Điều khiển truy xuất

Bi 6:
Kin thc c s v iu khin truy cp

Cng c li bi 5
Qun tr mt mng bo mt
Cc giao thc mng ph bin
Cc nguyn tc qun tr mng
Bo mt cho cc ng dng mng (SV t c)
Bo mt mng khng dy
Tn cng vo mng khng dy
Cc im yu trong bo mt 802.1x
Cc gii php bo mt mng khng dy
Qun tr mt mng bo mt
Cc giao thc mng ph bin
Cc nguyn tc qun tr mng
Bo mt cho cc ng dng mng (SV t c)
Bo mt mng khng dy
Tn cng vo mng khng dy
Cc im yu trong bo mt 802.1x
Cc gii php bo mt mng khng dy
Bi 6 - Kin thc c s v iu khin truy cp 2
Mc tiu ca bi hc
nh ngha iu khin truy cp v lit k bn m hnh iu
khin truy cp
M t cc phng php iu khin truy cp l gc
Gii thch cc kiu iu khin truy cp vt l khc nhau
nh ngha cc dch v xc thc
Gii thiu
Nhng c s quan trng trong lnh vc bo mt thng
tin
Kim tra ngi dng c chp thun
iu khin vic truy cp ca h
Chng ny s gii thiu cc nguyn tc v phng
php iu khin truy cp thc tin
Thut ng lin quan ti iu khin truy cp
Bn m hnh iu khin truy cp tiu chun
Phng php iu khin truy cp thc tin tt nht
Chng ny cng cp ti cc dch v xc thc
Nhng c s quan trng trong lnh vc bo mt thng
tin
Kim tra ngi dng c chp thun
iu khin vic truy cp ca h
Chng ny s gii thiu cc nguyn tc v phng
php iu khin truy cp thc tin
Thut ng lin quan ti iu khin truy cp
Bn m hnh iu khin truy cp tiu chun
Phng php iu khin truy cp thc tin tt nht
Chng ny cng cp ti cc dch v xc thc
Bi 6 - Kin thc c s v iu khin truy cp
4
iu khin truy cp l g?
Cp php hoc t chi ph duyt s dng cc ti
nguyn xc nh
C ch ca h thng thng tin cho php hoc hn ch
truy cp n d liu hoc cc thit b
Bn m hnh tiu chun
Cc phng php thc tin thc thi iu khin truy
cp
Cp php hoc t chi ph duyt s dng cc ti
nguyn xc nh
C ch ca h thng thng tin cho php hoc hn ch
truy cp n d liu hoc cc thit b
Bn m hnh tiu chun
Cc phng php thc tin thc thi iu khin truy
cp
Cc thut ng v
iu khin truy cp (1/2)
Trnh din
Xut trnh cc y quyn
V d: ngi vn chuyn hng xut trnh th nhn vin
Xc thc
Kim tra, xc minh cc y quyn
V d: kim tra th ca ngi vn chuyn hng
y quyn
Cp quyn thc hin hnh ng
V d: cho php ngi vn chuyn hng c cht kin
hng ln xe
Trnh din
Xut trnh cc y quyn
V d: ngi vn chuyn hng xut trnh th nhn vin
Xc thc
Kim tra, xc minh cc y quyn
V d: kim tra th ca ngi vn chuyn hng
y quyn
Cp quyn thc hin hnh ng
V d: cho php ngi vn chuyn hng c cht kin
hng ln xe
6
Hnh ng M t V d tnh hung Qu trnh trn
my tnh
Nhn din Xem xt cc y
quyn
Ngi vn chuyn
hng xut trnh th
nhn vin
Ngi dng nhp
tn ng nhp
Xc thc Xc minh cc y
quyn c thc s
chnh xc hay khng
Mia c thng tin
trn th xc nh
nhng thng tin
c thc hay khng
Ngi dng cung
cp mt khu
Cc bc iu khin
truy cp c bn
Xc minh cc y
quyn c thc s
chnh xc hay khng
Mia c thng tin
trn th xc nh
nhng thng tin
c thc hay khng
Ngi dng cung
cp mt khu
y quyn Cp quyn cho php Mia m ca cho
php ngi vn
chuyn hng i vo
Ngi dng ng
nhp hp l
Truy cp Quyn c php
truy cp ti cc ti
nguyn xc nh
Ngi vn chuyn
hng ch c th ly
cc hp cnh ca
Ngi dng c
php truy cp ti
cc d liu c th
Cc thut ng lin quan ti
iu khin truy cp (2/2)
i tng
Ti nguyn c th
V d: file hoc thit b phn cng
Ch th
Ngi dng hoc qu trnh hot ng i din cho mt
ngi dng
V d: ngi dng my tnh
Thao tc
Hnh ng do ch th gy ra i vi mt i tng
V d: xa mt file
i tng
Ti nguyn c th
V d: file hoc thit b phn cng
Ch th
Ngi dng hoc qu trnh hot ng i din cho mt
ngi dng
V d: ngi dng my tnh
Thao tc
Hnh ng do ch th gy ra i vi mt i tng
V d: xa mt file
Vai tr M t Trch nhim V d
Ch s hu Ngi chu trch
nhim v thng tin
Xc nh mc bo
mt cn thit i vi
d liu v giao ph
cc nhim v bo
mt khi cn.
Xc nh rng ch
nhng ngi qun
l ca c quan mi
c th c c
file SALARY.XLSX
Ngi gim
st
C nhn m mi
hnh ng thng
ngy ca anh ta do
ch s hu quy nh
Thng xuyn r
sot cc thit lp
bo mt v duy tr
cc bn ghi truy cp
ca ngi dng
Thit lp v r sot
cc thit lp bo
mt cho file
SALARY.XLSX
Cc vai tr trong
iu khin truy cp
Ngi gim
st
C nhn m mi
hnh ng thng
ngy ca anh ta do
ch s hu quy nh
Thng xuyn r
sot cc thit lp
bo mt v duy tr
cc bn ghi truy cp
ca ngi dng
Thit lp v r sot
cc thit lp bo
mt cho file
SALARY.XLSX
Ngi dng Ngi truy cp
thng tin trong
phm vi trch nhim
c giao ph
Tun th ng cc
ch dn bo mt ca
t chc v khng
c c vi phm
bo mt
M file
SALARY.XSLX
Qu trnh iu khin truy cp
v cc thut ng lin quan
Cc m hnh iu
khin truy cp (1/2)
Cc tiu chun cung cp nn tng c s (framework)
c nh trc cho cc nh pht trin phn cng hoc
phn mm
c s dng thc thi iu khin truy cp trong thit
b hoc ng dng
Ngi gim st c th cu hnh bo mt da trn yu
cu ca ch s hu
Cc tiu chun cung cp nn tng c s (framework)
c nh trc cho cc nh pht trin phn cng hoc
phn mm
c s dng thc thi iu khin truy cp trong thit
b hoc ng dng
Ngi gim st c th cu hnh bo mt da trn yu
cu ca ch s hu
Cc m hnh iu
khin truy cp (2/2)
Bn m hnh iu khin truy cp chnh
iu khin truy cp bt buc
(Mandatory Access Control - MAC)
iu khin truy cp ty
(Discretionary Access Control - DAC)
iu khin truy cp da trn vai tr
(Role Based Access Control - RBAC)
iu khin truy cp da trn quy tc
(Rule Based Access Control - RBAC)
Bn m hnh iu khin truy cp chnh
iu khin truy cp ty
(Discretionary Access Control - DAC)
(Role Based Access Control - RBAC)
- MAC (1/4)
L m hnh iu khin truy cp nghim ngt nht
Thng bt gp trong cc thit lp ca qun i
Hai thnh phn: Nhn v Cp
M hnh MAC cp quyn bng cch i chiu nhn ca
i tng vi nhn ca ch th
Nhn cho bit cp quyn hn
xc nh c m mt file hay khng:
So snh nhn ca i tng vi nhn ca ch th
Ch th phi c cp tng ng hoc cao hn:
i tng c cp php truy cp
L m hnh iu khin truy cp nghim ngt nht
Thng bt gp trong cc thit lp ca qun i
Hai thnh phn: Nhn v Cp
M hnh MAC cp quyn bng cch i chiu nhn ca
i tng vi nhn ca ch th
Nhn cho bit cp quyn hn
xc nh c m mt file hay khng:
So snh nhn ca i tng vi nhn ca ch th
Ch th phi c cp tng ng hoc cao hn:
i tng c cp php truy cp
- MAC (2/4)
Hai m hnh thc thi ca MAC
M hnh mng li (Lattice model)
M hnh Bell-LaPadula
M hnh mng li
Cc ch th v i tng c gn mt cp bc trong
mng li
Nhiu mng li c th c t cnh nhau
M hnh Bell-LaPadula
Tng t m hnh mng li
Cc ch th khng th to mt i tng mi hay thc
hin mt s chc nng nht nh i vi cc i tng c
cp thp hn
Hai m hnh thc thi ca MAC
M hnh mng li (Lattice model)
M hnh Bell-LaPadula
M hnh mng li
Cc ch th v i tng c gn mt cp bc trong
mng li
Nhiu mng li c th c t cnh nhau
M hnh Bell-LaPadula
Tng t m hnh mng li
Cc ch th khng th to mt i tng mi hay thc
hin mt s chc nng nht nh i vi cc i tng c
cp thp hn
- MAC (3/4)
V d v vic thc thi m hnh MAC
Windows 7/Vista c bn cp bo mt
Cc thao tc c th ca mt ch th i vi phn hng
thp hn phi c s ph duyt ca qun tr vin
Hp thoi User Account Control (UAC) trong Windows
15
iu khin truy cp
ty (DAC) (1/3)
iu khin truy cp ty (DAC)
M hnh t hn ch nht
Mi i tng u c mt ch s hu
Ch s hu c ton quyn iu khin i vi i tng
ca h
Ch s hu c th cp quyn i vi i tng ca mnh
cho mt ch th khc
c s dng trn cc h iu hnh nh Microsoft
Windows v hu ht cc h iu hnh UNIX
iu khin truy cp ty (DAC)
M hnh t hn ch nht
Mi i tng u c mt ch s hu
Ch s hu c ton quyn iu khin i vi i tng
ca h
Ch s hu c th cp quyn i vi i tng ca mnh
cho mt ch th khc
c s dng trn cc h iu hnh nh Microsoft
Windows v hu ht cc h iu hnh UNIX
16
iu khin truy cp
ty (DAC) (2/3)
Nhc im ca DAC
Ph thuc vo quyt nh ca ngi dng thit lp cp
bo mt ph hp
Vic cp quyn c th khng chnh xc
Quyn ca ch th s c tha k bi cc chng trnh
m ch th thc thi
Trojan l mt vn c bit ca DAC
Nhc im ca DAC
Ph thuc vo quyt nh ca ngi dng thit lp cp
bo mt ph hp
Vic cp quyn c th khng chnh xc
Quyn ca ch th s c tha k bi cc chng trnh
m ch th thc thi
Trojan l mt vn c bit ca DAC
iu khin truy cp
ty (DAC) (3/3)
iu khin truy cp
da trn vai tr (RBAC)
(Role Based Access Control RBAC)
Cn c gi l iu khin Truy cp khng ty
Quyn truy cp da trn chc nng cng vic
RBAC gn cc quyn cho cc vai tr c th trong t chc
Cc vai tr sau c gn cho ngi dng
(Role Based Access Control RBAC)
Cn c gi l iu khin Truy cp khng ty
Quyn truy cp da trn chc nng cng vic
RBAC gn cc quyn cho cc vai tr c th trong t chc
Cc vai tr sau c gn cho ngi dng
iu khin truy cp
da trn quy tc (RBAC)
T ng gn vai tr cho cc ch th da trn mt tp quy
tc do ngi gim st xc nh
Mi i tng ti nguyn cha cc thuc tnh truy cp da
trn quy tc
Khi ngi dng truy cp ti ti nguyn, h thng s kim
tra cc quy tc ca i tng xc nh quyn truy cp
Thng c s dng qun l truy cp ngi dng ti
mt hoc nhiu h thng
Nhng thay i trong doanh nghip c th lm cho vic p
dng cc quy tc thay i
T ng gn vai tr cho cc ch th da trn mt tp quy
tc do ngi gim st xc nh
Mi i tng ti nguyn cha cc thuc tnh truy cp da
trn quy tc
Khi ngi dng truy cp ti ti nguyn, h thng s kim
tra cc quy tc ca i tng xc nh quyn truy cp
Thng c s dng qun l truy cp ngi dng ti
mt hoc nhiu h thng
Nhng thay i trong doanh nghip c th lm cho vic p
dng cc quy tc thay i
Tn Hn ch M t
iu khin truy cp bt
buc (MAC)
Ngi dng khng th
thit lp iu khin
L m hnh nghim ngt
nht
iu khin truy cp ty
(DAC)
Ch th c ton quyn
i vi cc i tng
L m hnh ci m nht
Tm tt cc m hnh
iu khin truy cp
iu khin truy cp da
trn vai tr (RBAC)
Gn quyn cho cc vai
tr c th trong t chc,
sau ngi dng s
c ch nh vai tr
c coi l phng php
thc t hn
iu khin truy cp da
trn quy tc (RBAC)
T ng gn vai tr cho
cc ch th da trn tp
cc quy tc do ngi
gim st qui nh
c s dng qun l
truy cp ngi dng ti
mt hoc nhiu h thng
Cc bi thc hnh tt nht
i vi iu khin truy cp
Thit lp cc th tc ti u hn ch truy cp
C th gip m bo an ton cho h thng v d liu
Cc v d v phng php ti u
Tch nhim v (separation of duties)
Lun chuyn cng vic (job rotation)
c quyn ti thiu (least privilege)
T chi ngm nh (implicit deny)
Cc ngy ngh l bt buc (mandatory vacation)
Thit lp cc th tc ti u hn ch truy cp
C th gip m bo an ton cho h thng v d liu
Cc v d v phng php ti u
Tch nhim v (separation of duties)
Lun chuyn cng vic (job rotation)
c quyn ti thiu (least privilege)
T chi ngm nh (implicit deny)
Cc ngy ngh l bt buc (mandatory vacation)
Tch nhim v
Hnh vi gian ln c th bt ngun t vic tin cy vo
mt c nhn v cho php h ton quyn iu khin mt
qu trnh
Yu cu phi c t nht hai ngi chu trch nhim cho
cc hot ng lin quan ti qun l tin
Gip h thng khng b xm hi do hnh vi ca mt c
nhn n l
Hnh vi gian ln c th bt ngun t vic tin cy vo
mt c nhn v cho php h ton quyn iu khin mt
qu trnh
Yu cu phi c t nht hai ngi chu trch nhim cho
cc hot ng lin quan ti qun l tin
Gip h thng khng b xm hi do hnh vi ca mt c
nhn n l
Lun chuyn cng vic
Lun chuyn cng vic
Lun chuyn trch nhim cng vic ca cc c nhn theo
nh k
Cc nhn vin c th c thuyn chuyn cng vic ngay
trong phng ban ca h hoc gia cc phng ban vi nhau
u im ca vic lun chuyn cng vic
Hn ch thi gian ti v ca cc c nhn h khng th
thao tng cc cu hnh bo mt
Gip vch trn cc con ng tim n dn n gian ln
Mi c nhn c mt quan im khc nhau v iu c th
gip pht hin ra cc l hng
Gim bt cng thng mt mi cho nhn vin
Lun chuyn cng vic
Lun chuyn trch nhim cng vic ca cc c nhn theo
nh k
Cc nhn vin c th c thuyn chuyn cng vic ngay
trong phng ban ca h hoc gia cc phng ban vi nhau
u im ca vic lun chuyn cng vic
Hn ch thi gian ti v ca cc c nhn h khng th
thao tng cc cu hnh bo mt
Gip vch trn cc con ng tim n dn n gian ln
Mi c nhn c mt quan im khc nhau v iu c th
gip pht hin ra cc l hng
Gim bt cng thng mt mi cho nhn vin
24
u tin t nht
Gii hn truy cp ti thng tin da trn nguyn tc ch
c bit nhng g phc v cho cng vic
Gip gim thiu b mt tn cng thng qua vic loi b
cc c quyn khng cn thit
Nn p dng cho ngi dng v tin trnh trn h
thng
Cc tin trnh nn hot ng cp bo mt ti thiu
cn thit hot ng chnh xc
Cm d gn cc mc u tin cao hn cng rt ln
Gii hn truy cp ti thng tin da trn nguyn tc ch
c bit nhng g phc v cho cng vic
Gip gim thiu b mt tn cng thng qua vic loi b
cc c quyn khng cn thit
Nn p dng cho ngi dng v tin trnh trn h
thng
Cc tin trnh nn hot ng cp bo mt ti thiu
cn thit hot ng chnh xc
Cm d gn cc mc u tin cao hn cng rt ln
25
Kin thc c s v iu khin truy cp
Th thch Gii thch
Cc ng dng k tha Nhiu ng dng c pht trin trong ni b t
chc v khng cn c bo tr hoc l ng dng
ca mt bn th ba khng cn c h tr. Vic
xy dng li cc ng dng ny c th mt chi ph
ln; mt cch thay th l chy cc ng dng trn
mt mi trng o
Nhng th thch ca
phng php u tin t nht
26
Nhiu ng dng c pht trin trong ni b t
chc v khng cn c bo tr hoc l ng dng
ca mt bn th ba khng cn c h tr. Vic
xy dng li cc ng dng ny c th mt chi ph
ln; mt cch thay th l chy cc ng dng trn
mt mi trng o
Cc nhim v qun tr
chung
Nhng cng vic qun tr h thng c bn c
thc hin bi ngi dng; nu khng c c quyn
cao, ngi dng phi lin h vi tr l k thut
thc hin nhng nhim v ny
Ci t/Nng cp phn
mm
Vic cp nht phn mm khng c trin khai tp
trung c th i hi c quyn cao, ngha l cn ti
s h tr t tr l k thut; iu ny thng dn ti
lm gim nng sut v tng chi ph h tr
T chi ngm
Nu mt iu kin khng p ng r rng, yu cu truy
cp s b t chi
V d: b nh tuyn mng t chi cc truy cp ngoi tr
khi iu kin ph hp vi cc quy tc gii hn
Nu mt iu kin khng p ng r rng, yu cu truy
cp s b t chi
V d: b nh tuyn mng t chi cc truy cp ngoi tr
khi iu kin ph hp vi cc quy tc gii hn
27
Cc k ngh bt buc
Hn ch gian ln v th phm phi c mt hng ngy
che du hnh vi gian ln ca mnh
Ln k hoch kim tra hnh vi ca nhn vin gi chc
v nhy cm trong sut thi gian ngh
Hn ch gian ln v th phm phi c mt hng ngy
che du hnh vi gian ln ca mnh
Ln k hoch kim tra hnh vi ca nhn vin gi chc
v nhy cm trong sut thi gian ngh
28
Thc thi iu khin truy cp
Danh sch iu khin truy cp
(Access Control List - ACL)
Chnh sch nhm (Group Policy)
Gii hn ti khon
(Access Control List - ACL)
Chnh sch nhm (Group Policy)
Gii hn ti khon
29
Danh sch iu
khin truy cp (1/2)
Tp cc quyn gn vi mt i tng
Xc nh ch th no c th truy cp ti i tng v
cc thao tc no m ch th c th thc hin
Khi ch th yu cu thc hin mt thao tc:
H thng kim tra danh sch iu khin truy cp i vi
mc c duyt
Danh sch iu khin truy cp thng c xem xt
trong mi lin h vi cc file ca h iu hnh
Tp cc quyn gn vi mt i tng
Xc nh ch th no c th truy cp ti i tng v
cc thao tc no m ch th c th thc hin
Khi ch th yu cu thc hin mt thao tc:
H thng kim tra danh sch iu khin truy cp i vi
mc c duyt
Danh sch iu khin truy cp thng c xem xt
trong mi lin h vi cc file ca h iu hnh
30
File cha cc quyn
truy cp trong UNIX
31
Danh sch iu
khin truy cp (2/2)
Mi mt mc trong bng danh sch iu khin truy cp
c gi l mt mc iu khin (ACE)
Cu trc ACE (trong Windows)
Nhn dng bo mt (Access identifier) cho ti khon ngi
dng hoc ti khon nhm hoc phin ng nhp
Mt n truy cp (access mask) xc nh quyn truy cp do
ACE iu khin
C (Flag) cho bit kiu ca ACE
Tp cc c (Set of flags) xc nh i tng c th k tha
cc quyn hay khng
Mi mt mc trong bng danh sch iu khin truy cp
c gi l mt mc iu khin (ACE)
Cu trc ACE (trong Windows)
Nhn dng bo mt (Access identifier) cho ti khon ngi
dng hoc ti khon nhm hoc phin ng nhp
Mt n truy cp (access mask) xc nh quyn truy cp do
ACE iu khin
C (Flag) cho bit kiu ca ACE
Tp cc c (Set of flags) xc nh i tng c th k tha
cc quyn hay khng
32
Chnh sch nhm
Tnh nng ca Microsoft Windows
Cho php s dng Active Directory (AD) qun l v
cu hnh tp trung cho cc my tnh v ngi dng t xa
Thng c s dng trong cc mi trng doanh
nghip
Cc thit lp c lu tr trong cc GPO (Group Policy
Objects i tng chnh sch nhm)
Local Group Policy
C t ty chn hn so vi Group Policy
c s dng cu hnh cc thit lp cho cc h thng
khng phi l mt phn ca AD
Tnh nng ca Microsoft Windows
Cho php s dng Active Directory (AD) qun l v
cu hnh tp trung cho cc my tnh v ngi dng t xa
Thng c s dng trong cc mi trng doanh
nghip
Cc thit lp c lu tr trong cc GPO (Group Policy
Objects i tng chnh sch nhm)
Local Group Policy
C t ty chn hn so vi Group Policy
c s dng cu hnh cc thit lp cho cc h thng
khng phi l mt phn ca AD
33
Gii hn ti khon (1/3)
Gii hn thi gian trong ngy (time of day restriction)
Gii hn s ln ngi dng ng nhp vo h thng
trong mt ngy
Cho php chn khi thi gian chn i vi cc truy cp
c cho php
C th c thit lp trn tng h thng ring l
Hn s dng ti khon (account expiration)
Cc ti khon m ci (orphaned account): ti khon
vn cn hot ng sau khi mt nhn vin ri khi t chc
Ti khon khng hot ng (dormant account): khng
truy cp trong mt khong thi gian di
C hai kiu ti khon trn l nhng nguy c i vi bo
mt
Gii hn thi gian trong ngy (time of day restriction)
Gii hn s ln ngi dng ng nhp vo h thng
trong mt ngy
Cho php chn khi thi gian chn i vi cc truy cp
c cho php
C th c thit lp trn tng h thng ring l
Hn s dng ti khon (account expiration)
Cc ti khon m ci (orphaned account): ti khon
vn cn hot ng sau khi mt nhn vin ri khi t chc
Ti khon khng hot ng (dormant account): khng
truy cp trong mt khong thi gian di
C hai kiu ti khon trn l nhng nguy c i vi bo
mt
34
Gii hn thi gian trong
ngy ca h iu hnh
35
Gii hn i vi im
truy cp khng dy
36
Cc khuyn co x l i vi ti khon m ci v ti
khon ng ng
Thit lp mt qui trnh chnh thc
Chm dt truy cp ngay lp tc
Qun l nht k (file log)
Cc ti khon m ci vn l mt vn nan gii i
cc t chc hin nay
Account expiration (thi gian hiu lc ca ti khon)
Thit lp ht hn cho mt ti khon ngi dng (ht hiu
lc)
Cc khuyn co x l i vi ti khon m ci v ti
khon ng ng
Thit lp mt qui trnh chnh thc
Chm dt truy cp ngay lp tc
Qun l nht k (file log)
Cc ti khon m ci vn l mt vn nan gii i
cc t chc hin nay
Account expiration (thi gian hiu lc ca ti khon)
Thit lp ht hn cho mt ti khon ngi dng (ht hiu
lc)
37
Password expiration (thi gian hiu lc ca mt khu)
thit lp khong thi gian m ngi dng phi thay i
mt mt khu mi
Khc vi account expiration (thi gian hiu lc ca ti
khon)
Account expiration c th c thit lp bng s ngy
m ngi dng khng c bt c hnh ng truy cp no
Password expiration (thi gian hiu lc ca mt khu)
thit lp khong thi gian m ngi dng phi thay i
mt mt khu mi
Khc vi account expiration (thi gian hiu lc ca ti
khon)
Account expiration c th c thit lp bng s ngy
m ngi dng khng c bt c hnh ng truy cp no
38
Cc dch v xc thc
Xc thc (Authentication)
Qu trnh xc minh thng tin
Cc dch v xc thc c cung cp trn mt mng
My ch xc thc chuyn dng
Cn gi l my ch AAA nu n thc hin ng thi c
nhim v y quyn (authorization) v k ton (accounting)
Cc kiu xc thc v my ch AAA thng dng
RADIUS
Kerberos
TACACS
LDAP
Xc thc (Authentication)
Qu trnh xc minh thng tin
Cc dch v xc thc c cung cp trn mt mng
My ch xc thc chuyn dng
Cn gi l my ch AAA nu n thc hin ng thi c
nhim v y quyn (authorization) v k ton (accounting)
Cc kiu xc thc v my ch AAA thng dng
RADIUS
Kerberos
TACACS
LDAP
39
RADIUS (1/2)
RADIUS (Remote Authentication Dial In User Service -
B quay s xc thc t xa trong dch v ngi dng)
c gii thiu vo nm 1992
Tr thnh mt tiu chun cng nghip
Ph hp cho cc ng dng kim sot dch v c ln
V d nh truy cp quay s ti mng doanh nghip
Hin nay xn ang c s dng
RADIUS client
Thng l mt thit b nh im truy cp khng dy (AP)
C nhim v gi cc thng tin v ngi dng cng vi cc
tham s kt ni ti my ch RADIUS
RADIUS (Remote Authentication Dial In User Service -
B quay s xc thc t xa trong dch v ngi dng)
c gii thiu vo nm 1992
Tr thnh mt tiu chun cng nghip
Ph hp cho cc ng dng kim sot dch v c ln
V d nh truy cp quay s ti mng doanh nghip
Hin nay xn ang c s dng
RADIUS client
Thng l mt thit b nh im truy cp khng dy (AP)
C nhim v gi cc thng tin v ngi dng cng vi cc
tham s kt ni ti my ch RADIUS
40
Xc thc RADIUS
41
RADIUS (2/2)
H s ngi dng RADIUS c lu tr trong c s d
liu trung tm
Tt c cc my ch t xa u c th chia s thng tin
u im ca dch v trung tm
Tng cng bo mt do ch c duy nht mt im qun l
trn mng
D dng theo di v truy vt vic s dng thanh ton
v lu gi cc s liu thng k mng
H s ngi dng RADIUS c lu tr trong c s d
liu trung tm
Tt c cc my ch t xa u c th chia s thng tin
u im ca dch v trung tm
Tng cng bo mt do ch c duy nht mt im qun l
trn mng
D dng theo di v truy vt vic s dng thanh ton
v lu gi cc s liu thng k mng
42
Kerberos
H thng xc thc c pht trin ti MIT
S dng m ha v xc thc m bo tnh bo mt
Thng c s dng ci t trong cc thit lp gio
dc v chnh ph
Hot ng ging nh vic s dng giy php li xe
thanh ton sc.
V Kerberos
Cha cc thng tin lin quan ti ngi dng
Ngi dng trnh din v vo mng cho mt dch v
Rt kh sao chp
Ht hiu lc sau mt vi gi hoc sau mt ngy
H thng xc thc c pht trin ti MIT
S dng m ha v xc thc m bo tnh bo mt
Thng c s dng ci t trong cc thit lp gio
dc v chnh ph
Hot ng ging nh vic s dng giy php li xe
thanh ton sc.
V Kerberos
Cha cc thng tin lin quan ti ngi dng
Ngi dng trnh din v vo mng cho mt dch v
Rt kh sao chp
Ht hiu lc sau mt vi gi hoc sau mt ngy
43
TACACS
TACACS (Terminal Access Control Access Control
Systems - H thng iu khin truy cp iu khin truy
cp thit b u cui)
Dch v xc thc tng t nh RADIUS
Do Cisco Systems pht trin
Thng c s dng trn cc thit b UNIX
Giao tip bng cch chuyn tip thng tin xc thc
ngi dng ti mt my ch trung tm
Phin bn hin ti l TACACS+.
TACACS (Terminal Access Control Access Control
Systems - H thng iu khin truy cp iu khin truy
cp thit b u cui)
Dch v xc thc tng t nh RADIUS
Do Cisco Systems pht trin
Thng c s dng trn cc thit b UNIX
Giao tip bng cch chuyn tip thng tin xc thc
ngi dng ti mt my ch trung tm
Phin bn hin ti l TACACS+.
44
So snh gia RADIUS
v TACACS+
45
LDAP (1/2)
LDAP (Lightweight Directory Access Control - Giao thc
truy cp th mc hng nh)
Dch v th mc
C s d liu c lu trn mng
Cha cc thng tin v ngi dng v cc thit b mng
Lu vt theo di cc ti nguyn mng v c quyn ca
ngi dng i vi nhng ti nguyn
Cho php hoc t chi truy cp da trn thng tin lu tr
Tiu chun cho cc dch v th mc
X.500
DAP (Directory Access Protocol - Giao thc truy cp th
mc )
LDAP (Lightweight Directory Access Control - Giao thc
truy cp th mc hng nh)
Dch v th mc
C s d liu c lu trn mng
Cha cc thng tin v ngi dng v cc thit b mng
Lu vt theo di cc ti nguyn mng v c quyn ca
ngi dng i vi nhng ti nguyn
Cho php hoc t chi truy cp da trn thng tin lu tr
Tiu chun cho cc dch v th mc
X.500
DAP (Directory Access Protocol - Giao thc truy cp th
mc )
46
LDAP (2/2)
LDAP
Mt tp con n gin hn ca DAP
c thit k hot ng trn b giao thc TCP/IP
C cc chc nng n gin hn
M ha cc thnh phn giao thc theo cch n gin hn
so vi X.500
L mt giao thc m
Nhc im ca LDAP
C th l mc tiu ca tn cng tim nhim LDAP
Tng t nh tn cng tim nhim SQL
Xy ra khi d liu do ngi dng cung cp khng c lc
ng cch
LDAP
Mt tp con n gin hn ca DAP
c thit k hot ng trn b giao thc TCP/IP
C cc chc nng n gin hn
M ha cc thnh phn giao thc theo cch n gin hn
so vi X.500
L mt giao thc m
Nhc im ca LDAP
C th l mc tiu ca tn cng tim nhim LDAP
Tng t nh tn cng tim nhim SQL
Xy ra khi d liu do ngi dng cung cp khng c lc
ng cch
47
Tng kt (1/2)
iu khin truy cp l qu trnh trong cc ti nguyn
c th b t chi hoc c cp php truy cp
C bn m hnh iu khin truy cp chnh
Cc bi thc hnh tt nht thc thi iu khin truy
cp bao gm
Tch nhim v
Lun chuyn cng vic
u tin t nht
T chi ngm
K ngh bt buc
iu khin truy cp l qu trnh trong cc ti nguyn
c th b t chi hoc c cp php truy cp
C bn m hnh iu khin truy cp chnh
Cc bi thc hnh tt nht thc thi iu khin truy
cp bao gm
Tch nhim v
Lun chuyn cng vic
u tin t nht
T chi ngm
K ngh bt buc
48
Tng kt (2/2)
Thc thi cc phng php iu khin truy cp bao gm
Chnh sch nhm
Gii hn ti khon
Cc dch v xc thc c th c server AAA chuyn bit
hoc server xc thc cung cp trn mng
RADIUS
Kerberos
TACACS
LDAP
Thc thi cc phng php iu khin truy cp bao gm
Chnh sch nhm
Gii hn ti khon
Cc dch v xc thc c th c server AAA chuyn bit
hoc server xc thc cung cp trn mng
RADIUS
Kerberos
TACACS
LDAP
49

Điều khiển truy xuất

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Điều khiển truy xuất

Uploaded by

Copyright:

Available Formats

Bi 6:

Kin thc c s v iu khin truy cp

You might also like