Copyright 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 1
Hanoi, April 2004
VIRTUAL PRIVATE NETWORKS (Virtual Private Network - VPN)
Presentation outline
Contents:
I. Overview of VPNs
II. VPNs and Internet VPN security
III. Designing the building blocks of a VPN
IV. Managing a VPN
V. Summary
Background knowledge
Network theory
TCP/IP
Data encryption
Firewalls

I. OVERVIEW OF VPNs
1. WHAT IS A VIRTUAL PRIVATE NETWORK?
Virtual
Private
Network
The Virtual Private Network (VPN) came into use around 1997.
Concept of a virtual private network
A VPN is a way of making a public network behave like a private local network by combining it with security measures applied to the transmission path. It allows private connections to be established with remote users, a company's branch offices and its business partners over a shared public network.
Concept of tunneling
Tunneling is the mechanism of encapsulating one protocol inside another. It hides the original network-layer protocol by encrypting the packet and placing the encrypted packet inside an outer IP envelope.
Concept of quality of service
A VPN must also offer quality-of-service (QoS) agreements, for example an upper bound on the average packet delay across the network.
VPN = Tunneling + Security + QoS agreements
Why build a VPN?
Lower line costs: savings of up to 60% compared with leased lines, and a significant reduction in usage charges.
Lower capital costs: a VPN does not require buying the servers, routers and switches that a company-owned WAN would (they can be rented from service providers).
Lower management and support costs: thanks to their economies of scale, service providers can deliver savings compared with the company managing the network itself.
Access anywhere, any time: a VPN does not interfere with any traditional Internet service.

2. Types of virtual private network
[Figure: a central site connected over the Internet VPN to a remote office (site-to-site), a business partner (extranet), and mobile users and home telecommuters reaching a POP over DSL, cable or dial-up]
Remote access
Branch-office connection (site to site)
Extended network (extranet VPN)
Three kinds of VPN links
Remote user access
Intranet
Extranet

3. Properties of a VPN
Compatibility: support for many protocol standards
Security: passwords for users on the network; encryption of data in transit; simple to manage and use
Availability: connection speed; quality of service (QoS)
Interoperability: works with the equipment in use
II. VPNs AND INTERNET VPN SECURITY
VPN architecture
Security with VPNs
VPN protocols

1. VPN architecture
Architecture of a VPN
Tunnel: the "virtual" part of a VPN
No permanent connection is maintained between the endpoints. Instead, a connection is created between two sites only when it is needed and torn down when it is no longer needed, so that network resources are available for other connections.
For the VPN user, the physical components of the network are hidden by the ISP. The ISP and Internet infrastructure is concealed through the mechanism called tunneling.
Creating a tunnel establishes a special connection between two endpoints. To build the tunnel, the source endpoint encapsulates its packets inside IP packets for transport across the Internet; in a VPN this encapsulation includes encrypting the original packet. At the receiving endpoint, the gateway strips the outer IP header, decrypts the packet if necessary, and forwards it to its destination.
Tunneling lets data streams and the associated user information travel across a shared network inside a virtual pipe. The pipe makes the routing across the network completely transparent to the user.

[Figure: tunnel-mode packet. Outer IP header | AH | ESP | inner header | data. The original packet (A -> B, data) is carried unchanged inside an outer packet exchanged between the two tunnel endpoints 1 and 2.]
Security services: the "private" part of a VPN
Authentication: guarantees that data comes from a known origin.
Access control: keeps unauthorized users out.
Confidentiality: prevents data from being read by third parties in transit.
Data integrity: guarantees that nobody can modify the data in transit.
Although tunnels can make transmission over the Internet secure, authenticating users and preserving data integrity depend on cryptographic processes such as digital signatures and certificates. These processes rely on keys, which must be distributed and managed strictly; this is a task of the VPN. Data security services are implemented at layer 2 and layer 3.

2. Some VPN protocols
a. Point-to-Point Tunneling Protocol (PPTP)
PPTP is an extension of PPP (RFC 1661).
The tunneling service provided by PPTP runs above the IP layer, whereas traditional PPP sits below it. PPP is a suitable starting point because its operation is close to what a VPN needs, but PPP by itself is not secure.
PPTP control connection: once the Internet connection established by PPP is up, PPTP opens a control connection over TCP port 1723. (The tunnelled data itself travels separately in GRE, IP protocol 47, so both must be allowed through any firewall on the path.)
Authentication: PPTP clients are authenticated with the PPP methods PAP (Password Authentication Protocol, which sends the password in clear) and CHAP (Challenge Handshake Authentication Protocol, a hashed challenge/response). See RFC 1334, RFC 1994 and RFC 2284.
b. Layer 2 Tunneling Protocol (L2TP)
A hybrid layer-2 tunneling protocol:
- A tunneling protocol for VPN remote access. It is an extension of PPP that combines the strengths of Cisco's L2F and Microsoft's PPTP.
- Multiprotocol: can carry any routed protocol, including IP, IPX and AppleTalk.
- Media independent: L2TP runs over any network that can carry IP packets and supports any WAN backbone (Frame Relay, ATM, X.25, SONET) as well as LAN media (Ethernet, Token Ring, FDDI).
- Can be set up from a network access server (NAS), or from client software, to a router acting as the tunnel endpoint.

3. Illustration of Cisco's VPN architecture
Security block
The access block underpins commercial applications and is designed to follow the same requirements and rules as the company's private network.
VPN access block
@ Authentication architecture
In a VPN access environment the most important security aspect is identifying a company user and establishing a tunnel to the company gateway. The gateway must be able to authenticate the user, authorize access and account for usage (AAA).
@ One-way authentication
To authenticate the user, the client first connects to the service provider's network through a POP and then establishes a second connection with the customer network.
The tunnel endpoints in VPN access authenticate each other. The user then connects to the customer premises equipment (CPE). The user gateway uses a point-to-point protocol (PPP or SLIP, Serial Line Internet Protocol), and the user is authenticated with a username/password protocol such as PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) or a gateway access control system.

VPN reference architecture
[Figure: customer edge device connected to provider edge device]
VPN: logical view
[Figure: customer edge device, provider edge device, virtual private network]

Leased-line VPN
- customer sites interconnected via static virtual channels (e.g., ATM VCs) or leased lines
- customer site connects to the provider edge
Customer premise VPN
- customer sites interconnected via tunnels
- tunnels typically encrypted
- the SP treats VPN packets like all other packets
- all VPN functions implemented by the customer

Network-based Layer 3 VPNs
- multiple virtual routers in a single provider edge device
Tunneling
b- Two-way authentication
First the user dials the ISP's point of presence (POP), and the ISP identifies the caller through a shared identifier. The network access server (NAS) knows which customer network that identifier belongs to. Next, the NAS establishes a tunnel to the customer-side gateway. Finally, the user is authenticated a second time by the corporate network gateway.
5. Firewall
The Cisco PIX Firewall supports 64,000 simultaneous connections and is based on the Adaptive Security Algorithm (ASA), which efficiently secures access to hosts on the internal network.
Main features:
- Context-based access control (CBAC): provides security and application-level filtering for IP traffic, and supports the latest protocols.
- Java blocking: protects against hostile Java applets, allowing only applets from trusted sources.
- Denial-of-service detection and prevention: protects router resources against common attacks.
- Real-time alerts: warnings in case of denial-of-service attacks and other abnormal conditions.
- Audit trail: records who accessed what, by time, source and destination address, port, and total bytes transferred.

a- Firewall model (1): the VPN server in front of the firewall
b- Firewall model (2): the VPN server behind the firewall

6. Encryption and authentication techniques
A security framework for an organization comprises 7 components:
Authentication, Confidentiality
Integrity, Authorization
Nonrepudiation, Administration
Audit trail
Uses of encryption and authentication systems in a VPN:
Confidentiality of data in transit
Both parties keep the communication secret (authentication)
Information integrity
Cryptographic technologies commonly used in VPNs include DES, Triple DES, RC2, RC4 and RSA. (DES, RC2 and RC4 are now considered broken or too weak for new deployments; modern IPsec uses AES.)
a- Authentication model
[Figure: Internet VPN between two data endpoints, protected by a firewall; services shown: user authentication, confidentiality and integrity, audit and administration, authorization and nonrepudiation]

b- Encryption model
Application layers (5-7): application-layer encryption
Transport/network layers (3-4): network-layer encryption
Physical/data-link layers (1-2): data-link-layer encryption
7. Network security threats
Data transmitted over IP networks is exposed to many dangers, of which four are common: spoofing, session hijacking, sniffing and the man-in-the-middle attack.
Spoofing
In a spoofing attack the attacker uses the IP address of some host on the network and pretends to be that host. Having determined that hosts A and B are communicating as client and server, the attacker tries to impersonate one of them (say A) in a way that makes the other (B) believe it is still talking to A.
The attacker does this by creating a forged message with A's address as the source, requesting a connection to B. When B receives it, it replies with an acknowledgment carrying the sequence number for the data transfer with A. That sequence number is unique to the connection between the two hosts.
To complete a session between A and B, B expects A to acknowledge B's sequence number before any information is exchanged, so an attacker playing A must guess the sequence number B will use and must also stop the real A from replying. Guessing the sequence number is not too difficult.
To keep A from responding to anything B sends, the attacker floods A with a large number of packets so that A is overloaded.
Spoofing is relatively easy to defend against: configure the routers to drop inbound packets that claim to originate from a host on the internal network.
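The router rule described in the last sentence, as an added example that is not part of the original slides: a border filter that drops inbound packets whose source claims to be internal, and (the RFC 2827 counterpart the slide does not mention) outbound packets whose source is not one of ours, so that internal hosts cannot spoof others either. The internal prefixes and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed example: prefixes assigned to the internal network
# (assumed values, not taken from the original slides).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]


def is_internal(addr, prefixes=INTERNAL_PREFIXES):
    """True if addr lies inside one of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def spoof_filter_verdict(direction, src, dst, prefixes=INTERNAL_PREFIXES):
    """Return 'drop' or 'accept' for a packet crossing the border router.

    direction is 'inbound' (Internet -> LAN) or 'outbound' (LAN -> Internet).
    Inbound packets claiming an internal source are forged, since nobody
    outside legitimately owns those addresses; outbound packets whose source
    is not ours would let an internal host spoof someone else (RFC 2827
    ingress filtering).  Loopback and unspecified sources are never valid
    on the wire, whatever the direction.
    """
    src_ip = ipaddress.ip_address(src)
    if src_ip.is_loopback or src_ip.is_unspecified:
        return "drop"
    if direction == "inbound":
        return "drop" if is_internal(src, prefixes) else "accept"
    if direction == "outbound":
        return "accept" if is_internal(src, prefixes) else "drop"
    raise ValueError("direction must be 'inbound' or 'outbound'")


def audit(packets, prefixes=INTERNAL_PREFIXES):
    """Apply the filter to (direction, src, dst) tuples; return verdicts."""
    return [(d, s, spoof_filter_verdict(d, s, t, prefixes)) for d, s, t in packets]


# Constructed sample traffic as seen at the border router.
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7", "10.1.2.3"),       # ordinary Internet client
    ("inbound", "10.1.2.9", "10.1.2.3"),          # forged: claims to be host A
    ("outbound", "10.1.2.3", "203.0.113.7"),      # ordinary reply from inside
    ("outbound", "198.51.100.5", "203.0.113.7"),  # inside host spoofing outsider
    ("inbound", "127.0.0.1", "10.1.2.3"),         # loopback source is never valid
]

if __name__ == "__main__":
    for direction, src, verdict in audit(SAMPLE_PACKETS):
        print(f"{direction:8} src={src:15} -> {verdict}")
```

The filter only defeats the blind spoofing the slide describes; an attacker on the internal segment who can also sniff replies needs the session-level protections discussed next.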
Session hijacking
The attacker tries to take over an existing connection between two hosts on the network.
First the attacker gains control of a network device on the LAN, which may be a firewall or another computer, and can therefore monitor the connection between the two hosts and learn the sequence numbers used by both sides.
Having observed the connection, the attacker can generate traffic that appears to come from one of the communicating parties and take over the session from that participant. The attacker then overloads one of the communicating hosts with packets to process.
Preventing session hijacking requires authenticating the participants throughout the session, and the safest measure is encryption.
Sniffing
Eavesdropping on a network relies on the fact that an Ethernet interface can be put into a mode in which it receives every frame on a broadcast segment. The attacker uses software known as a sniffer to record the traffic passing by. Sniffers are a necessary diagnostic tool on any Ethernet segment, since they quickly show what is happening on the segment; in an attacker's hands they record login packets, and the captured credentials are then used to enter a network the attacker has no right to access.
Physical control of the network is the best way to reduce the risk of sniffing.

Man-in-the-middle attack
Using encryption to protect and authenticate data is clearly the effective answer to the threats above, but encryption carries its own latent risk: the key system must be managed with great care. An attacker can use many means to obtain information about the key exchange between members of the network; this is called a man-in-the-middle attack.
8. Authentication techniques
Authentication is an indispensable part of a VPN security architecture. It is based on three factors: something we have (a key or a token card), something we know (a password) and something we are (voice, iris scan, fingerprint, ...).
Traditional passwords
Static authentication such as an ID and a password kept unchanged for a period of time does not strongly protect network access, even when users are vigilant. A one-time password is therefore more effective.
One-time passwords (OTP)
The S/Key one-time password system is the typical example. S/Key automatically generates a list of passwords for each of the user's sessions.
Its drawback is that administering password lists for a large number of users is difficult.
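The S/Key mechanism in working form, as an added example that is not part of the original slides. The "list of passwords" is a hash chain: the client enrols the last link, then presents the links in reverse order, and the server only ever stores the most recently accepted link, so a sniffed password cannot be reused. Real S/Key (RFC 1760) folds MD4 output to 64 bits; this example keeps the same chain construction but uses SHA-256, which is an assumption made for clarity, and the passphrase, seed and chain length are constructed values.

```python
import hashlib
import hmac


def skey_chain(passphrase: str, seed: str, n: int) -> list:
    """Return the hash chain [h^1, h^2, ..., h^n] over seed+passphrase.

    h^1 = H(seed || passphrase), h^(i+1) = H(h^i).  Only h^n is given to the
    server; the user presents h^(n-1), h^(n-2), ... on successive logins.
    (SHA-256 stands in for RFC 1760's folded MD4, an assumption.)
    """
    value = hashlib.sha256((seed + passphrase).encode()).digest()
    chain = [value]
    for _ in range(n - 1):
        value = hashlib.sha256(value).digest()
        chain.append(value)
    return chain


class SKeyServer:
    """Stores only the latest verified link and its index, never the secret."""

    def __init__(self, initial_hash: bytes, count: int):
        self.stored = initial_hash   # h^count
        self.count = count           # index of the stored link

    def verify(self, otp: bytes) -> bool:
        """Accept otp if hashing it once reproduces the stored link."""
        if self.count <= 1:
            return False             # chain exhausted: user must re-enrol
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.stored):
            self.stored = otp        # advance: next OTP must hash to this one
            self.count -= 1
            return True
        return False


def demo_session(passphrase="correct horse", seed="ab12", n=5):
    """Enrol with h^n, log in with h^(n-1)..h^2, replay h^(n-1), finish with h^1.

    Returns (login results, replay accepted?, final login accepted?).
    """
    chain = skey_chain(passphrase, seed, n)
    server = SKeyServer(chain[-1], n)
    results = [server.verify(chain[i]) for i in range(n - 2, 0, -1)]
    replay = server.verify(chain[n - 2])   # sniffed, already used: rejected
    last = server.verify(chain[0])          # h^1, the final usable password
    return results, replay, last


if __name__ == "__main__":
    print(demo_session())   # expected: ([True, True, True], False, True)
```

The administrative drawback the slide mentions is visible in the code: once `count` reaches 1 the chain is exhausted and a new seed must be issued, which is what makes large user populations laborious to run.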
Authentication protocols
Password Authentication Protocol (PAP)
PAP was designed as a simple way for a remote computer to authenticate to another computer when PPP is the communication protocol. PAP is a two-way handshake: the host initiating the connection sends a user identity and password pair to the target system, which checks that the requesting host is correctly authenticated and accepts it for communication.
PAP is not secure because the authentication information is transmitted in clear, and there is no protection against replay or against repeated guessing attacks in which the attacker tries to find the correct password.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a three-way handshake in three steps:
1- The authenticator sends a challenge message to the peer.
2- The peer computes a value with a one-way hash function and returns it to the authenticator.
3- The authenticator accepts the peer if the value matches the one it expects.
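The three CHAP steps carried out by both sides, as an added example that is not part of the original slides. It follows RFC 1994's MD5 variant, Response = MD5(Identifier || secret || Challenge), and shows why the exchange resists replay (each challenge is used once) while the password itself never crosses the link. The user name and secret are constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Holds the shared secrets, issues challenges and checks responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets        # name -> secret (assumed credential store)
        self.outstanding = {}         # identifier -> challenge awaiting a response
        self.next_id = 1

    def challenge(self, size: int = 16) -> tuple:
        """Step 1: fresh random challenge tagged with an 8-bit identifier."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(size)
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash with the stored secret and compare."""
        chal = self.outstanding.pop(ident, None)   # a challenge is usable once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, chal))


class ChapPeer:
    """Step 2: hash the challenge with the secret instead of sending the secret."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        return self.name, chap_response(ident, self.secret, challenge)


def run_exchange(server_secret=b"s3cret", peer_secret=b"s3cret") -> tuple:
    """Run one handshake; returns (accepted, replay_of_same_response_accepted)."""
    auth = ChapAuthenticator({"alice": server_secret})
    peer = ChapPeer("alice", peer_secret)
    ident, chal = auth.challenge()             # 1. Challenge
    name, resp = peer.respond(ident, chal)     # 2. Response
    ok = auth.verify(ident, name, resp)        # 3. Success / Failure
    replay = auth.verify(ident, name, resp)    # sniffed response sent again
    return ok, replay


if __name__ == "__main__":
    print(run_exchange())             # expected: (True, False)
    print(run_exchange(b"a", b"b"))   # expected: (False, False)
```

Note what CHAP does not give: the authenticator must keep the secret in recoverable form to recompute the hash, and an attacker who captures a challenge/response pair can still run an offline dictionary attack on weak secrets.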
Terminal Access Controller Access Control System (TACACS)
TACACS was developed to provide not only an authentication mechanism but also the two further "A"s of remote-access security: authorization and accounting. Unlike the peer relationships designed into PAP and CHAP, TACACS is designed as a client/server system, which is more flexible, particularly for managing network security. At the center of TACACS and RADIUS is an authentication server.
[Figure: 1. the user dials into the access server; 2. the access server sends an authentication request to the server using the TACACS/RADIUS protocol; 3. the authentication server checks the identification request; 4. the authentication server replies and notifies the access server]
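Step 2 of the figure for RADIUS, as an added example that is not part of the original slides: the access server (NAS) builds an Access-Request carrying User-Name and User-Password, hiding the password with the RFC 2865 section 5.2 MD5 construction keyed on the shared secret and the Request Authenticator, and the authentication server parses it back. The user name, password and shared secret are constructed values. Note the caveat this makes visible: anyone holding the shared secret recovers the password, and the MD5 keystream is weak by modern standards, so RADIUS should run over IPsec or TLS rather than on a bare network.

```python
import hashlib
import os
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR the NUL-padded password with MD5 blocks chained on
    the shared secret and the 16-byte Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += c
        prev = c                      # next block is chained on the ciphertext
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (server side); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """NAS side: Access-Request (Code 1) with User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)    # must be unpredictable
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: split header and attributes, recover the password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": ident, "user": attrs[1].decode(),
            "password": radius_reveal_password(attrs[2], secret, authenticator)}


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"correct horse", b"shared")
    print(parse_access_request(pkt, b"shared"))
```

TACACS+ differs here in that it encrypts the whole packet body with an MD5-based stream keyed on the shared secret, not just the password attribute, but carries the same caveat.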
Basic hardware systems
A- Smart cards and PC cards
A smart card is a credit-card-sized device containing a microprocessor and memory; a reader is needed to read the card. A smart card can store each user's private key together with any application sent to it, which simplifies authentication, especially for mobile users. Some smart cards now include a cryptographic coprocessor, making encryption and decryption easy and fast.
The simplest digital certificate systems require the user to enter a personal identification number (PIN) to complete authentication. Many systems combine the smart card PIN with the user's biometric data, such as a fingerprint: the system is fitted with a fingerprint scanner, and the scan is compared with the data stored on the card.
A PC card is a small board plugged into an expansion slot on the computer's motherboard. PC cards are less flexible but have more memory than smart cards and can therefore store more authentication information.
B- Token devices
Tokens are built on dedicated hardware that displays changing passcodes which the user must type in. The processor inside the token stores a set of secret keys used to generate one-time passcod­es. The codes are sent to a security server on the network, which checks their validity and grants the user access.
Before the user is authenticated, the token asks for a PIN and then uses one of three mechanisms:
1- Challenge-response: the security server generates a random number when the user logs in. The challenge appears on screen and the user keys it into the token. The token encrypts the challenge with its secret key and shows the result on its LCD, and the user enters this result into the computer. Meanwhile the server encrypts the challenge with the same key; if the two results match, the user is admitted to the network.
2- Time-synchronous: the token displays a number computed from the secret key that changes every 60 seconds. The user is prompted for this number when logging in to the server. Because the clocks on the server and the token are synchronized, the server can validate the user by computing the number for the current interval and comparing the result.
3- Event-synchronous: a counter records the number of times the user has logged in. After each login the counter is updated and a new passcode is generated for the next login.
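Mechanisms 2 and 3 in working form, as an added example that is not part of the original slides. The standardized versions of the two token modes are HOTP (RFC 4226, event-synchronous counter) and TOTP (RFC 6238, time-synchronous, HOTP over the current 30-second step), both built on HMAC-SHA1 rather than the "encryption" the slide speaks of. The server side shows the practical detail the slide omits: a look-ahead window for skipped button presses in event mode, a drift allowance in time mode, and advancing the counter so an accepted code cannot be replayed. The token secret is the RFC 4226 test seed, used here so the values can be checked against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-synchronous code: HMAC-SHA1(secret, counter), dynamically
    truncated to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-synchronous code: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


class TokenServer:
    """Server-side state for one token; codes are accepted once, within a window."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self.secret, self.counter, self.window = secret, counter, window

    def verify_event(self, code: str) -> bool:
        """Event mode: try `window` counters ahead (user may have pressed the
        button without logging in); on success move past the used counter."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def verify_time(self, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
        """Time mode: tolerate +/- `skew` steps of clock drift between token and server."""
        for k in range(-skew, skew + 1):
            if hmac.compare_digest(totp(self.secret, now + k * step, step), code):
                return True
        return False


# RFC 4226 / RFC 6238 test seed (20 bytes), not a real token secret.
TEST_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print([hotp(TEST_SEED, c) for c in range(4)])   # 755224 287082 359152 969429
    print(totp(TEST_SEED, 59, digits=8))            # 94287082 (RFC 6238 vector)
```

Mechanism 1 (challenge-response) is the same idea with the server's random challenge replacing the counter or time step; the CHAP example under section 8 shows that flow.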
C- Biometric systems
Biometric systems rely on a unique personal trait to identify the user. The traits commonly used are the fingerprint, the voice and the iris.
9. Cryptographic techniques
Symmetric encryption
[Figure: plaintext -> encrypt with key K -> ciphertext -> decrypt with the same key K -> plaintext]
Asymmetric encryption
[Figure: plaintext -> encrypt with key E -> ciphertext -> decrypt with the different key D -> plaintext]
Symmetric encryption. The DES algorithm takes a 64-bit key of which 56 bits are used as key material and 8 bits are used for error checking (parity). The algorithm proceeds as follows:
[Figure: DES block diagram]
Input T = t1 t2 ... t64
Initial permutation (IP): T0 = IP(T)
Encryption computation: 16 rounds, each with its own round key Ki
Inverse initial permutation (IP^-1): T' = IP^-1(T16)
Key K = k1 k2 ... k64; the key schedule produces Ki (16 selections)
Output T'
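The "56 key bits plus 8 error-checking bits" in working form, as an added example that is not part of the original slides. The low bit of each of the 8 key bytes is an odd-parity bit that DES ignores for key material; an implementation should verify or fix it, and should also refuse the four weak keys listed in FIPS 46-3 (for which encryption equals decryption), which a parity check alone does not catch. The key values used are constructed.

```python
def odd_parity_byte(b: int) -> int:
    """Set the least-significant bit so the byte has an odd number of 1 bits;
    DES takes only the high 7 bits of each key byte as key material."""
    b &= 0xFE
    if bin(b).count("1") % 2 == 0:
        b |= 1
    return b


def fix_des_key_parity(key: bytes) -> bytes:
    """Return the key with correct odd parity in every byte."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes (64 bits)")
    return bytes(odd_parity_byte(b) for b in key)


def des_key_parity_ok(key: bytes) -> bool:
    """The error check the slide refers to: every byte must have odd parity."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def effective_key_bits(key: bytes) -> str:
    """The 56 bits DES actually uses, as a bit string (parity bits dropped)."""
    return "".join(format(b >> 1, "07b") for b in key)


# The four DES weak keys (with parity bits) from FIPS 46-3.  There are also
# twelve semi-weak keys, omitted here for brevity.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def is_weak_des_key(key: bytes) -> bool:
    """Weakness depends only on the 56 key bits, so compare after fixing parity."""
    return fix_des_key_parity(key) in DES_WEAK_KEYS


def check_des_key(key: bytes) -> str:
    """Combined acceptance check a key loader would run before using the key."""
    if not des_key_parity_ok(key):
        return "bad parity"
    if is_weak_des_key(key):
        return "weak key"
    return "ok"


if __name__ == "__main__":
    for k in (bytes(8), bytes.fromhex("0123456789ABCDEF"), bytes.fromhex("133457799BBCDFF1")):
        print(k.hex(), check_des_key(k), effective_key_bits(k))
```

The last key in the demo is the one used in the worked DES examples of most textbooks; it has correct parity and is not weak.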
Asymmetric techniques. Diffie-Hellman (DH): the two communicating parties use DH to derive a shared secret value, which can then serve as the shared key for a secret-key encryption algorithm. (DH itself encrypts nothing; it is a key agreement method, and it is what IKE uses to key IPsec.)
[Figure: each side generates a random number, exchanges a public value and computes the key; the resulting key then carries plaintext to ciphertext and back]
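The DH exchange of the figure carried out for both sides, as an added example that is not part of the original slides. It uses the 1024-bit "group 2" modulus from RFC 2409 (the IKE group of the period; too small for new deployments, used here only to keep the example self-contained) and adds the checks a practitioner wants around the textbook algorithm: the group parameters are validated as a safe prime, a peer's public value of 0, 1 or p-1 is rejected because it forces a predictable secret, and the raw shared value is hashed before being used as a symmetric key. The exchange shown is the unauthenticated one from the slide, so it is exactly what the man-in-the-middle attack in section 7 targets; IKE adds signatures or pre-shared-key authentication on top.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; enough to sanity-check a group prime."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, g: int) -> None:
    """p must be a safe prime (p = 2q+1, q prime) so that every generator other
    than 1 and p-1 has order q or 2q, leaving no small subgroup to fall into."""
    if not is_probable_prime(p) or not is_probable_prime((p - 1) // 2):
        raise ValueError("p is not a safe prime")
    if not 1 < g < p - 1:
        raise ValueError("generator must lie in [2, p-2]")


def keypair(p: int = P, g: int = G) -> tuple:
    """Private exponent x in [2, p-2] and public value g^x mod p."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def public_value_ok(y: int, p: int = P) -> bool:
    """Reject 0, 1, p-1 and out-of-range values: they force a known secret."""
    return 2 <= y <= p - 2


def shared_key(priv: int, peer_pub: int, p: int = P) -> bytes:
    """Z = peer_pub^priv mod p, then a hash so the symmetric key is uniform."""
    if not public_value_ok(peer_pub, p):
        raise ValueError("invalid peer public value")
    z = pow(peer_pub, priv, p)
    return hashlib.sha256(z.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def dh_exchange(p: int = P, g: int = G) -> tuple:
    """Both parties' steps; returns (key_A, key_B, pub_A, pub_B)."""
    validate_group(p, g)
    a, A = keypair(p, g)       # A: random number, public value
    b, B = keypair(p, g)       # B: random number, public value
    return shared_key(a, B, p), shared_key(b, A, p), A, B


if __name__ == "__main__":
    ka, kb, _, _ = dh_exchange()
    print(ka == kb, ka.hex())
```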
RSA public-key encryption (Rivest, Shamir, Adleman)
In 1978 Rivest, Shamir and Adleman proposed the RSA public-key encryption method. The RSA algorithm rests on the following observation: it is easy to generate two large primes and multiply them together, but extremely hard to factor the resulting composite number back into its two primes. The algorithm is described as follows:
1- Choose two large primes p and q
2- Compute n = p x q and φ(n) = (p-1)(q-1)
3- Choose a random D (3 < D
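The RSA steps carried through to encryption and decryption, as an added example that is not part of the original slides. The slide's step 3 picks the decryption exponent first; this example picks the public exponent e = 65537 and derives d from it, which gives the same relation e·d ≡ 1 (mod φ(n)). The demo primes are the Mersenne primes 2^31-1 and 2^61-1, chosen as constructed values so the example runs instantly; real keys use two random primes of at least 1024 bits each, and raw ("textbook") RSA as shown must be wrapped in padding such as OAEP before being used to encrypt anything.

```python
def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    """Inverse of a modulo m; fails if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m


def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Steps 1-2 of the slide plus the exponent pair.

    n = p*q, phi = (p-1)(q-1), e coprime with phi, d = e^-1 mod phi.
    Returns ((e, n), (d, n)) as (public key, private key).
    """
    if p == q:
        raise ValueError("p and q must differ")
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)            # raises if e shares a factor with phi
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub: tuple) -> int:
    """c = m^e mod n (textbook RSA; real use needs padding such as OAEP)."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv: tuple) -> int:
    """m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


# Constructed demo primes (Mersenne primes).  Far too small for real use.
P_DEMO, Q_DEMO = 2**31 - 1, 2**61 - 1


def demo(m: int = 0xDEADBEEF) -> tuple:
    """Key generation, encryption and decryption of one message; returns (c, m')."""
    pub, priv = rsa_keygen(P_DEMO, Q_DEMO)
    c = rsa_encrypt(m, pub)
    return c, rsa_decrypt(c, priv)


if __name__ == "__main__":
    print(demo())
    print(rsa_keygen(61, 53, 17))   # the classic small example: n = 3233, d = 2753
```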
10. VPN protocols
a- The IPsec protocol
Basic features of IPsec
IPsec was standardized in 1995. It defines two header types for IP packets that control authentication and encryption: the IP Authentication Header (AH), which handles authentication, and the Encapsulating Security Payload (ESP), which handles encryption. IPsec support is an add-on for IPv4, while IPv6 has IPsec available built in.
@ Security Association (SA)
@ Authentication Header (AH)
@ Encapsulating Security Payload (ESP)
@ Modes of operation
1- Security Association (SA)
For two parties to send and receive protected data, both sender and receiver must agree on the encryption algorithm and on the key management and key exchange method. A communication may require one or more SAs, and every packet protected by IPsec must be covered by an SA.
An IPsec SA describes:
The authentication algorithm used for AH and its key
The ESP encryption algorithm and its key
The format and size of the initialization vector used by the encryption algorithm
The protocol, encryption algorithm and key used for the communication
The lifetime of the SA's key
The source address of the SA
2- Authentication Header (AH)
In IPsec the Authentication Header is inserted between the IP header and the payload without modifying the payload. The AH header has five fields: Next Header, Payload Length, Security Parameter Index (SPI), Sequence Number and Authentication Data (plus a reserved field).
[Figure: AH in transport mode]
IPv4: original IP header | AH | TCP | data (original packet: original IP header | TCP | data)
Authenticated, except for the mutable fields
IPv6: original IP header | hop-by-hop, routing, fragment headers | AH | destination options | TCP | data (original packet: original IP header | extension headers | TCP | data)
Authenticated, except for the mutable fields
Note that AH does not keep the packet secret; it only authenticates. To protect the data, the second component, ESP, is used.
3- Encapsulating Security Payload (ESP)
ESP encrypts the data, so the content of the packet is changed.
[Figure: ESP in transport mode]
IPv4: original IP header | ESP header | TCP | data | ESP trailer | ESP authentication data (original packet: original IP header | TCP | data)
Encrypted: TCP through ESP trailer. Authenticated: ESP header through ESP trailer.
IPv6: original IP header | hop-by-hop, routing, fragment headers | ESP header | destination options | TCP | data | ESP trailer | ESP authentication data (original packet: original IP header | extension headers if any | TCP | data)
Encrypted: destination options through ESP trailer. Authenticated: ESP header through ESP trailer.
Like AH, ESP carries an SPI that tells the receiver which security parameters to apply when processing the packet. The ESP sequence number is a counter incremented for every packet sent on the same SA; the receiver uses it to reject replayed packets.
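The AH field layout from section 2 and the sequence-number replay check described here, as an added example that is not part of the original slides. The parser follows RFC 4302: Payload Length counts 32-bit words minus 2, so a 12-byte HMAC-SHA1-96 ICV gives a Payload Length of 4. The replay window is the 64-packet sliding bitmap of RFC 4303 section 3.4.3; in a real implementation it is consulted only after the ICV has verified, otherwise an attacker could poison the window with forged sequence numbers. The sample header bytes and sequence-number trace are constructed.

```python
import struct

AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number


def parse_ah(buf: bytes) -> dict:
    """Parse an IPsec Authentication Header (RFC 4302) from raw bytes.

    Total header size is (payload_len + 2) * 4 bytes, ICV included.
    """
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if len(buf) < total:
        raise ValueError("AH shorter than Payload Length claims")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": buf[AH_FIXED_LEN:total], "after_ah": buf[total:]}


def build_ah(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Inverse of parse_ah; ICV is padded to a 32-bit boundary by the caller."""
    if len(icv) % 4:
        raise ValueError("ICV must be a multiple of 4 bytes")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


class ReplayWindow:
    """RFC 4303 s3.4.3 sliding window over the per-SA sequence number.

    Bit 0 of the bitmap is the highest number seen (`top`); bit k marks that
    top-k was received.  Numbers below the window are rejected as too old,
    numbers inside it are accepted once, numbers above it slide the window.
    """

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                           # 0 is never a valid number
        if seq > self.top:                         # new highest: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                           # older than the window
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                           # duplicate: replay
        self.bitmap |= bit
        return True


def process(seqs, size: int = 64) -> list:
    """Run a sequence-number trace through one window; return accept flags."""
    win = ReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    ah = build_ah(6, 0x1000, 42, b"\x11" * 12)     # next header 6 = TCP
    print(parse_ah(ah + b"tcp payload"))
    print(process([1, 2, 3, 2, 70, 5, 7, 70]))      # duplicates and stale seqs rejected
```

The same window logic applies to AH and ESP alike, since both carry the 32-bit sequence number; the sender must rekey before the counter wraps, because a wrapped counter would let old packets pass the check.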
4- Modes of operation
IPsec has two modes of operation:
Transport mode: only the transport-layer segment of the packet is processed.
Transport mode protects the upper-layer protocols end to end and is used between hosts (a gateway uses it only for traffic it originates or terminates itself). In transport mode, AH is inserted after the IP header and before the upper-layer protocol (TCP, UDP or ICMP), or before any IPsec header already inserted.
Tunnel mode: the whole packet is processed for encryption and authentication.
In tunnel mode a new IP header carries the source and destination addresses of the tunnel endpoints, and AH protects the entire original IP packet.
[Figure: AH in tunnel mode]
IPv4: new IP header | AH | original IP header | TCP | data
IPv6: new IP header | new extension headers | AH | original IP header | original extension headers | TCP | data
Authenticated, except for the mutable fields in the new IP header
AH tunnel mode only protects against modification of the data, so another means is needed to ensure its privacy.
ESP tunnel mode protects effectively against eavesdropping, but does not protect the whole packet: the outer IP header remains in the clear.
[Figure: ESP in tunnel mode]
IPv4: new IP header | ESP header | original IP header | TCP | data | ESP trailer | ESP authentication data
Encrypted: original IP header through ESP trailer. Authenticated: ESP header through ESP trailer.
IPv6: new IP header | new extension headers | ESP header | original IP header | original extension headers | TCP | data | ESP trailer | ESP authentication data
Encrypted: original IP header through ESP trailer. Authenticated: ESP header through ESP trailer.
5- Using IPsec
To build a VPN in which all hosts can communicate with each other over IPsec, IPsec software must be installed on all hosts and on the security gateways.
[Figure: LAN-to-LAN connection: protected LAN | security gateway | Internet | security gateway | protected LAN; and client-to-LAN connection]
b- The PPTP protocol
Basic features of PPTP
The Point-to-Point Tunneling Protocol (PPTP) was introduced by a group of companies called the PPTP Forum. The basic idea is to separate the common and the private functions of remote access, exploiting the existing Internet infrastructure to create secure connections between a client and a private network. A remote user only has to dial a local Internet service provider to create a secure tunnel to their private network.
@ PPTP can carry many different protocols in the tunnel, whereas IPsec works only with IP;
@ PPTP is designed to operate at the data-link layer, whereas IPsec runs at the network layer;
@ PPTP establishes and terminates the physical connection.
1- PPTP format
PPTP relies on PPP to create the dial-up connection between the client and the network access server. After PPP has established the connection, PPTP uses the PPP encapsulation rules to encapsulate the packets carried in the tunnel.
To take advantage of the connection created by PPP, PPTP defines two kinds of packet, control and data, and assigns them to two separate channels. PPTP then splits the control channel and the data channel into a control stream carried over TCP and a data stream carried over IP. The TCP connection between the PPTP client and the PPTP server carries the control messages. Control packets are sent periodically to obtain the connection status and to manage signaling between the PPTP client and the network server; they also carry device management and configuration information between the two ends of the tunnel.
The control channel is required to establish a tunnel between the PPTP client and the PPTP server. The client software may reside on the remote user's machine or at the ISP's server.
Once the tunnel has been established, user data is transmitted from the client to the PPTP server. PPTP packets carry IP datagrams. Each IP datagram is encapsulated with a GRE header whose Key field carries the Call ID that identifies the session; the acknowledgment number is used to regulate the transmission rate in the tunnel.
Because PPTP operates at the data-link layer, the packet needs a media header indicating how the data is carried in the tunnel. Depending on the ISP's infrastructure, this may be Ethernet, Frame Relay or a PPP link.
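The data-channel encapsulation just described, as an added example that is not part of the original slides: the enhanced GRE header of RFC 2637 (K bit set, Key field = payload length and Call ID, optional sequence and acknowledgment numbers, protocol type 0x880B for PPP) built and parsed, plus the receive side of a PPTP server routing each frame to the PPP session named by its Call ID and dropping frames for unknown calls or with replayed sequence numbers. Call IDs and payloads are constructed values.

```python
import struct

GRE_PROTO_PPP = 0x880B          # protocol type carried in PPTP GRE


def build_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """RFC 2637 enhanced GRE: K always set (Key = length + Call ID), S when a
    sequence number is carried, A when an acknowledgment piggybacks; version 1."""
    b0 = 0x20 | (0x10 if seq is not None else 0)       # K, S
    b1 = (0x80 if ack is not None else 0) | 0x01       # A, Ver = 1
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(buf: bytes) -> dict:
    """Validate the fixed bits and pull out Call ID, seq, ack and the PPP payload."""
    if len(buf) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", buf[:8])
    if b1 & 0x07 != 1 or not b0 & 0x20 or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP enhanced-GRE packet")
    if b0 & 0xC0:
        raise ValueError("checksum/routing bits must be zero in PPTP GRE")
    pos, seq, ack = 8, None, None
    if b0 & 0x10:
        seq = struct.unpack("!I", buf[pos:pos + 4])[0]
        pos += 4
    if b1 & 0x80:
        ack = struct.unpack("!I", buf[pos:pos + 4])[0]
        pos += 4
    payload = buf[pos:pos + length]
    if len(payload) != length:
        raise ValueError("payload shorter than Key length field")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


class PptpDemux:
    """Receive side of a PPTP server: deliver GRE data to the PPP session
    identified by the Call ID; drop unknown calls and non-increasing seqs."""

    def __init__(self, call_ids):
        self.sessions = {cid: {"last_seq": 0, "frames": [], "peer_ack": 0}
                         for cid in call_ids}
        self.dropped = 0

    def deliver(self, raw: bytes) -> bool:
        pkt = parse_pptp_gre(raw)
        sess = self.sessions.get(pkt["call_id"])
        if sess is None:
            self.dropped += 1                   # no such call: not ours
            return False
        if pkt["ack"] is not None:              # peer acknowledges our frames
            sess["peer_ack"] = max(sess["peer_ack"], pkt["ack"])
        if pkt["seq"] is None:
            return True                         # pure acknowledgment packet
        if pkt["seq"] <= sess["last_seq"]:
            self.dropped += 1                   # duplicate or out of order
            return False
        sess["last_seq"] = pkt["seq"]
        sess["frames"].append(pkt["payload"])
        return True


if __name__ == "__main__":
    d = PptpDemux([0x1234])
    for raw in (build_pptp_gre(0x1234, b"\xff\x03\x00\x21", seq=1),
                build_pptp_gre(0x1234, b"\xff\x03\x00\x21", seq=2, ack=1),
                build_pptp_gre(0x1234, b"\xff\x03\x00\x21", seq=2),
                build_pptp_gre(0x9999, b"\xff\x03\x00\x21", seq=1)):
        print(d.deliver(raw))
    print(d.sessions[0x1234]["frames"], d.dropped)
```

Nothing in this header is authenticated or encrypted: confidentiality and integrity for PPTP come from the PPP layer inside (MPPE in practice), which is the point of the slide's remark that PPP by itself is not secure.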
2- Tunnels
PPTP allows users and ISPs to create several kinds of tunnel. The user can place the tunnel endpoint on their own machine if a PPTP client is installed, or at the ISP's server if their computer has only PPP and no PPTP. Tunnels fall into two types: voluntary and compulsory.
A voluntary tunnel is created at the user's request for a specific purpose. With a voluntary tunnel, the user can at the same time open a secure tunnel across the Internet using ordinary TCP/IP.
Voluntary tunnels are commonly used to provide privacy and data integrity for intranet traffic crossing the Internet.
A compulsory tunnel is created without the user's involvement, so it is transparent to the end user. The endpoint of a compulsory tunnel is at the remote access server (RAS); all data sent by the user through the PPTP tunnel passes through the RAS. Because a compulsory tunnel fixes the endpoint in advance and the user cannot reach the rest of the Internet, it gives much better access control than a voluntary tunnel. This means that
[Figure: voluntary tunnels: a PPTP client opens a PPTP tunnel across the Internet into the intranet]
the user does not reach the Internet while accessing the VPN, while access from the Internet into the VPN is still permitted. A compulsory tunnel can carry several connections at the same time.
A static compulsory tunnel can be configured by equipment or by hand. Equipment-based configuration requires the user to dial a special telephone number to create the connection. With manual configuration, the RAS examines a part of the username called the realm to decide where to contact for that user. Realm-based tunneling essentially allows the users associated with a given realm to be treated alike.
[Figure: compulsory tunnels: PPTP client | RAS acting as PPTP client | Internet | PPTP server | intranet]
The most important feature of PPTP is that it provides a secure dial-up access method into the VPN and defines the tunnel endpoints. Since one of these endpoints may be on the Internet service provider's equipment, configuring it requires cooperation between the ISP and the network administrator in authenticating users.
3- Using PPTP
[Figure: LAN-to-LAN connection: protected LAN | PPTP server | Internet | PPTP server | protected LAN; client-to-LAN connection either through a NAS without PPTP or through an ISP NAS with PPTP]
c- The L2TP protocol
Basic features of L2TP
The Layer 2 Tunneling Protocol (L2TP) is the combination of two protocols, PPTP and L2F (Layer 2 Forwarding), and therefore inherits the characteristics of both.
@ L2TP is designed to operate at the data-link layer.
@ L2TP can carry many different protocols in the tunnel.
@ Microsoft planned to support L2TP in Windows NT and Windows 98.
1- L2TP format
L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS). L2TP uses PPP to create the physical connection, carry out the initial authentication, create the PPP data packets and close the connection at the end of the session.
After PPP has set up the connection, L2TP determines whether the NAS at the main site accepts the user and is ready to act as the tunnel endpoint for that user. Once the tunnel is created, L2TP encapsulates the PPP packets and transmits them over the medium the ISP has assigned to the tunnel. L2TP creates the tunnel between the ISP's NAS and the client's network server and can assign several sessions to one tunnel. It creates a Call ID for each session and inserts it into the L2TP header of every packet to indicate which session the packet belongs to.
L2TP can also create several tunnels between the ISP's NAS and the client's network server. Assigning one user session per tunnel, rather than multiplexing several sessions into one tunnel, makes it possible to assign different users to different tunnel media according to their quality of service.
L2TP also defines two kinds of message: control messages and data messages.
Control messages are used to establish, manage and release sessions on the tunnel.
Data messages include a media header indicating which medium the tunnel operates on.
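The L2TP header with its Tunnel ID and Session ID (the slide's Call ID) and the control/data distinction, as an added example that is not part of the original slides. It follows RFC 2661: the T bit separates control from data messages, control messages must carry the Length and Ns/Nr fields and consist of AVPs, and the Message Type AVP (attribute 0) names the control message. The parser enforces those rules and rejects malformed headers rather than guessing; the tunnel, session and AVP values are constructed.

```python
import struct

L2TP_T, L2TP_L, L2TP_S, L2TP_O, L2TP_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
MSG_TYPE_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                  7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                  12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def build_avp(attr_type: int, value: bytes, mandatory: bool = True, vendor: int = 0) -> bytes:
    """Attribute-Value Pair: M bit, 10-bit length (header included), vendor, type."""
    length = 6 + len(value)
    flags = (0x8000 if mandatory else 0) | (length & 0x03FF)
    return struct.pack("!HHH", flags, vendor, attr_type) + value


def build_l2tp(tunnel_id: int, session_id: int, payload: bytes = b"",
               control: bool = False, ns: int = None, nr: int = None) -> bytes:
    """Control messages get T, L and S (RFC 2661 requires them); data messages
    here carry only the minimal header: flags/version, Tunnel ID, Session ID."""
    flags = 0x0002                                   # version 2
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages carry Ns/Nr")
        flags |= L2TP_T | L2TP_L | L2TP_S
    body = struct.pack("!HH", ns, nr) if flags & L2TP_S else b""
    total = 2 + (2 if flags & L2TP_L else 0) + 4 + len(body) + len(payload)
    hdr = struct.pack("!H", flags)
    if flags & L2TP_L:
        hdr += struct.pack("!H", total)
    return hdr + struct.pack("!HH", tunnel_id, session_id) + body + payload


def parse_avps(buf: bytes) -> list:
    avps, pos = [], 0
    while pos < len(buf):
        flags, vendor, attr = struct.unpack("!HHH", buf[pos:pos + 6])
        length = flags & 0x03FF
        if length < 6 or pos + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append({"mandatory": bool(flags & 0x8000), "vendor": vendor,
                     "type": attr, "value": buf[pos + 6:pos + length]})
        pos += length
    return avps


def parse_l2tp(buf: bytes) -> dict:
    (flags,) = struct.unpack("!H", buf[:2])
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    control, pos = bool(flags & L2TP_T), 2
    if control and (not flags & L2TP_L or not flags & L2TP_S or flags & L2TP_O):
        raise ValueError("malformed control header (needs L and S, no O)")
    length = None
    if flags & L2TP_L:
        (length,) = struct.unpack("!H", buf[pos:pos + 2])
        pos += 2
        if length > len(buf):
            raise ValueError("truncated message")
    tunnel_id, session_id = struct.unpack("!HH", buf[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & L2TP_S:
        ns, nr = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
    if flags & L2TP_O:                                # data only: skip offset pad
        (off,) = struct.unpack("!H", buf[pos:pos + 2])
        pos += 2 + off
    end = length if length is not None else len(buf)
    msg = {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
           "ns": ns, "nr": nr, "payload": buf[pos:end]}
    if control:
        msg["avps"] = parse_avps(buf[pos:end])
    return msg


def message_name(msg: dict) -> str:
    """Name the control message from its Message Type AVP; DATA for data packets."""
    for avp in msg.get("avps", []):
        if avp["vendor"] == 0 and avp["type"] == 0:
            return MSG_TYPE_NAMES.get(struct.unpack("!H", avp["value"])[0], "unknown")
    return "ZLB" if msg["control"] else "DATA"


if __name__ == "__main__":
    # SCCRQ before IDs are assigned: Message Type = 1, Assigned Tunnel ID (9) = 5.
    sccrq = build_l2tp(0, 0, build_avp(0, b"\x00\x01") + build_avp(9, b"\x00\x05"),
                       control=True, ns=0, nr=0)
    print(message_name(parse_l2tp(sccrq)), parse_l2tp(sccrq)["avps"])
    data = build_l2tp(5, 17, b"\xff\x03\xc0\x21")      # PPP LCP frame in session 17
    print(message_name(parse_l2tp(data)), parse_l2tp(data)["session_id"])
```

As with PPTP, nothing here protects the tunnel: L2TP's own tunnel authentication is an optional CHAP-style challenge on the control connection, and confidentiality comes from running L2TP over IPsec, the combination later standardized in RFC 3193.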