Đề Xuất Giải Pháp Kỹ Thuật: Công Ty Cổ Phần Đầu Tư Phát Triển Công Nghệ Fpt

CNG TY C PHN U T PHT TRIN CNG NGH FPT
XUT GII PHP K THUT
Gi thu: TRANG B H THNG KIM SOT TRUY CP MNG
Thuc d n:
H THNG KIM SOT TRUY CP MNG
Ch u t: CNG TY THNG TIN DI NG
H ni, thng 12 nm 2008
MC LC
1. HIU BIT V H S THU.............................................................................................4 2. PHN TCH HIN TRNG H THNG............................................................................5 2.1 Hin trng.........................................................................................................................5 2.2 S cn thit u t h thng kim sot truy cp mng.....................................................5 3. XUT GII PHP TRANG B H THNG KIM SOT TRUY CP MNG .....10 3.1 Kin trc gii php ca Symantec..................................................................................13 3.2 Tnh nng h thng kim sot truy cp ca Symantec...................................................14 3.3 C ch kim sot truy cp ca h thng.........................................................................19 3.4 C ch xc thc..............................................................................................................29 3.5 Cc tnh nng khc ca h thng....................................................................................32 4. DANH MC CC SN PHM CHO THU.................................................................33 4.1 Trang b 05 my ch xc thc IBM x3650....................................................................33 4.2 Trang b 05 my ch qun l iu khin truy nhp mng IBM x3650..........................33 4.3 Trang b 05 my ch qun l chnh sch IBM x3650 ...................................................34 4.4 Trang b my tnh xch tay Sony VaiO..........................................................................35 4.5 Trang b phn mm qun l truy cp cho 5000 User bn quyn cp nht trong 3 nm. 35 4.6 Trang b 06 b kim tra truy cp cho VPCT v 5 Trung tm(Min ph).......................36 5. BNG P NG K THUT CHO THU..................................................................37 6. GII THIU CC TNH NNG K THUT CC SN PHM CHO THU............37 6.1 Gii thiu phn mm Symantec Enpoint Protection......................................................37 6.2 Gii thiu phn mm Symantec Network Access Control.............................................41 6.3 Gii thiu phn mm xc thc Cisco ACS 4.2..............................................................46 6.4 Gii thiu my ch IBM System x3650.........................................................................48
H s d thu: Gi thu: Trang b h thng kim sot truy cp mng Thuc d n: H thng kim sot truy cp mng Trang 2/49
7. KT LUN..........................................................................................................................49
1.
-
HIU BIT V H S THU

Tn gi thu: Trang b h thng kim sot truy cp mng thuc d n H thng kim sot truy cp mng Thi gian thc hin hp ng : 13 tun a im trang b: Vn phng Cng ty Thng tin di ng 216 Trn Duy Hng, Cu Giy, H Ni . Vn phng trung tm TTD khu vc I 811A Gii Phng, Hong Mai, H Ni. Vn phng trung tm TTD khu vc II MM18 ng Trng Sn, Qun 10, Tp. HCM. Vn phng trung tm TTD khu vc III 263 Nguyn Vn Linh, Tp. Nng. Vn phng trung tm TTD khu vc IV 51F Nguyn Tri, Ninh Kiu, Tp.Cn Th. Vn phng trung tm TTD khu vc V 332 Ng Gia T, Tp. Hi Phng.
2.
2.1
PHN TCH HIN TRNG H THNG

Hin trng
H thng mng ca VMS hin ti gm VPCT v 5 trung tm (H ni, HCM, nng,
Cn th, Hi Phng) vi khong 3000 my trm ca nhn vin, i l thng xuyn truy cp vo h thng v s lng ln cc my ca i tc, khch hng truy cp khi c nhu cu. Ngoi ra, nhu cu ca nhn vin truy cp ti nguyn mng t nh lm vic hoc khi i cng tc cng l mt vn ng lu tm vi cng ty. S lng my trm truy cp mng ny d kin s tng ln 5000 my vo nm 2010. Cc my trm hin ti s dng ch yu cc h iu hnh Windows 2000, XP, Vista, mt s chy Linux. Cc my trm c kt ni vo h thng mng vi rt nhiu cch thc khc nhau: qua VPN, Wireless, RAS hoc thng qua cc my ch DHCP hay cc switch thng v switch c h tr 802.1x. Hin ti, VMS s dng my ch Mcafee Remediation Manager thc hin vic cp nht cho cc my trm. Cc my trm trong h thng c ci Mcafee RM client, RM client ny s thc hin so snh v ci t cc bn v trn my trm nu cn thit. VMS hin cha c c ch kim sot yu cu truy cp cho cc my trm (phi c cc phn mm security c cp nht thng xuyn, y cc bn v, ...). y khng phi l mt kin trc bo mt chun, bi cc my trm khng m bo cc yu cu v an ninh vn c th truy cp v gy ra nhng tc hi khng mong mun cho h thng.
2.2
S cn thit u t h thng kim sot truy cp mng

Cc chuyn gia nhn nh 2008 l nm tip tc gia tng cc mi e do n an ninh
mng: phishing, spam, botnetwork, trojan, adware, spyware, cc nguy c zero-day, ... Theo cc bo co mi nht tng kt v tnh hnh an ninh mng th so vi nm 2006, s lng cc im yu an ninh tng 25,8 %. Trong s cc hnh vi li dng im yu an ninh th cc hnh vi nhm vt qua tng la, proxy, h thng pht hin xm nhp, h thng qut
virus, ... truy cp c vo h thng v hnh vi tn cng t chi dch v c s thay i r nt theo tng thng.
Hnh 1: Cc hnh vi li dng im yu an ninh trong nm 2007 Cc bo co cng thng k rt nhiu cnh bo v cc im yu an ninh nghim trng ca cc nh cung cp cc sn phm nh Microsoft, Apple, Adobe, VMWare, ... in hnh l nhng im yu an ninh trong cc phn mm Internet Explorer, Microsoft Outlook, Windows DNS Server RPC ca Microsoft.
Hnh 2: Xu hng phishing sp ti Cc bo co v Spam v phishing cho thy Vit Nam l mt trong nhng nc c t l spam cao nht khu vc chu Thi Bnh Dng:
Hnh 3: Bng tng kt v t l spam ca cc nc chu Thi Bnh Dng
Cc phn tch v ni dung web: qua vic phn tch 150 triu trang web v hnh nh mi Nh T l cung cp im yu Microsoft Apple Oracle Cisco Sun IBM Mozilla XOOPS BEA Linux Kernel 4,2% 3,0% 2,0% 1,9% 1,5% 1,3% 1,3% 1,2% 1,1% 0,9%
mi thng (hn 6,9 t trang web v hnh nh t nm 1999), kt qu cho thy hn 10% cc ni dung ca web l cc thng tin khiu dm, bo lc, ma ty.... Cc bo co pht hin phn mm c hi (malware) : theo thng k, s m c xut hin trong 6 thng qua chim ti 25% tng phn mm nguy him ca c 20 nm k t khi virus my tnh u tin ra i. S mu virus c pht hin mi ngy l hn 25.000 mu. D tnh, cc chng trnh c hi s vt ngng 1 triu vo cui 2008. Nhng pht hin ca cc bo co ni trn cng c thm thc t rng cc mi e da v bo mt cng nh cc cuc tn cng mang tnh ton cu ngy cng nhiu hn v tinh vi hn. Khi ngy cng c nhiu cc thit b v ng dng trn nn IP c trin khai, ng thi ngy
cng c nhiu phng thc truyn thng lin lc, th s lng cc cuc tn cng chc chn s tng ln. Do , khi cc doanh nghip ngy cng coi vic kinh doanh thnh cng ph thuc h thng mng, cc nhn vin lm vic di ng cng nh da trn mi hp tc song phng vi cc i tc, cc nh t vn, cung cp dch v, nh thu, khch hng thng xuyn, th iu quan trng l h phi kim sot c vic truy cp ti h thng mng v bo mt h tng CNTT ca mnh. Bng gii php kim sot truy cp mng, mt mi trng bo mt s c to ra bo v cc ti sn trng yu ca doanh nghip, ng thi cung cp c kh nng linh hot cao nht cho vic truy cp ngi dng mi ni, mi lc. Bn cnh y, do h thng h tng ca cc doanh nghip (my ch, my trm, thit b mng, ...) c u t qua nhiu giai on nn i hi gii php kim sot truy cp mng phi thch ng c vi ton b c s h tng hin ti, trnh vic phi u t thm cc thit b khng cn thit. Vic s dng mt gii php kim sot truy cp chun nh vy s cho php cc doanh nghip tn dng c cc u t sn c trong cc thit b v phn mm mng. Ngoi ra, gii php ny cn m bo c th d dng tch hp vo mi trng mng sn c, bao gm c h thng bo mt v thit b mng ca mt doanh nghip, mt cch nhanh chng v hiu qu, mang li linh hot ti u v kh nng hon vn u t cao. Vi nhng phn tch trn v cn c vo thc trng ti VMS, cn thit phi trang b h thng kim sot truy cp mng. H thng kim sot truy cp mng s cho php: 1. Qun l bo mt v bo v ti nguyn h thng m bo my trm tun th ng theo cc chnh sch bo mt Ngn chn truy nhp bt hp php hoc khng an ton ti ti nguyn h thng
2. Gim thiu rc ri v tng thi gian hot ng ca h thng S dng cc chun cng ngh c ng dng ph bin, gim thiu rc ri do phi tch hp nhiu sn phm v nng cao hiu qu u t. Gim thiu ri ro ly nhim v ngn chn s ly lan ca cc my b nhim (virus, spy, malware, )
Tng thi gian v hiu qu hot ng ca h thng vi kh nng t ng cp nht my trm ph hp vi cc yu cu bo mt
3. Tch hp vi cc sn phm bo mt u cui Tch hp vi cc sn phm bo mt u cui nh antivirus, tng la, IPS, qun l ng dng v thit b (USB, Bluetooth, hng ngoi, ) Mt agent duy nht gip n gin cho vic ci t Cung cp kh nng qun l ton b cc sn phm bo mt u cui t mt ca s qun tr duy nht 4. Qun l chi ph v nng cao hiu qu hot ng Gii php bo mt u cui ng b duy nht t mt nh cung cp, gip gim thiu chi ph khi phi tch hp nhiu sn phm khc nhau. Qun l iu kin chp hnh ca my trm (cc phn mm phng chng virus, tng la phi trng thi hot ng) trc khi cho php my truy cp vo h thng
3.
XUT GII PHP TRANG B H THNG KIM SOT
TRUY CP MNG
Trn c s hiu bit v gi thu Trang b h thng kim sot truy cp mng ca Cng ty VMS v cc hng mc hng ha v cc tnh nng k thut ca chng, cng vi nhng kinh nghim, v nhng nghin cu ca chng ti v cc gii php kim sot truy cp mng ca cc hng khc nhau chng ti xut mt gii php tng th trong s dng gii php kim sot truy cp ca Symantec, kt hp vi gii php xc thc ca Cisco p ng cc nhu cu v kim sot mng cho Cng ty thng tin di ng VMS nh sau: H thng kim sot truy cp mng s tng cng tnh nng bo mt cho c s h tng mng v khng nh hng ti hot ng hin ti ca h thng CNTT. Cc my tnh c gim st s cn ci t cc agent kim tra v xc thc iu kin bo mt trc khi mun truy cp vo mng. Cc agent s c trin khai trn 5000 my trm ca VMS trn ton quc.
Cc thit b xc thc thng tin truy cp cho my trm s c t ti cc im truy cp vo mng ni b VMS. D tnh cc thit b ny s t ti 6 im: VPCT, Trung tm TTD KV I (H ni), Trung tm TTD KV II (HCM), Trung tm TTD KV III ( Nng), Trung tm TTD KV IV (Cn Th), Trung tm TTD KV V (Hi Phng). Cc thit b ny s h tr kh nng truy cp qua VPN, Wireless, Remote Access Server (RAS), truy cp qua my ch DHCP v truy cp qua cc switch h tr giao thc 802.1x (trong trng hp ny thit b kim tra c th hot ng nh 1 RADIUS proxy) My ch qun l v thit lp chnh sch s c trin khai VPCT v 4 trung tm (Trung tm TTD KV I, II, III, IV). Trong giai on ny chnh sch ca Trung tm TTD khu vc V s c qun l trc tip bng my ch ca VPCT. Ngoi ra, my ch chnh sch VPCT s lu ton b chnh sch ca h thng, my ch ca cc Trung tm s lu chnh sch lin quan n Trung tm m mnh qun l. Khi my ch ca 1 im gp s c, h thng s cho php xc thc cc my trm im qua my ch chnh sch t ti VPCT. Ngoi ra, m bo kh nng hot ng lin tc, gii php phi h tr c ch sao lu cc cho my ch. ng dng qun tr tp trung c t ti VPCT gim st ton b h thng. T ca s chnh ny, Ngi qun tr h thng s qun l ton b cc chnh sch v hot ng ca c Cng ty, chnh sch ca mi Trung tm s do mt ngi qun tr ca Trung tm qun l.
Hnh 4: M hnh truy cp ti 1 im
M t kin trc v tnh nng tng th ca h thng kim sot truy cp s dng gii php ca Symantec c xut:
3.1
Kin trc gii php ca Symantec

H thng c kh nng h tr kin trc chy trong mi trng ln, c th chy theo ch fail-over m bo kh nng hot ng lin tc. Kin trc h thng m bo c 3 phn chc nng c bn: Chc nng qun l chnh sch: thit lp, qun l v lu tr cc chnh sch cn tun th. Tc nhn (Agent) trn my trm: 1 agent duy nht thu thp ton b thng tin lin quan n cc chnh sch cn tun th ca my trm. B kim tra: trung gian gia Chc nng qun l chnh sch v cc agent. Thc hin vic nhn thng tin do cc agent cung cp, so snh vi cc chnh sch v cp quyn truy cp cho my trm. H tr vic truy cp qua VPN, Wireless LAN, RAS cng nh cc giao thc 802.1x, DHCP.
Hnh 5: Cc thnh phn ca h thng kim sot truy cp
3.2
Tnh nng h thng kim sot truy cp ca Symantec

a. Chc nng qun l chnh sch Chc nng qun l chnh sch m bo y cc yu cu c bn v qun l cu trc cng nh cc chnh sch (policy) s c thc thi ca doanh nghip. Cu trc v chnh sch c m t chi tit nh sau: Cu trc: Gii php qun l chnh sch ca Symantec m bo tun theo cu trc chun v qun l, ngha l c th qun l theo min (domain), nhm (group), ngi dng (user) v thit b (computer). Cu trc qun l chnh sch ca Symantec cu trc tng ng vi cu trc AD ca Windows v c th ng b qua li nhm n gin ha vic qun l. Vic qun l theo nhm gip vic p cc chnh sch s d dng hn, thay v phi p cho tng ngi dng/ thit b, s cho php p theo tng nhm c yu cu truy cp ging nhau. Gii php ny cng cho php vic phn chia nhm da trn nhiu c s khc nhau: theo v tr a l, theo phng ban chc nng, ... hng cu trc ca gii php ti cu trc thc t ca doanh nghip. Cho php thay i cc nhm, ngi dng, thit b bng tay hay t ng np t my ch AD , ng thi, cng cho php my ch qun l c th ng b qua li vi my ch AD tn dng ti nguyn c sn v thun tin cho vic qun tr. Cu trc min: Min bao gm cc nhm, i vi cc doanh nghip ln nh VMS, c th cu trc thnh cc min khc nhau, mi min l cc trung tm chi nhnh v vic qun l s c tin hnh tp trung ti VPCT. Mi mt min s c mt domain administrator qun l ring min v ton b h thng s do mt system administrator qun l chung. Domain administrator ch c th xem thng tin v chnh sa trong phm vi min mnh qun l, trong khi system administrator c ton quyn vi tt c cc min trong h thng. Cu trc nhm: Mc ch ca vic chia thnh min hay nhm l h tr cc nh qun tr mt cng c qun l tp hp cc thit b theo mt quy chun. y, tt c cc thit b/ngi dng c t chc thnh cc nhm vi cc yu cu ging nhau v iu kin bo mt. Nhm c th bao gm cc thnh phn di 2 dng: ngi dng (user) v thit b
(computer). C th t chc cc nhm theo nhiu tiu ch khc nhau: v tr a l hay phng ban chc nng. Cu trc nhm khi thit k gii php kim sot truy cp nn tng ng vi cu trc thc t ca doanh nghip thun tin cho vic qun l. Nh trng hp ca VMS, c th chia mi trung tm thnh cc min, cc phng ban trong mi min (ni cc thit b/ngi dng c yu cu truy cp ging nhau) li chia thnh tng nhm. Clients: Gii php ca Symantec m bo h tr vic thit lp cc client theo c 2 loi: ngi dng (user) v thit b (computer) ty theo nhu cu xy dng chnh sch bo mt. Theo nh ngha, thit b c th bao gm: laptop, desktop, server ; ngi dng l i tng truy cp c xc thc qua username v password. Bn cnh y, qun l vic truy cp ca client di vai tr ca 1 thit b hay 1 ngi dng, agent ci trn my trm phi cho php thit lp my chy theo 1 trong 2 dng user-based hoc computer-based, trnh trng hp xung t xy ra khi mt ngi dng ca nhm ny log in vo mt my khc thuc nhm khc, bi khi chnh sch ca 2 nhm l khc nhau. gii quyt trng hp ny, cn cn c vo ch gn cho my, nu ch ca my l computer-based, chnh sch ca nhm m my thuc v s c p, ngc li, nu ch ca my l user-based th chnh sch ca nhm m ngi dng thuc v s c p. Chnh sch (policy) Chnh sch l phn ct li ca vic qun tr, vic phn quyn truy cp cho cc my trm c thc hin trn c s cc chnh sch chun do doanh nghip xy dng. Cc chnh sch s c my ch qun l p cho tng nhm ngi dng/thit b c yu cu truy cp ging nhau. Khi my trm mun truy cp mng, agent trn my trm s thu thp thng tin v vic cp nht v tun th theo chnh sch ca my ri chuyn cho thit b kim tra, thit b ny s thc hin so snh vi cc yu cu trn my ch qun l v nhn thng tin v quyn truy cp, sau s thc hin cp quyn truy cp cho my trm da trn thng tin ny. n gin trong vic xy dng v trin khai cc chnh sch cho nhm/clients, gii php h tr vic xy dng 2 loi chnh sch: dng chung (shared-policy) v ring (unsharedpolicy). Chnh sch chung l chnh sch c p cho bt k nhm no, mt h thng c th c nhiu chnh sch dng chung. Chnh sch ring l chnh sch c p cho mt
nhm nht nh. Cc chnh sch chung c s dng do tnh d sa i v thay th khi p cho cc nhm, tuy nhin, i vi cc nhm cn cc quyn truy cp ring, duy nht, khi y cn s dng cc chnh sch ring. Tnh nng ca h thng qun l chnh sch: H thng qun l chnh sch c ci t trn cc my ch qun l chnh sch t ti 5 a im: VPCT, Trung tm I, Trung tm II, Trung tm III v Trung tm IV( trong h my ch qun l chnh sch ti VPCT cng ng thi kim sot trc tip chnh sch ca Trung tm V). H tr mi trng mng ln, qun l tp trung chnh sch ti VP trung tm v thc hin ng b chnh sch gia cc trung tm thng qua k thut nhn bn d liu. H tr c ch backup cho my ch chnh sch trung tm m bo tnh hot ng lin tc ca h thng. C kh nng h tr cc chnh sch lin quan n: o Antivirus, antispyware o Firewall (quy nh cc lut v cho php hay ngn chn cc lu thng trong mng) o Ngn chn xm nhp (IPS) o Tnh ton vn ca my trm (m bo chnh xc cc bn v, phin bn, bng thng tin cp nht v virus, ... c ci t trn my trm) o Gim st cc ng dng v thit b (USB, Bluetooth, hng ngoi, hay cc chun kt ni nh: FireWire, ni tip, song song, SCSI, v PCMCIA) o Chnh sch cp nht (xc nh ni m cc my trm cn lin lc ly cc bn v v cp nht, cng nh quy nh tn sut cp nht ca my trm ) b. Tc nhn (agent) trn my trm ca Symantec: Symantec Network Access Control Agent l thnh phn quan trng ca h thng kim sot truy cp. Agent c chc nng thu thp thng tin v trng thi ca vic tun th cc chnh sch
c p cho my trm, sau gi n thit b kim tra xc mnh cc thng tin ny v phn quyn truy cp cho my. Agent m bo c kh nng n gin khi trin khai xung cc my trm, c bit i vi h thng ln tit kim chi ph, thi gian trin khai, cng nh thun tin cho quy trnh bo tr v sau. Cc tnh nng ca Symantec Access Control Agent c th nh sau: - Mt agent duy nht m bo tnh n gin khi trin khai. H tr a h iu hnh (Windows XP, Vista, 2000, 2003), Linux, MacOS. - Trin khai trn 5000 my trm - Agent c kh nng thu thp cc thng tin v: o o o o duyt o Ngoi ra, c th ty bin thu thp thng tin v cc thng s khc ca Phin bn virus ang chy Tn sut v tnh cp nht ca cc bng thng tin virus Phin bn v cu hnh ca tng la c nhn trn cc my trm Cc bn v mi nht v service pack cho h iu hnh cng nh trnh
mi my trm nh: phin bn, bn v ca cc ng dng, cu hnh ca h iu hnh v trnh duyt, cu hnh ca Windows registry, trng thi ca cc thit b lu tr di ng (USB, Bluetooth, hng ngoi) ... - Agent c th chy theo 3 ch : o o Ci c nh trn my trm (s dng cho cc my trong h thng) Ci khi c yu cu v t xa khi my trm ngt kt ni mng (s dng cho
cc my khng b qun l c nh: my khch, my ca i tc, ...). o Khng cn ci t, s dng cng ngh qut thu thp thng tin, p dng
cho my chy cc h iu hnh nh Unix

c. B kim tra( Symantec LAN Enforcer) B kim tra l thnh phn trung gian gia chc nng qun l chnh sch v cc agent. Chc nng ny nhn thng tin thu thp t cc agent ca my trm gi ln, thc hin so snh vi cc chnh sch c quy nh c trn chc nng qun l chnh sch, sau cn c vo kt qu so snh ny phn quyn truy cp cho my trm.. B kim tra s c ci t ti 6 a im: VPCT, Trung tm I, Trung tm II, Trung tm III, Trung tm IV v Trung tm V. Nhn thng tin cp nht v chnh sch t my ch lu tr chnh sch Nhn thng tin do cc agent cung cp, so snh vi cc chnh sch v cp quyn truy cp cho my trm. H tr cc truy cp qua VPN, Wireless, RAS; cc giao thc 802.1x, DHCP H tr la chn ci phn mm trn chnh cc my trm kim tra tnh hp l v phn quyn cho my trm , kh nng ny gip my trm t bo v trong trng hp b kim tra b li. nng cao tnh sn sng ca h thng, cc thit b kim tra c kh nng trin khai theo ch fail-over mi im nh m hnh di. Bo co v log v trng thi hot ng ca cc thit b kim tra c th theo di trc tip t ca s ca h thng my ch qun l chnh sch.
Hnh 6: M hnh fail-over cho cc b kim tra qua DHCP server
3.3
C ch kim sot truy cp ca h thng
Cc my trm c th truy cp vo h thng qua nhiu cch thc khc nhau: wireless, VPN, RAS i vi cc my nm ngoi h thng hay qua my ch DHCP, cc switch h tr chun 802.1x i vi cc my trong h thng. Ty thuc vo nhu cu ca h thng, c th thit k s dng mt (hoc tt c) trong 3 c ch kim sot truy cp sau: a. Truy cp qua gateway Thit b kim sot truy cp qua gateway c s dng nh mt thit b ni tuyn t gia cc my trm ngoi h thng v cc thit b nh my ch VPN, my ch RAS hay thit b wireless. Cc thit b ny c s dng bo v cc my ch trong h thng, m bo ch
cc my trm bn ngoi c xc thc v tin cy c th truy cp vo h thng my ch ny. Thng thng, cc thit b ny c t ti cc a im c: VPN Wireless LAN Dial-up (RAS)
Khch hng hay cc i tc c th c cp quyn truy cp qua VPN hay RAS do cc chnh sch bo mt c th c trin khai trn my ca h. Nu cc my trm ny khng tha mn chnh sch, thit b kim tra s chn vic truy cp ti cc ti nguyn v chuyn kt ni my trm ti mt my ch remediation, ti , my trm c th ti v ci t phn mm virus cng nh cc bn v. Vic kim sot quyn truy cp ca my trm qua gateway c thc hin theo cc bc sau: Khi c mt my trm mun truy cp vo mng, thit b kim tra trc tin s kim tra my trm c ang chy agent khng, nu chy, s tin hnh xc thc cho my . Agent ci trn my trm s thc hin thu thp thng tin lin quan n vic tun th cc yu cu v chnh sch trn my trm, cc thng tin ny sau c s chuyn cho thit b kim tra km vi thng tin nh danh ca thit b . Thit b kim tra s xc minh vi my ch qun l chnh sch v tnh hp l ca agent v tnh cp nhp ca cc chnh sch bo mt. Thit b kim tra tip tc xc minh my trm m bo tun th y cc chnh sch truy cp hay cha. Nu tt c cc bc trn u qua, thit b kim tra s cho php my trm truy cp vo mng. Ngc li, nu my trm cha tun th ng theo cc chnh sch yu cu, thit b kim tra s thc hin cc thao tc sau: o Gim st v ghi li cc s kin xy ra o Chn quyn truy cp ca my trm
o Hng my trm kt ni ti mt vng trong mng my trm c th cp nht y theo ng cc chnh sch xc thc quyn truy cp qua gateway, cho php ngi qun tr cu hnh nhng a ch IP no cn xc thc v nhng a ch no c th cho qua m khng cn xc thc. cp nht my trm nhm tun th ng theo cc chnh sch, cho php cu hnh my trm truy cp ti mt my ch remediation ly cc bn v, bn cp nht, ... Nu my trm cha ci agent, cho php kt ni my trm ti a ch download v ci t agent trc khi thc hin xc thc cc chnh sch truy cp.
Hnh 7: M hnh kim sot truy cp qua gateway b. Truy cp qua switch h tr 802.1x Cc thit b kim sot truy cp qua switch h tr 802.1x hot ng vi vai tr nh mt RADIUS proxy, thit b ny kt ni vi cc switch h tr c ch xc thc EAP/802.1x v thng c cu hnh vi 2 hay nhiu VLANs. Cc agent trn my trm s chuyn thng tin thu thp ti switch qua giao thc EAPOL (EAP over LANs). Switch s chuyn thng tin ny ti thit b kim tra tin hnh xc thc.
Gii php kim sot truy cp cho php cu hnh mt tp cc hnh ng trn thit b kim tra x l my trm trong trng hp xc thc khng m bo cc iu kin. V d: nu s dng cc switch c kh nng cu hnh VLAN ng, thit b kim tra cho php chuyn kt ni my trm ti mt VLAN (remediation VLAN) cp nht cc bn v ,... Vic xc thc quyn truy cp c thc hin thng qua chun 802.1x y l chun c dng xc nh truy cp trong h thng mng LAN c dy hoc khng dy chun ny cung cp mt framework xc thc v gim st ngi dng trong mt h thng mng cn m bo an ton. S dng giao thc EAP v mt my ch xc thc (v d my ch RADIUS) xc thc v cp quyn truy cp cho ngi dng.
Hnh 8: M hnh xc thc vi chun 802.1x Cc thnh phn ca m hnh xc thc vi chun 802.1x bao gm: Authenticator: cc switch h tr 802.1x Authentication server: my ch RADIUS
Supplicant: cc my trm cn truy cp
i vi h thng xc thc qua chun 802.1x, cc thit b kim tra s lm vic vi Authenticator ( y l cc switch h tr chun 802.1x). Thng qua cc switch ny, thit b kim tra s s dng giao thc EAPOL giao tip vi agent trn cc my cn xc thc. Quy trnh xc thc iu kin truy cp s c thc hin nh sau: My trm (c ci agent) yu cu truy cp mng Switch gi mt gi yu cu xc thc EAP Agent nhn gi yu cu v tr li thng tin v m bo yu cu tun th Switch gi cc thng tin ti thit b kim tra
Hnh 9: M hnh kim sot truy cp qua cc switch h tr 802.1x Thit b kim tra s tr li switch v vic phn VLAN truy cp cho my trm da trn kt qu xc thc. Kt qu xc thc s tht bi nu my trm khng m bo tun th theo ng cc chnh sch hoc agent cha cp nht y thng tin v chnh sch mi. Nu cc switch h tr vic cu hnh VLAN ng, switch v thit b kim tra c th cu hnh chuyn my trm ti cc VLAN khc nhau da trn kt qu xc thc. Nu kt qu xc
thc thnh cng th cho php my trm truy cp v lm vic bnh thng, ngc li, s chuyn kt ni my trm ti cc remediation VLAN my trm cp nht y thng tin yu cu trc khi c th truy cp bnh thng. c. H tr truy cp qua my ch DHCP Cc thit b kim sot truy cp qua my ch DHCP c thit k nh cc thit b ni tuyn (inline) t gia cc my trm v my ch DHCP.
Hnh 10: M hnh h tr truy cp qua my ch DHCP Cc my trm mun truy cp vo mng s gi mt yu cu v cp a ch. Cc switch/router s chuyn yu cu ny ti thit b kim tra. Trc khi chuyn yu cu cp a ch ti my ch DHCP, thit b kim tra s tin hnh xc thc vic tun th cc chnh sch trn my trm cn truy cp.
Nu vic xc thc thnh cng, thit b kim tra s chuyn yu cu a ch ti my ch DHCP thng thc hin cp a ch truy cp cho my trm truy cp v lm vic bnh thng. Ngc li, nu xc thc tht bi (do my trm khng m bo cc yu cu v chnh sch cn tun th), thit b kim tra s chuyn yu cu a ch ti mt my ch DHCP cch ly (quarantine DHCP), my ch ny s cp cho my trm mt a ch truy cp vo vng m ti , my trm c th cp nht m bo tun theo ng cc chnh sch trc khi c th truy cp bnh thng. (My ch DHCP thng v DHCP cch ly c th cu hnh trn cng mt my ch vt l). Quy trnh xc thc v phn quyn truy cp qua my ch DHCP s c thc hin nh sau: Khi c mt my trm mun truy cp vo mng, thit b kim tra trc tin s kim tra my trm c ang chy agent khng, nu chy, s tin hnh quy trnh xc thc cho my . Agent ci trn my trm s thc hin thu thp thng tin lin quan n vic tun th cc yu cu v chnh sch trn my trm, cc thng tin ny sau s c chuyn cho thit b kim tra km vi thng tin nh danh ca thit b . Thit b kim tra s xc minh vi my ch qun l chnh sch v tnh hp l ca agent v tnh cp nhp ca cc chnh sch bo mt. Thit b kim tra tip tc xc minh my trm m bo tun th y cc chnh sch truy cp hay cha Nu tt c cc buc trn u qua, thit b kim tra s chuyn yu cu v a ch ti my ch DHCP thng v cp a ch truy cp cho my trm; ngc li, s chuyn yu cu ti my ch DHCP cch ly, my ch ny s cp 1 a ch cho my trm truy cp vo my ch remediation, tin hnh cp nht nhm tun th ng theo cc yu cu trc khi c th truy cp v lm vic bnh thng.
3.4
C ch xc thc
ph hp vi c s h tng hin ti ca VMS (h tr xc thc qua RAS v RADIUS), gii php m bo h tr 3 c ch xc thc sau: Xc thc quyn qun tr
Xc thc ngi dng v thit b Xc thc agent
Xc thc quyn qun tr c thc hin thng qua vic s dng SecureID vi phng php kim tra hai thnh phn (two-factor authentication). thc hin c ch ny, h thng cn m bo c: My ch RSA ACE/Server RSA PIN, token cho ngi truy cp
Gii php m bo h tr cc c ch truy cp RSA sau: RSA SecurID token (not software RSA tokens) RSA SecurID card RSA keypad card (not RSA smart cards)
Xc thc ngi s dng v thit b thng qua my ch xc thc c tch hp sn vi h thng AD qun l ti khon ngi dng hin ti. Vic xc thc gia my trm v my ch xc thc s c m ha v bo mt mt khu ca ngi dng khi ngi dng gi cc mt khu xc nhn. Phn mm xc thc Cisco ACS 4.2 m o cc yu t sau: m bo tnh nng qun l tp chung chnh sch bo mt cho cc Users v thit b truy nhp vo mng. H tr nhiu c ch xc thc v kim sot khc nhau nh: Qun tr thit b: Cho php xc thc, cp quyn v kim tra cc ti khon Admin ng nhp vo thit b mng Remote Accesss: cho php kim sot v xc thc vi cc h thng VPN, Remote Accesss nh (Accesss Servers, Router, Dial-up,) 802.1x LAN: H tr cc tnh nng kim sot truy nhp Accesss List i vi tng users v da trn tnh nng 802.1x cho tng cng mng.
NAC: H tr lm vic vi cc my ch Policy & Audit nhm kim sot cc chnh sch truy nhp.
Cc tnh nng chnh: AAA protocols: h tr cc giao thc xc thc RADIUS v TACACS+ Tch hp LDAPs: Tch hp vi cc h thng Windows Active Directory, Lightweight Directory Access Protocol (LDAP), v Open Database Connectivity (ODBC). H tr vi h thng xc thc mnh a yu t nh RSA SecurID Authentication Manager v RADIUS token servers. Authentication protocols: H tr cc giao thc xc thc nh Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, EAPGeneric Token Card (GTC), Cisco LEAP, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), v EAP-Transport Layer Security (TLS). Chnh sch truy nhp mng : Cho php cu hnh cc chnh sch truy nhp khc nhau bao gm xc thc, cp quyn, hn ch theo thi gian, cho php downloadable access control lists (dACLs), gn cc VLAN v nhiu tham s khc.. Cu hnh v qun tr tp trung
Xc thc agent: agent s dng nh danh GUID (Global Unique Identifier) t xc thc vi b kim tra (enforcer) v my ch qun l. My ch qun l c th tch hp vi AD ng b cc nhm cng nh ngi dng/thit b nhm mc ch n gin ha vic qun tr. OU v users c np t AD hoc LDAP nhn bn sang my ch qun l. Sau khi c xc thc vi my ch qun tr, vic truy nhp vo mng, ng dng v cc ti nguyn khc s c thc hin thng qua cc chnh sch rng buc tng ng cho ngi dng/thit b .
3.5
Cc tnh nng khc ca h thng

Ngoi cc yu cu tnh nng trn, Phn mm gim st truy cp mng ca Symantec m bo cc tnh nng sau: Tng thch hon ton vi h thng c s h tng hin ti ca VMS, h tr cc thit b mng v phn cng t nhiu nh cung cp khc nhau. H tr nng cp v cp nht trong thi gian 3 nm. Ring cc thit b kim tra, h tr ch bo hnh trong 3 nm. H tr tch hp vi phn mm bo mt v qun l tt c t mt ca s tp trung duy nht. Tch hp vi h thng my ch Mcafee Remediation Manager. Gii php kim tra my khi truy cp vo mng c ci McAffee RM client ca h thng khng. Nu khng, phi ci t chng trnh client (ca ng zone y). Vic ci t phi ht sc n gin v trc quan vi ngi s dng. H tr kim sot vic ci t cc phn mm anti-virus ca nhiu hng khc nhau: TrendMicro, Mcafee, Sophos, CA, Symantec H tr vic chy script kim sot cc chnh sch lin quan n vic ci t cc ng dng theo nhu cu ca VMS. C kh nng chy c lp hoc h tr tch hp vi cc gii php Network Access Control ca nhiu hng khc (kh nng m rng tn dng cc tnh nng khc ca cc sn phm Network Access Control khc nhau) Cc chnh sch c th mt trong 2 loi: chnh sch dng chung (shared-policy) dng chung cho nhiu nhm, chnh sch ring (unshared-policy) ring theo yu cu tng nhm. Trong trng hp my trm khng p ng yu cu truy cp, h thng s chuyn kt ni my trm ti cc vng c lu cc bn v, bn cp nht v t ng cp nht my trm p ng ng theo cc chnh sch (auto remediation). m bo tnh linh
hot v trong sut vi ngi s dng, yu cu cc my trm khng nht thit phi c quyn admin thc hin iu ny. C kh nng xut bn bo co: o Theo lch t trc o Ty bin theo nhu cu ngi qun tr o T ng gi qua mail
4.
DANH MC CC SN PHM CHO THU
Trn c s kin trc v tnh nng ca gii php kim sot truy cp ca hng Symantec, cn c vo cc yu cu ca Cng ty thng tin di ng. Chng ti xin xut s dng cc danh mc v s lng sn phm c th nh sau:
4.1
Trang b 05 my ch xc thc IBM x3650

Trang b 05 my ch xc thc IBM x3650 c cu hnh c bn nh sau: CPU RAM LAN Storage DVD-ROM/CD Power 02 x Quad-Core(3.16GHz, 12MB L2 /1333MHz FSB 4GB, up to 48GB Integrated dual Gigabit Ethernet 02 x 146GB 2.5in HDD, RAID 1 Controller Integrated DVD-ROM/CD-RW Redundant/Hotswap AC Power Supply
4.2
Trang b 05 my ch qun l iu khin truy nhp mng IBM x3650

Trang b 05 my ch qun l iu khin truy cp mng IBM x3650 c cu hnh c bn nh sau:
CPU RAM LAN Storage DVD-ROM/CD Power
02 x Quad-Core(3.16GHz, 12MB L2 /1333MHz FSB 4GB, up to 48GB Integrated dual Gigabit Ethernet 02 x 146GB 2.5in HDD, RAID 1 Controller Integrated DVD-ROM/CD-RW Redundant/Hotswap AC Power Supply
4.3
Trang b 05 my ch qun l chnh sch IBM x3650

Trang b 05 my ch qun l chnh sch IBM x3650 c cu hnh c bn nh sau: 02 x Quad-Core(3.16GHz, 12MB L2 /1333MHz FSB 4GB, up to 48GB Integrated dual Gigabit Ethernet 02 x 146GB 2.5in HDD, RAID 1 Controller Integrated DVD-ROM/CD-RW Redundant/Hotswap AC Power Supply
CPU RAM LAN Storage DVD-ROM/CD Power
4.4
Trang b my tnh xch tay Sony VaiO

H thng NAC khi a vo hot ng i hi tnh sn sng (High Avaibility) rt cao v phi m bo sn sng hot ng cho tt c cc kt ni t cc my tnh trn ton Cng ty. iu ny i hi ngi qun tr h thng NAC thng xuyn phi truy cp qun tr h thng, theo di v x l s c. m bo cho vic qun tr h thng 24/7, cn thit trang b my tnh xch tay cho ngi qun tr h thng NAC, cho php ngi qun tr h thng truy cp t xa ti bt c im no c kt ni internet, thc hin kt ni vi a ch ngoi ca h thng qun tr VPN x l, khc phc cc s c. Cu hnh my tnh xch tay phc v qun tr h thng 24/7 c cu hnh ti thiu nh sau: CPU RAM HDD Display DVD Connections OS Duo Processor 2.5 GHz 2 GB DDR2 250 GB 13.3 WXGA DVD-RW Double Layer Wi-Fi 802.11a/b/g/n, BlueTooth Windows Vista Business
4.5
Trang b phn mm qun l truy cp cho 5000 User bn quyn cp nht
trong 3 nm
Chng ti xut trang b phn mm qun l truy cp cho 5000 User vi bn quyn cp nht trong 3 nm vi s lng c th nh sau: STT 1 Hng ha Phn mm qun l truy cp S lng 5000
1.1
Phn mm NAC Agent cho PC/Laptop ( n v tnh l user license) SYMC ENDPOINT PROTECTION 11.0 BNDL STD 12706461 LIC EXPRESS BAND F ESSENTIAL 12MO 12706518 SYMC ENDPOINT PROTECTION 11.0 ESSENTIAL12 MONTHS EXPRESS BAND F SYMC ENDPOINT PROTECTION 11.0 ESSENTIAL12 MONTHS EXPRESS BAND F
12706518 1.2
Phn mm NAC cho my ch ( n v tnh l user license) SYMC NETWORK ACCESS CONTROL 11.0 BNDL 12707006 STD LIC EXPRESS BAND F ESSENTIAL 12MO 12707058 SYMC NETWORK ACCESS CONTROL ESSENTIAL- 12 MONTHS EXPRESS BAND F SYMC NETWORK ACCESS CONTROL ESSENTIAL- 12 MONTHS EXPRESS BAND F 11.0
11.0
12707058 1.3
Phn mm Xc thc Radius & Tacacs (cho VPCT) ( n v tnh l user license) CSACS-4.2WIN-K9 CiscoSecure ACS 4.2 for Windows
4.6
Trang b 06 b kim tra truy cp cho VPCT v 5 Trung tm(Min ph)
tng cng tnh hiu qu v chnh xc ca h thng kim sot truy cp chng ti xut trang b min ph 06 b kim tra truy cp cho VPCT v 5 Trung tm khu vc. C th nh sau:
SKU Description LAN ENFORCER SYMC NETWORK ACCESS CONTROL 6100 SERIES APPLNCE BNDL BASIC 12MO AP S lng
11667118
5.
BNG P NG K THUT CHO THU
Chng ti cam kt s p ng mi yu cu v k thut c t ra trong yu cu ca gi thu: TRANG B H THNG KIM SOT TRUY CP. Xem ti liu Bng p ng k thut
6.
GII THIU CC TNH NNG K THUT CC SN PHM
CHO THU
6.1 Gii thiu phn mm Symantec Enpoint Protection
Symantec Endpoint Protection thay th Symantec AntiVirus Corporate Edition, Symantec Client Security, Symantec Sygate Enterprise Protection v Confidence Online cho PCs. Symantec Endpoint Protection bao gm Symantec AntiVirus vi tnh nng phng chng e da nng cao, cung cp kh nng bo v my tnh xch tay, my tnh bn v my ch trc cc phn mm nguy him. N cung cp cng ngh bo v cao cp nht c th trc cc him ha tinh vi hin hnh cng nh cc him ha cha tng c bit n trc y. N bao gm cng ngh ch ng phng chng cho php t ng phn tch hnh vi ca ng dng v lin lc trong h thng mng pht hin v ch ng ngn chn cc mi him ha. ng thi, n cng cung cp tnh nng iu khin thit b v ng dng qun l hnh ng v bo mt d liu. Symantec Endpoint Protection tch hp hon ton nhng kh nng bo mt cao cp ny trong mt tc nhn duy nht v mt giao din qun tr duy nht gim chi ph, phc tp v kh khn trong vic qun tr vi nhiu sn phm bo mt thit b u cui khc nhau. Dng sn phm Symantec Endpoint Protection
Nhng kh khn ca ngi s dng
Gii php ca Symantec
Kt hp nhiu cng ngh bo mt u cui cao cp Nhiu mi trng bo mt Cung cp giao din qun tr tp trung duy nht, gim gnh u cui phc tp nng qun tr Bo v d liu, email v cc Cung cp kh nng phng chng him ha cao cp t cc thit b Non-window t cc him ha nhn dng hoc cha c nhn dng him ha gia tng Gim chi ph vi vic qun Gim chi ph mua sm, h tr v duy tr vi vic s dng tr nhiu gii php bo mt mt tc nhn v mt giao din qun tr tp trung duy nht u cui khc nhau Minh chng cc nguyn tc/chun ha trong v ngoi p t cc chnh sch bo mt u cui (v d: cc dch v phng chng virus v tng la phi c bt ln trc khi vi cc chnh sch bo mt c php kt ni vo h thng mng ca doanh nghip p t cc chnh sch bo mt email trong doanh nghip
THNG TIN V GII PHP Symantec Endpoint Protection cung cp kh nng bo v khng tng ng t nhng cuc tn cng tinh vi nht bng cch kt hp cng ngh Symantec Antivirus vi kh nng phng chng him ha cp cao v n gin ha vic qun tr bo mt u cui, gip ngi s dng c th tit kim thi gian v chi ph trong khi bo v c thng tin v kinh doanh. Khng ging cc i th cnh tranh khc, Symantec Endpoint Protection cung cp kh nng bo v hng u th gii trong mt tc nhn duy nht m khng cn phi thm vo bt c ti nguyn phc tp no ngi s dng c th qun tr bo mt u cui mt cch d dng v hon ton tin tng rng cc thng tin v d liu kinh doanh c bo v. Symantec Endpoint Protection c th c kt hp vi cc sn phm khc ca Symantec cho ra cc gii php sau y: IT Policy Compliance: cung cp cc cng c qun tr thng dng v d dng, gip qun tr cc quy trnh chun ha h thng IT, m bo tnh ti mt, sn sng v thng nht ca cc thng tin nguyn tc vi mt cch thc ch ng, lin tc v hiu qu. Enterprise Security: cc sn phm hng u vi cc sn phm thuc dng Endpoint Security, Security Management, and Messaging Security s phi hp vi Symantec Endpoint
Protection phc v cho cc i tng c cng mc tiu trong vic qun tr ri ro h thng doanh nghip. Global Consulting and Education Services: cho vic o to, kim tra, thit k v trin khai. Cc c hi ty chn Symantec Network Access Control: Symantec Endpoint Protection v Symantec Network Access Control s dng cng mt tc nhn v giao din qun tr tp trung, cung cp cho doanh nghip cc cng c cn thit gim s phc tp ca qun tr v chi ph u t thp hn cho bo mt u cui. Symantec Critical System Protection: dnh cho cc mi trng c nhiu h iu hnh my ch khc nhau, ngoi cc mi trng ang c h tr trong gii php Symantec Endpoint Protection, Symantec Critical System Protection cung cp cc tnh nng nh Intrusion Prevention cho cc h iu hnh UNIX v Linux; ngoi vic h tr cc my ch Windows. Symantec Mobile Security Suite: phin bn 5.0 m rng kh nng bo v v chun ha cho cc thit b khng s dng Windows Mobile, cung cp tnh nng Symantec Antivirus cho c cc thit b khng chy h iu hnh Windows Mobile nh Symbian v Palm OS. Symantec On-Demand Protection Solution: m rng kh nng bo v u cui cho cc thit b khng c qun tr bng cch bo v h thng trc cc truy nhp thng qua cc ng dng dng web, nh webmail (MS Outlook Web Access), v d liu ti xung u cui trong phin truy nhp ca ngi s dng. CC TNH NNG V LI CH CHNH Nhng tnh nng no mi trong Symantec Endpoint Protection 11.0 TNH NNG LI CH Bo v ton din chng li cc him ha c bit hoc cha bit Bo v a lp Bo v chng li cc him ha tinh vi nh him ha zero-day v rootkit Gip m bo tnh xuyn sut qua cc gi d liu chnh so vi cc sn phm khc loi Kh nng Raw Disk
qut Pht hin v loi tr cc rootkit kh nht m cc nh cung cp khc b qua
Tit kim thi gian, chi ph v hiu nng vi vic khi phi ci t li cc my tnh b nhim Kha cc tn cng Kha tt c cc cuc tn cng thm d l hng bo mt mi vi mt thm d l hng du hiu nhn dng duy nht bo mt thng Kha tt c cc phn mm c trc khi n kp xm nhp vo h dng thng Cho php ngi qun tr ton quyn iu khin cc du hiu nhn Kim tra cc gi dng chng xm nhp tri php v iu chnh mc bo v cho h d liu thng ca h. Pht hin chnh xc cc phn mm c m khng cn thit lp cc Ch ng qut cc cu hnh nguyn tc cng nh lo ngi mc chnh xc him ha Cung cp kh nng bo v chnh xc hn i vi cc phn mm c Ngn chn phn mm c hi pht tn hoc ph hoi u cui iu khin dng ng Phong ta u cui nhm trnh mt d liu Cho php ngi qun tr hn ch cc tc v c nguy c gy nguy him Ngn chn cc thng tin b mt v nhy cm b nh cp t u cui (mt d liu) Ngn chn cc u cui khi b ly nhim virus c pht tn t cc thit b ngoi vi Chi ph u t thp hn cho bo mt u cui Gim tc v qun tr Tc nhn duy nht Cung cp giao din chuyn bit v tp trung cho tc v bo co, qun l license v bo tr Khng c bt c thay i no i vi u cui khi trin khai gii php Symantec Network Access Control Giao din qun tr Chi ph u t thp hn cho bo mt u cui duy nht Gim tc v qun tr
iu khin thit b
Cung cp giao din chuyn bit v tp trung cho tc v bo co, qun l license v bo tr Khng c bt c thay i no i vi u cui khi trin khai gii php Symantec Network Access Control iu khin cc tc v qun tr n gin ha giao Thn thin vi ngi s dng din u cui Di chuyn trc quan H tr Dirctory Qun tr phn quyn Active Gim cc n lc qun tr Tng hiu qu hot ng theo Cung cp kh nng qun tr linh hot Tng hiu qu hot ng Gim cc n lc qun tr
Qun l v trin khai cc bn v li Bao gm cc cng c trin khai ng lot cc bn v li cho cc u cui ca gii php Symantec Endpoint Protection (Ty chn) Symantec Network Nn tng duy nht qun tr bo v v chun ha u cui Access Control
6.2
Gii thiu phn mm Symantec Network Access Control
Tng quan SymantecTM Network Access Control (H thng Kim sot Truy cp Mng ca SymantecTM) l mt gii php kim sot truy cp mng t u n cui, hon chnh m cho php cc t chc kim sot c hiu qu v an ton cc truy cp n cc h thng mng ca cng ty thng qua s hp nht vi h tng mng hin c. Bt k cc thit b u cui c th kt ni nh th no vi h thng mng, SymantecTM Network Access Control pht hin v nh gi tnh trng tun th ca cc thit b u cui, cung cp kh nng truy cp mng thch hp, cung cp kh nng sa cha, nu cn, v lin tc gim st cc thit b u cui i vi nhng thay i v tnh trng tun th. Kt qu l mt mi trng mng ni cc cng ty c th gim ng k cc s c v an ninh v nng cao mc tun th vi chnh sch bo mt CNTT ca cng ty.
SymantecTM Network Access Control gip vic trin khai v qun l kim sot truy cp mng thnh mt mc tiu c th t c v hiu qu chi ph. Cho cc thit b u cui quyn truy cp, khng ch l nhng ngi s dng Trong mi trng s dng my tnh ngy nay, cc t chc v cc nh qun tr mng ang i mt vi thch thc cung cp truy cp n cc ngun ti nguyn ca cng ty cho cng ng ngi s dng ang tng trng. iu ny bao gm c nhn vin cng nh khch hng, nh thu, v cc nhn vin tm thi khc ang ti cng ty v ngoi cng ty. Trc y cha bao gi c mt gnh nng duy tr tnh trng nguyn vn ca mi trng mng thch thc hn hin nay. Khng cn na vic chp nhn cho truy cp vo mng m khng cn kim tra. Vi s gia tng ng k v s lng v loi thit b u cui kt ni truy cp vo h thng ca h, cc t chc phi c kh nng kim tra s lnh mnh v tnh hnh ca cc thit b u cui, c trc khi kt ni n cc ngun ti nguyn v trn c s lin tc sau khi kt ni. SymantecTM Network Access Control gip m bo rng cc thit b u cui tun th vi cc chnh sch CNTT trc khi chng c php kt ni vo h thng mng LAN, WAN, WLAN hoc VPN ca cng ty. Cc li ch ch yu Cc t chc trin khai SymantecTM Network Access Control s tri nghim nhiu li ch c th o lng c nh sau: Gim lan truyn cc on m nguy him nh virus, worm, spyware v cc hnh thc ti phm khc. Gim ri ro profile thng qua s gia tng kim sot cc thit b u cui khng c qun l hoc c qun l truy cp n h thng mng ca cng ty. Tnh trng sn sng ca h thng mng ln hn v gim tnh trng lm gin on cc dch v cho ngi s dng cui cng. Thng tin tun th ca t chc c th kim tra c thng qua d liu tun th ca thit b u cui thi gian thc. Gim thiu tng chi ph s hu nh l kt qu ca kin trc qun l tp trung, hng doanh nghip. Kim tra cc u t an ninh ca thit b u cui nh phn mm chng virus v cc tng la bo v khch hng c th c php mt cch thch hp. S hp nht lin mch vi SymantecTM Endpoint Protection. Cc c im Chnh Quy trnh Kim sot Truy cp Mng ca Symantec Quy trnh hot ng ca SymantecTM Network Access Control (kim sot truy cp mng) Quy trnh SymantecTM Network Access Control l mt quy trnh y nhim vic bao ph kim sot ln tt c cc loi thit b u cui v cc loi mng. Quy trnh ny bt u cng vic kim sot trc khi kt ni mng v tip tc kim sot trong sut thi gian kt ni. Tng t nh cc quy trnh kim sot ca cng ty, chnh sch CNTT l c s nh gi v kim sot.
Quy trnh ny bao gm 4 bc: 1. Pht hin v nh gi cc thit b u cui. iu ny xy ra khi cc thit b u cui c ni mng v trc khi cc thit b u cui ny truy cp vo cc ngun d liu. Thng qua vic tch hp vo h tng mng hin hu v s dng phn mm agent thng minh, nh qun tr mng c th tin chc rng cc thit b mi ang ni mng c nh gi theo cc yu cu ti thiu ca chnh sch CNTT. 2. Cung cp kh nng truy cp mng. Ch cho php truy cp mng ton din sau khi cc h thng c nh gi v xc nh l tun th chnh sch CNTT. Cc h thng khng tun th hoc khng p ng cc yu cu an ton ti thiu cho t chc s b kim tra cho php truy cp c gii hn hoc khng cho truy cp vo mng. 3. Sa cha cc thit b u cui khng tun th chnh sch. Kh nng t ng sa cha cc thit b u cui khng tun th chnh sch cho cc nh qun tr mng quyn nhanh chng a cc thit b u cui ny vo ch tun th chnh v sau thay i kh nng truy cp mng. Nh qun tr mng c th t ng ha hon ton quy trnh sa cha ny, kt qu l to ra mt quy trnh sa cha rt r rng i vi ngi s dng cui cng, hoc cung cp thng tin cho ngi s dng h sa cha theo phng php nhn cng. 4. Ch ng theo di vic tun th chnh sch. Vic tun th chnh sch l vic phi thc hin ton thi gian. V th, SymantecTM Network Access Control ch ng theo di tnh hnh tun th chnh sch ca tt c cc thit b u cui theo lch trnh do nh qun tr mng ci t. Nu, vo bt k thi im no, tnh trng tun th chnh sch ca thit b u cui thay i th quyn truy cp mng ca thit b u cui cng s thay i. bao ph rng i vi thit b u cui Mng bao gm cc h thng mng mi v c ca cng ty, nh thu, khch, public kiosk, i tc kinh doanh v cc h thng khc cha xc nh. Nh qun tr mng thng ch c th kim sot c cht t hoc chng kim sot c h thng qun l ca nhiu thit b u cui ny, song nhim v ca h l phi bo m an ton v kh nng kt ni ca mng. SymantecTM Network Access Control gip cc t chc a quy trnh kim sot truy cp mng vo cc thit b, d c c qun l hay khng, c hay mi, bit hay cha bit. Kh nng trin khai trong bt k loi mng no Ngi s dng in hnh, l cng ty, thc hin ni mng theo nhiu phng php; do , nh qun tr phi linh ng p dng vic nh gi v kim sot kt ni mt cch nht qun, bt k hnh thc ni mng ra sao. L mt trong cc gii php kim sot truy cp mng lu nm nht trn th trng hin nay, SymantecTM Network Access Control cho php nh qun tr mng ch ng trong vic bt buc tun th chnh sch thng qua cc u t hin hu vo h tng mng m khng cn nng cp thit b mng. D s dng mt trong cc gii php SymantecTM Network Access Control Enforcer c tch hp trc tip vo mng hay
khng th ty chn v vic bt buc tun th chnh sch ch p dng cho my ch khng i hi phi tch hp h thng mng hay phi c mt phn mm agent c th c tch hp vo mi trng ng dng Web, cc t chc c th tin chc rng ngi s dng cui cng v cc thit b u cui tng thch vi thit b u cui vo mng ca mnh. Kin trc ca SymantecTM Network Access Control Kin trc ca SymantecTM Network Access Control bao gm 3 thnh phn ct li: qun l chnh sch, nh gi thit b u cui v yu cu tun th chnh sch ca mng. C 3 thnh phn ny hp li thnh mt gii php khng phi ph thuc vo yu t tnh nng bn ngoi. Qun l v bo co v chnh sch tp trung iu c ngha ln nht trong hot ng c hiu qu ca bt k gii php no l bng iu khin vi hng dnh cho doanh nghip. Phn mm SymantecTM Endpoint Protection Manager cung cp mt console da trn cng ngh JavaTM nhm to ra, trin khai, qun l v bo co hot ng ca thit b buc tun th (Enforcer) v phn mm agent mt cch tp trung. Phn mm ny c th cn chnh thch ng vi hu ht cc mi trng c i hi cao trn th gii, ngi qun l chnh sch thc hin kim sot granular trn tt c cc cng tc qun l trong mt kin trc c sn sng cao. nh gi thit b u cui Kim sot truy cp mng gip bo v mng trnh khi cc on m nguy him v cc thit b u cui cha xc nh hoc khng c php, tuy nhin, cng phi kim tra xem cc thit b u cui vo mng c nh cu hnh ng cha chng c bo v trc nhng tn cng trn mng. Bt k mc tiu ra sao, quy trnh ny bt u bng vic nh gi thit b u cui. D vic kim tra kh nng chng virus, chng spyware v cc chng trnh p v c ci t l nhng yu cu chung, ti thiu cn phi c khi cho php truy cp mng nhng hu ht cc t chc nhanh chng pht trin vt ra ngoi cc yu cu ti thiu ny sau khi thc hin vic kim sot truy cp mng ban u. SymantecTM Network Access Control a ra 3 cng ngh nh gi thit b u cui khc hn khi xc nh tnh tng thch ca thit b u cui: Cc agent kin tr hot ng Cc h thng mng ca cng ty v cc h thng mng khc c qun l s dng agent do nh qun tr ci t xc nh tnh trng tng thch. Agent ny kim tra kh nng chng virus, chng spyware v cc chng trnh p v c ci t cng nh cc c im v hin trng ca h thng phc tp, v d: vic truy cp i hi phi ng k trc, cc quy trnh hot ng v cc thuc tnh file. Cc agent kin tr cung cp nhng thng tin ng tin cy, chnh xc v chi tit v tnh tng thch ca h thng ng thi a ra cc gii php sa cha linh hot v nh gi tnh nng sa cha ca h thng. Cc agent t kt thc i vi nhng thit b hoc cc h thng khng phc v cng ty khng c nh qun l qun l, cc agent da trn Java s c cung ng khi c yu cu nhng khng c c quyn qun tr nh gi tnh trng tng thch ca thit b u cui. Khi xong cng vic, cc agent ny t ng xa khi h thng. Qut d t xa bit kh nng d b tn cng (ca h thng) Qut d t xa bit kh nng d b tn cng ca h thng s cung cp cho h tng yu cu tun th ca SymantecTM Network Access Control nhng thng tin v tnh tng thch ca h thng da trn kt qu qut d kh nng d b tn cng ca h thng, c thc hin t xa v cha c cng nhn,
thu c t thit b SymantecTM Network Access Control Scanner. Scan t xa m rng tnh nng thu thp thng tin cho nhng h thng hin cha c cng ngh ny da trn agent. Bt buc tun th chnh sch Mi trng mng ca mi t chc c pht trin rt khc nhau, v kt qu l khng c mt phng php bt buc no c kh nng kim sot mt cch c hiu qu vic truy cp vo cc thit b u cui trn mng. Cc gii php kim sot truy cp mng phi linh hot d tch hp cc phng php bt buc ny vo mi trng mng ang s dng m khng lm tng chi ph qun l v bo dng. SymantecTM Network Access Control cho php bn c chn phng php bt buc (tun th chnh sch) thch hp nht cho cc phn on mng khc nhau m khng lm tng phc tp trong vn hnh hoc tng chi ph. Mi phng php bt buc (tun th chnh sch), c xy dng trn nn tng mng, ch c th tm thy di dng mt phn mm hoc mt b phn thit b. Thit b LAN Enforcer 802.1X l mt gii php proxy 802.1X RADIUS cm ngoi, ph hp vi cc loi switch ph bin, h tr chun 802.1X. Thit b LAN Enforcer c th tham gia vo cu trc qun l nhn dng AAA hin s dng xc nhn ngi s dng v cc thit b u cui, hoc l mt gii php RADIUS c lp dng cho nhng mi trng mng ch i hi phi xc nhn tnh tng thch ca thit b u cui. LAN Enforcer cho php truy cp vo cng chuyn i ty theo kt qu xc nhn ca cc thit b u cui kt ni. Thit b DHCP Enforcer c trin khai cng hng gia cc thit b u cui v h tng dch v DHCP hin c v nh l mt proxy DHCP. Cc ch nh thu DHCP hn ch c gi n tt c cc thit b u cui cho n khi vic tun th chnh sch c kim tra, vo thi im mt DHCP lease c gn cho thit b u cui. S hp nht thit b DHCP Enforcer vi phn mm Microsoft DHCP Server plug-in cho php trin khai nhanh kim sot truy cp mng khng cn trin khai thit b b sung cho mng. Gateway Enforcer l thit b buc tun th cng hng s dng trong cc im b chn ca mng. N kim sot dng thng tin lu thng qua thit b da trn s tun th chnh sch ca ca cc thit b u cui t xa. D im b chn cc im ni mng vng ngoi, nh cc ng ni WAN hoc VPNs, hoc cc phn on bn trong truy cp h thng kinh doanh quan trng, thit b Gateway Enforcer cung cp truy cp c kim sot n cc ngun ti nguyn v cc dch v sa cha. T buc tun th c tc dng n by cc kh nng tng la da trn my ch trong phm vi phn mm Symantec Protection Agent iu chnh cc chnh sch agent cc b theo tnh trng tun th ca thit b u cui. iu ny cho php cc qun tr mng kim sot truy cp n bt k mng no, m hoc tt h thng mng ca cng ty, cho cc thit b nh my tnh xch tay m thng di chuyn gia nhiu mng.
6.3
Gii thiu phn mm xc thc Cisco ACS 4.2

Cisco ACS 4.2 m bo tnh nng qun l tp chung chnh sch bo mt cho cc Users v thit b truy nhp vo mng. H tr nhiu c ch xc thc v kim sot khc nhau nh: Qun tr thit b: Cho php xc thc, cp quyn v kim tra cc ti khon Admin ng nhp vo thit b mng Remote Accesss: cho php kim sot v xc thc vi cc h thng VPN, Remote Accesss nh (Accesss Servers, Router, Dial-up,) 802.1x LAN: H tr cc tnh nng kim sot truy nhp Accesss List i vi tng users v da trn tnh nng 802.1x cho tng cng mng. NAC: H tr lm vic vi cc my ch Policy & Audit nhm kim sot cc chnh sch truy nhp. Cc tnh nng chnh: AAA protocols: h tr cc giao thc xc thc RADIUS v TACACS+ Tch hp LDAPs: Tch hp vi cc h thng Windows Active Directory, Lightweight Directory Access Protocol (LDAP), v Open Database Connectivity (ODBC). H tr vi h thng xc thc mnh a yu t nh RSA SecurID Authentication Manager v RADIUS token servers. Authentication protocols: H tr cc giao thc xc thc nh Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, EAPGeneric Token Card (GTC), Cisco LEAP, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), v EAP-Transport Layer Security (TLS). Chnh sch truy nhp mng : Cho php cu hnh cc chnh sch truy nhp khc nhau bao gm xc thc, cp quyn, hn ch theo thi gian, cho php
downloadable access control lists (dACLs), gn cc VLAN v nhiu tham s khc.. Cu hnh v qun tr tp trung
Xc thc agent: agent s dng nh danh GUID (Global Unique Identifier) t xc thc vi b kim tra (enforcer) v my ch qun l. My ch qun l c th tch hp vi AD ng b cc nhm cng nh ngi dng/thit b nhm mc ch n gin ha vic qun tr. OU v users c np t AD hoc LDAP nhn bn sang my ch qun l.
6.4
Gii thiu my ch IBM System x3650
IBM System x3650
My ch IBM System x3650 c mt s tnh nng k thut ni tri sau y: H tr ti a 2 b vi x l Intel Xeon Dual-Core 5100 Series hoc Intel Xeon QuadCore 5300 Series. B vi x l Dual-Core 5100 Series cho tc ti a ln ti 3.0GHz mi core, 1333MHz FSB v 4MB L2 Cache. B vi x l Quad-Core 5300 series cho tc ti a ln ti 2.66GHz mi core, 1333MHz FSB v 8MB L2 Cache. y l 2 b vi x l Dual-Core v Quad-Core mi nht cho dng my ch 2 processor. B vi x l ny h tr cng ngh EM64T ca Intel (Intel Extended Memory 64 Technology). Vi cng ngh ny, my ch x3650 c kh nng h tr ng thi cc ng dng 32-bit v 64-bit. B nh s dng cng ngh mi vi tc nhanh l PC2-5300 DDR2 tc 5300 MB/s. H tr dung lng b nh ti a ln n 48GB B nh c tnh sn sng cao nh cng ngh Chipkill, Online spare, memory mirroring ca IBM My ch IBM x3650 h tr ti 8 disk-bays chun SAS c tnh nng thay nng (hotswap), cho dung lng ti a ln ti 1.8TB. H tr ti 4 PCI slots chun Active PCI-X 2.0 64-bit v chun PCI-Express. Cc khe Khe cm tc cao rt ph hp vi nhng card i hi tc cao nh cc HBA kt ni vi t a ngoi. Tch hp sn 2 cng mng Gigabit Tnh nng t ng phn tch chn on (Enhanced Predictive Failure Analysis) nhiu thnh phn quan trng ca my ch trc khi chng b hng nh cng, b nh RAM, b vi x l , qut, b iu khin ngun cho CPU, power supplies.
n chn on li (Light path diagnostics) ca cc thnh phn my ch gip pht hin nhanh linh kin b li (thanh RAM, qut, b vi x l, b iu khin ngun cho CPU, ngun) Phn mm qun tr IBM Director Systems Management min ph c nhiu tnh nng ni tri, cho php ngi dng c th qun l h thng my ch mt cch d dng. H tr nhiu mi trng h iu hnh khc nhau nh :Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Server, Microsoft Windows Server 2003 Enterprise Edition, Microsoft Windows Server 2003 Standard Edition, Red Hat Enterprise Linux Advanced Server 3.0, SUSE LINUX Enterprise Server 9, Windows Server 2003, Enterprise x64 Edition (64 bit), Windows Server 2003, Standard x64 Edition (64 bit)
7.
KT LUN
Vi gi thu ny, chng ti cam kt hon ton c kh nng p ng c mt cch tt nht vi ng cc yu cu m nh thu a ra.

Đề Xuất Giải Pháp Kỹ Thuật: Công Ty Cổ Phần Đầu Tư Phát Triển Công Nghệ Fpt

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Đề Xuất Giải Pháp Kỹ Thuật: Công Ty Cổ Phần Đầu Tư Phát Triển Công Nghệ Fpt

Uploaded by

Copyright:

Available Formats

CNG TY C PHN U T PHT TRIN CNG NGH FPT

XUT GII PHP K THUT

Gi thu: TRANG B H THNG KIM SOT TRUY CP MNG

Ch u t: CNG TY THNG TIN DI NG

H ni, thng 12 nm 2008

HIU BIT V H S THU

PHN TCH HIN TRNG H THNG

S cn thit u t h thng kim sot truy cp mng

Hnh 3: Bng tng kt v t l spam ca cc nc chu Thi Bnh Dng

Tng thi gian v hiu qu hot ng ca h thng vi kh nng t ng cp nht my trm ph hp vi cc yu cu bo mt

XUT GII PHP TRANG B H THNG KIM SOT

Hnh 4: M hnh truy cp ti 1 im

Kin trc gii php ca Symantec

Hnh 5: Cc thnh phn ca h thng kim sot truy cp

Tnh nng h thng kim sot truy cp ca Symantec

cho my chy cc h iu hnh nh Unix

Hnh 6: M hnh fail-over cho cc b kim tra qua DHCP server

C ch kim sot truy cp ca h thng

Supplicant: cc my trm cn truy cp

Xc thc ngi dng v thit b Xc thc agent

Cc tnh nng khc ca h thng

DANH MC CC SN PHM CHO THU

Trang b 05 my ch xc thc IBM x3650

Trang b 05 my ch qun l iu khin truy nhp mng IBM x3650

CPU RAM LAN Storage DVD-ROM/CD Power

Trang b 05 my ch qun l chnh sch IBM x3650

CPU RAM LAN Storage DVD-ROM/CD Power

Trang b my tnh xch tay Sony VaiO

Trang b phn mm qun l truy cp cho 5000 User bn quyn cp nht

Trang b 06 b kim tra truy cp cho VPCT v 5 Trung tm(Min ph)

BNG P NG K THUT CHO THU

GII THIU CC TNH NNG K THUT CC SN PHM

Nhng kh khn ca ngi s dng

Gii php ca Symantec

qut Pht hin v loi tr cc rootkit kh nht m cc nh cung cp khc b qua

Gii thiu phn mm Symantec Network Access Control

Gii thiu phn mm xc thc Cisco ACS 4.2

Gii thiu my ch IBM System x3650

IBM System x3650

You might also like