers on the Target Network)

3.1.1 Relationship between PPTP and PPP

PPP has become a very popular dial-up protocol for accessing the Internet and TCP/IP networks today. It works at layer 2 of the OSI model. PPP includes encapsulation methods for different kinds of packets for serial transmission. PPTP relies on PPP to create dial-up connections between the client and the network access server. PPTP relies on PPP to perform the following functions:
- Establishing and terminating the physical connection.
- Authenticating users.
- Creating PPP data packets.

After PPP establishes the connection, PPTP uses PPP's encapsulation rules to encapsulate the packets transmitted in the tunnel, as shown below:


Figure 21: PPTP encapsulation path (ISP remote access switch, mobile client, hosts, server, LAN; headers: delivery medium header (IP, ATM, X.25) | IP header | MT header | GREv2 header | PPP frame carrying IP, IPX and NETBEUI payload | Ethernet frame)

To exploit the advantages of the connection created by PPP, PPTP defines two kinds of packets, control packets and data packets, and assigns them to two separate channels. PPTP then separates the control channel and the data channel into a control stream over TCP and a data stream over IP. A TCP connection created between the PPTP client and the PPTP server is used to carry control messages. After the tunnel is set up, the data transmitted from the client to the PPTP server contains IP packets. The IP packet is encapsulated with headers as shown in the following figure:

Figure 22: PPTP data packet encapsulation (Medium | IP | GRE | PPP | PPP payload)

When encapsulating, it uses the host ID for access control and ACKs to monitor the data transmission speed in the tunnel. PPTP also has a rate-control mechanism to limit the amount of data transmitted. This mode minimizes the amount of data that must be retransmitted because of lost packets. PPTP allows users and ISPs to create many different kinds of tunnels. Users can designate the endpoint of the tunnel at their own computer if a PPTP client is installed, or at the ISP server if their computer has only PPP and not PPTP. Tunnels are divided into two types:


- Voluntary tunnels are created at the user's request for a specific purpose.
- Compulsory tunnels are created without involving the user, so they are transparent to the end user.

3.2 Layer 2 Forwarding Protocol (L2F)

L2F is a technique researched and developed in Cisco's network systems while PPP was being developed. It is a protocol that lets a user's computer access an organization's intranet across the public Internet infrastructure with security and control maintained. Like the Point-to-Point Tunneling Protocol PPTP, L2F allows secure virtual private network access across the public Internet infrastructure by creating a tunnel between two connection points. The basic difference between PPTP and L2F is that PPTP supports only IP, IPX, NetBIOS and NetBEUI, while L2F tunnelling does not depend on an IP network; L2F can work with many different network protocols such as Frame Relay, ATM and FDDI. L2F supports tunnelling of more than one connection, which is a limitation of PPTP. L2F can do this because it defines connections inside the tunnel; this is a useful feature of L2F in situations where many people are using remote access while only a single connection is needed to satisfy the requirement.

Figure 23: L2F access VPN (laptops dial in over the PSTN to the Internet Service Provider; an L2F tunnel carries the sessions to the enterprise customer)


Figure 24: L2F tunnel from the ISP POP across the Internet to the intranet (client, ISP network, L2F tunnel, host on the local network)

L2F uses PPP for client authentication like PPTP; however, L2F also supports remote dial-up user authentication with RADIUS (Remote Authentication Dial-up User Service) and the terminal access control system TACACS+ (Terminal Access Controller Access Control System). L2F authentication takes place at two levels: first when the remote user connects to the ISP at the POP, and then when the connection is forwarded to the gateway into the organization's Intranet. L2F forwards packets through a virtual private tunnel between the two ends of a point-to-point connection; L2F does this at the protocol level. L2F is a layer 2 protocol, so L2F can be used for protocols other than IP such as IPX and NetBEUI. With L2F, full security between the two VPN endpoints can be created and used; it is an adaptable and reliable solution.

3.3 Layer 2 Tunneling Protocol (L2TP)

L2TP is an emerging technique that provides a remote connection to a corporate or organizational Intranet. L2TP was developed by merging the two protocols PPTP and L2F.

Figure 25: L2TP packet structure (IP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP datagram, IPX datagram); the PPP frame sits inside the L2TP frame, which sits inside the UDP frame)


L2TP provides a technique for building a tunnel connection over the point-to-point protocol PPP. The tunnel can be created between the remote user and the service provider.

Figure 26: L2TP tunnelling path (Remote Client: Application, User Data, TCP/IP Stack, PPTP Software, PPP Device Driver; the user data is wrapped as IP | UDP | PPP | IP | TCP/UDP | User Data through the Tunnel Internetwork between the Network Access Server and the Tunnel Server, then unwrapped for the servers on the Target Network)

L2TP not only provides remote user connections in a VPN but can also support multiprotocol traffic, that is, all the network-layer protocols supported by the reliable PPP protocol. Moreover, L2TP provides support for any addressing and any network layer over the connection across the Internet.

3.3.1 Relationship between L2TP and PPP

The Layer 2 Tunneling Protocol, L2TP, is a combination of the two protocols PPTP and L2F. Like PPTP, L2F is a tunnelling protocol; it uses its own encapsulation header for transmitting layer 2 packets. The difference between PPTP and L2F is that L2F does not depend on IP and GRE, which allows it to work in other physical environments. L2TP carries the characteristics of both PPTP and L2F. However, L2TP defines its own tunnelling protocol based on the operation of L2F. L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS). L2TP uses PPP to create the physical connection, perform initial authentication, create PPP packets and close the connection at the end of the session. L2TP can create multiple tunnels between the ISP and the client's network servers.


Figure 27: L2TP encapsulation path (ISP remote access switch, mobile client, hosts, server, LAN; headers: delivery medium header (IP, ATM, X.25) | IP header | MT header | GREv2 header | PPP frame carrying IP, IPX and NETBEUI payload | Ethernet frame)

Like PPTP, L2TP also has 2 kinds of messages:
- Control messages
- Data messages

Similarly to PPP, after the tunnel is established, the data transmitted from the client to the PPTP server contains IP packets. The IP packet is encapsulated with headers as shown in the following figure.

Figure 28: L2TP packet filter (Medium | L2TP | PPP | PPP payload)

L2TP also uses the same tunnel classes as PPTP:
- Voluntary tunnel: created at the user's request.
- Compulsory tunnel: created automatically (the user has no choice).
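The two data-channel encapsulations described in 3.1.1 and 3.3.1, PPTP's enhanced GRE header (RFC 2637, protocol type 0x880B) and L2TP's data message header (RFC 2661, carried over UDP), built and parsed byte by byte, as an added example that is not part of the thesis. The PPP frame bytes, call, tunnel and session IDs are constructed sample values; no real tunnel is set up.

```python
"""Build and parse PPTP (GRE) and L2TP data-message headers (added example).
Shows the layering IP | GRE | PPP versus IP | UDP | L2TP | PPP from the text."""
from __future__ import annotations
import struct

GRE_PROTO_PPP = 0x880B   # protocol type for PPP inside PPTP's GRE, per RFC 2637
L2TP_UDP_PORT = 1701     # UDP port L2TP uses, per RFC 2661
L2TP_VERSION = 2

def build_pptp_gre(call_id: int, payload: bytes, seq: int,
                   ack: int | None = None) -> bytes:
    """Enhanced GRE header: K (key present) and S (sequence) set, A if an ack rides along."""
    flags = 0x2000 | 0x1000 | 0x0001            # K=1, S=1, Ver=1 (enhanced GRE)
    if ack is not None:
        flags |= 0x0080                          # A=1: acknowledgment number present
    # Key field = payload length (high 16 bits) and call ID (low 16 bits)
    hdr = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(payload), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload

def parse_pptp_gre(data: bytes) -> dict:
    flags, proto, length, call_id, seq = struct.unpack("!HHHHI", data[:12])
    if proto != GRE_PROTO_PPP or flags & 0x0007 != 1:
        raise ValueError("not an enhanced-GRE PPTP data packet")
    off, ack = 12, None
    if flags & 0x0080:
        (ack,) = struct.unpack("!I", data[off:off + 4])
        off += 4
    payload = data[off:off + length]
    if len(payload) != length:                   # length field must match the carried bytes
        raise ValueError("truncated payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload}

def build_l2tp_data(tunnel_id: int, session_id: int, payload: bytes,
                    ns: int | None = None, nr: int = 0) -> bytes:
    """L2TP data message: T=0, L (length present) set, S set when Ns/Nr carried, Ver=2."""
    flags = 0x4000 | L2TP_VERSION                # L=1, Ver=2; T=0 marks a data message
    body = b""
    if ns is not None:
        flags |= 0x0800                          # S=1: Ns and Nr present
        body = struct.pack("!HH", ns, nr)
    total = 8 + len(body) + len(payload)         # flags, length, tunnel ID, session ID
    return struct.pack("!HHHH", flags, total, tunnel_id, session_id) + body + payload

def parse_l2tp_data(data: bytes) -> dict:
    flags, length, tunnel_id, session_id = struct.unpack("!HHHH", data[:8])
    if flags & 0x000F != L2TP_VERSION or flags & 0x8000:
        raise ValueError("not an L2TPv2 data message")
    off, ns, nr = 8, None, None
    if flags & 0x0800:
        ns, nr = struct.unpack("!HH", data[off:off + 4])
        off += 4
    if length != len(data):                      # the L2TP message is the whole UDP payload
        raise ValueError("length field disagrees with datagram size")
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "ppp": data[off:]}

# Constructed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IP), then data
SAMPLE_PPP = bytes([0xFF, 0x03, 0x00, 0x21]) + b"ip-datagram"
```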

3.4 Layer 2 Tunneling Protocol overview (L2TP Overview)

L2TP can support remote LAN access using any network-layer protocol supported by PPP over tunnel sessions, managed directly by terminating the PPP connection at the access gateway into the Intranet of an organization or corporation.

Figure 29: L2TP access (mobile clients, a NAS without PPTP, the ISP's L2TP access concentrator, the Internet, L2TP network servers; LAN-LAN and LAN-client connections between hosts)

In L2TP several elements take part in establishing a tunnel:
- L2TP Access Concentrator (LAC): the protocol access concentrator. The LAC is located at the ISP's POP to provide the physical connections of remote users. At the LAC the physical transmission medium is terminated, and it can be connected to the public switched telephone network (PSTN) or the integrated services digital network (ISDN). Through this LAC, an L2TP tunnel can be set up through the LAC router to the end user where the tunnel terminates.
- L2TP Network Server (LNS): the L2TP server. The LNS accepts the sessions of remote users; only a single connection is used on the LNS to terminate the connection channels arriving from remote users over different transmission media such as ISDN and V.120. A multi-access concentrator can also be used as an LNS when it serves as the access gateway into the corporate Intranet.
- Network Access Server (NAS): the network access server.


The NAS is a point-to-point access device that serves the access requests of remote users over ISDN or PSTN. The NAS establishes and controls sessions and tunnels:
+ The remote user starts a PPP connection to the NAS.
+ The NAS accepts the call.
+ End-user authentication is delegated by a proxy server to the NAS.
+ The end user establishes a connection with the LNS to create a tunnel to the corporate Intranet.

Sessions are managed by the LAC and packets are sent through the LAC-LNS tunnel; each LAC and LNS tracks the state of the users' connections.

Figure 30: L2TP tunnel (computer with a dial connection to the LAC at the ISP; the PPP connection and the L2TP tunnel run across the Internet to the LNS)

+ The remote user is also authenticated by the authentication server of the LNS gateway before the tunnel connection is accepted.
+ The LNS accepts the connection, establishes the L2TP tunnel and authenticates the NAS.
+ The LNS communicates with the remote user over PPP.

L2TP can support the following functions:
- Establishing tunnels for dial-in users at customers.
- Tunnelling with small transport programs.
- Forwarding an incoming connection from the LAC to the LNS.
- Establishing multiple tunnels.
- Delegated authentication for PAP and CHAP.
- Authentication of the tunnel endpoints.
- Hiding the attribute pair that carries a delegated PAP password.
- Tunnelling using a lookup table.
- Tunnelling using PPP user name lookup in the AAA system.

L2TP tunnel types:

Compulsory L2TP tunnels: with this type, the L2TP tunnel is set up between the LAC at the ISP and an LNS at the corporate Intranet.


Figure 31: Compulsory L2TP tunnel (PPP client with a PPP connection to the ISP (LAC); L2TP tunnel across the Internet to the gateway (LNS) of the corporate network; LAC = L2TP Access Concentrator, LNS = L2TP Network Server)

A compulsory tunnel is set up as follows:
- The remote user starts a PPP connection to the ISP.
- The ISP accepts the connection and the PPP link is established.
- The ISP sets up an L2TP tunnel to the LNS; if the LNS accepts the connection, the LAC encapsulates PPP in L2TP and forwards it into the tunnel. The LNS accepts the frame, strips L2TP and processes the PPP input.
- The LNS uses authentication to validate the user and then assigns an IP address.

Figure 32: Voluntary L2TP tunnel (L2TP client with a PPP connection to the ISP (LAC); the L2TP tunnel runs from the client across the Internet to the gateway (LNS) of the corporate network, with the PPP connection terminating at the LNS; LAC = L2TP Access Concentrator, LNS = L2TP Network Server)


Figure 33: Data encapsulation in the L2TP tunnel (computer with a dial connection and a PPP connection to the LAC; the LAC's L2TP code wraps PPP Data as IP | UDP | L2TP | PPP | Data and hands it to the router code, which delivers it to the L2TP code at the LNS)

Setting up a remote virtual private network connection using L2TP and IPSec.

Figure 34: Using IPSec to protect L2TP in a compulsory tunnel between a remote user and a corporate gateway (PPP client, ISP (LAC), Internet, gateway (LNS), corporate network; headers IP, IPSec AH, IPSec ESP, L2TP, PPP)

Figure 35: Voluntary tunnels (L2TP client with PPP to the ISP (LAC), Internet, gateway (LNS), corporate network; headers IP, IPSec AH/ESP, L2TP, PPP)

3.5 Applying L2TP in a VPN

Example: the company is supported by a VPN service provider. This means that the ISP providing the company's Internet connection has a RADIUS proxy server and a LAC, while the company maintains a RADIUS server and an LNS.

Figure 36: L2TP dial-up VPN access (NT and Novell users dial in to the ISP's L2TP access concentrator; the ISP's RADIUS server proxies to the RADIUS server at the head office; the L2TP network server at the head office fronts the NT domain, NDS and the servers)

L2TP is a new generation of dial-up VPN access protocol. It combines the best features of PPTP and L2F. Most PPTP product vendors offer L2TP-compatible products or will introduce them later. Although it runs mainly on IP networks, it is also able to run on Frame Relay and ATM networks, which makes it all the more popular.

3.6 Comparison of PPTP and L2TP

Both PPTP and L2TP/IPSec use the point-to-point protocol to provide an initial envelope for the data, and then attach additional headers for transport across the networks. However, there are the following differences: With PPTP, data encryption begins after the PPP connection process (and therefore PPP authentication) is completed. With L2TP/IPSec, data encryption begins before the PPP connection process, by negotiating an IPSec security association. PPTP connections use MPPE, a stream cipher based on the RSA RC-4 encryption algorithm that uses 40-, 56- or 128-bit encryption keys. Stream ciphers encrypt data as a stream of bits. L2TP/IPSec connections use DES, which is a block cipher using either one 56-bit key for DES or three 56-bit keys for 3-


DES. Block ciphers encrypt data in separate blocks (64-bit blocks in the case of DES). PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication plus computer-level authentication using computer certificates.

3.6.1 Advantages of L2TP

The following are the advantages of using L2TP/IPSec over PPTP in Windows 2000: IPSec provides per-packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a captured sequence of packets) and data confidentiality (prevention from interpreting captured packets without the encryption keys). By contrast, PPTP provides only per-packet data confidentiality. L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol. The PPP packets exchanged during user-level authentication are never sent in unencrypted form, because the PPP connection process for L2TP/IPSec takes place after the IPSec security associations (SAs) are established. If intercepted, the PPP authentication exchange for some types of PPP authentication protocols can be used to perform offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange, offline dictionary attacks become possible only after the encrypted packets have been successfully decrypted.

3.6.2 Advantages of PPTP

The following are the advantages of PPTP over L2TP/IPSec in Windows 2000.

- PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate infrastructure to issue computer certificates to the VPN server and all of the clients.
- PPTP can be used by computers running Windows XP and Windows 2000 with Windows dial-up networking and the security updates applied. L2TP/IPSec can be used only with Windows XP and Windows 2000 VPN clients. Only these clients support the L2TP/IPSec protocol and the use of certificates.


- PPTP clients and servers can be placed behind a network address translator (NAT) if the NAT has the appropriate editor for PPTP traffic. L2TP/IPSec clients or servers basically cannot be placed behind a NAT unless both support IPSec NAT traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003.

Chapter 3: ENCRYPTION AND AUTHENTICATION IN VPN

Today computer networks have become widespread and an indispensable component for each of us as well as for nations. As applications and services on computer networks such as e-mail, money transfer and messaging, e-commerce and e-government have become popular, convenient and important, the requirements for network safety and data security on the network have become urgent and necessary. Interpol warns of the risks to computer networks such as:
- Unauthorized access and theft of information.
- Modification of computer data.
- Unauthorized copying.
- Paralysing computer networks.
- Other attacks.

Therefore information on the network, whether in transit or stored, needs to be protected: either the information must be kept secret, or it must allow one to check and trust that it has not been modified from its original form and that it really comes from the sender; furthermore, that trust must be backed by law. Hence many countries around the world are very concerned with this issue; scientists research and propose ever better encryption algorithms to secure information and avoid the risk of leakage and loss of information for users, businesses and nations when transacting and exchanging information over the global Internet. In VPN technology, encryption algorithms are applied in each protocol layer, where the user chooses how to encrypt information with an encryption algorithm such as DES, 3-DES, etc.

1. Encryption in VPN

1.1 The DES encryption algorithm

The DES encryption algorithm was developed by IBM in the 1970s and then adopted by the US National Bureau of Standards (today NIST) on 15-5-1973. DES became the official data encryption standard for the US government in 1977 and became the most widely used cipher in the world. The DES algorithm must satisfy the following requirements:
- The algorithm must be highly secure.


The algorithm must be completely specified and easy to understand. Its security must reside in the key and must not depend on the secrecy of the algorithm. The algorithm must be available to all users. It must be adaptable to use in different applications. It must be economical to implement in electronic devices. It must be efficient in use. It must be possible to validate it. It must be commercially usable.

1.1.1 Description of DES. A full description of DES is given in Federal Information Processing Standards Publication No. 46 of 15-1-1977. DES encrypts a 64-bit plaintext bit string x under a key K that is a 56-bit string, producing a ciphertext y that is also a 64-bit string.

Figure 37: Description of DES, $|x| = 64$; $|y| = 64$; $|k| = 56$.

The DES algorithm has 3 stages. Given the plaintext x, compute $x_0$ by permuting the bits of x according to the initial permutation IP: $x_0 = IP(x) = L_0R_0$, where $L_0$ is the first 32 bits of $x_0$, $R_0$ is the remaining 32 bits, and IP is a fixed initial permutation. Then iterate 16 rounds: for $1 \le i \le 16$, $L_i = R_{i-1}$; $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$, where $\oplus$ denotes the exclusive-or of two bit strings, f is a function, and the $k_i$ are 48-bit strings derived from the key k by a separate algorithm.

Figure 38: One round of DES ($L_{i-1}$ and $R_{i-1}$ in; $R_{i-1}$ and $k_i$ fed to f; $L_i$ and $R_i$ out).

The ciphertext y is obtained by applying the inverse permutation $IP^{-1}$ to $R_{16}L_{16}$; note that the positions of $L_{16}$ and $R_{16}$ are reversed: $y = IP^{-1}(R_{16}L_{16})$.

Modes of operation of DES: as we have seen, the input of DES is only 8 bytes, whereas the text to be encrypted can be very long, several kilobytes for instance. To deal with this, 4 modes of operation were defined for DES: Electronic CodeBook mode (ECB). Cipher FeedBack mode (CFB). Cipher Block Chaining mode (CBC). Output FeedBack mode (OFB).

1.1.2 Advantages and disadvantages of DES

Advantages: DES encrypts data very fast. Disadvantages: the key space of DES, $2^{56}$ keys, is too small to be secure, so special-purpose machines can break it and recover the key very quickly.

1.1.3 Applications of DES in practice. A very important application of DES is to documents in banking transactions, using standards developed by the American Bankers Association. DES is used to encrypt personal identification numbers (PINs) and account documents processed by automated teller machines (ATMs).

1.2 The 3DES encryption algorithm.


3DES is a variant of DES; as we know, DES still has a number of weaknesses, such as being breakable by special-purpose machines that recover the key.

1.2.1 Description of 3DES. 3DES uses 3 keys of 64 bits, so the total key length is 192 bits. When encrypting, the whole 192-bit key is simply entered as a single key rather than as each of the 3 individual keys.

Figure 39: Description of 3DES (Plaintext; DES Encryption with Key 1; DES Encryption with Key 2; DES Encryption with Key 3; Ciphertext).

The encryption procedure is the same as for DES but repeated 3 times, i.e. three times DES. The data is encrypted with the first key, decrypted with key 2, and then encrypted again with the 3rd key to obtain the final ciphertext. Modes of operation of 3DES: Triple ECB (Triple Electronic Code Book). Triple CBC (Triple Cipher Block Chaining).

1.2.2 Advantages and disadvantages of 3DES


Advantages: unlike DES, 3DES applies DES three times with a key space of 168 bits, so it is much more secure than DES. Disadvantages: because 3DES performs DES encryption three times, it is much slower than DES. Application software proves very slow for digital images and some high-speed data applications, and the 64-bit block size remains a weakness for systems running at 21st-century speeds.
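The round structure of section 1.1.1 and the encrypt-decrypt-encrypt composition of 3DES, as an added Python example that is not code from the thesis. The round function f and the subkey schedule are SHA-256-based stand-ins for the real DES tables, IP and IP^-1 are omitted, and keys are given as 56 effective bits (parity bits are not modelled); what the example shows is why the final R16L16 swap lets decryption reuse the encryption network with the round keys reversed, and why 3DES with k1 = k2 = k3 collapses to single DES.

```python
"""DES-shaped Feistel network (64-bit block, 56-bit key, 16 rounds) and the
3DES encrypt-decrypt-encrypt composition.  Added example, not code from the
thesis.  The round function f and the subkey schedule are SHA-256-based
stand-ins for the real DES tables (E, S-boxes, P, PC-1/PC-2) and the initial
permutation IP / IP^-1 is omitted; only the control flow is the one the text
describes.  This is a toy cipher and must never be used to protect data."""
import hashlib

MASK32 = 0xFFFFFFFF

def subkeys(key56: int) -> list[int]:
    """The 16 round keys k_i, 48 bits each, derived from the 56-bit key k
    (stand-in for the DES key schedule)."""
    kb = key56.to_bytes(7, "big")
    return [int.from_bytes(hashlib.sha256(kb + bytes([i])).digest()[:6], "big")
            for i in range(16)]

def f(r: int, k: int) -> int:
    """f(R_{i-1}, k_i): maps a 32-bit half and a 48-bit round key to 32 bits
    (stand-in for expansion, S-boxes and P)."""
    mixed = (r ^ (k & MASK32)).to_bytes(4, "big") + (k >> 32).to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(mixed).digest()[:4], "big")

def feistel(block64: int, ks: list[int]) -> int:
    """x0 = L0 R0; for i = 1..16: L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, k_i);
    output R16 L16.  The final swap is what lets decryption reuse this code."""
    L, R = block64 >> 32, block64 & MASK32
    for k in ks:
        L, R = R, L ^ f(R, k)
    return (R << 32) | L

def des_encrypt(x: int, key: int) -> int:
    return feistel(x, subkeys(key))

def des_decrypt(y: int, key: int) -> int:
    # Same network, round keys in reverse order k16..k1: each round undoes one
    # encryption round because f(R, k) xor f(R, k) cancels.
    return feistel(y, subkeys(key)[::-1])

def tdes_encrypt(x: int, k1: int, k2: int, k3: int) -> int:
    """3DES as the text states it: encrypt with k1, decrypt with k2, encrypt with k3."""
    return des_encrypt(des_decrypt(des_encrypt(x, k1), k2), k3)

def tdes_decrypt(y: int, k1: int, k2: int, k3: int) -> int:
    return des_decrypt(des_encrypt(des_decrypt(y, k3), k2), k1)

if __name__ == "__main__":
    K1, K2, K3 = 0x133457799BBCDF, 0x0E329232EA6D0D, 0x1F1F1F1F0E0E0E  # constructed keys
    X = 0x0123456789ABCDEF                                            # constructed block
    Y = tdes_encrypt(X, K1, K2, K3)
    assert tdes_decrypt(Y, K1, K2, K3) == X
    # With k1 == k2 == k3 the middle decryption cancels the first encryption,
    # so 3DES degenerates to single DES (its backward-compatibility property).
    assert tdes_encrypt(X, K1, K1, K1) == des_encrypt(X, K1)
    print(f"plaintext {X:016x} -> 3DES ciphertext {Y:016x}")
```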

1.3 Secure Hash Algorithm. With ordinary signature schemes we can only sign small messages. For instance, with the DSS digital signature standard a 160-bit document is signed with a 320-bit signature. In practice we need to sign much longer documents (a legal document, for example, may be many megabytes). The solution is to use a fast public hash function. From the content of a document of arbitrary length, this function produces a digest of the document of a fixed size (160 bits if DSS is used). This digest (the output of the hash function) is then signed. The use of a hash function with DSS is depicted as follows. Message m: arbitrary length. Compute the message digest: $z = h(m)$, 160 bits. When B wants to sign the message m, B first creates a digest z of the document with the hash function h and then uses his private key to compute the digital signature ($s = Sig_K(z)$, where $Sig_K$ is the RSA encryption function with B's private key). B then sends the pair (m, s) to A. To verify, A first recovers the digest of the document with h ($z = h(m)$) and then checks whether $Ver_K(m, s)$ is true.

1.4 The RSA algorithm

RSA is the most popular and most versatile public-key cryptosystem in practice; invented by Rivest, Shamir and Adleman, it is regarded as the reference system among public-key cryptosystems. RSA relies on the difficulty of factoring large numbers into primes: given some primes, multiplying them to obtain a composite number is easy. But given the composite number, factoring it into its prime factors is


a very hard problem, practically infeasible if the 2 primes are large. Suppose n is an integer that is the product of two distinct large primes p and q ($n = p \cdot q$). Choose an integer a coprime to $\varphi(n) = (p-1)(q-1)$ and compute $b = a^{-1} \bmod \varphi(n)$, i.e. $a \cdot b \equiv 1 \pmod{\varphi(n)}$. The RSA system is described as follows: take $n = p \cdot q$ with p and q prime. Set $P = C = \mathbb{Z}_n$ and $K = \{(n, b, a) : ab \equiv 1 \pmod{\varphi(n)}\}$, where (n, b) is the public key and a is the private key. With $K = (K', K'')$, $K' = (n, b)$, $K'' = a$, we define $e_K(x) = x^b \bmod n$ and $d_K(y) = y^a \bmod n$ for $x, y \in \mathbb{Z}_n$. We see that for every $x \in \mathbb{Z}_n^*$ (i.e. $x \in \mathbb{Z}_n$ with x coprime to n): $d_K(e_K(x)) = (x^b)^a = x^{ab} = x^{t\varphi(n)+1} \equiv x \pmod n$. For $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$ the identity still holds, because then either x is divisible by p and coprime to q, or x is divisible by q and coprime to p. In both cases we have $x^{t\varphi(n)+1} \equiv x \pmod p$ and $x^{t\varphi(n)+1} \equiv x \pmod q$, from which $x^{t\varphi(n)+1} \equiv x \pmod n$ follows.

2 Authentication in VPN.

Authentication is a structural part of VPN security. Specifically, we may have a trustworthy system for identifying networks, users and network services, but that alone is not an absolutely secure system: we cannot control access to our corporate network resources by illegitimate users. Therefore one solution that can control and block illegitimate users who deliberately try to access the system is to use an authentication method.
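The RSA system of section 1.4, in the thesis's own notation, together with the hash-then-sign scheme of section 1.3, as an added Python example that is not the thesis's code. The primes 61 and 53 used for the exhaustive check are constructed toy values; the Miller-Rabin generator, SHA-1 as the 160-bit h and the public exponent 65537 are this example's choices, and real deployments add padding (PKCS#1 v1.5 or PSS) that this textbook form omits.

```python
"""RSA in the thesis's notation and the hash-then-sign scheme of section 1.3.
Public key (n, b), private key a with a*b = 1 mod phi(n); e_K(x) = x^b mod n,
d_K(y) = y^a mod n; signature s = Sig_K(z) on the digest z = h(m).  Added
example, not the thesis's code; toy primes are constructed, no padding is used."""
import hashlib
import math
import secrets

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test (assumption: 20 rounds is ample for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:                                   # top bit set, odd
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def keygen(p: int, q: int, b: int) -> tuple[tuple[int, int], int]:
    """n = p*q, phi(n) = (p-1)(q-1), a = b^-1 mod phi(n); returns ((n, b), a)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, b), pow(b, -1, phi)                # ValueError if gcd(b, phi) != 1

def random_keypair(bits: int = 1024, b: int = 65537):
    """Draw p, q until b is invertible mod phi(n)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and math.gcd(b, (p - 1) * (q - 1)) == 1:
            return keygen(p, q, b)

def e_k(x: int, pub: tuple[int, int]) -> int:    # public operation: x^b mod n
    return pow(x, pub[1], pub[0])

def d_k(y: int, a: int, n: int) -> int:           # private operation: y^a mod n
    return pow(y, a, n)

def digest(m: bytes) -> int:
    """z = h(m): the 160-bit digest the text pairs with DSS (SHA-1 here; use
    sha256 for new designs).  z must be < n, so n needs more than 160 bits."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def sign(m: bytes, a: int, n: int) -> int:
    return d_k(digest(m), a, n)                   # s = Sig_K(h(m))

def verify(m: bytes, s: int, pub: tuple[int, int]) -> bool:
    return e_k(s, pub) == digest(m)               # Ver_K: recover z and compare

def roundtrip_all(p: int, q: int, b: int) -> bool:
    """d_K(e_K(x)) == x for every x in Z_n, including the multiples of p or q
    (Z_n minus Z_n*), exactly as the text argues via x mod p and x mod q."""
    pub, a = keygen(p, q, b)
    return all(d_k(e_k(x, pub), a, pub[0]) == x for x in range(pub[0]))
```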

Figure 40: Authentication scenario (Client and Authentication Server: 1. Challenge, 2. Response, 3. Authorization).

Authentication relies on one of three attributes: Something you have: a key or a token. Something you know: a password.


Something you are: voice or a retina scan. Users can authenticate with: Password. One-time Password (S/Key). USB iKey. Smart card. PKI/certificate. IP. However, these are only single-factor authentication methods, not suitable or not strong enough to protect systems; instead, security experts recommend strong authentication, which applies two of the above attributes. The variety of VPN systems available today depends on the different authentication methods or their combinations. Besides the single-factor methods, VPNs also use protocol-based authentication. Authentication protocols: Password Authentication Protocol (PAP). Challenge Handshake Authentication Protocol (CHAP). Extensible Authentication Protocol (EAP). Remote Authentication Dial-up User Services (RADIUS). Authentication servers: Radius. Kerberos. LDAP. NT domain. Solaris Pluggable Authentication Modules (PAM). Novell Directory Services (NDS).

2.1 Password Authentication Protocol (PAP): password-based authentication. PAP was originally designed for one computer to authenticate another over the point-to-point protocol PPP used as the transport procedure. PAP authentication can be used at the start of a PPP link: when a remote workstation accesses the corporate network it must send its ID (user name) and password to the target network, and the network access server (NAS) is responsible for authenticating


whether the user's workstation is allowed to access the corporate network resources. However, authentication with the Password Authentication Protocol is not secure and reliable, because the authentication information is exchanged unprotected over the public Internet, so computer criminals can eavesdrop, steal the information and obtain the password to access the system.

2.2 Challenge Handshake Authentication Protocol (CHAP). CHAP is designed along the same lines as PAP but with much higher security. Like PAP, CHAP can be used at the start of a PPP link, and it can then be repeated after the link has been established.

3 Firewall

3.1 The Firewall concept. Firewall is a term that comes from a construction technique for containing and limiting fires. In information network technology, a Firewall is a technique integrated into the network system in order to: block and limit unauthorized access, so as to protect resources, information and data; prohibit access from the inside (Intranet) to certain addresses on the Internet. A Firewall can also be understood as a mechanism that protects a trusted network from untrusted networks such as the public Internet. Usually the Firewall sits between the trusted internal network, such as a company's or organization's Intranet, and the untrusted network, such as the Internet. Firewall model:

Figure 41: Firewall model (Secure Internal network of Company A; Firewall; Untrusted network (Internet); Firewall; Secure Internal network of Company B).


Functions of a Firewall: to control the flow of information in and out between the trusted network (Intranet) and the untrusted network (Internet). It establishes a mechanism for controlling the information flows, which may: allow or deny services accessing from the trusted network out to the untrusted network (from the Intranet to the Internet); allow or deny services accessing from the untrusted network into the trusted network; monitor and control the data flows between the Internet and the Intranet; control or block accessing addresses; control users and their access.

3.2 Components of a Firewall. Firewalls can be classified into 3 basic types: Packet Filters. Proxy Servers, comprising 1. Application Gateways and 2. Circuit-level gateways. Stateful Packet Filters.

Figure 42: Firewall classification (Firewalls: Packet Filters; Proxy Servers, subdivided into Application Gateways and Circuit-Level Gateways; Stateful Packet Filters).

To build a Firewall that operates most effectively, all of the above components should be used in combination.

3.2.1 Packet filter (Packet Filtering Router).

Figure 43: Packet filter (Filter; Client 1, Client 2, Client 3, Client 4; Trusted Network; Untrusted Network).

When we talk about data travelling between networks through a Firewall, this means the Firewall works closely with the TCP/IP protocol. Principle: the packet filter allows or rejects each packet it receives. It examines the packet to decide whether it satisfies one of the packet filter's rules. These filtering rules are based on the information in the packet header that is used to transmit the packet on the network, namely: IP source address; IP destination address; transport protocol (TCP, UDP, ICMP, IP tunnel); TCP/UDP source port; TCP/UDP destination port; ICMP message type; incoming interface of the packet; outgoing interface of the packet. If a filtering rule is satisfied, the packet is passed through the Firewall; if not, the packet is dropped. In this way the Firewall can block connections to specified hosts or networks, or block access to the internal network from disallowed addresses. Furthermore, control over ports lets the Firewall permit only certain kinds of connection to certain hosts, or allow only permitted services (Telnet, SMTP, FTP, ...) to run on the local network.
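A stateless packet filter over exactly the header fields listed above, with first-match semantics and the default-deny posture of section 3.4, as an added Python example that is not the thesis's code. The rule set, interface names, addresses (RFC 5737 documentation ranges) and sample packets are constructed; the last check shows the limitation the text notes: a packet whose headers match is passed regardless of its payload.

```python
"""Stateless packet filter in the style of section 3.2.1: rules match on header
fields only, the first matching rule decides, and no match means drop (the
default-deny policy of section 3.4).  Added example, not code from the thesis;
the rule set, interfaces, addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: str = ""
    payload: bytes = b""            # never consulted by the filter (see the text)

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; None in the other fields means "any"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Compare header fields only: addresses by prefix, the rest by equality."""
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        for want, got in ((self.proto, p.proto), (self.sport, p.sport),
                          (self.dport, p.dport), (self.icmp_type, p.icmp_type),
                          (self.in_if, p.in_if)):
            if want is not None and want != got:
                return False
        return True

def decide(rules: list[Rule], p: Packet) -> str:
    """First matching rule wins; with no match the packet is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed rule set for a border router: outside interface "ext", inside "int",
# internal network 10.0.0.0/8, mail relay 192.0.2.10, DNS server 192.0.2.11.
RULES = [
    Rule("deny", src="10.0.0.0/8", in_if="ext"),   # anti-spoofing: internal source arriving from outside
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=25, in_if="ext"),   # SMTP to the relay
    Rule("allow", dst="192.0.2.11/32", proto="udp", dport=53, in_if="ext"),   # DNS to the resolver
    Rule("allow", src="10.0.0.0/8", in_if="int"),  # outbound traffic from inside
]

def demo() -> dict:
    """Constructed packets run through RULES; returns the decision for each."""
    pkts = {
        "telnet_in": Packet("203.0.113.5", "10.1.1.7", "tcp", 40000, 23, in_if="ext"),
        "spoofed":   Packet("10.1.1.9", "10.1.1.7", "tcp", 40000, 25, in_if="ext"),
        "smtp_in":   Packet("203.0.113.5", "192.0.2.10", "tcp", 40001, 25, in_if="ext"),
        "dns_in":    Packet("203.0.113.5", "192.0.2.11", "udp", 5353, 53, in_if="ext"),
        "https_out": Packet("10.1.1.7", "198.51.100.9", "tcp", 51000, 443, in_if="int"),
        "ping_in":   Packet("203.0.113.5", "192.0.2.10", "icmp", icmp_type=8, in_if="ext"),
    }
    return {name: decide(RULES, p) for name, p in pkts.items()}

def payload_is_ignored() -> bool:
    """Same headers, different payloads, same decision: the filter never looks inside."""
    hdr = ("203.0.113.5", "192.0.2.10", "tcp", 40001, 25)
    a = Packet(*hdr, in_if="ext", payload=b"MAIL FROM:<alice@example.com>")
    b = Packet(*hdr, in_if="ext", payload=b"<constructed suspicious content>")
    return decide(RULES, a) == decide(RULES, b) == "allow"
```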


Advantages: Most Firewall systems use packet filters. One advantage of packet filtering is its low cost, since the filtering mechanism is included in every router's software. Moreover, packet filtering is transparent to users and applications, so it requires no special training. Limitations: Defining the packet filtering rules is fairly complex and requires the network administrator to have detailed knowledge of the Internet services, the packet header formats and the specific values each field can take. As the filtering requirements grow, the rules become long and complex, and hard to manage and control. Because it works on packet headers, the packet filter clearly cannot control the information content of the packets; packets passing through can still carry an attacker's actions to steal information or cause damage.

3.2.2 Application-level gateway

Figure 44: Application-level gateway (Application Level Gateway; Telnet, Ftp and Http client-side proxies paired with Telnetd, Ftpd and Http Server; Client 1, Client 2, Client 3, Client 4; Secure Network; Non-Secure Network).

Principle:


This is a type of Firewall designed to strengthen control over which services and protocols are permitted to access the network. Its operation is based on a mechanism called a proxy service. Proxy services are special code installed on the gateway for each application. If the network administrator does not install proxy code for an application, the corresponding service is not provided and therefore cannot pass information through the Firewall. In addition, the proxy code can be configured to support only those features of the application the administrator considers acceptable while refusing the others. An application gateway is often regarded as a bastion host, because it is specially designed to withstand attacks from outside. The security measures of a bastion host are: The bastion host always runs secure versions of the system software; these versions are designed specifically to resist attacks on the operating system and to ensure integration with the Firewall. Only the services the administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Usually only a limited set of applications, for the Telnet, DNS, FTP and SMTP services and for user authentication, is installed on the bastion host. The bastion host may require several levels of authentication, for example user name, password or smart card. Each proxy is configured to permit access to only a certain set of hosts; this means the command set and features configured for each proxy apply to only some hosts on the whole system. Each proxy keeps a log recording the full details of the traffic through it, every connection and its duration; this log is very useful for tracing or blocking intruders. Each proxy is independent of the other proxies on the bastion host, which makes it easy to install a new proxy or to remove a proxy that has a problem. Advantages: It lets the network administrator fully control each service on the network, because the proxy application restricts the command set and decides which hosts the services may reach.


It lets the network administrator fully control which services are permitted, because the absence of a proxy for a service means that service is blocked. The application gateway allows very good authentication checks, and it keeps a log of access to the system. Filtering rules for an application gateway are easier to configure and check than those of a packet filter. Limitations: It requires users to change their working procedure, or to change the software installed on the client machine, in order to access the proxy services. For instance, a Telnet session through an application gateway requires two steps to connect to the host instead of one. However, some client software already lets applications run transparently through the application gateway, by letting the user name the destination host rather than the application gateway on the Telnet command line.

3.2.3 Circuit-level Gateway

Figure 45: Circuit-level gateway (SOCKSified Client Program; SOCKS Server; Unmodified Server Program; Client 1, Client 2, Client 3, Client 4; Non-Secure Network; Secure Network).

Principle:


A circuit-level gateway is a special function that an application gateway can perform. The circuit gateway simply relays TCP connections without performing any processing or packet filtering. It works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the Firewall system, it hides information about the internal network. Circuit gateways are usually used for outbound connections, where the network administrator really trusts the internal users. Their greatest advantage is that a bastion host can be configured as a hybrid, providing an application gateway for inbound connections and a circuit gateway for outbound ones. This makes the firewall system easy to use for people on the internal network who want direct access to Internet services, while still providing the firewall's protection of the internal network against attacks from outside.

3.3 Limitations of Firewalls. A Firewall is not intelligent enough to understand each kind of information and to analyse whether its content is good or bad. It can only block the entry of unwanted information sources, and for that the address parameters must be clearly specified. A Firewall cannot stop an attack that does not pass through it; specifically, it cannot counter an attack over a dial-up line, or the leakage of information when data is illegally copied onto a floppy disk. Nor can a Firewall counter data-driven attacks, in which programs are carried by e-mail past the Firewall into the protected network and start running there; computer viruses are one example. A Firewall cannot scan the data passing through it for viruses, because of the speed required, the continual appearance of new viruses and the many ways of encoding data, all of which escape the firewall's control. Nevertheless, the Firewall remains an effective and widely used solution.

3.4 Establishing a Firewall policy.


Policies are announced in advance so that network managers and network users know what they may do and which websites they can or cannot access. Some points to note when establishing a basic Firewall policy: Block all inbound and outbound traffic, then allow only selected traffic through. All traffic entering or leaving the network must pass through the firewall so that it can be inspected and screened. Do not use the firewall as a general-purpose storage location or to run programs. Do not let passwords or internal network addresses pass through the firewall. If the network must provide services to the Internet, place those services outside the firewall. Preserve the important data of public services by creating stand-by servers.

3.5 Some types of Firewall: Packet-Filtering Firewall. Dual-Homed Gateway Firewall. Screened Host Firewall.

Figure 46: Packet-Filtering Firewall (Untrusted Network / Internet; Router with Packet Filter; Secure Network Organization.com with Internal DNS and Mail Server; Client 1, Client 2).

Advantages: High speed. Easily adapts to newly appearing services. Low cost, simple configuration and administration. Transparent to users.

Limitations: It has all the limitations of a packet-filtering router: it is vulnerable to attacks on imperfectly configured filters, or to attacks hidden under permitted services (IP address spoofing). Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the permitted hosts and services. Consequently every host permitted direct access to the Internet must be provided with a sophisticated authentication system, and the administrator must regularly check for signs of attack. Some packet filters do not guarantee a fail-safe state: when the packet inspection mechanism fails, these systems behave like a plain router, passing all connections between the internal network and the external network, so that every system on the internal network can be attacked.

3.5.1 Screened Host Firewall. This system consists of a packet-filtering router and a bastion host. It provides higher security than the previous system because it enforces security at both the network layer and the application layer, so an attacker has to break both layers to attack the internal network.

Figure 47: Screened Host Firewall (Internet; Router with Packet Filter; Bastion Host Gateway; Internal DNS and Mail Server; Proxy Server; SOCKS Server; Packet Filter; Secure Network Organization.com; External DNS; Client 1, Client 2; Public Server with WWW and FTP).

Figure 48: Dual-Homed Gateway Firewall (Internet; Dual-Homed Host; Information Server; Other Host on Corporate Network; Proxy Traffic (Telnet, FTP, HTTP); Other Traffic).

3.5.2 Screened-Subnet Firewall

Figure 49: Screened-Subnet Firewall (Untrusted Network / Internet; outer Router with Packet Filter; Bastion Host Gateway; Internal DNS and Mail Server; Proxy Server; SOCKS Server; External DNS; Public Server with WWW and FTP; Modems; inner Router with Packet Filter; Secure Network Private.Organization.com; Client 1, Client 2).

The system consists of two packet-filtering routers and a bastion host. It offers the highest security, because it provides protection at both the network layer and the application layer while defining a demilitarized zone (DMZ). The DMZ acts as a small isolated network placed between the public Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ, and direct transmission across the DMZ is impossible. For inbound traffic, the outer router defends against attacks (such as IP address spoofing) and controls access to the DMZ; the system lets the outside reach only the bastion host. The inner router provides a second layer of protection by controlling access from the DMZ to the internal network, allowing only communication that originates from the bastion host.


For outbound traffic, the inner router controls access from the internal network to the DMZ: it lets internal systems reach only the bastion host and possibly the Information server. The filtering rules on the outer router enforce the use of the proxy services by allowing only outbound traffic that originates from the bastion host. Advantages: to attack the network, three layers of protection have to be broken: the outer router, the bastion host and the inner router. Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible; only a few selected systems on the DMZ are known to the Internet through the routing table and DNS information exchange. Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly, which guarantees that internal users are forced to access the Internet through the proxy services.

3.6 Combining a Firewall with a VPN. As we know, a firewall is a device consisting of both hardware and software, placed between the trusted network to be protected and the untrusted outside network, such as the public Internet, in order to protect a company's or corporation's VPN from the dangers coming from untrusted networks, as well as from illegitimate users deliberately trying to access the network to exploit its information resources.

Figure (caption not recovered): Branch Network; Internet; Corporate Network; Firewall Bra