During the graduation thesis we studied the following security technologies:
- The common firewall technologies at the Network, Transport and Application layers.
- The types, operating modes, protocols and algorithms used in VPNs.
- The operating principles of IDS/IPS and how they detect attacks.
We then built a firewall for the Hoa Sen University network and deployed a VPN and an IDS/IPS on it. Using network-device emulation software, the team built the Hoa Sen University network itself, from requirements analysis, defining user accounts, design and sketching the network model through to configuring it in the emulator. The results were encouraging:
- A better understanding of firewalls, their architecture and their functions, with an in-depth analysis of the common firewall technologies at the Network, Transport and Application layers of the OSI model.
- A study of VPNs, the protocols they use and how they work; the operating principles of IDS/IPS, the attack-detection methods and the benefits and limitations of each.
- An understanding of the steps for building an enterprise network, from requirements analysis and network diagram design to configuration, including the VPN solution and the IDS/IPS system.
- A closer look at additional technologies that raise data security, keep the network available even under failure, use system resources fully and share load across the inspecting firewall pair (Load Balancing, Failover, HSRP); user authentication with IEEE 802.1X; and VoIP to provide telephony to users.
Table 26 Comparison of firewall features across different systems ... 99
ACKNOWLEDGEMENTS
First of all, we sincerely thank the Board of Rectors of Hoa Sen University, Ho Chi Minh City, for making it possible for us to complete this graduation thesis report.
We also extend our sincere and deep thanks to the lecturers of the Faculty of Science and Technology of Hoa Sen University, who guided and helped us throughout the thesis, and especially to Mr. Dinh Ngoc Luyen, lecturer at the Faculty of Science and Technology, who directly supervised this project.
However, given the limited time and our limited knowledge and experience, this report inevitably has shortcomings. The sincere feedback of our lecturers will help us improve it and gain further knowledge and experience, which will serve us well when facing new challenges in our careers.
SUPERVISOR'S COMMENTS
Supervisor's signature
PREFACE
In the era of integration, as the need to exchange data over computer networks grows, the Internet has become extremely important, affecting every area of a country's economy, society, security and defence. In Vietnam the Internet is widely used (reaching roughly 25% of the population), and high-tech crime is rising with it; many network attacks have caused very serious consequences, paralysing security monitoring systems, destroying national databases or stealing state secrets. For businesses, network and information security is a top concern of most companies, organizations and service providers. As science and technology advance, attack methods become more sophisticated and render network security systems ineffective.
Bill Archer, President of AT&T Europe, said: "We have seen more attacks in the past six months than in the previous two years." In Vietnam in particular, this issue needs more investment and attention than ever. According to a survey by the Vietnam Computer Emergency Response Team (VNCERT) based on information security standards, 40% of Vietnamese businesses have no firewall, 70% have no information security incident handling process and 85% have no network security policy. Moreover, according to Kaspersky, in 2010 Vietnam ranked fifth among the countries suffering the most damage from network attacks (after India and the US, with China and Russia at the top). Building a network security system that protects information while preserving network performance is a pressing question for organizations not only in Vietnam but worldwide.
Seeing these risks, and out of a passion for network security techniques, our team chose the topic "Building an ASA Firewall and IPS to protect the network", hoping to give businesses a model that meets security requirements while keeping network performance. Through it we also gain knowledge that prepares us for new challenges in our careers.
PART 1: REPORT OVERVIEW
1.1 Research objectives
As mentioned, we focus on the common firewall technologies at the Network, Transport and Application layers and analyse the techniques behind VPNs in order to design and build a VPN system. To strengthen network security further, we study IDS/IPS, their operating principles and the types of IDS/IPS in common use today. Finally, we implement these techniques on the Hoa Sen University network.
1.2 Scope
Because of limited time and budget, we build and deploy the network on software that emulates real devices such as firewalls, switches and routers, chiefly the Cisco ASA firewall, one of the most widely used firewalls today, which supports:
- a complementary combination of stateful packet filtering and proxying: the ASA gives a complete view of network traffic by inspecting and analysing packets from layer 3 to layer 7.
1.3 Research methods
By combining desk research, experiments (building lab exercises to study firewall features) and analysis based on security theory and the results drawn from practice, we gained a deeper understanding of firewall technologies and of the other security techniques used in networks.
1.4 Structure of the report
Part 1: Overview of the thesis report: reasons for choosing the topic, its scope and the research methods.
Part 2: Common firewall technologies at the Network, Transport and Application layers.
Part 3: Building a VPN between the two campuses of Hoa Sen University.
Part 4: Building IDS/IPS.
Part 5: Building the firewall for the Hoa Sen University network.
PART 2: COMMON FIREWALL TECHNOLOGIES AT THE NETWORK, TRANSPORT AND APPLICATION LAYERS
2.1 The importance of information security
Information is vital to most organizations, especially in today's competitive business environment. Rapid scientific and technical progress also makes attack methods ever more sophisticated.
On 10 March 2010 Symantec published its 2010 State of Enterprise Security study, a survey of 2,100 CIOs, CISOs and IT managers from 27 countries conducted in January 2010. The study found that enterprises face increasingly frequent attacks: in the preceding 12 months, 75% of the surveyed organizations had suffered at least one network attack, with average losses of USD 2 million per year.
Figure 1: Chart of the rise in malware
Figure 2: Chart of the most common attack types today
Securing information is therefore becoming harder, because information is threatened from many directions: inside the organization, outside it, disasters and malware on the network. As new technologies for storing, transmitting and collecting information spread, the number and variety of threats grows accordingly.
Information security is not only a matter of technology; it directly affects an organization's reputation, operations and survival. It is easy to agree that building an information security system is a process that requires a large investment of time and money.
2.2 Firewall overview
2.2.1 Introduction
A firewall is a device used to limit attacks and protect important information assets according to a security policy set by an individual, a business or a government organization.
Figure 3: Firewall system
Placed behind the border router, between two network zones, the firewall filters traffic entering and leaving the network, blocking harmful flows while letting required data through. Firewalls are essential to most organizations today, especially as intrusions and attacks on networks increase. Whatever the architecture, from a personal firewall protecting a single PC to the firewall tier of a large company's or government agency's network (network firewall), the goal is the same: a resilient network that resists unauthorized intrusion and keeps data safe.
Figure 4: Firewall in a network (network firewall)
Figure 5: Personal firewall (desktop firewall)
2.2.2 Functions
A firewall controls and enforces the flow of data between the local network and the Internet; specifically it can:
- Allow or block services accessing outward or being accessed from outside.
- Monitor the data flows passing through the firewall.
- Control access by address, blocking specific addresses.
- Verify legitimate users and the rights granted to them.
- Control the content of information circulating on the network.
The firewall examines every flow entering or leaving the network to see whether it complies with the policy.
Figure 6: Firewall functions
If it does, the flow is routed between the networks; otherwise it is dropped. The firewall also manages access from outside to internal network resources, logs every attempted intrusion into the private network and quickly raises an alert when an attack is detected. It filters packets by source address, destination address and port number and, at a higher level, can also filter the content carried across the system.
2.3 Common firewall technologies at each layer
To counter ever more sophisticated attacks, people keep researching new technologies to make firewalls more secure. Today, hardware and software firewalls alike are built on the following technologies:
- Packet filtering
- NAT firewall
- Stateful packet filtering
- Proxy firewalls (application layer gateways)
- Stateful inspection firewall (SIF)
In general these technologies are built on the OSI model (Open Systems Interconnection Reference Model), since most network protocols operate according to it. To control inbound and outbound traffic tightly, firewalls therefore apply different technologies at different layers, mainly at the following three:
2.3.1 Network and Transport layers
2.3.1.1 Packet filtering
Initially the firewall only identifies the source and destination of a packet at the Network layer and the port number or protocol type (TCP/UDP) at the Transport layer, without looking at the packet's state or content. Access control is done with an access control list (ACL) that blocks basic unauthorized access and thereby limits the harmful traffic that enters. This is packet filtering, one of the simplest techniques, widely used in software and hardware firewalls and a basic function of almost every firewall. Before inspecting the content or state of a packet, a firewall first needs to confirm that the packet arrived over a trusted connection.
Figure 7: How packet filtering works
With this technique the firewall permits or denies access based on the packet type and the other fields defined in the access control list (ACL), deciding whether the packet satisfies the filter conditions from the packet header fields:
- Source IP address
- Destination IP address
- Transport protocol (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- Incoming interface of the packet
- Outgoing interface of the packet
When a packet arrives, the firewall compares it against the policy rules in order to check whether it is legitimate. If so, the packet passes through; otherwise it is dropped. In this way the firewall blocks connections to servers or trusted zones and locks access to the internal network from disallowed addresses. It can also compare the current header with that of the previous packet, which gives more information to analyse, and takes the packet's inbound and outbound interfaces into account.
Figure 8: Packet inspection in packet filtering
Advantages
- Fast processing, so it is used by most firewalls today.
- Easy to deploy, install and maintain, with low deployment cost; packet filtering is built into routers.
- Works independently of applications and has little impact on network performance.
- Transparent to users and applications.
- Does not require a highly skilled administrator.
Disadvantages. Some problems with packet filtering:
- Any packet can pass the firewall as long as it matches the policy. An attacker can exploit this by splitting malicious data across legitimate-looking packets.
- Every policy is expressed as an ACL, so a complete system requires many rules; consolidating, unifying and optimizing those rules is a major concern for most organizations.
- It is impractical for services with unpredictable port numbers, which require inspection at higher layers (Transport and above).
- No user authentication.
- Does not stop address spoofing attacks.
- Low security level: filtering criteria are based only on packet header fields, so neither content nor connection state is controlled.
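As an added example (not code from the thesis), the following Python models the ACL evaluation described above: an ordered list of header-only rules, first match wins, implicit deny at the end. The addresses, interface names and rules are invented. It also reproduces the weakness listed under the disadvantages: a stateless filter that lets replies in through an "established" rule cannot tell a genuine reply from an unsolicited inbound packet that merely has the ACK bit set.

```python
"""Stateless packet filter (ACL) evaluation.  Added example, not thesis code.
Rules match on header fields only, top-down, first match wins, and an
implicit deny closes the list, like a router/ASA access-list.  Addresses,
interface names and rules below are assumed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"}
    in_if: str = "outside"              # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    in_if: Optional[str] = None
    established: bool = False           # match only packets with ACK or RST set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; deny if none matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"                       # implicit deny at the end of every ACL


INSIDE = "10.0.0.0/8"                   # assumed internal address range
WEB_SERVER = "203.0.113.10/32"          # assumed published web server

OUTSIDE_IN_ACL = [
    # Anti-spoofing: an inside source address must never arrive on "outside".
    Rule("deny", src=INSIDE, in_if="outside"),
    # Published web service.
    Rule("permit", proto="tcp", dst=WEB_SERVER, dport=80),
    # Stateless "established" rule: let replies to inside-initiated TCP in.
    Rule("permit", proto="tcp", dst=INSIDE, established=True),
]


def demo() -> dict:
    """Four packets arriving on the outside interface and the ACL's verdicts."""
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    cases = {
        "spoofed_inside_src": Packet("10.1.1.5", "203.0.113.10", "tcp", 40000, 80, syn),
        "web_syn": Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80, syn),
        # No inside host opened this connection, yet the ACK bit satisfies the
        # established rule: a stateless filter cannot tell the difference.
        "unsolicited_ack_to_smb": Packet("198.51.100.7", "10.1.1.5", "tcp", 40000, 445, ack),
        "unsolicited_syn_to_smb": Packet("198.51.100.7", "10.1.1.5", "tcp", 40000, 445, syn),
    }
    return {name: evaluate(OUTSIDE_IN_ACL, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

The third case is the point: the packet to port 445 is permitted even though no inside host ever sent a SYN, which is exactly what the stateful techniques in the next sections fix.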
2.3.1.2 NAT firewall
Operates at the Network and Transport layers. NAT (Network Address Translation) rewrites packet IP addresses when needed, so inside users can reach the Internet through a public address while their real internal addresses stay hidden. NAT also governs Internet access by deciding which users may use it. Specifically, when a user opens an outbound connection, NAT rewrites the packet's source IP, forwards it and records the state in a translation table. When the reply arrives from outside, NAT looks up the table, rewrites the destination IP back to the original one and returns the packet to its origin. The variant that also rewrites the source and destination ports is PAT (Port Address Translation).
As mentioned, NAT uses a translation table to keep the state of translated connections, so an outside user cannot initiate a connection inwards on their own.
Advantages
- Protects the inside network from "probing" from outside.
- Lets the administrator decide which services and which inside hosts use NAT.
- A single public IP address lets all inside hosts reach the Internet.
Disadvantages
- With TCP it is easy to know when to stop translating an address, because TCP opens with a three-way handshake and closes explicitly (FIN or RST). UDP sets up no connection, so NAT has to guess from an idle timeout when the exchange has ended; a wrong guess breaks the connection.
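The translation table described above, as an added example (not code from the thesis) in Python. It hands each outbound flow the single public address and a fresh port, rewrites inbound packets only when they hit an existing entry, removes TCP entries on teardown and, for UDP, has nothing better than an idle timeout, which is the failure mode of the disadvantage just listed. The public address, port range and timeouts are assumed.

```python
"""PAT translation table.  Added example, not thesis code.
Outbound flows get the single public address and a fresh port; inbound
packets are rewritten back only when they hit an existing entry; entries
vanish on TCP teardown or, for UDP, after an idle timeout that the NAT can
only guess at.  Public address, ports and timeouts are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"          # assumed outside address
UDP_IDLE_TIMEOUT = 30.0            # seconds; assumed, UDP has no FIN to watch
TCP_IDLE_TIMEOUT = 3600.0
FIRST_PAT_PORT = 1024

Endpoint = Tuple[str, int]


@dataclass
class Entry:
    inside: Endpoint               # real source ip:port behind the NAT
    last_seen: float               # time of the last packet in either direction


class Pat:
    def __init__(self) -> None:
        # (proto, public port) -> entry, plus the reverse lookup for outbound
        self.table: Dict[Tuple[str, int], Entry] = {}
        self.reverse: Dict[Tuple[str, str, int], int] = {}
        self.next_port = FIRST_PAT_PORT

    def outbound(self, proto: str, src_ip: str, src_port: int, now: float) -> Endpoint:
        """Rewrite an inside->outside packet; returns the new source endpoint."""
        self.expire(now)
        key = (proto, src_ip, src_port)
        port = self.reverse.get(key)
        if port is None:                       # new flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(proto, port)] = Entry((src_ip, src_port), now)
        self.table[(proto, port)].last_seen = now
        return (PUBLIC_IP, port)

    def inbound(self, proto: str, dst_ip: str, dst_port: int, now: float) -> Optional[Endpoint]:
        """Rewrite an outside->inside packet; None means drop (unsolicited)."""
        self.expire(now)
        if dst_ip != PUBLIC_IP:
            return None
        entry = self.table.get((proto, dst_port))
        if entry is None:
            return None                        # nobody inside asked for this
        entry.last_seen = now
        return entry.inside

    def close(self, proto: str, src_ip: str, src_port: int) -> None:
        """Called when a FIN or RST from inside ends a TCP flow."""
        port = self.reverse.pop((proto, src_ip, src_port), None)
        if port is not None:
            del self.table[(proto, port)]

    def expire(self, now: float) -> None:
        """Drop idle entries; for UDP this is the only way a flow ever ends."""
        for (proto, port), entry in list(self.table.items()):
            limit = UDP_IDLE_TIMEOUT if proto == "udp" else TCP_IDLE_TIMEOUT
            if now - entry.last_seen > limit:
                del self.table[(proto, port)]
                del self.reverse[(proto, *entry.inside)]


if __name__ == "__main__":
    pat = Pat()
    print(pat.outbound("udp", "10.1.1.5", 5000, 0.0))     # ('203.0.113.1', 1024)
    print(pat.inbound("udp", PUBLIC_IP, 1024, 40.0))      # None: idle longer than 30 s
```

Two inside hosts may both use source port 5000; the table keeps them apart by the public port it allocated. The last line shows the UDP problem: a reply that arrives after the guessed idle timeout is dropped because the entry is already gone.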
2.3.1.3 Stateful packet filtering
Operates at the Network, Transport and Session layers; it tracks and records the state of connections (TCP/UDP flows) entering and leaving the system in order to distinguish legitimate packets belonging to different connections. Inspection works as in packet filtering, but this technique also maintains connection state. Whenever a TCP/UDP connection is initiated from inside or outside, its state is stored in a state table (stateful session flow table). For every session that is initiated, the session parameters must match the information in the state table before the session is allowed. This technique therefore operates mainly on connections rather than on individual packets.
The state table holds source IP, destination IP, ports, per-connection state flags and the (random) sequence numbers, recorded before packets are forwarded and kept until the connection completes. Every outbound or inbound packet is checked against it before forwarding, ensuring connections are established in one direction only (inside to outside) and not the reverse, which blocks harmful packets entering the system and stops outside hosts from sending data to inside hosts.
Figure 9: How stateful packet filtering works
This method is more advanced than the previous generation for three reasons:
- It controls both connections and packets, with higher performance.
- It keeps TCP/UDP connection state in the state table and uses it as a reference to decide whether a packet belongs to a previously established connection or is unauthorized access.
- It can analyse protocols such as FTP and update the state table automatically so FTP traffic can pass the firewall. It also generates its own (randomized) sequence numbers for TCP packets and DNS queries, which reduces the risk of TCP RST flood and DNS cache poisoning attacks.
Advantages
- The main protection method in every case, filtering traffic entering and leaving the network.
- Protects the perimeter, where the router meets untrusted networks.
- Strengthens packet filtering capability.
- The best method against spoofing and denial of service (DoS), because every connection's state is recorded in the state table and only matching packets are allowed through; the rest are dropped.
Disadvantages. Stateful packet filtering cannot:
- Block Application-layer attacks, because it does not analyse data content.
- Authenticate users.
2.3.2 Application layer
2.3.2.1 Proxy firewall
As technology advances, the need to manage network access is taken more seriously. By exploiting the limitations of packet filtering, users can easily slip past the firewall's defences and enter the system without authorization. To raise firewall security, the proxy firewall technique, the second generation of firewalls, operating at the Network, Transport, Session and Application layers, acts on behalf of the inside network in communicating with the outside network and thereby hides all sensitive data. When the firewall receives a request from a user, it authenticates the user according to the configured rules. If the user account is valid, the firewall communicates with hosts on the Internet on behalf of the inside user. The proxy firewall only forwards packets whose Network and Transport layers are appropriate and returns packets whose Session and Application layers are appropriate.
Figure 10: How a proxy firewall works
A proxy firewall prevents direct packet exchange between two devices. Every communication between devices goes through the proxy, which allows faster and deeper packet inspection than traditional techniques. There are two kinds:
Circuit level gateway
Somewhat more complex than packet filtering: besides filtering traffic by IP address and port number, it also checks the TCP handshake at the Session layer.
Figure 11: Circuit level gateway
How it works
Step 1: The source host starts a connection; the firewall checks the connection information against the rules and, if the connection is allowed, lets it proceed.
Step 2: On behalf of the inside host, the firewall connects to the outside host and closely monitors the TCP handshake, which involves exchanging packets carrying flags (SYN or ACK).
Step 3: The firewall confirms that the inside host and the outside host are parties to one session, then copies and forwards data between the two connections.
The server, however, sees the connection as coming from the firewall, which hides all internal information. No data is forwarded until the firewall has confirmed that the connection is legitimate. The firewall regards a session as legitimate if the SYN, ACK and sequence numbers exchanged during the handshake are valid.
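As an added example serving both the stateful packet filtering of 2.3.1.3 and the handshake validation the circuit level gateway performs in steps 1 to 3 above (not code from the thesis), the following Python keeps a session table keyed by the inside and outside endpoints. Only a SYN from the inside creates an entry; inbound packets are accepted only if an entry exists, if the SYN-ACK acknowledges the inside SYN, and if later sequence numbers fall inside the expected window, which is what lets it discard a forged RST. The window size, addresses and packet values are assumed; retransmission and out-of-order delivery are simplified away.

```python
"""Stateful TCP session tracking.  Added example, not thesis code.
Sessions may only be opened from inside; the three-way handshake is
followed per flow and later packets must carry sequence numbers close to
the expected ones, so unsolicited SYNs and out-of-window RSTs are dropped.
Window size and sample packets are assumed; retransmission and
out-of-order delivery are simplified away."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW = 65535                       # assumed acceptance window in bytes

FlowKey = Tuple[str, int, str, int]  # inside ip, inside port, outside ip, outside port


@dataclass
class Flow:
    state: str          # "SYN_SENT" -> "SYN_RECV" -> "ESTABLISHED"
    next_seq_out: int   # next sequence number expected from the inside host
    next_seq_in: int    # next sequence number expected from the outside host


def in_window(seq: int, expected: int) -> bool:
    return expected - WINDOW <= seq < expected + WINDOW


class StatefulFilter:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}

    @staticmethod
    def key(pkt: dict, direction: str) -> FlowKey:
        if direction == "out":
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def inspect(self, pkt: dict, direction: str) -> str:
        """Return "permit" or "deny" for one packet travelling "out" or "in"."""
        key = self.key(pkt, direction)
        flags = set(pkt.get("flags", ()))
        payload = pkt.get("len", 0)
        flow = self.flows.get(key)

        if direction == "out":
            if flow is None:
                if flags == {"SYN"}:                      # new session from inside
                    self.flows[key] = Flow("SYN_SENT", pkt["seq"] + 1, 0)
                    return "permit"
                return "deny"                             # no session and not a SYN
            if not in_window(pkt["seq"], flow.next_seq_out):
                return "deny"
            if flow.state == "SYN_RECV" and "ACK" in flags and pkt["ack"] == flow.next_seq_in:
                flow.state = "ESTABLISHED"                # handshake complete
            flow.next_seq_out = pkt["seq"] + payload
            if "RST" in flags:
                del self.flows[key]
            return "permit"

        # inbound: there must already be a session opened from inside
        if flow is None:
            return "deny"                                 # covers every outside-initiated SYN
        if flow.state == "SYN_SENT":
            if flags == {"SYN", "ACK"} and pkt["ack"] == flow.next_seq_out:
                flow.state = "SYN_RECV"
                flow.next_seq_in = pkt["seq"] + 1
                return "permit"
            return "deny"
        if not in_window(pkt["seq"], flow.next_seq_in):
            return "deny"                                 # stray RST or data: RST flood, injection
        flow.next_seq_in = pkt["seq"] + payload
        if "RST" in flags:
            del self.flows[key]
        return "permit"


def demo() -> List[str]:
    """Handshake from inside, a forged RST, real data, an outside SYN, a real teardown."""
    f = StatefulFilter()
    inside, outside = "10.1.1.5", "198.51.100.7"

    def p(src, sport, dst, dport, seq, ack, flags, ln=0):
        return dict(src=src, sport=sport, dst=dst, dport=dport, seq=seq, ack=ack, flags=flags, len=ln)

    steps = [
        ("out", p(inside, 40000, outside, 80, 1000, 0, ("SYN",))),
        ("in",  p(outside, 80, inside, 40000, 5000, 1001, ("SYN", "ACK"))),
        ("out", p(inside, 40000, outside, 80, 1001, 5001, ("ACK",))),
        ("in",  p(outside, 80, inside, 40000, 7777777, 1001, ("RST",))),   # forged, out of window
        ("in",  p(outside, 80, inside, 40000, 5001, 1001, ("ACK",), 10)),  # genuine data
        ("in",  p(outside, 443, inside, 40001, 9000, 0, ("SYN",))),        # outside-initiated
        ("in",  p(outside, 80, inside, 40000, 5011, 1001, ("RST",))),      # genuine teardown
    ]
    return [f.inspect(pkt, d) for d, pkt in steps]


if __name__ == "__main__":
    print(demo())   # ['permit', 'permit', 'permit', 'deny', 'permit', 'deny', 'permit']
```

The same packet that the stateless "established" rule let through earlier (an inbound ACK with no session) is now denied, and the forged RST is rejected purely on its sequence number, which is the defence against RST floods the text mentions.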
Application level gateway (ALG)
As the name implies, an application-level proxy firewall works mainly at the Application layer, inspecting specified applications or services such as HTTP, FTP, DNS, telnet and so on. An ALG can also detect unwanted protocols running on non-standard ports.
It relies on a proxy service (a special program installed on the application gateway). A connection to a service through the firewall proceeds in five steps:
Figure 12: How an application level gateway works
Step 1: The client sends a request to the remote server via the firewall.
Step 2: The firewall authenticates the user. If authentication succeeds, go to step 3; otherwise the process ends.
Step 3: The firewall forwards the client's request to the remote server.
Step 4: The remote server's reply goes to the firewall.
Step 5: The firewall forwards the remote server's reply to the client.
To recognise the applications it must inspect, the ALG keeps state for the services specified in advance. When a user connects directly to the application-level proxy to request services such as web (HTTP/HTTPS) or mail (SMTP), the proxy in turn connects to the internal servers on the user's behalf. Because the proxy must keep information for every service in the system, it is limited in how many applications it can protect.
It provides higher security and reliability than packet filtering because it can manage, monitor, inspect and apply policies to the content deep inside the data flow, using deep packet inspection (DPI). Deploying an ALG must therefore be considered carefully, as it significantly affects network performance; deploy a proxy only when information security matters more than network performance.
Figure 13: Deep packet inspection
Using DPI, the firewall can inspect the packets passing through it. In Figure 10a, the user sends a HELO to the mail server to set up an SMTP session. After checking that the packet is legitimate, the firewall contacts the inside mail server on the user's behalf and relays the reply to the user. On receiving the reply, the user continues to send further commands.
Conversely, in Figure 10b, the user issues VRFY to obtain account information from the server. The firewall inspects the packet, finds that it violates policy and immediately refuses the request.
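The HELO/VRFY case above, as an added example (not code from the thesis) in Python. The proxy terminates the client side, parses each SMTP command, forwards only what policy allows to a simulated inside mail server and answers blocked commands itself. It also tracks the DATA state, because a command filter that ignores protocol state would wrongly block a message body line that happens to start with "VRFY". Hostnames, the reply texts and the fake server are assumed.

```python
"""SMTP application-level gateway with command inspection.  Added example,
not thesis code.  The proxy terminates the client, parses each command,
forwards only what policy allows to the (simulated) mail server and answers
blocked commands itself; it also tracks the DATA state so message body
lines are not mistaken for commands.  Hostnames and replies are assumed."""
from typing import List, Tuple

ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
BLOCKED = {"VRFY", "EXPN"}          # account enumeration; refused by policy
MAX_LINE = 512                      # RFC 5321 command line limit


class FakeMailServer:
    """Stand-in for the inside mail server; accepts everything it is given."""
    def __init__(self) -> None:
        self.in_data = False

    def handle(self, line: str) -> str:
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 OK: queued"
            return ""                                   # body line, no reply
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.edu"
        if verb in ("MAIL", "RCPT", "RSET", "NOOP"):
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"


class SmtpProxy:
    def __init__(self, server: FakeMailServer) -> None:
        self.server = server
        self.in_data = False
        self.log: List[Tuple[str, str]] = []            # (what the client sent, what it got)

    def handle(self, client_line: str) -> str:
        line = client_line.rstrip("\r\n")
        if self.in_data:                                # body: relay until the lone "."
            reply = self.server.handle(line)
            if line == ".":
                self.in_data = False
        elif len(line) > MAX_LINE:
            reply = "500 Line too long"                 # never forward oversized lines
        else:
            verb = line.split(" ", 1)[0].upper()
            if verb in BLOCKED:
                reply = "502 Command not implemented"   # answered by the proxy itself
            elif verb not in ALLOWED:
                reply = "500 Unrecognized command"
            else:
                reply = self.server.handle(line)        # the only path to the real server
                if reply.startswith("354"):
                    self.in_data = True
        self.log.append((line[:40], reply))
        return reply


def demo() -> List[Tuple[str, str]]:
    """Session: HELO passes, VRFY is refused, a body line starting with VRFY is relayed."""
    proxy = SmtpProxy(FakeMailServer())
    for line in ["HELO client.example.org", "VRFY root", "MAIL FROM:<a@example.org>",
                 "RCPT TO:<b@example.edu>", "DATA", "VRFY looks like a command but is body",
                 ".", "X" * 600, "QUIT"]:
        proxy.handle(line)
    return proxy.log


if __name__ == "__main__":
    for sent, got in demo():
        print(f"{sent!r:45s} -> {got!r}")
```

The server never sees VRFY at all, which is the difference between a proxy and a stateful filter: the latter would have forwarded the command and only the server's own configuration could refuse it.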
Advantages
- Controls each service on the network (decides which hosts may use which service).
- Authenticates users rather than devices; the firewall forwards data only after successful authentication and authorization.
- Hard to attack with spoofing and denial of service (DoS).
- Allows monitoring and filtering of data. Every user request is clearly recorded, making it easy to report on what any user accessed at any time. The proxy can also decide who may do what through authentication and authorization.
- Tracks and monitors every flow in detail, even identifying the type of attack and the attacked target. It also records user access information such as resources accessed, bandwidth used and time of access.
- Every request is cached by the proxy; when another request asks for the same information, the proxy serves it directly from the cache without sending a request outside, improving network performance.
- Queries the outside on the user's behalf, hiding IP addresses and other sensitive information.
Disadvantages
- Slow, with low throughput, because of processing at many layers.
- Limited scalability.
- If the proxy is compromised, the inside network is affected too.
- Limited service support: only familiar services such as web (HTTP/HTTPS) and FTP are controlled, making it hard to add other services.
- Deep inspection of packets noticeably reduces network performance.
- Complex installation and maintenance, since packets are processed by application programs.
- Supports only a small number of users.
2.3.2.2 Stateful inspection firewall (SIF)
Mainly uses SPI (stateful packet inspection), an improved generation of packet filtering developed by Check Point in 1993. SPI combines the strengths of the earlier techniques:
- Packet filtering: operates at the network layer, filtering packets in and out by connection parameters such as source address, destination address, source port and destination port.
- Circuit level gateway: identifies packets belonging to a valid session by the ACK and SYN flags and the sequence numbers.
- Application level gateway: the SIF passes packets up to the application layer and checks that the content complies with the system's security policy. It can be configured to drop packets containing specific commands (such as FTP PUT or FTP GET). As an improvement over the application level gateway, the SIF lets users connect directly to the server.
2.4 Deploying firewalls in an enterprise network
Depending on the purpose and the network architecture, the administrator chooses a suitable model according to their knowledge and experience. Firewall architectures are very diverse, but broadly fall into the following three types:
2.4.1 Bastion host
Bastion host is a general term for a system that the firewall administrator designates as an extremely hardened security point in the network.
This is the simplest firewall architecture: the firewall sits between the inside network and the outside network and filters packets in and out through two interfaces, one connected directly to the Internet (untrusted) and one connected to the intranet (trusted), giving two zones with different security levels.
It mainly uses application level gateway technology, circuit level gateway technology or a combination of both. A dual-homed host is a typical example of a bastion host.
Figure 14: Bastion host
The bastion host model suits a simple network with no need to publish services to the Internet; if a server is compromised, the whole inside network is affected. The model also draws a thin boundary between the trusted and untrusted networks: if that boundary breaks, the whole network and all internal resources are exposed.
Advantages
- Low deployment cost.
- Easy to manage and configure.
Disadvantages
- Low security: if the firewall is compromised, all internal network resources are exposed.
2.4.2 Screened subnet
The basic firewall model which, compared with the bastion host, also supports publishing services to the Internet by defining a demilitarized zone (DMZ), an isolated subnet between the Internet and the internal network. It suits small and medium companies: it secures the inside network while letting outside users reach the required services, and being inexpensive it is the most widely deployed model.
Like the bastion host, the screened subnet uses a single firewall, but with three network interfaces that clearly separate outside, inside and DMZ. As noted, this model lets outside users reach the services published in the DMZ. Security is higher than with a bastion host: the chance of the inside network being attacked is relatively low, since from outside a user can only reach services in the DMZ and cannot initiate connections to the inside.
Figure 15: Screened subnet
Advantages
- If the DMZ is attacked, the inside network is not affected.
- Relatively high security compared with the bastion host, since outside users reach only the services published in the DMZ and cannot connect directly to the internal network.
Disadvantages
- As with the bastion host, if this single layer of protection is breached, the whole inside network is in danger.
2.4.3 Dual firewall
The system consists of two firewalls and offers the highest security of the three models. Although deployment is costly, demands more attention from the administrator and configuration is relatively complex, the system is highly reliable and hard to bring down.
Figure 16: Dual firewall
As in the three-legged model, the DMZ is separated into its own zone, so even if it is exploited the inside is not affected. Two firewalls are expensive, but weighed against the value of the data the investment is worthwhile. The model is safest when the two firewalls come from different vendors: if the outer firewall is breached, the attacker still cannot get through the inner one, or at least needs time to study and bypass it, time the administrator can use to rebuild the outer firewall and respond.
Using more firewalls also means more interfaces, so we can define more zones with different security levels of our own choosing, which makes management and configuration easier.
Advantages
- Higher security than the two previous models: to penetrate the internal network, an attacker must get past two layers, the outside firewall and the inside firewall.
- Lets outside users reach the services published in the DMZ.
- Compared with the screened subnet, the inside network stays protected if the DMZ is attacked.
Disadvantages
- High deployment cost.
- Managing the firewall system requires an administrator with a certain level of experience and knowledge.
In general, each of the above designs has its advantages and disadvantages. The choice of firewall model depends mainly on the organization's needs and the budget reserved for security, so as to choose the model that meets business needs at an affordable cost.
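The zone separation the three architectures rely on, as an added example (not code from the thesis) in Python. It applies the default rule of ASA-style firewalls: traffic from a higher-security interface to a lower one is allowed, the reverse only when a rule explicitly permits it, and every packet must carry a source address belonging to its ingress zone. Zone names, address ranges, levels and the published services are assumed. The "owned DMZ host" case shows why a compromised DMZ does not reach the inside in the screened subnet and dual firewall models: the DMZ to inside direction is low-to-high with no published service.

```python
"""Security-level policy for the screened-subnet / dual-firewall zones.
Added example, not thesis code.  Applies the ASA-style default: higher
security level -> lower is allowed, lower -> higher only with an explicit
permit, and the source address must belong to the ingress zone.
Zone names, address ranges, levels and published services are assumed."""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# interface -> (security level, address range behind it)
ZONES = {
    "outside": (0, "0.0.0.0/0"),
    "dmz": (50, "192.0.2.0/24"),
    "inside": (100, "10.0.0.0/8"),
}

# explicit permits for lower -> higher traffic: (destination zone, proto, port)
PUBLISHED: Set[Tuple[str, str, int]] = {
    ("dmz", "tcp", 80), ("dmz", "tcp", 443), ("dmz", "tcp", 25),
}


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone (outside is the catch-all)."""
    addr = ip_address(ip)
    best: Optional[Tuple[str, int]] = None
    for name, (_, cidr) in ZONES.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0]


def decide(in_if: str, src: str, dst: str, proto: str, dport: int) -> str:
    """Verdict for a packet that arrived on interface in_if."""
    if zone_of(src) != in_if:
        return "deny: spoofed source"        # e.g. an inside address arriving on outside
    out_if = zone_of(dst)
    if out_if == in_if:
        return "permit: intra-zone"          # switched locally, firewall not in path
    if ZONES[in_if][0] > ZONES[out_if][0]:
        return "permit: high-to-low"         # default for trusted -> less trusted
    if (out_if, proto, dport) in PUBLISHED:
        return "permit: published service"
    return "deny: low-to-high"


def demo() -> Dict[str, str]:
    return {
        "internet_to_dmz_web": decide("outside", "198.51.100.7", "192.0.2.10", "tcp", 80),
        "internet_to_inside_smb": decide("outside", "198.51.100.7", "10.1.1.5", "tcp", 445),
        "owned_dmz_to_inside_rdp": decide("dmz", "192.0.2.10", "10.1.1.5", "tcp", 3389),
        "inside_to_internet_https": decide("inside", "10.1.1.5", "198.51.100.7", "tcp", 443),
        "inside_to_dmz_ssh": decide("inside", "10.1.1.5", "192.0.2.10", "tcp", 22),
        "spoofed_inside_from_internet": decide("outside", "10.1.1.5", "10.1.1.6", "tcp", 445),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

A bastion host is the same evaluator with only the outside and inside zones: once the single device is compromised there is no lower level left to contain the attacker, which is the disadvantage listed for that model.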
PART 3: BUILDING A VPN BETWEEN THE TWO CAMPUSES OF HOA SEN UNIVERSITY
3.1 Why businesses need VPNs
3.1.1 Why VPNs came about
With the rapid development of computing and telecommunications, the world is shrinking and drawing closer. Many companies are crossing local and regional boundaries and reaching the world market. Many businesses span the country or even the globe, and all face one practical need: a way to maintain timely, secure and efficient information links no matter where their offices are.
The growth of the Internet, in both scale and technology, partly meets this need. The Internet connects many different networks and delivers information to users freely and quickly, without regard to its confidentiality. As the market develops, a stream of new technologies, techniques and applications appears, and services such as distance learning, online shopping and medical consultation are becoming familiar to almost everyone.
However, the sheer size of the Internet is both its strength and its one weakness, creating considerable risk and loss for businesses. Managing and securing data on the Internet is extremely difficult because the Internet is global and under no organization's control. To meet these requirements while still using the existing Internet infrastructure, the virtual private network (VPN) was born.
3.1.2 VPNs are genuinely necessary for businesses
With this model, no large additional infrastructure investment is needed, reliability is maintained and the network can be managed. A VPN gives users a secure connection over the Internet when working from home, on the road or at branch offices, and secures information between agents, suppliers and business partners across a wide communications environment. In many cases a VPN resembles a WAN (wide area network); the decisive feature of a VPN is that it uses a public network such as the Internet while guaranteeing privacy and costing much less.
In today's competitive market, building a VPN so that remote staff can reach data on internal hosts over the public Internet is increasingly necessary for organizations, raising the productivity of staff at the office and on business trips. A typical VPN consists of the main LAN at headquarters, other LANs at remote offices, and connection points or users (mobile workers) connecting from outside.
Figure 17: VPN network
3.2 VPN overview
3.2.1 Concept
A VPN is the extension of a private network across a public network. Essentially, a VPN is a private network that uses a shared network (the Internet) to connect sites (separate private networks) or many remote users. Instead of real dedicated links such as leased lines, each VPN uses virtual connections over the Internet from the company's private network to its branches or remote staff.
It provides mechanisms to encrypt data in transit, creating a secure tunnel between sender and receiver (the VPN tunnel) that behaves like a point-to-point link on a private network. To keep data safe in transit, it must be encrypted or otherwise hidden, exposing only the routing information needed to reach the destination host across the Internet. If packets are captured on the way, an attacker cannot read the content without the decryption key.
3.2.2 Benefits of VPN: compared with traditional networks, a VPN offers:
- Lower cost.
- A simpler network architecture.
- Global connectivity.
- Easier management: compared with connecting sites over protocols such as Frame Relay and ATM, a VPN is a simpler and more flexible way to manage the number of users (adding or removing links quickly and continuously).
- Stronger network security.
- Compatibility with broadband networks.
- Support for the most common network protocols today, such as TCP/IP.
- IP address confidentiality: information sent over the VPN is encrypted, so the addresses inside the private network are hidden and only the outside Internet addresses are visible.
3.2.3 Technical foundations for building a VPN
3.2.3.1 Cryptography
a. The role of cryptography in protecting information
Hiding secret information. Today, eavesdropping and theft of information in transit are common, and the number of attacks on business networks rises every year. Cryptography is therefore important and necessary to most organizations, and a prerequisite for protecting data sent over public communication channels.
b. Branches of cryptology
Cryptology has two main branches: cryptography and cryptanalysis. Cryptography studies algorithms and cryptographic solutions and has two sub-branches, encryption (whose goal is confidentiality) and hashing (used for authentication and verification); cryptanalysis studies how to break ciphers.
Cryptography is not new; it has existed for a very long time and has progressed from simple to complex: first substituting each character with another character or number, then transposing characters, then using coordinate matrices, up to today's algorithms that even a supercomputer would take many years to break. Fundamentally there are two kinds:
- Symmetric: the same key is used for encryption and decryption, so sender and receiver must hold the same key. These algorithms are faster and simpler and use shorter keys than asymmetric ones, typically 40 to 256 bits (DES and 40-bit keys are now considered broken; use AES with 128 bits or more). Examples: DES, 3DES, AES, IDEA, RCx, Blowfish.
- Asymmetric: also called public-key algorithms, roughly 1000 times slower than symmetric ones because they involve heavy computation on numbers of tens of digits, which is why they are mostly used for digital signatures and key exchange rather than bulk encryption. Key management is much simpler than with symmetric algorithms, because one of the two keys is made public (the public key) and the other is kept private (the private key). An exact equivalent key length cannot be computed; keys are estimated at 512 to 4096 bits, and key lengths cannot be compared directly between symmetric and asymmetric algorithms.
Both require a key to encrypt and decrypt. Symmetric algorithms use one key for both; asymmetric algorithms use one key to encrypt and another to decrypt, and which key is called public and which private depends on the use, mainly one of two scenarios:
Public-key confidentiality scenario: the public key encrypts and the private key decrypts. Since each system has its own private key, anything encrypted with a system's public key can be decrypted by no other system; commonly used for key exchange.
Public key (encrypt) + Private key (decrypt) =  Confidentiality
Figure 18: Public-key confidentiality scenario
Public-key authentication scenario: the private key encrypts and the public key decrypts. Since each system's private key is different, anything encrypted with a system's private key can be decrypted only with that system's public key; commonly used for authentication (in practice what the private key operates on is a hash of the message, which is the digital signature).
Private key (encrypt) + Public key (decrypt) = Authentication
Figure 19: Public-key authentication scenario
c. Cipher types
Block cipher: data is divided into fixed-length blocks and encrypted block by block; if the plaintext is shorter than a block, padding is added to fill it, so the ciphertext is usually longer than the plaintext. Algorithms of this type include AES and IDEA.
Stream cipher: works bit by bit, does not change the size of the ciphertext relative to the plaintext and is faster than block ciphers. Algorithms of this type include RC4 and SEAL (RC4 is now considered broken and should not be used).
3.2.3.2 Public Key Infrastructure (PKI)
a. Introduction
PKI is a standards-based technology and application system used to create, store and manage digital certificates together with public and private keys. PKI emerged in 1995, when industry and government organizations built common standards based on cryptographic methods to support a security infrastructure on the Internet. At that time the goal was a comprehensive set of security standards, together with the tools and theory, that would let users and organizations create, store and exchange information securely in both private and public settings.
Figure 20 Public Key Infrastructure (PKI)
In cryptography, a PKI is an arrangement that binds public keys to their respective users, established by a certificate authority (CA); every user's identity must be unique within the CA. This binding is usually set up through registration and certificate issuance which, depending on the assurance level required, may be carried out by software at a central site or under human supervision.
Public key certificates (digital certificate or identity certificate)
An electronic document, digitally signed and issued by a CA, that authenticates the communicating parties and securely conveys a public key from the sender (who encrypts) to the receiver (who decrypts).
Before a CA issues a public key certificate, the user must register with the CA. The process of registration, activation and certification with the PKI (CAs and RAs) runs as follows:
The user registers with a CA or RA. During registration the user presents identifying information to the CA; the CA authenticates the end entity and sends it the CA's own public key. The user generates a public/private key pair and forwards the public key together with a certification request to the registration authority (RA). The RA is responsible for accepting or rejecting the user's request. The RA then forwards the request to the CA for policy checking and signing. The CA signs the public key certificate with its private key, producing the user's public key certificate.
At this point the end user can request other users' public key certificates and use the CA's public key to decrypt (verify) them, ensuring that each certificate is valid.
b. PKI components: to ensure public keys are managed securely, the CA must handle the following tasks:
Certify and register end-entity keys.
Check the integrity of public keys.
Authenticate requests during the custody of public keys.
Issue public keys securely.
Revoke public keys when they are no longer valid.
Maintain revocation information about public keys (the CRL) and distribute it (by publishing CRLs or by answering Online Certificate Status Protocol [OCSP] messages).
Ensure key security and key length.
To simplify these functions and reduce the CA's key-management burden, they are divided among the following three components:
Registration Authorities
In many cases the CA provides all the PKI services needed to manage public keys within the network. In many other cases, however, the CA delegates work to the RA. Functions the CA can delegate to the RA include:
Verifying that the end user registering a public key with the CA holds the private key that pairs with it.
Generating the public/private key pairs used to start the registration process.
Validating the parameters of the public key.
Indirectly distributing Certificate Revocation Lists (CRLs).
Certificate Authorities
Issue certificates, authenticate PKI clients and, when necessary, revoke certificates; the CA is the primary trusted source of the PKI. It is the only entity that issues public key certificates to end users, and it maintains the CRL and acts as the CRL issuer. A PKI may contain several CAs.
Helps establish the identities of the entities that communicate with each other. A CA not only authenticates PKI clients but also other CAs, by issuing digital certificates to them. The certified CAs can in turn certify further CAs, until every entity can trust the other entities involved in a transaction.
Validation Authorities: ensure secure, reliable validation of digital certificates.
Purpose: to allow
Participants to authenticate each other and to use the certificate information to encrypt and decrypt the information they exchange.
Electronic transactions to take place with confidentiality, integrity and mutual authentication without any prior exchange of secret information.
Provision of public keys and identification of the binding between a key and the user's identity. Users can then apply this in applications such as:
o Encrypting e-mail or authenticating the sender of e-mail.
o Encrypting or authenticating documents.
o Authenticating application users.
o Secure communication protocols: key exchange with asymmetric keys, encryption with symmetric keys.
To provide encryption and authentication, PKI uses:
Hash algorithms
Ensure data integrity: any change is detected at once. A hash is one-way and, whatever the input, produces an output of fixed length. Hash algorithms do not encrypt data, however; typical examples are MD5 and SHA-1.
To raise the level of security, HMAC was introduced. With a plain hash a change to the data is detected, but if the hash value is changed along with it the modification cannot be recognized. HMAC uses a secret key in the hashing process, which strengthens authentication and resists man-in-the-middle attacks.
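The difference described above, as an added example that is not part of the thesis: a plain hash can be recomputed by anyone who alters the message, whereas an HMAC tag cannot be recomputed without the key. The message, the key and the tampering model are constructed for the example; SHA-256 is used in place of the MD5/SHA-1 named in the text, the construction being the same.

```python
import hashlib
import hmac

# Constructed sample key shared by sender and receiver (not from the thesis).
KEY = b"shared-secret-of-sender-and-receiver"


def plain_hash_tag(msg: bytes) -> bytes:
    """Integrity tag that anyone can recompute: the hash of the message alone."""
    return hashlib.sha256(msg).digest()


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed tag (HMAC-SHA-256): only holders of the key can recompute it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_plain(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_hash_tag(msg), tag)


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def intercept_and_modify(msg: bytes, tag: bytes, keyed: bool):
    """Model of a man-in-the-middle who alters the message in transit and then
    tries to adjust the tag so that the receiver does not notice."""
    forged = msg.replace(b"100", b"900")
    if keyed:
        # Without KEY the attacker cannot produce a fresh tag; the stale one is all they have.
        return forged, tag
    return forged, plain_hash_tag(forged)


def demo():
    """Returns (accepted_with_plain_hash, accepted_with_hmac)."""
    msg = b"transfer 100 to account 42"
    m1, t1 = intercept_and_modify(msg, plain_hash_tag(msg), keyed=False)
    accepted_plain = verify_plain(m1, t1)          # True: the forgery goes unnoticed
    m2, t2 = intercept_and_modify(msg, hmac_tag(KEY, msg), keyed=True)
    accepted_hmac = verify_hmac(KEY, m2, t2)       # False: the modification is detected
    return accepted_plain, accepted_hmac
```

The receiver's check is identical in both cases; what changes is whether the tag depends on a secret the attacker lacks, which is exactly why IPSec and IKE use HMAC rather than a bare hash for integrity.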
Digital signature
In communication it is not enough to ensure that the data is unchanged in transit; it must also come from a trusted source. Digital signatures solve this by providing unique evidence of the original data, detecting any change, and authenticating with the private key used to sign the data, thereby proving authenticity and integrity.
Basically a digital signature works as follows: when A sends a message to B, the message is signed with A's private key (the signature key), producing a signature that only A's private key could have created. The signature is attached to the original message and sent to B. On receipt, B uses A's public key (the verification key) to decrypt the signature; if the result differs from the message, the content was altered, and vice versa. At the same time A cannot repudiate having sent the message, because only A could have produced that signature.
RSA digital signature: the most popular asymmetric algorithm, designed by Ron Rivest, Adi Shamir and Len Adleman in 1977. It relies on complex computations on numbers of tens or hundreds of digits. RSA uses a public key that is distributed widely and a private key that is kept strictly secret.
Operation
First the message is hashed to produce a hash value; this value is signed (encrypted) with A's private key to produce the signature. The signature is attached to the message and sent to B. On receipt, B performs two steps: decrypt the signature with A's public key to obtain H1, and hash the message to obtain H2. If H1 = H2 the message was not modified in transit and came from A; otherwise it was.
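Both uses of the key pair described in this chapter, the confidentiality scenario of Figure 18 (public key encrypts, private key decrypts) and the authentication scenario of Figures 19 and 21 (private key signs the hash, public key verifies it), in one added example that is not part of the thesis. It is textbook RSA on two small constructed primes, with no padding scheme, so it illustrates the H1 = H2 check and nothing more; real deployments use 2048-bit keys with OAEP/PSS padding.

```python
import hashlib

# Constructed demo parameters (not from the thesis): two small primes, e = 65537.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse; requires Python 3.8+

PUBLIC_KEY = (E, N)     # published widely
PRIVATE_KEY = (D, N)    # kept strictly secret


def rsa_apply(key, x: int) -> int:
    """The single RSA operation: x^exponent mod n. Which key is used decides the scenario."""
    exponent, n = key
    return pow(x, exponent, n)


# Scenario 1 (Figure 18): public key encrypts, private key decrypts -> confidentiality.
def encrypt_to(recipient_public_key, secret: int) -> int:
    if not 0 <= secret < recipient_public_key[1]:
        raise ValueError("value must be smaller than the modulus")
    return rsa_apply(recipient_public_key, secret)


def decrypt_with(own_private_key, ciphertext: int) -> int:
    return rsa_apply(own_private_key, ciphertext)


# Scenario 2 (Figures 19 and 21): private key signs the hash, public key verifies -> authentication.
def message_hash(msg: bytes, n: int) -> int:
    # Reduced modulo n so that it fits the tiny demo modulus; with real key sizes the digest fits as is.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(own_private_key, msg: bytes) -> int:
    return rsa_apply(own_private_key, message_hash(msg, own_private_key[1]))


def verify(signer_public_key, msg: bytes, signature: int) -> bool:
    h1 = rsa_apply(signer_public_key, signature)    # "decrypt" the signature with the public key
    h2 = message_hash(msg, signer_public_key[1])    # hash the received message independently
    return h1 == h2


def demo():
    """Returns (key_recovered, signature_valid, tampered_signature_valid)."""
    session_key = 0xDEADBEEF                        # e.g. a symmetric key being exchanged
    recovered = decrypt_with(PRIVATE_KEY, encrypt_to(PUBLIC_KEY, session_key))
    msg = b"A -> B: the tunnel key is ready"
    sig = sign(PRIVATE_KEY, msg)
    return recovered == session_key, verify(PUBLIC_KEY, msg, sig), verify(PUBLIC_KEY, msg + b"!", sig)
```

The two scenarios use the same arithmetic; only the roles of the keys are swapped, which is why the text can state them as "public key + private key = confidentiality" and "private key + public key = authentication".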
Figure 21 Operation of the RSA digital signature
3.2.4 VPN protocols
3.2.4.1 PPTP (Point-to-Point Tunneling Protocol)
Like L2F (Layer 2 Forwarding), the Point-to-Point Tunneling Protocol (PPTP) was originally designed and developed to create and maintain VPN tunnels over public TCP/IP networks using PPP; it was the joint effort of Microsoft and a group of vendors including Ascend Communications, 3Com/Primary Access and ECI Telematics.
Used on client machines running Microsoft NT 4.0 and Windows 95 or later, to encrypt traffic on the LAN. PPTP is based on RSA RC4 and supports 40-bit or 128-bit encryption. PPTP encapsulates PPP frames in IP packets for transmission over the Internet or any other publicly accessible TCP/IP network.
If the remote system supports PPTP, it can connect directly to the VPN server.
Otherwise, it can use PPP to connect to the ISP's VPN initiating device (the L2TP Access Concentrator, LAC) and then use PPTP to connect to the VPN server.
Figure 22 VPN connection over PPTP
PPTP does not support LAN-to-LAN, is limited to 255 connections per server and allows only one VPN tunnel per connection. PPTP also does not provide encryption suited to large deployments, but it is easy to install and deploy and is a remote-access solution that only works on Microsoft networks. It works well on Windows 2000 and later.
3.2.4.2 L2TP (Layer 2 Tunneling Protocol)
Introduced in 1999 and defined in RFC 2661, it inherits the strengths of the earlier protocols L2F (Layer 2 Forwarding) from Cisco and PPTP from Microsoft. A newer version, L2TPv3, released in 2005, provides additional security features such as encryption and can carry data links other than PPP over IP networks, such as Frame Relay, Ethernet and ATM.
Figure 23 L2TP VPN
Creates independent, multi-protocol connections for virtual private dial-up networks (VPDN), letting users connect through security policies to form a VPN or VPDN. This protocol does not provide encryption, however.
Effective for dial-up, ADSL and other remote-access networks. This extension of PPP allows remote users to access the VPN. An L2TP tunnel is established in one of three forms:
Voluntary tunnel.
Compulsory tunnel (for incoming connections and for remote dial-up).
L2TP multi-hop connection.
3.2.4.3 GRE
Multi-protocol transport that encapsulates IP, CLNP and other packets inside IP tunnels. With a GRE tunnel, a Cisco router encapsulates each packet of a given protocol inside an IP header, creating a virtual point-to-point link to the destination Cisco router, where the IP header is removed on arrival.
By connecting several subnets that use different protocols over a main protocol, GRE tunneling makes it easy for those protocols to be routed inside IP packets.
3.2.4.4 IPSec (Internet Protocol Security)
a. Introduction
Developed by the IETF and defined in RFC 2401 to 2412, IPSec specifies how to establish a VPN (Virtual Private Network) over the IP protocol, providing a security mechanism at the Network layer. IPSec therefore supports every application, protecting and authenticating IP packets between the parties. IPSec is not tied to any particular encryption or authentication algorithm; it is a combination of several open standards.
Figure 24 IPSec in the OSI model
Thanks to this, IPSec can adopt newer and better algorithms without modifying the existing standard. IPSec provides confidentiality (encryption algorithms), data integrity and authentication of the parties at the Network layer, creating a secure path between a pair of gateways, a pair of hosts, or even a gateway and a host.
Figure 25 IPSec components
Encryption: the level of security depends on the key length and on the processing time of the algorithm. The question is therefore which algorithm and key length to choose so that the system is secure without consuming too much processing capacity. Recommended algorithms and key lengths: DES (56 bit), 3DES (112 bit, 168 bit), AES (128 bit, 192 bit, 256 bit), RSA (512 bit, 768 bit, 1024 bit), SEAL (160 bit).
Data integrity: data sent over the Internet can be modified, so IPSec uses HMAC-MD5 or HMAC-SHA-1 to preserve it.
Authentication: authenticating the communicating party is essential before a connection between the two sides is established. IPSec offers three authentication methods:
Pre-shared key: a value entered manually on each side, used to authenticate each other.
RSA signature: the parties exchange certificates; each side then computes a hash of its message, encrypts the hash with its private key, attaches it to the message and sends it. On receipt, each side decrypts the encrypted hash with the other's public key; if it matches the hash of the received message, authentication succeeds.
RSA encrypted nonce: similar to RSA signature, but without certificates; instead, the public key is entered manually on each side. IPSec operates in two modes. Transport mode: only the packet payload is protected; the IP header is left unchanged. If AH is used, however, the IP header must not change at all: any change to the IP header causes the packet to be dropped. Transport mode therefore works well only between hosts. This problem is solved by NAT Traversal, covered later.
Figure 26 Transport mode
Tunnel mode: protects the whole routable IP packet on the Internet. Compared with transport mode, tunnel mode works better and supports gateway-to-gateway. In terms of network performance, however, tunnel mode is inferior because it adds a new IP header, which transport mode does not.
Figure 27 Tunnel mode
b. Summary of the protocols and algorithms used
Protocols used
ESP (Encapsulating Security Payload)
One of the two main protocols that make up IPSec. ESP provides strong confidentiality, supporting many symmetric algorithms such as DES and 3DES. It also provides data integrity and authentication.
It operates in two modes: transport mode and tunnel mode.
In transport mode, ESP encrypts and authenticates only the data payload and a few other components, as shown in Figure 28.
Figure 28 ESP transport mode packet
In tunnel mode, ESP encrypts the entire original packet and authenticates this encrypted data together with the ESP header, which is added along with a new IP header.
Figure 29 ESP tunnel mode packet
Fields of the ESP packet
Figure 30 ESP fields
ESP adds a header and a trailer around the contents of each packet. The ESP header consists of two fields:
SPI (32 bits): each endpoint of an IPSec connection chooses its own SPI value. The receiver uses the SPI value together with the destination IP and the IPSec protocol to identify the single SA policy to apply to the packet.
Sequence Number: provides the anti-replay service. When an SA is established this counter starts at 0; before each packet is sent it is incremented by 1 and placed in the ESP header.
The next part of the packet is the payload, made up of the encrypted payload data and the unencrypted Initialization Vector (IV). The IV value is different for every packet.
The third part of the packet is the ESP trailer, which contains at least two fields:
Padding (0-255 bytes): may be added to adjust the size of each packet.
Pad length: the length of the padding.
Next header: identifies the protocol type carried in the payload field. For IP it holds 4, for TCP 6, for UDP 17. Every ESP trailer contains a Next Header value.
Finally, the authentication data holds the Integrity Check Value (ICV) of the ESP packet. The ICV is computed over the entire ESP packet except its own authentication data field.
The ICV starts on a 4-byte boundary and must be a multiple of 32 bits (one word).
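The ESP layout just described, as an added example that is not part of the thesis: a builder that lays out SPI, sequence number, IV, payload, padding, pad length and next header, computes the ICV over everything before the authentication data, and a receiver that checks the ICV before anything else and rejects replayed sequence numbers. The payload is carried unencrypted (the cipher step is stood in by a plain copy, as the comment states) so the field layout is the point; the IV length of 8 bytes, the 8-byte padding alignment, the HMAC-SHA-1-96 ICV and all keys and values are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 12          # HMAC-SHA-1-96: a 96-bit ICV, a multiple of 32 bits (assumption for the demo)
IV_LEN = 8            # IV length assumed for the demo (8-byte-block ciphers such as DES/3DES-CBC)
BLOCK = 8             # block size the trailer padding aligns to (assumption)
NEXT_HEADER_TCP = 6   # Next Header value for TCP, as given in the text


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes, next_header=NEXT_HEADER_TCP) -> bytes:
    """Assemble an ESP packet. The encryption step is represented by a plain copy of
    the payload so that padding and ICV placement can be examined."""
    iv = os.urandom(IV_LEN)
    # Padding makes payload + padding + pad_len(1) + next_header(1) a multiple of BLOCK.
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))      # default ESP padding pattern 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)       # SPI and Sequence Number, 32 bits each
    body = header + iv + payload + trailer
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # over all but the ICV itself
    return body + icv


class EspReceiver:
    """Per-SA receiver state: the authentication key plus the last sequence number seen."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key = spi, auth_key
        self.highest_seq = 0     # the counter starts at 0, so the first packet carries 1

    def parse(self, pkt: bytes):
        """Returns (fields, reason); fields is None when the packet is dropped."""
        if len(pkt) < 8 + IV_LEN + 2 + ICV_LEN:
            return None, "truncated"
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV"          # dropped before any decryption work is spent
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return None, "unknown SPI"
        if seq <= self.highest_seq:
            return None, "replay"           # strictly increasing counter as the anti-replay check
        self.highest_seq = seq
        pad_len, next_header = body[-2], body[-1]
        payload = body[8 + IV_LEN:-(2 + pad_len)]
        return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}, "ok"


def demo():
    """Returns (payload, first_result, replay_result, tampered_result)."""
    key = b"constructed-auth-key"           # constructed sample key
    rx = EspReceiver(spi=0x1001, auth_key=key)
    pkt = build_esp(0x1001, 1, b"GET / HTTP/1.0\r\n", key)
    first, why1 = rx.parse(pkt)
    _, why2 = rx.parse(pkt)                 # the same packet delivered twice
    tampered = bytearray(pkt)
    tampered[10] ^= 0x01                    # flip one bit inside the IV
    _, why3 = rx.parse(bytes(tampered))
    return first["payload"], why1, why2, why3
```

Checking the ICV before looking at anything else is deliberate: a forged or corrupted packet is discarded before the receiver spends cipher work or updates its replay state.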
AH (Authentication Header)
Together with ESP, AH is one of the two main protocols that make up IPSec; it provides data integrity and authentication. AH hashes the fields of the packet including the IP header, except fields that change in transit such as TTL (Time To Live); the AH header produced by the hash function is then added to the packet. Because the IP header is hashed, AH does not work when NAT (Network Address Translation) lies on the path. AH acts like a digital signature that guarantees the packet is not forged, but it provides no encryption or decryption. Like ESP, AH has two modes: transport mode and tunnel mode.
Figure 31 AH transport mode
Figure 32 AH tunnel mode
In both modes AH authenticates the entire packet (from the data through the IP header). Any change to the IP header on the path causes AH to fail.
The AH header contains the following fields:
Figure 33 AH header
Next Header: 8 bits, identifies the protocol type carried in the payload field.
Payload Length: holds the length of the AH header.
Reserved: reserved for future use (so far it is filled with zeros).
Security Parameter Index (SPI): each endpoint of an IPSec connection chooses its own SPI value, used to identify the connection. The receiver uses the SPI together with the destination IP address and the IPSec protocol type (AH in this case) to determine the SA policy for the packet (that is, which IPSec protocol and which algorithms are applied to it).
Sequence Number: incremented by 1 for every AH datagram a host sends under a given SA policy. The counter starts at 1 and is never allowed to wrap to 0; when the sending host is required to check for wrap-around it does not allow it, and it negotiates a new SA policy if the SA is established. The receiving host uses the sequence number to detect replayed datagrams. If the receiving host does not check it, it may tell the sender that it is not checking the sequence number, but the sender must still always increment and send it.
Authentication Data: holds the result of the Integrity Check Value (ICV), always a multiple of 32 bits (one word), and must be padded if the ICV length in bytes is not a whole multiple.
In operation, IPSec authentication brings great benefit. Alongside it, however, it also brings no small amount of trouble.
AH authenticates packets using the information in the IP header. It is therefore incompatible with the changes that NAT introduces. Because the AH ICV is computed before NAT, the integrity check fails when the packet reaches its destination.
In transport mode, ESP and NAT are incompatible because NAT modifies the packet header. When NAT changes the IP information it also recomputes the checksum in the TCP header, and because the TCP checksum is computed not only over the TCP header but also over IP header information such as the packet's source and destination addresses, NAT breaks packet integrity. In ESP transport mode the entire TCP header is encrypted, so the NAT box cannot recompute the TCP checksum (the same applies to UDP packets when the UDP checksum is computed). As a result the packet is discarded before decryption, since its integrity cannot be guaranteed.
To solve these problems, NAT Traversal appeared in 2001, the result of merging two competing approaches proposed to the IETF by SSH Communications and by the co-authors F-Secure, Microsoft, Cisco and Nortel.
The solution is that, after encryption and authentication, the packet is encapsulated in UDP with two additional fields: a UDP header and Zeropad.
Figure 34 Packet with NAT-Traversal support
At present AH is not compatible with NAT Traversal and, not being widely used, is not a development priority. SSH Communications has also proposed adding AH support.
Of course, to use NAT Traversal both endpoints (gateway to gateway, client to gateway, client to client) must support it.
IKE (Internet Key Exchange)
Authenticates the two parties, negotiates the IKE and IPSec SAs and creates the keys used to encrypt IPSec data; it has the same function as ISAKMP (Internet Security Association and Key Management Protocol).
DH (Diffie-Hellman)
Creates a secret key between two parties over an insecure channel; used inside IKE to create the session key. The two parties agree (possibly in public) on two numbers p and q (an integer smaller than p), and each keeps a secret number, a and b respectively. A then sends X = q^a mod p to B, and B sends Y = q^b mod p to A. Each side computes privately, and both arrive at the same value K = (q^b)^a mod p = (q^a)^b mod p, which is the secret key.
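The exchange above with the thesis's own symbols p, q, a, b, X, Y and K, as an added example that is not part of the thesis. The group (p = 2^127 - 1, generator q = 5) is constructed for the demonstration; IKE uses the standardized MODP groups instead. An eavesdropper sees only p, q, X and Y, never a, b or K.

```python
import hashlib
import secrets

# Constructed demo group (not an IKE group): p is the Mersenne prime 2^127 - 1, q = 5.
P = 2**127 - 1
Q = 5


def keygen(p: int = P, q: int = Q):
    """Pick a secret exponent and return (secret, public value q^secret mod p)."""
    a = secrets.randbelow(p - 2) + 1        # secret in [1, p-2]
    return a, pow(q, a, p)                  # (a, X = q^a mod p)


def shared_secret(own_secret: int, peer_public: int, p: int = P) -> int:
    """K = peer_public^own_secret mod p; rejects degenerate public values that
    would force K into a trivial value (0, 1 or p-1)."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, own_secret, p)


def session_key(k: int) -> bytes:
    """IKE never uses K directly; session keys are derived from it through a prf.
    SHA-256 is used here as that derivation step (assumption for the demo)."""
    return hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def demo():
    """Returns (both_sides_agree_on_K, both_sides_agree_on_session_key)."""
    a, X = keygen()                  # A's secret a and public X = q^a mod p
    b, Y = keygen()                  # B's secret b and public Y = q^b mod p
    K_a = shared_secret(a, Y)        # A computes Y^a = (q^b)^a mod p
    K_b = shared_secret(b, X)        # B computes X^b = (q^a)^b mod p
    return K_a == K_b, session_key(K_a) == session_key(K_b)
```

The check on the peer's public value is the part most often omitted in textbook versions: accepting 0, 1 or p-1 lets a third party force a predictable K, which is why real IKE implementations validate received public values before computing the secret.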
Figure 35 How DH works
Algorithms used
Encryption algorithms
DES (Data Encryption Standard): also called Lucifer, developed by IBM in 1975, a symmetric algorithm operating as a block cipher (64-bit blocks). DES is a sequence of permutations and substitutions of the data bits combined with the encryption key; it supports a 64-bit key of which 56 bits are used for encryption and the remaining 8 for parity checking. If a key shorter than 56 bits is used, for example 40 bits, the real strength of the key is only 40 bits.
DES is built from basic operations, so it can easily be implemented in hardware, with the focus on encryption and decryption speed; it has two sub-modes:
ECB (Electronic Code Book): every 64-bit plaintext block is encrypted with the same 56-bit key, so two identical plaintext blocks encrypted with the same key produce identical ciphertext. An attacker can exploit this by capturing packets and replaying them without caring about their contents. For example, an attacker captures an administrator's login packet protected by DES-ECB and replays it to get into the system. CBC was introduced to counter this.
CBC (Cipher Block Chaining): every 64-bit plaintext block is XORed with the previous ciphertext block, and the XORed plaintext is then encrypted. So even if all plaintext blocks are identical, the resulting ciphertext blocks are not.
3DES (Triple Data Encryption Standard): a variant of DES applied three times with different keys, so 3DES is twice as strong as DES and can resist brute-force attacks. 3DES uses keys up to 168 bits long, compared with DES (56 bits), made up of three 56-bit keys K1, K2, K3.
Encryption: encrypt with K1, decrypt with K2, encrypt with K3.
Decryption: decrypt with K3, encrypt with K2, decrypt with K1.
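The three points of this subsection, padding lengthening the ciphertext (block ciphers above), ECB exposing identical blocks while CBC hides them, and the K1/K2/K3 encrypt-decrypt-encrypt composition of 3DES, in one added example that is not part of the thesis. The 64-bit block "cipher" inside it is a deliberately trivial constructed placeholder (key XOR followed by a byte rotation) so that the mode structure is visible; it has no security value and only stands in for DES, which is not reimplemented here.

```python
BLOCK = 8   # 64-bit blocks, as in DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy invertible block transform: XOR with the key, then rotate bytes left by one.
    It exists only to make the modes observable; it is not a cipher."""
    x = _xor(block, key)
    return x[1:] + x[:1]


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    x = block[-1:] + block[:-1]
    return _xor(x, key)


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # 1..BLOCK bytes are always added
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    p = pkcs7_pad(plaintext)
    return b"".join(toy_encrypt_block(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    p = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(p), BLOCK):
        prev = toy_encrypt_block(key, _xor(p[i:i + BLOCK], prev))   # chain with previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


# 3DES-style composition over the toy transform: E(K3, D(K2, E(K1, block))).
def ede_encrypt_block(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return toy_encrypt_block(k3, toy_decrypt_block(k2, toy_encrypt_block(k1, block)))


def ede_decrypt_block(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return toy_decrypt_block(k1, toy_encrypt_block(k2, toy_decrypt_block(k3, block)))


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def demo():
    """Returns (ecb_repeats, cbc_repeats, cbc_roundtrip_ok, padding_overhead, ede_roundtrip_ok)."""
    key, iv = b"K" * BLOCK, b"\x11" * BLOCK          # constructed sample key and IV
    msg = b"ADMIN-OK" * 3                            # three identical 64-bit blocks
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, iv, msg)
    ecb_repeats = len(set(blocks(ecb)[:3])) == 1     # identical plaintext -> identical ciphertext
    cbc_repeats = len(set(blocks(cbc)[:3])) == 1     # chaining removes the repetition
    k1, k2, k3 = b"1" * BLOCK, b"2" * BLOCK, b"3" * BLOCK
    block = b"8bytes!!"
    ede_ok = ede_decrypt_block(k1, k2, k3, ede_encrypt_block(k1, k2, k3, block)) == block
    return ecb_repeats, cbc_repeats, cbc_decrypt(key, iv, cbc) == msg, len(ecb) - len(msg), ede_ok
```

The repeated-block observation is what makes an ECB-protected login packet recognizable and replayable without knowing its contents; CBC breaks the pattern but, as the ESP section notes, replay still has to be stopped by the sequence number, not by the cipher mode.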
AES (Advanced Encryption Standard): NIST (the National Institute of Standards and Technology) introduced AES to replace DES in encryption devices. AES offers much higher security than DES and is more efficient than 3DES. AES uses 128-, 192- or 256-bit keys.
RSA (Rivest, Shamir and Adleman) signature: asymmetric encryption; depending on the purpose, the appropriate key is used to encrypt and to decrypt; its most widespread application is in digital signatures.
Hash algorithms
MD5 (Message Digest 5): used to authenticate data packets, ensuring that modification in transit is detected. HMAC-MD5 (Hashed Message Authentication Code) is a variant of MD5 that provides greater security than MD5. A hash algorithm is one-way, so converting a hash value back to the original value is impossible. Whatever the size of the input, the output size is fixed. IKE and ESP use MD5 for authentication.
SHA-1 (Secure Hash Algorithm 1): like MD5, SHA-1 is a hash algorithm used to authenticate packet data; its variant is HMAC-SHA-1, used for IKE and ESP authentication.
c. IPSec operation: five main steps
Step 1 - Identify interesting traffic: a flow is considered interesting traffic when it is clearly identified as data that must be protected, according to the policy on the VPN device. Every flow passing through the device (inbound, outbound) is handled in one of two ways:
Bypass IPSec: the data is sent as cleartext.
Apply the predefined IPSec policies.
Step 2 - IKE Phase 1: its basic purpose is to negotiate policies, authenticate the peer and establish a secure channel between the parties; it occurs in two modes:
Aggressive mode: faster, but unlike main mode it does not protect the integrity of the data on the path. The two sides must therefore exchange identifying information before the secure channel is established, in two steps:
Step 1: negotiate the policy, generate the DH public value and send it to the peer together with both sides' authentication information; after signing, the reply packet completes the exchange.
Step 2: reconfirm the exchange.
Main mode: consists of three exchanges:
Step 1: the algorithms and hash functions that secure the IKE information are negotiated and agreed between the parties.
Step 2: DH is used to create the secret key from which all keys for encryption and authentication in step one, and in phase two if needed, are derived.
Step 3: verifies the identity of the other peer, authenticating the remote peer. Without authentication a secure connection could be set up with an attacker.
Policy set: when trying to establish the secure channel, the proposed policies are exchanged. Based on them, each policy is checked in priority order from highest to lowest (one being the highest) until both sides find a policy they both support (the same encryption, authentication, DH and hash algorithms); the next step then follows, otherwise the connection is dropped.
DH key exchange: a key exchange method that lets two parties create a secret key over an insecure channel while keeping the key secure. DH has several groups (1 to 7); group 5 is the most recommended, while group 7 is meant only for handheld devices with weak processors. After group negotiation completes, the secret key is computed. This shared secret key (SKEYID) is used to derive three further keys: SKEYID_a, SKEYID_d and SKEYID_e, each with its own purpose. SKEYID_a is used for authentication, SKEYID_e for encryption (phase 1) and SKEYID_d for generating the phase 2 keys. All of these keys are generated at the end of phase 1.
Authenticate peer identity: on a device in particular, and in life in general, knowing who you are talking to is essential and never superfluous. So before phase 2 (setting up the secure channel for the data), the two peers must authenticate each other. There are two methods: pre-shared key or RSA signature.
Figure 36 Comparison of encryption standards, hash algorithms and authentication methods
Figure 37 Phase 1 negotiation steps
Step 3 - IKE Phase 2: negotiates the IPSec security parameters that protect the IPSec tunnel, establishes the IPSec SA, periodically renegotiates the IPSec SA to maintain security, and creates new keys for the data transfer (optional).
Figure 38 Matching the security parameters
Step 4 - Data transfer: data is transmitted between the two peers.
Step 5 - IPSec tunnel termination: the IPSec SA is deleted or times out.
Detailed operation
IKE phase 1
Pre-shared key
o Main mode
Figure 39 IKE phase 1 using pre-shared key in main mode
Step (1) The initiator sends an ISAKMP packet whose header contains the cookie Ci and the predefined policy SAi (authentication method, encryption algorithm, hash algorithm, DH group, lifetime).
Step (2) The responder replies with an ISAKMP packet containing the received cookie Ci along with its own cookie Cr and SAr. SAr is chosen from the configured policies that match SAi; if none matches, the responder sends a rejection packet.
Steps (3) and (4) build the secret key. This process produces four keys. SKEYID (Shared Key ID) and K are used to derive the remaining three keys:
Figure 40 IKE phase 1 using pre-shared key in aggressive mode
Step (1) The initiator sends an ISAKMP packet containing Ci and its DH public value X to the responder.
Step (2) Having received X, the responder can quickly compute the four required keys: the key, SKEYIDa, SKEYIDe and SKEYIDd. It then sends the cookies, Y and the hash back to the initiator.
Step (3) The initiator sends the hash value and the cookie back to the responder to complete authentication.
Digital signature
o Main mode
Figure 41 IKE phase 1 using digital signature in main mode
Same as pre-shared key except for steps (5) and (6). The random value is hashed and encrypted with each side's own private key and sent together with its certificate. SIG is computed as: SIGi = PRIVATEKEY_i(HASHi), SIGr = PRIVATEKEY_r(HASHr). SKEYID is also computed differently: SKEYID = hash(Ni | Nr | K). On receipt, each side uses the peer's public key to decrypt the signature and obtain the hash value, hashes the random value it received, and if the two values are equal authentication succeeds.
IKE phase 2
Once the secure channel has been established, IKE phase 2 follows, in three steps:
Figure 42 IKE phase 2
Step (1) The initiator sends an ISAKMP packet containing the IPSec SA along with Ni2. This nonce N is used to compute new keys in order to resist replay attacks. Normally all IPSec keys are derived from the SKEYIDd of phase 1, so an attacker who understands how DH works and how SKEYIDd is generated could compute the current keys and the keys used later, until IKE ends. To strengthen security, PFS (Perfect Forward Secrecy) is used to separate the old keys from the new ones. When it is enabled, the DH values (X, Y) are recomputed to generate a new secret key from K:
HASH(1) = hash(SKEYIDa, Mid | SAi | Ni2) without PFS
HASH(1) = hash(SKEYIDa, Mid | SAi | Ni2 | X | IDi | IDr) with PFS
Step (2) The responder sends an ISAKMP packet with similar content.
HASH(2) = hash(SKEYIDa, Mid | SAr | Ni2 | Nr2) without PFS
HASH(2) = hash(SKEYIDa, Mid | SAr | Ni2 | Nr2 | Y | IDi | IDr) with PFS
Step (3) HASH(3) is computed to check the channel before IPSec is established.
HASH(3) = hash(SKEYIDa, 0 | Mid | Ni2 | Nr2)
After the third packet is sent, IPSec transmission begins; if the responder does not receive this third packet, every IPSec packet sent to it is dropped. To avoid this, the responder sets the commit bit during the exchange of the second packet. In the third packet, the responder requires the commit bit to be set. Once the third packet has been authenticated, the responder sends a notification to the initiator that it is ready for the IPSec connection.
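The key derivation of steps (3) and (4) above and the quick-mode HASH(1), HASH(2) and HASH(3) formulas written out as code, as an added example that is not part of the thesis. The prf is HMAC-SHA-1 (the thesis lists HMAC-SHA-1 among the IPSec integrity algorithms); the SKEYID formulas for pre-shared key authentication and the chaining SKEYID -> SKEYID_d -> SKEYID_a -> SKEYID_e follow RFC 2409, and the signature-mode SKEYID is the hash(Ni | Nr | K) given in the text. All of K, the cookies, nonces, message ID and SA payloads are constructed sample values, not from any real exchange.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf is the HMAC of the negotiated hash; HMAC-SHA-1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_preshared(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    return prf(psk, ni + nr)            # pre-shared key authentication (RFC 2409)


def skeyid_signature(ni: bytes, nr: bytes, k: bytes) -> bytes:
    return prf(ni + nr, k)              # the text's hash(Ni | Nr | K) for signature mode


def derive_phase1_keys(skeyid: bytes, k: bytes, ci: bytes, cr: bytes) -> dict:
    """SKEYID and K yield SKEYID_d, SKEYID_a and SKEYID_e, each chained on the previous."""
    d = prf(skeyid, k + ci + cr + b"\x00")          # feeds the phase 2 key material
    a = prf(skeyid, d + k + ci + cr + b"\x01")      # authenticates phase 2 messages
    e = prf(skeyid, a + k + ci + cr + b"\x02")      # encrypts phase 1 messages
    return {"d": d, "a": a, "e": e}


def phase2_hashes(skeyid_a: bytes, mid: bytes, sa_i: bytes, sa_r: bytes, ni2: bytes, nr2: bytes,
                  pfs=None, id_i: bytes = b"", id_r: bytes = b""):
    """HASH(1), HASH(2), HASH(3) of quick mode as written in the text.
    pfs is None, or (X, Y): the fresh DH public values exchanged when PFS is on."""
    if pfs is None:
        h1 = prf(skeyid_a, mid + sa_i + ni2)
        h2 = prf(skeyid_a, mid + sa_r + ni2 + nr2)
    else:
        x, y = pfs
        h1 = prf(skeyid_a, mid + sa_i + ni2 + x + id_i + id_r)
        h2 = prf(skeyid_a, mid + sa_r + ni2 + nr2 + y + id_i + id_r)
    h3 = prf(skeyid_a, b"\x00" + mid + ni2 + nr2)   # the same with or without PFS
    return h1, h2, h3


def demo():
    """Returns (three_distinct_phase1_keys, pfs_changes_hash1_and_2, hash3_unchanged_by_pfs)."""
    psk, k = b"constructed-psk", b"\x7a" * 16        # constructed: pre-shared key and DH secret K
    ni, nr = b"\x01" * 8, b"\x02" * 8                # constructed phase 1 nonces
    ci, cr = b"\xaa" * 8, b"\xbb" * 8                # constructed ISAKMP cookies Ci, Cr
    keys = derive_phase1_keys(skeyid_preshared(psk, ni, nr), k, ci, cr)
    mid, sa_i, sa_r = b"\x00\x00\x00\x07", b"SAi", b"SAr"
    ni2, nr2 = b"\x03" * 8, b"\x04" * 8              # constructed phase 2 nonces
    without_pfs = phase2_hashes(keys["a"], mid, sa_i, sa_r, ni2, nr2)
    with_pfs = phase2_hashes(keys["a"], mid, sa_i, sa_r, ni2, nr2,
                             pfs=(b"X" * 16, b"Y" * 16), id_i=b"IDi", id_r=b"IDr")
    return (len(set(keys.values())) == 3,
            without_pfs[:2] != with_pfs[:2],
            without_pfs[2] == with_pfs[2])
```

Because every quick-mode hash is keyed with SKEYID_a, a party that did not complete phase 1 cannot produce a HASH(3) the responder will accept, which is what the commit-bit handling described above relies on.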
3.2.5 Cc loi VPN
3.2.5.1 Easy VPN
Da trn c s IPSec, Eas y VPN khng khc nhiu so vi IPSec VPN. im khc bit ch cc bc lm vic ca client vser ver .
Hnh 43 Easy VPN S lt hot ng
VPN client khi t o kt ni n ser ver (IKE Phase 1).
VPN client thnh lp mt SA (secur it y association) cho ISAKMP.
VPN ser ver chp nhn SA do VPN client ngh.
VPN ser ver yu cu user name vpassword.
Bt u qutrnh cu hnh.
Bt u qu trnh RRI (Reverse Route Inject ion - tnh nng gip cho qu tr nh t hit k VPN d dng hn khi yu cu t nh nng nng cao nh redundancy hay loadbalancing), t ng t hm cc ng nh t uy n t nh (Static Route) ca Remote Client vo ser ver. Mi ng ny c to t cc thuc tnh c bn nh Network v Netmask vi next hop lim u ca t unnel.
Hon t t qutrnh kt ni vi IPSec quick mode.
Main Mode (hot ng giai on 1) m phn IKE nhm thit lp knh bo mt nh ISAKMP Secur it y Association (SA) gia hai my t nh. ISAKMP SA bo v s tha thun cc tham s bo mt. Do , Main Mode gip xc nh tp hp cc b mt m, trao i kha thit lp kha bo mt chia s (shared secr et key) v xc thc mi bn.
Quick Mode (hot ng sau giai on 1 nhng khng giai on 2) thit lp cc t hng s bo mt (SAs) c gi l IPSec SAs. T r ong sut Mode ny, kha lun c t nh t on li, nu cn thit , c t h sinh r a kha mi. Mt b bo v ph hp cng c la chn. Quick Mode khng c xem ls tr ao i hon chnh bi cn t y t huc vo Main Mode.
Bc 1: Ngi dng gi gi tin t ruy vn n ser ver. Nu pre- shared key c dng xc thc th IKE giai on 1 hot ng Aggressive Mode, cc t n nhm dng phn bit gia cc nhm ngi s dng VPN. Cn nu digit al certif icate c s dng xc thc th IKE g iai on 1 hot ng Main Mode, khi trng or ganizat ion c dng x c nh nhm.
Bc 2: Ngi dng gi cc SA cho Server gm thut ton m ha, bm, phng t hc x c thc vnhm DH.
Bc 3: Sau khi nhn cc SA t client, server kim tr a SA ph hp theo mc u t in cao. Sau , Server gi li cho client SA c chn (SA c h tr trn c client vser ver ).
Bc 4: Hon tt ba bc trn, ser ver s yu cu client cung cp user name v passwor d xc thc. Khi nhn c thng tin xc t hc, server dng AAA kim t ra thng tin xc t hc ny.
Bc 5: Nu xc t hc t hnh cng, client yu cu cc thng s cu hnh nh IP address, DNS, split tunnel infor mat ion t rong IP l bt buc.
Bc6: T hc hin qu tr nh RRI. Khi mi IP client c ghi nhn vo bng Routing ca server . T nh nng ny c khuyn khch s dng khi c nhiu hn mt VPN ser ver tr ong h thng va ch c s dng cp cho client thay v dng IP Pool.
Bc 7: n y, IPSec SA s c thit lp sau VPN connect c hon tt.
3.2.5.2 Site to Site VPN
Vic s dng mt m dnh r ing cho nhiu ngi kt ni nhiu im c nh vi nhau t hng qua mng Inter net, da trn:
Intranet: nu cng t y c vi a im t x a mun t ham gia vo mng r ing duy nht, h c th to r a mt VPN Intr anet (VPN ni b) ni LAN vi LAN.
Ex tranet: khi cng ty c mi quan h mt thit vi cng t y khc nh i t c cung cp,
khch hng h c th x y dng VPN extr anet (VPN m rng) kt ni LAN vi LAN nhiu t chc khc nhau c th lm vic trn mt mi t rng chung.
Hnh 44 Kt ni cc doanh nghip qua mng cng cng
S kt ni hai mng r ing l t hng qua ng hm bo mt, dng cc giao t hc L2T P, hay IPsec. Mc ch chnh lkt ni hai mng li vi nhau, c thit k to mt kt ni mng t rc tip, hiu qu bt chp khong cch gia chng.
3.2.5.3 SSL VPN (hay Web VPN)
Giao t hc a mc ch t o cc giao tip gia hai chng t rnh ng dng trn cng nh trc (socket 443) nhm m ho ton b t hng t in i v n m ngy nay s dng rng ri cho giao dch in t nh tr uy n s hiu t h tn dng, mt khu, s b mt cnhn (PIN) trn Internet.
c hnh t hnh v pht trin u tin vo nm 1994 bi nhm nghin cu Netscape dn dt bi Elgammal v ngy nay tr t hnh chun bo mt thc hnh t rn mng Internet. Phin bn SSL hin nay l 3.0 v vn ang tip tc c b sung v hon thin. SSL kt hp nhng yu t sau thit lp c mt giao dch an ton nhm m bo:
Xc thc: tnh xc t hc ca i t ng bn lm vic u kia ca kt ni.
Mho: t hng tin khng t h b tr uy cp bi i t ng th ba. loi tr vic ng he trm thng tin nhy cm tr uyn qua Internet, d liu phi c m ho khng th b c c bi nhng ngi khc ngoi ngi gi vngi nhn.
Ton vn d liu: thng t in khng sai lch, t h hin chnh x c t hng tin gc gi n. Nh IPSec, SSL khng phi giao t hc n l mltp t h tc chun hothc hin nhim v: Xc thc server: Cho php ng i dng xc t hc server kt ni. Lc ny, pha tr nh duyt dng k t hut mhocng khai chc chn chng nhn vpublic ID ca ser ver l c gitr
v c cp pht bi CA (cert ificate aut horit y) trong danh sch CA ng t in cy ca ngi
dng. iu ny r t quan trng vi ngi dng. V d khi gi m s credit card qua mng ngi dng mun kim t ra liu server nhn t hng tin ny ng lser ver h gi n khng.
Xc thc ngi dng: Cho php pha ser ver xc thc ngi dng mun kt ni. Pha ser ver dng cc k thut m ho cng khai kim tr a chng nhn v public ID c gi tr khng v c cp pht bi CA (cert ificate aut horit y) trong danh sch cc CA ng tin cy ca ser ver. iu ny rt quan trng i vi nh cung cp. V d khi ngn hng nh gi cc thng t in ti chnh mang tnh bo mt ti khch hng th h mun kim t r a nh danh ca ngi nhn.
M ho kt ni: Tt c thng tin tr ao i gia client v ser ver c m ho trn ng tr uy n nng cao kh nng bo mt. iu ny rt quan trng vi c hai bn khi c cc giao dch mang tnh r ing t. Ngoi ra, tt c d liu gi i trn kt ni SSL m ho c bo v nh c ch t ng pht hin x o trn, thay i t rong d liu ( lcc t hut ton bm).
SSL bao g m hai giao t hc con:
SSL record: x c nh cc nh dng dng truy n d liu.
SSL handshake (Giao thc SSL bt tay): s dng SSL record t rao i mt s thng tin gia server vclient vo ln u t hit lp kt ni SSL.
Mt s thut ton c s dng: DES, 3DES, KEA, MD5, RSA, SHA- 1
Giao thc SSL handshake: gm cc bc:
Ngi dng s gi server s phin bn SSL ang dng, tham s ca t hut ton m ho, d liu t o r a ngu nhin ( chnh l ch k s - Digit al Signatur e) v mt s thng tin khc mser ver cn thit lp kt ni vi ngi dng.
Ngc li, ser ver gi thng t in tng t cho ngi dng. Ngoi ra, cn gi chng nhn (certif icate) ca n n ngi dng yu cu chng nhn (certificate) ngi dng nu cn.
Ngi dng s dng t hng t in ser ver gi n x c t hc. Nu ser ver khng xc thc th ngi dng s cnh bo vkt ni khng thit lp. Ngc li, s thc hin t ip.
Dng t hng t in t o r a trong giai on bt t ay, ngi dng (cng s cng t c ca ser ver v ph thuc t hut ton s dng) to r a premaster secr et cho phin lm vic, m ho bng kha cng khai mser ver gi n t rong chng nhn bc 2 vgi n ser ver.
Nu ser ver yu cu xc t hc ngi dng th ngi dng nh du vo phn thng tin r ing lin quan qu t rnh bt t ay hai bn u bit. Khi , ngi dng gi c t hng tin nh du vchng nhn (cert if icate) cng vi premaster secret mhoti ser ver.
Ser ver s xc thc ngi dng. Tr ng hp ngi dng khng c x c thc, phin lm vic b ngt. Cn nu ngi dng xc thc t hnh cng, ser ver dng kho b mt (pr ivate key) gii mpr emaster secret, sau t hc hin cc bc t o r a master secr et.
Ngi dng vser ver dng master secret t o r a session key - kho i xng dng m hovgii mthng t in t rong phin lm vic vkim tr a ton vn d liu.
Ngi dng gi li nhn n ser ver t hng bo message t ip t heo m hobng session key. Sau gi li nhn mhothng bo ngi dng kt t hc giai on bt t ay.
Ser ver gi ngi dng li nhn t hng bo cc message tip theo m hobng session key. Sau , n gi li nhn m hot hng bo ser ver kt thc giai on bt t ay.
Lc ny giai on bt t ay hon t hnh vphin lm vic SSL bt u. C hai pha ngi dng vser ver s s dng cc session key mhovgii mt hng tin.
SSL VPN has three modes:
Clientless: provides secure access to resources and web content; useful for reaching resources and website content through a browser; requires the user to run Windows 2000, Windows XP or Linux. The browser uses HTTP or HTTPS to present links that let the user reach the internal network or internal websites (Internal Website) through them. With File Sharing, the browser lists links that let the user access, create, edit and delete documents, as permitted.
Thin client (also called port-forwarding): extends the browser's encryption capability so that applications using TCP protocols can be reached: POP3, SMTP, SSH, IMAP.
Tunnel mode: uses an SSL tunnel to carry data at the Network layer, so Tunnel Mode supports almost all applications.
Comparison:
Clientless mode | Thin mode | Tunnel mode
Only a web browser is needed (clientless) | Requires TCP port forwarding | Works like a client-less IPsec VPN
Microsoft Windows or Linux operating system | Uses a Java applet | The tunnel client runs on Java or ActiveX
Supports web-enabled applications, file sharing, Outlook Web Access | Extends application support | Supports all applications operating at the network layer
Requires IP and protocol translation, and parsing and rewriting of content | Some supported applications: Telnet, e-mail, SSH | Scalable
| | Requires local administrator rights to install
Table 1 Comparison of SSL VPN modes
In addition, to ensure that user computers meet the minimum standards set before a VPN connection is established, we also have to mention the following feature:
Endpoint Security: a set of features that protect, check and assess the user's computer before it is allowed to join the network. These features are mostly supported on firewall appliances or bundled with them, such as Checkpoint, ASA, and so on. Installed on the user's computer, Cisco Secure Desktop (CSD) checks the operating system (OS), antivirus, antispyware, processes and registry, protects the data of the working session, and finally deletes all history such as cookies, URL history, page cache and downloaded files.
CSD is an excellent solution for keeping the system well protected: if a user is found to have a problem, it is isolated immediately so that it does not affect the system. When a user connects to the web VPN, before the connection is established, CSD checks the whole user machine to ensure it has no problems with respect to the requirements set.
Host scan: by checking the registry, CSD learns the operating system (OS) and service pack. CSD checks the antivirus and antispyware software and their versions, as well as the firewall software. All this information is stored on the ASA.
Secure session: ensures that data in the Web VPN session is encrypted and cannot be analyzed, exploited or stolen if the user's access is hijacked or compromised by hackers.
Cache cleaner: wipes all traces of the user's Web VPN access.
CSD Onscreen Keyboard (OSK): counters hardware or software keyloggers when the user logs in or throughout the Web VPN session. Currently there are many keylogger versions CSD can detect. However, the evolution of this threat cannot be predicted, so newer versions may not be detected by CSD. OSK is therefore the safest solution to this problem.
PART 4: BUILDING IPS AND IDS
4.1 Overview of IDS and IPS
4.1.1 Introduction
The global Internet is growing at an astonishing rate worldwide, profoundly changing the way most agencies, organizations and individuals work, exchange information, communicate and live. Alongside the advantages it brings, the threats keep increasing in severity, in their ability to spread and in the complexity of their methods. These threats affect, destroy, distort or steal information and data in parts of the network or in all of it.
Software or dedicated devices monitor traffic entering and leaving the network, analyze it for signs of security policy violations, detect and prevent potential risks, sabotage or actions such as worms and port scanning, and provide the information needed to recognize abnormal actions and alert the administrator.
This is a new security technique that combines the advantages of a firewall with the intrusion detection system (Intrusion Detection System - IDS) and is called IDPS (Intrusion Detection Prevention System). IDS and IPS have much in common, but unlike IDS, IPS does not merely monitor; it also blocks attacks. They allow an organization to prioritize, take steps to prevent intrusion, harden the network perimeter and improve the protection of devices in the network.
Figure 45 IPS (Intrusion Prevention System) system
IDPS mainly focuses on identifying intrusion threats, logging information, attempting to block harmful activity and reporting to the network administrator. Today IDPS has become an indispensable part of the security infrastructure of most businesses.
4.1.2 History
About 25 years ago, the concept of intrusion detection (Intrusion Detection) appeared in a paper by James Anderson. At that time IDS was developed to monitor and study user behavior and abnormal user behavior in order to reduce the loss of network assets; the formal research ran from 1983 to 1988 before it was used in the network of the US Air Force.
By 1996 the IDS concept was still not widespread, appearing mostly in laboratories and research institutes. However, some IDS technologies began to develop on the back of the boom in information technology.
In 1997 IDS became widely known and truly profitable, led by the company ISS. A year later Cisco recognized the importance of IDS and acquired the company Wheel, a provider of IDS solutions.
In 2003 IPS, the next generation after IDS, was born and subsequently became widespread. Today IDS/IPS remains one of the most widely used security technologies in the world.
4.1.3 Reasons for its emergence
Administering and operating an IDS system is increasingly difficult, costly and ineffective. That is the view of most businesses today. In 2003 Gartner, a leading company in global information technology market research and analysis, issued a prediction that shook the security field: intrusion detection systems (IDS) would be gone by 2005. This statement was based on analysis and assessment results showing that IDS systems faced the following problems:
They frequently raise many false alarms (False Positives).
They burden security administrators because an IDS must be monitored continuously.
Following up on attack alerts is a very laborious security process.
They cannot monitor data flows transmitted faster than 600 Mbit/s.
Overall, Gartner made this remark based on many reports from customers using IDS that administering and operating an IDS system is very difficult, costly and does not deliver results commensurate with the investment.
However, some opposing opinions held that IDS failing to deliver the expected effectiveness was due to problems in management and operation, not to the nature of IDS packet inspection and analysis technology. Specifically, for an IDS system to operate effectively, the roles of the tools and of the administrators are very important, and the following criteria must be met:
Collect and correlate all security events detected by the IDSs and firewalls to avoid false alarms.
The management components must operate and analyze automatically.
Combine with automatic blocking measures.
Given the limitations of IDS, especially after large-scale automated attacks such as Code Red, NIMDA and SQL Slammer, the question became how to block attacks automatically rather than merely raise alerts, in order to reduce the administrator's workload. Out of these needs IPS was born in 2003 and shortly afterwards became widespread.
Combined with upgraded management components, IPS gradually replaced IDS because it reduces the need for human intervention as well as the operational burden. Moreover, in some special cases IPS works as an IDS by switching off the intrusion prevention feature.
By 2005 the next generation of IDS, the automatic intrusion detection and prevention system IPS, had gradually overcome the limitations of IDS and works far more effectively than its predecessor. Today networks tend towards IPS solutions.
4.2 Classification
The main function of an IPS is to monitor traffic carried on the network to identify threats, log the necessary information and report for system assessment. Depending on the type of network being monitored, the corresponding type of IPS is chosen, from four main types:
4.2.1 Host-based Intrusion Prevention System (HIPS)
Monitors and logs everything on the host (including the operating system, applications and all services). It is a security device that detects attacks directed at the host.
Figure 46 HIPS system
HIPS is built on HIDS (Host-based Intrusion Detection), developed from the early 1980s. Today HIPS is one of the most powerful tools for countering attacks and protecting hosts effectively. HIPS analyzes audit logs to monitor the system, the events and the security logs on Windows NT and syslog on Unix. In addition, HIPS intercepts operating system and application calls, secures the operating system and application configuration, validates incoming service requests and analyzes local logs for suspicious activity. When a change is detected, HIPS compares the new log against the preconfigured attack signatures; if they match, HIPS automatically notifies the administrator and takes the corresponding action.
HIPS uses rules based on a combination of attack characteristics and detailed knowledge of the operating system and applications on the host, which lets HIPS identify abnormal activity and take appropriate blocking action. Furthermore, HIPS improves host security with rules that control operating system behavior, the processor (such as buffer overflows), registry updates, application installation and so on. Rules that check network traffic limit the number of connections to counter Denial of Service (DoS) attacks. HIPS does not care where the host is located in the system. The following diagram depicts hosts in a network using HIDS:
Figure 47 HIDS installed on the hosts
Today's HIPS systems require Agent software to be installed on each machine to examine the activities executed on it, counter attacks and perform the analysis and protection that detect intrusion into the machine.
Advantages
Verifies the success or failure of an attack: because HIPS mainly analyzes the event log of what actually happened on the system, the probability of detecting an attack is higher than with NIPS (Network-based Intrusion Prevention), with fewer false alarms.
Monitors system activity: tracks users and file access activity such as permission changes on files and access to privileged system services.
Suitable for encrypted and switched environments: switches divide a large network into smaller segments, which makes it hard to determine the best location to deploy an IPS that covers the whole network. HIPS gives greater visibility in a switched network because HIPS is installed on many different hosts in the system. In addition, HIPS overcomes the weakness of NIPS with encrypted packets: once the operating system sees the incoming connection, the data streams have already been decrypted.
No additional hardware required: built on the existing infrastructure.
Low deployment cost: compared with NIPS (Network-based Intrusion Prevention).
Disadvantages
Limited network visibility: hard to build an overall picture of the network.
Requires support for many operating systems: HIPS must run on the machines in the network, so it requires validated support for the different operating systems used in the network.
4.2.2 Network-based Intrusion Prevention (NIPS)
Inspects the network interfaces in real time, scans packet headers and inspects packet contents to detect dangerous code or different kinds of attacks. NIPS operates reliably in detecting attack types on the network.
Figure 48 NIPS system
NIPS uses monitoring devices, sensors, across the whole network to capture and analyze traffic entering and leaving the system in order to detect dangerous activity and unauthorized intrusion and take appropriate action. These sensors are deployed at network points that let the administrator monitor network activity regardless of the location of the attack target, and tune the intrusion prevention analysis. The base operating system on which the IPS software is installed must have unnecessary network services turned off and the essential services secured. The hardware consists of the following:
Network card (NIC - Network Interface Card): NIPS must be able to connect to any network (Ethernet, Fast Ethernet, Gigabit Ethernet).
Processor: intrusion prevention requires CPU power to analyze, detect intrusions and match the preconfigured attack signatures.
Memory: directly affects the ability of NIPS to detect attacks.
Figure 49 Operation of NIPS
Whatever the expansion of the network, computers can be added to it without installing any additional sensors. Additional sensors are required only when sensor performance no longer meets current needs, or when a change in security policy or network topology calls for more sensors.
Advantages
Easy to see attacks occurring across the entire network.
No need to deploy IDS on every computer in the system; independent of the host operating system.
Disadvantages
Cannot recognize encrypted traffic flows.
Hard to place the NIPS so that it captures all network traffic, especially as the network grows larger. Solving this requires additional sensors, which in turn raises deployment cost.
Overall, HIPS and NIPS each have their own advantages and difficulties. The choice depends on the deployment model. If HIDS is the perfect solution for hosts, NIDS protects the LAN effectively. Managing HIDS requires less specialized knowledge, while NIDS requires more attention from the administrator. Below is a comparison of the functions of the two systems:
Function | HIDS | NIDS | Assessment
Protection inside the LAN | **** | **** | Both protect inside the LAN
Protection outside the LAN | **** | - | Only HIDS
Ease of administration | **** | **** | Equivalent in the general administration context
Flexibility | **** | ** | HIDS is the more flexible system
Cost | *** | * | HIDS is more economical
Ease of adding components | **** | **** | Both are equivalent
Short-term training required | **** | ** | HIDS requires less training than NIDS
Total cost | *** | ** | HIDS costs you less
LAN bandwidth required | 0 | 2 | NIDS uses LAN bandwidth heavily, HIDS does not
Network overhead | 1 | 2 | NIDS needs two bandwidth requirements on any LAN
Bandwidth required (Internet) | ** | ** | Both need Internet bandwidth to update the signature files promptly
Port expansion requirements | - | **** | NIDS requires port expansion to be enabled so that LAN traffic is scanned
Update cycle for users | **** | - | HIDS upgrades all users with central signature files
Adaptability across application platforms | ** | **** | NIDS adapts better across application platforms
Local registry scanning | **** | - | Only HIDS performs this kind of scan
Logging | *** | *** | Both have logging
Alerting | *** | *** | Both alert individual users and administrators
PAN scanning | **** | - | Only HIDS scans the personal area network
Packet dropping | - | **** | Only NIDS has this method
Expertise | *** | **** | More expertise is needed to install and use NIDS for the whole network security problem
Central management | ** | *** | NIDS has the advantage
Disabling risk factors | * | **** | NIDS carries more risk factors than HIDS
Update capability | *** | *** | Software upgrades are easier than hardware, via centralized scripts
Detection nodes on multiple LAN segments | **** | ** | Detects multiple segments more comprehensively
Table 2 Comparison of the functions of HIPS and NIPS
In addition, IPS is also deployed on the following kinds of network:
Wireless Intrusion Prevention System (WIPS): analyzes the activity of wireless network protocols to detect suspicious traffic entering or leaving the wireless network.
Network Behavior Analysis (NBA): monitors network traffic to identify potential risks arising from abnormal traffic such as DDoS, malware and policy violations.
Perimeter Intrusion Detection System (PIDS): detects and pinpoints intrusion attempts on the perimeter fence around critical infrastructure. Using fiber-optic cable, PIDS detects disturbances on the fence; the signal is monitored and an alarm is triggered when an intrusion is detected.
VM-based Intrusion Detection System (VMIDS): detects intrusions by monitoring on virtual machines; the detection system is deployed through Virtual Machine Monitoring. This is one of the recent inventions and is still at the research stage. Without building any separate IDS, we can still monitor the network as a whole.
4.3 Operating principle of the system
An IPS is successful if it meets these factors: acts quickly and accurately, raises sensible alerts, analyzes all of the throughput, senses as much as possible, blocks successfully and has a flexible management policy. It consists of three main modules:
4.3.1 Traffic analysis
Captures the packets arriving at the network for analysis. Normally a packet whose address is not that of the network card is discarded by the card, but the IPS network card is set to receive all of them. Every packet passing through is copied, processed and analyzed field by field. The analyzer reads the information fields in the packet to determine what kind of packet it is, which service it belongs to, and so on. This information is passed to the attack detection module.
4.3.2 Attack detection
The most important module, which detects attacks; it comprises three monitoring methods:
4.3.2.1 Attack signatures (Signature-based Detection or Misuse Detection)
A set of rules used to identify common intrusion activity, analyze system activity, track events and compare them with preconfigured attack patterns:
Exploit-based signature: detects tools probing for vulnerabilities, such as password guessing, automated attack shell scripts or simple procedures that search for system vulnerabilities, as well as executable code.
Vulnerability-based signature: analyzes vulnerabilities in the execution of application programs, risks to security or to system function such as weak passwords, handling of unexpected input or insecure access paths.
Creating signature-based detection requires the administrator to have real skills and understanding of the attack types and threats in order to develop detection signatures. As more attack methods and exploits are discovered, the IPS vendor must supply updates to the signature file.
If traffic matches any attack signature, the IPS takes the appropriate action according to its preconfiguration, without user intervention. Attack detection is therefore fast and accurate, without false alerts that reduce network capacity, and helps administrators identify security holes in the system. However, this method has the disadvantage that it cannot detect attacks that are not in the database, that is, new attack types, so the system must constantly be updated with new attack patterns.
Benefits
Few false alarms: the signatures are based on knowledge of intrusion activity, so the probability of detecting an attack is high.
The system is easy to understand: it is easy to adjust the action taken for any alert. In addition, a signature can be captured and used to check the whole network.
New attacks are updated frequently: the signatures change continuously after installation.
Limitations
Cannot detect new or unknown attacks (false negative): because it works from predefined signature patterns, it is hard to recognize new attack forms never seen or discovered before.
Cannot detect variations of known attacks: the signature files are static and therefore do not adapt to the system. If the attack method is changed, the attacker may intrude without being detected (false negative).
Managing the signature database: keeping the signature database updated and current requires investing a lot of time and money.
Limited sensor memory: to keep state information available for fast lookup, the sensor holds the state information in memory.
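Signature matching over web request URIs, as an added example that is not the thesis's code: it pairs exploit-based and vulnerability-based signatures (as defined above) with a count of true/false positives and negatives, and shows how matching the raw request instead of the decoded one turns known attacks into false negatives. The signatures, sample URIs and attack labels are constructed for illustration.

```python
"""Signature-based (misuse) detection over web request URIs, evaluated against
labelled sample traffic. Added example, not code from the thesis; signatures,
sample requests and labels are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str            # "exploit": a known payload fragment; "vulnerability": the weakness itself
    pattern: re.Pattern


SIGNATURES: List[Signature] = [
    # exploit-based: concrete fragments of a known attack payload
    Signature("sql-union-select", "exploit", re.compile(r"union\s+select")),
    Signature("html-script-tag", "exploit", re.compile(r"<script")),
    # vulnerability-based: an over-long parameter value, whatever tool produced it
    Signature("overlong-parameter", "vulnerability", re.compile(r"=[^&]{200,}")),
]


def normalize(uri: str) -> str:
    """Undo percent-encoding and '+' spaces and fold case, so the signature is
    compared with what the web server will actually interpret."""
    return unquote_plus(uri).lower()


def match(uri: str, normalize_first: bool = True) -> List[str]:
    """Names of all signatures that fire on this request URI."""
    text = normalize(uri) if normalize_first else uri
    return [s.name for s in SIGNATURES if s.pattern.search(text)]


# Constructed sample traffic: (request URI, labelled as attack?)
SAMPLE_TRAFFIC = [
    ("/search?q=network+security", False),
    ("/item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users", True),
    ("/profile?name=%3Cscript%3Ealert(1)%3C/script%3E", True),
    ("/upload?note=" + "A" * 300, True),
    ("/docs/union-select-statement.html", False),
    ("/blog?title=the+script+of+the+play", False),
    ("/news?union=1&select=2", False),
    ("/forum/post?body=how+to+use+union+select+in+sql", False),
]


def evaluate(normalize_first: bool) -> Dict[str, int]:
    """Confusion counts: fn = attacks missed, fp = alerts raised on benign requests."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for uri, is_attack in SAMPLE_TRAFFIC:
        alerted = bool(match(uri, normalize_first))
        if is_attack:
            counts["tp" if alerted else "fn"] += 1
        else:
            counts["fp" if alerted else "tn"] += 1
    return counts


if __name__ == "__main__":
    # Raw matching misses the encoded/upper-case variants (false negatives);
    # decoding first catches them, at the price of one false positive on a forum post.
    print("raw matching:       ", evaluate(normalize_first=False))
    print("normalized matching:", evaluate(normalize_first=True))
```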
4.3.2.2 Anomaly signs (Statistical Anomaly-based Detection)
A smart technique that recognizes abnormal actions. Initially the IPS stores profile tables of user groups or of normal system activity (such as group permissions by activity and resource; a web server must have a profile of its activity based on web traffic, and similarly for a mail server). The more distinct profile tables there are for each kind of service, the more accurate the alerts the IPS raises. It then compares the traffic entering and leaving the system against them and identifies which activity is abnormal and potentially harmful to the system, using techniques that include:
Threshold detection: concentrates on exceeding the thresholds set for normal activity, such as logging in more times than allowed, the number of processes running on the CPU, the number of packets of one type sent exceeding a limit, and so on; the system then treats this as harmful activity.
Self-learning detection: two steps. When first set up, the attack detection system runs in learning mode and creates a profile of how the network behaves under normal activity. After the initialization period, the system runs in working mode, monitoring and detecting abnormal network activity by comparing it with the established profile. Learning mode may run in parallel with working mode to update its profile, but if an attack signal is detected, learning must stop until the attack ends.
Protocol anomaly detection: based on the activity of the protocols and services in the system, finds invalid packets and abnormal activity that are signs of intrusion or attack. This technique is effective in preventing the network scanning and port scanning that hackers use to gather information.
This method is effective in detecting denial-of-service attacks and new types of attack, and provides useful information that supplements the previous method. However, it sometimes generates false alerts that reduce network performance.
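The threshold and self-learning techniques described above, as an added example that is not the thesis's code: a learning phase builds a per-metric profile, the working phase flags observations that exceed a fixed threshold or deviate too far from the profile, and, as the text requires, observations flagged as attacks are never absorbed into the profile. Metric names, counts and the z-score limit are constructed assumptions.

```python
"""Statistical anomaly detection with a learning phase and a working phase.
Added example, not code from the thesis; metric names and values are constructed."""
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Profile:
    samples: List[float] = field(default_factory=list)
    hard_limit: Optional[float] = None      # threshold detection: a fixed ceiling

    @property
    def mean(self) -> float:
        return statistics.fmean(self.samples)

    @property
    def stdev(self) -> float:
        # floor of 1.0 keeps near-constant count data from alerting on noise
        return max(statistics.pstdev(self.samples), 1.0)


class AnomalyDetector:
    def __init__(self, z_limit: float = 3.0):
        self.profiles: Dict[str, Profile] = {}
        self.z_limit = z_limit              # constructed: how many std devs count as abnormal

    def learn(self, metric: str, value: float) -> None:
        """Learning mode: record what normal activity looks like for this metric."""
        self.profiles.setdefault(metric, Profile()).samples.append(value)

    def set_threshold(self, metric: str, limit: float) -> None:
        """Threshold detection, e.g. failed logins per user beyond the allowed number."""
        self.profiles.setdefault(metric, Profile()).hard_limit = limit

    def observe(self, metric: str, value: float) -> Optional[str]:
        """Working mode: return the reason for an alert, or None if the value is normal.
        Normal values keep training the profile; flagged values are excluded so
        an attack cannot drag the baseline towards itself."""
        prof = self.profiles.setdefault(metric, Profile())
        reason = None
        if prof.hard_limit is not None and value > prof.hard_limit:
            reason = "threshold"
        elif len(prof.samples) >= 2 and abs(value - prof.mean) / prof.stdev > self.z_limit:
            reason = "z-score"
        if reason is None:
            prof.samples.append(value)
        return reason


if __name__ == "__main__":
    det = AnomalyDetector()
    # constructed learning-phase data: web requests per minute on a quiet day
    for count in [95, 100, 105, 98, 102, 100, 97, 103]:
        det.learn("web_requests_per_min", count)
    det.set_threshold("failed_logins_per_user", 5)
    # constructed working-phase observations
    for metric, value in [("web_requests_per_min", 104), ("web_requests_per_min", 500),
                          ("failed_logins_per_user", 3), ("failed_logins_per_user", 12)]:
        print(f"{metric:24s} {value:6.0f} -> {det.observe(metric, value) or 'normal'}")
```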
Benefits
Easily detects external attackers or account thieves.
Improves on the limitations of the signature-based method: whereas an attacker can examine the signatures on an IPS and choose attack methods and tools accordingly, with this method that is extremely hard, because no predefined signature database is used and the intruder cannot know exactly what will trigger an alert.
Suited to detecting new attacks: it does not rely on a fixed set of signatures or on known attack forms; the profile is dynamic and uses artificial intelligence to define normal activity.
Limitations
Long initial preparation time, with no protection during the initialization period.
Difficulty creating user group profiles: ensuring the quality of these profiles is fairly complex.
Profiles must be updated frequently: whenever user habits change.
Difficulty defining normal behavior: the IPS works really well only when it defines which actions are normal. This is a challenge in environments where users' work or responsibilities change frequently.
False alarms: anomaly-based systems tend to have many false positives because they are always looking for anything unusual.
Defining user profiles and system activity is fairly complex: statistical sampling, rule-based methods and neural networks are the ways of creating profiles, and they are hard to understand and explain.
4.3.2.3 Protocols (Stateful Protocol Analysis Detection)
Like Signature-based Detection, it performs deep analysis of the specific protocol identified in the packet. Example: a hacker starts running an attack program against a server. First the hacker must send an IP packet carrying the protocol type, possibly with no data in the payload field; this method monitors the basic attack types on a number of protocols:
Checks the protocol's capabilities to determine whether the packet is legitimate.
Checks the content of the payload (pattern matching).
Issues warnings on anything abnormal.
4.3.2.4 Policy (Policy-based IPS)
Raises an alert when an action violates a preconfigured policy.
Benefits
Separate policies: a policy can be set for each device in the system.
Fast confirmation and response: very few false alerts.
Limitations
Requires a certain amount of experience and knowledge: setting policies requires the system administrator to have a certain level of experience and knowledge, and managing these policies is fairly complex.
Frequent reconfiguration: whenever new devices are added to the system.
Difficult to administer remotely.
4.3.3 Response
When there is a sign of attack or intrusion, the attack detection module signals the response module. The response module then activates the firewall to block the attack, or alerts the administrator. If it only raises alerts, the system is called a passive defense system. Below are some blocking techniques:
Process termination: sends packets that destroy the suspicious process. However, the intervention comes later than the moment the process attacks, so the attack may have finished before the intervention begins. In addition, this technique is ineffective with UDP protocols such as DNS, and the intervention packet must match the sequence of the packets in the attacking process's session. If the attacking process runs quickly, this method is hard to carry out.
Attack cancellation: dropping or blocking the incoming packets, the session or an attacking traffic flow; this is the safest option but can mistakenly affect legitimate packets.
Changing firewall policy: lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration temporarily changes the access control policies for particular users while the administrator is alerted.
Real-time alerts: real-time alerts are sent to the administrator so that they can grasp the details, characteristics and information of the attacks.
Logging to files: packet data is stored in the system's log files. Its purpose is to let the administrator monitor the traffic flows and the data sources that help the attack detection module operate.
4.4 Some related terms
Event horizon
To detect an intrusion, the IPS checks information against the signatures in its database. Sometimes, however, this information is spread over several packets. When a signature requires several data fragments, the IDS maintains state information for the signature from the moment it sees the first fragments. This state is kept for the event horizon period, which differs for each type of attack. For some attacks this is the period from logon to logoff; for other attack types it can last for days.
False negative
When the IPS misses alerting on an intrusion. A false negative describes a real attack that the IPS missed because of its configuration. Most IPS developers design their systems to avoid such false negatives. However, eliminating all false negatives requires frequent updates of the attack signatures, so that the system always recognizes new attack types.
False positive
The opposite of a false negative: a false positive is known as raising an alert when no attack is taking place at all. When an IPS raises too many false alarms, network performance suffers. Limiting both false negatives and false positives is always the goal of most administrators when deploying an IPS.
True Positive
Describes the IPS raising a correct alert when it detects an attack or unauthorized intrusion into the network. This is also the goal of the experts who research and develop IPS.
True Negative
Raising no alert at all when there is no attack or unauthorized intrusion into the network. Ensuring that the IPS always tends towards true negatives and true positives is what many businesses want. However, this requires investing a great deal of time and money, and the attention of the administrators.
PART 5: BUILDING A FIREWALL FOR THE NETWORK OF
HOA SEN UNIVERSITY
5.1 Introduction
Hoa Sen University has its headquarters in the center of Ho Chi Minh City, the dynamic center of Vietnam and the region. Founded in 1991, when the socio-economy was turning towards international integration, the school set itself the goal of substantive education and training that closely follows the needs of society, with technician training programs. Training that meets the needs of society continued to be maintained and developed when the school became a college in the final years of the 20th century. The vision, mission and training philosophy formed on these core values continued to carry Hoa Sen forward as a university from 2006.
5.2 Requirements
Under the theme of the 2010 - 2011 school year, "Together we reach higher", the university aims to strengthen still more successful cooperation between Hoa Sen University and its academic, business and social partners. This school year the school welcomed 2623 new students, so to satisfy learning needs and raise working efficiency, the school decided to upgrade the entire network at its campuses:
Build an internal network including offices and student labs, and provide wireless connectivity so students can look up online resources outside class hours.
Ensure information security and prevent unauthorized intrusion into the system by deploying a firewall system and a VPN solution for remote access between campuses, while monitoring and logging attacks through IDS/IPS.
Provide a backup for the firewall in case of failure, divide the inspection of traffic flows across the firewalls to make maximum use of firewall performance, and load-balance the Internet connections so that the system works well and continuously.
Specific requirements for each department:
Working hours | Department | Users | Specific requirements
8:30 to 11:30, 13:00 to 17:00 | Training, Admissions, Finance and Accounting | Teachers, staff | Allow access to the Web, the File Server and mail; share files between departments.
6:30 to 12:00, 13:00 to 17:30 | Lab (for all students) | Students | No Internet access.
6:30 to 12:00, 13:00 to 17:30 | Network Practice Lab | Students | Allow Internet, mail and other services so students can practice designing systems.
6:30 to 12:00, 13:00 to 17:30 | Library | Students | Web access only (Internet from 10:00 to 14:00).
6:30 to 17:30 | Wireless | Students, staff, guests | Allow Internet access.
Table 3 Requirements for the departments
5.3 Deployment
5.3.1 Network diagram at the headquarters
5.3.1.1 Network model
Based on the firewall architecture patterns above, we decided to deploy the firewall system for Hoa Sen University according to one of the following two models:
(a)
(b)
Figure 50 Network diagram of Hoa Sen University
Differences
With the first diagram: together with the Active/Active Failover firewall redundancy technology, we also use HSRP (Hot Standby Router Protocol), the least costly solution we chose (there are more optimal solutions, mentioned in the Load Balancing Firewall section), in order to make maximum use of the device resources. Although it exploits the system's resources fully, it also brings the following limitations:
High investment cost.
Requires network administrators with a certain level of experience and skill.
Deployment and administration are fairly complex because quite a few devices are used (especially Layer 3 switches).
With the second diagram: uses Active/Standby Failover firewall redundancy.
By removing devices (the Layer 3 switches), the investment cost is reduced significantly. Deploying the second model also reduces the administrator's burden, avoiding the issues of HSRP or of load-balancing solutions for the firewall. However, compared with the first model, this model has one limitation:
It does not exploit all of the system's resources (specifically the two Standby firewalls).
According to the two diagrams, the network of Hoa Sen University consists mainly of four network zones, arranged in order of decreasing security:
Network zone | IP range | Subnet mask | Description
Inside Network | 172.16.x.0 (x: corresponding VLAN) | 255.255.255.0 | Trusted internal network. Highest security level (100)
Server Farm | 10.0.0.0 | 255.255.255.0 | Location of critical servers (including the Database Server). Security level 100
Demilitarized Zone (DMZ) | 11.0.0.0 | 255.255.255.0 | Location of servers published to the Internet (including the Web Server and Mail Server). Security level below the Server Farm (50)
Outside Network (Internet) | Public IP ranges other than the ranges above | | Untrusted network. Lowest security level (0)
Table 4 Network zones in the Hoa Sen University system
In addition, for the point-to-point links between devices we use the address range 193.1.0.0/16, configured from the inside outwards as follows:
Device | Link | IP range | Subnet mask
Inside firewall pair | Layer 3 switch to Active Firewall | 193.1.1.0 | 255.255.255.0
Inside firewall pair | Layer 3 switch to Standby Firewall (Inside pair) | 193.1.2.0 | 255.255.255.0
Between the inside and outside firewall pairs | Between the two Active firewalls | 193.1.4.0 | 255.255.255.0
Between the inside and outside firewall pairs | Between the two Standby firewalls | 193.1.3.0 | 255.255.255.0
Outside firewall pair | Edge router to Active Firewall (Outside pair) | 193.1.5.0 | 255.255.255.0
Outside firewall pair | Edge router to Standby Firewall (Outside pair) | 193.1.6.0 | 255.255.255.0
Table 5 IP address ranges on the links between devices
5.3.1.2 Defining the user groups
Each department corresponds to a user group and is separated into its own VLAN; there are 9 departments as follows:
Department | VLAN | IP range | Subnet mask | Description
Access Point | 1 | 172.16.1.0 | 255.255.255.0 | Wireless network for guests, staff and students
NetLab | 2 | 172.16.2.0 | 255.255.255.0 | Lab for networking students
Lab | 3 | 172.16.3.0 | 255.255.255.0 | Practice room for all students
Library | 4 | 172.16.6.0 | 255.255.255.0 | Library for students' self-study
Faculty | 5 | 172.16.7.0 | 255.255.255.0 | Teachers' lounge
Training | 6 | 172.16.8.0 | 255.255.255.0 | Bookkeeping and activity reports
Finance | 7 | 172.16.9.0 | 255.255.255.0 | Management of academic results
Admission | 8 | 172.16.10.0 | 255.255.255.0 | Providing and processing admissions information
IT | 9 | 172.16.11.0 | 255.255.255.0 | System administration
Table 6 VLANs of the departments
Besides the 9 VLANs configured above, we configure 2 more VLANs: the Restricted VLAN (used when a user fails to log in) and the Guest VLAN (used when a blank username and password are supplied at login).
We also deploy a VOIP telephony system for each department. Here we define the format of a user account's telephone number as xxxx, where:
The first two digits are the campus number.
The next digit is the department number.
The last digit is the user's order number.
The order numbers of campuses, departments and users are set out in the following tables:
Campus | Number
Quang Trung | 11
Nguyen Van Trang | 22
Cao Thang | 77
Table 7 Campuses where VOIP is deployed
Department | Number
Faculty | 1
Training | 2
Finance | 3
Admission | 4
Library | 5
NetLab | 6
Lab | 7
Table 8 Departments where VOIP is deployed
User account | Number
User 1 | 1
User 2 | 2
Table 9 Order numbers of user accounts
5.3.1.3 Packet inspection rules on the firewall
Inspecting the packets entering and leaving the network is extremely important and plays a decisive role in detecting and blocking attacks on the system. Therefore, to strengthen the security of the network, we build inspection rules of two kinds:
Network-layer rules for each department: three kinds corresponding to the three network zones, applied to traffic originating from:
Inside network: configured on the inside firewall
Department | Action | Protocol | Time applied | Description
Access Point | ALLOW | HTTPS | 6:30 am to 5:30 pm | Allow establishing a Web VPN for Internet access
Lab | DENY | ALL | 0:00 to 24:00 | Deny all access to the outside network
NetLab | ALLOW | ALL | 6:30 am to 5:30 pm | Allow all protocols to the Internet
IT | ALLOW | ALL | 6:30 am to 5:30 pm | Allow access to the web server in the DMZ, web access on the Internet, the network management protocols and user support
Remaining departments | ALLOW | HTTP, HTTPS, SMTP, FTP, SMB, SKINNY | 6:30 am to 5:30 pm | Only allow web, file server and mail server access, file sharing and VOIP
Table 10 Rules for the departments in the internal network
Outside the hours above, the firewall blocks all connections from the inside to the outside.
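Table 10 and the outside-hours rule evaluated in code, as an added example that is not the thesis's firewall configuration: the rules are checked in table order, "remaining departments" is taken to mean departments not named in any other row, and anything unmatched falls through to an implicit deny. The department and protocol names come from the table; the evaluation order and the inclusive time windows are assumptions made here.

```python
"""Network-layer rule evaluation for the inside firewall (Table 10 plus the
outside-hours rule). Added example, not the thesis's configuration."""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

ALL = "ALL"
REST = "*"      # stands for "remaining departments"


@dataclass(frozen=True)
class Rule:
    department: str
    action: str                   # "ALLOW" or "DENY"
    protocols: FrozenSet[str]     # {ALL} means any protocol
    start: time                   # window is inclusive at both ends (assumption)
    end: time


WORK = (time(6, 30), time(17, 30))   # "6:30 am to 5:30 pm"

INSIDE_RULES = (
    Rule("Access Point", "ALLOW", frozenset({"HTTPS"}), *WORK),
    Rule("Lab", "DENY", frozenset({ALL}), time(0, 0), time(23, 59, 59)),
    Rule("NetLab", "ALLOW", frozenset({ALL}), *WORK),
    Rule("IT", "ALLOW", frozenset({ALL}), *WORK),
    Rule(REST, "ALLOW", frozenset({"HTTP", "HTTPS", "SMTP", "FTP", "SMB", "SKINNY"}), *WORK),
)
NAMED = {r.department for r in INSIDE_RULES if r.department != REST}


def matching_rule(department: str, protocol: str, at: time) -> Optional[Rule]:
    """First rule in table order that applies to this flow, or None."""
    for rule in INSIDE_RULES:
        if rule.department == REST:
            if department in NAMED:        # "remaining" excludes departments with their own row
                continue
        elif rule.department != department:
            continue
        if ALL not in rule.protocols and protocol.upper() not in rule.protocols:
            continue
        if not rule.start <= at <= rule.end:
            continue
        return rule
    return None


def decide(department: str, protocol: str, at: time) -> Tuple[str, str]:
    """Action for a flow from the inside network, with the reason.
    No matching row (outside hours, or a protocol the row does not list)
    means the firewall's implicit deny."""
    rule = matching_rule(department, protocol, at)
    if rule is None:
        return "DENY", "implicit deny: outside hours or protocol not permitted"
    return rule.action, f"row for {rule.department}"


if __name__ == "__main__":
    # constructed flows to exercise the table
    flows = [("Faculty", "SMB", time(9, 0)), ("Faculty", "SSH", time(9, 0)),
             ("Faculty", "HTTP", time(18, 0)), ("Lab", "HTTP", time(10, 0)),
             ("NetLab", "SSH", time(10, 0)), ("Access Point", "HTTP", time(7, 0))]
    for dept, proto, at in flows:
        action, why = decide(dept, proto, at)
        print(f"{dept:13s} {proto:6s} {at.strftime('%H:%M')}  {action:5s} ({why})")
```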
Server Farm zone
Deny all connections from this zone into the inside network or out to the outside network. However, authenticated connections from the servers may enter the inside network through the web applications on the ports designated in advance, as implemented by the programming engineers.
Demilitarized zone (DMZ): deny all connections from this zone into the inside network or out to the outside network.
Outside network: configured on the outside firewall.
Only allow web (HTTP) and mail (SMTP) access to the DMZ.
Block ping (ICMP) on all interfaces of the firewall.
Prevent IP Spoofing and ARP Spoofing.
Application-layer rules by traffic direction
From the inside to the outside: configured on the inside firewall.
Protocol | Inspected field | Detail | Description
HTTP | url-length | 100 | Maximum length of a web address is 100
HTTP | Request (host) | www.tuoitre.vn, www.dantri.com | Block access to Tuoi Tre and Dan Tri
HTTP | uri request | union, script, char() | Block URIs containing these three strings
FTP | filename | *.exe, *.wav, *.mpg, *.avi, ... | Block downloading audio, video, compressed and executable files
IM (Instant Messenger) | protocol | msn, yahoo | Block chat software
Table 11 Application-layer rules from the inside to the outside
From the outside into the DMZ: configured on the outside firewall.
Protocol | Inspected field | Detail | Description
HTTP | Max-conn | 1000 | Maximum number of connections
HTTP | Embryonic Connection | 200 | Maximum number of incomplete connections
HTTP | url-length | 100 | Maximum length of a web address is 100
HTTP | uri request | union, script, char() | Block URIs containing these three strings
HTTP | spoof-server | ServerPRO | Prevent Server Fingerprinting
Table 12 Application-layer rules from the outside into the DMZ
Rules for VPN connections
VPN type | Action | Protocols | Description
Site to Site VPN | ALLOW | H323, SMB, FTP, HTTP | Users at the campuses can call each other; file sharing on the Database Server is allowed; downloading files and web access on the servers in the DMZ are allowed
Easy VPN | ALLOW | SKINNY, SMB, FTP, HTTP | Voice; file sharing on the Database Server; idle timeout 30 minutes; maximum connection time 5 hours, after which re-authentication is required; key lifetime 1 hour; downloading files and web access on the servers in the DMZ
Web VPN | | FTP, HTTP | Idle timeout 30 minutes; maximum connection time 5 hours, after which re-authentication is required; key lifetime 1 hour
Table 13 Rules for VPN connections
5.3.2 Building the policies
To secure the information in the network, establishing inspection policies on each device is just as important. The devices concerned are the following:
5.3.2.1 Layer 2 Switch
Port Security: guarantees that only known end devices are attached. When an unknown device is plugged in, the port is shut down immediately.
Remote SPAN (Switched Port Analyzer): lets the administrator monitor the system easily. When this feature is enabled, the switch copies every packet passing through it and sends the copies to a designated port or VLAN. From there the administrator analyzes, monitors and assesses the system through a monitoring device or an IDS (Intrusion Detection System).
BPDU guard: enabled on the access-mode ports of the switch; it is one of the Spanning Tree Protocol (STP) features and stops an attacker inside the network from deliberately sending BPDUs (Bridge Protocol Data Units) into a PortFast port in order to become the Root Bridge. If the switch receives a BPDU on a port with this feature enabled, the port immediately enters the errdisable state and can neither send nor receive data. To bring the port back into use, an administrator must intervene or the errdisable timeout must expire.
IEEE 802.1x (dot1x): provides a client-server authentication model that restricts which users may join the LAN through a physical port (PNAC, port-based Network Access Control); it can only be deployed on switches that support it. Besides the switch configuration, the feature must also be enabled on the end stations. Compared with WEP (Wired Equivalent Privacy), 802.1x ensures reliability and data integrity. Moreover, 802.1x brings some advanced methods such as filtering: in addition to SSID and MAC filtering, 802.1x also supports protocol filtering.
5.3.2.2 Layer 3 Switch
Build the ACL in the inside-to-outside direction with the following rules:
Block access from the two Lab rooms and the library to the staff departments (Teachers' Room, Finance and Accounting, Training, Admissions), and between one another.
Allow the staff departments (Teachers' Room, Finance and Accounting, Training, Admissions) to use the SKINNY protocol (the VoIP service).
Allow the NetLab room to reach every protocol on the outside (Outside).
The library may only use HTTP to the outside (Outside).
Block the regular Lab rooms from every protocol towards the internal hosts and the outside.
Allow HTTPS connections from the Access Points (AP) to the inside firewall (Firewall Inside).
5.3.2.3 Firewall Inside
By traffic direction
From Inside to Outside
o Build the Access Control List (ACL): allow the internal hosts (Inside) to use HTTP, HTTPS, FTP and SMTP, and H323 between the CCM servers. Prevent the wifi users from connecting to the other campuses.
time-range NOWORK
 periodic weekdays 0:00 to 06:30
 periodic weekdays 17:00 to 24:00
 periodic weekend 0:00 to 24:00
!
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 11.0.0.0 255.0.0.0
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list IN_OUT extended permit ospf any any
access-list IN_OUT extended deny ip any any time-range NOWORK
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 10.1.0.2 eq 445
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq http
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp-data
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 11.0.0.2 eq smtp
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 11.0.0.2 eq pop3
access-list IN_OUT extended permit tcp host 10.0.0.4 host 10.1.0.4 eq 1720
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq domain
access-list IN_OUT extended permit udp 172.16.0.0 255.255.0.0 any eq domain
Table 14: ACLs from inside to outside
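The ACL above is evaluated top to bottom, first match wins, and the NOWORK entry only matches outside working hours; the following added example (not part of the thesis) models exactly that for the IN_OUT list of Table 14. Packet fields and timestamps are constructed test values.

```python
"""Added example, not from the thesis: a first-match evaluator for the IN_OUT
access list of Table 14, including the time-range NOWORK entry.  The packet
fields and timestamps used below are constructed test values."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


def nowork(ts: datetime) -> bool:
    """time-range NOWORK: weekdays 0:00-6:30 and 17:00-24:00, all weekend."""
    if ts.weekday() >= 5:                      # Saturday, Sunday
        return True
    return ts.time() < time(6, 30) or ts.time() >= time(17, 0)


TIME_RANGES = {"NOWORK": nowork}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None      # None = any destination port
    time_range: Optional[str] = None


def n(cidr: str) -> IPv4Network:
    return ip_network(cidr, strict=False)


# access-list IN_OUT in the order the page lists it (order matters)
IN_OUT = [
    Ace("deny", "ip", n("172.16.20.0/24"), n("11.0.0.0/8")),   # wifi pool -> other campus
    Ace("deny", "ip", n("172.16.20.0/24"), n("10.0.0.0/8")),
    Ace("permit", "ospf", ANY, ANY),
    Ace("deny", "ip", ANY, ANY, time_range="NOWORK"),          # outside working hours
    Ace("permit", "tcp", n("172.16.0.0/16"), n("10.1.0.2/32"), 445),
    Ace("permit", "tcp", n("172.16.0.0/16"), ANY, 80),
    Ace("permit", "tcp", n("172.16.0.0/16"), ANY, 443),
    Ace("permit", "tcp", n("172.16.0.0/16"), ANY, 21),
    Ace("permit", "tcp", n("172.16.0.0/16"), ANY, 20),
    Ace("permit", "tcp", n("172.16.0.0/16"), n("11.0.0.2/32"), 25),
    Ace("permit", "tcp", n("172.16.0.0/16"), n("11.0.0.2/32"), 110),
    Ace("permit", "tcp", n("10.0.0.4/32"), n("10.1.0.4/32"), 1720),
    Ace("permit", "tcp", n("172.16.0.0/16"), ANY, 53),
    Ace("permit", "udp", n("172.16.0.0/16"), ANY, 53),
]


def evaluate(acl, src: str, dst: str, proto: str, dport: Optional[int], ts: datetime) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.time_range and not TIME_RANGES[ace.time_range](ts):
            continue   # entry inactive at this time, keep scanning
        return ace.action
    return "deny"      # implicit deny at the end of every ACL


if __name__ == "__main__":
    wed_10 = datetime(2024, 1, 10, 10, 0)    # constructed: a Wednesday at 10:00
    print(evaluate(IN_OUT, "172.16.5.10", "8.8.8.8", "tcp", 80, wed_10))
```

Note that the OSPF entry precedes the NOWORK deny, so routing adjacencies survive the nightly block while user traffic does not.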
o Establish the inspection policy (Inspection Policy) at the Application layer for the following protocols:
HTTP: block access to websites with harmful or reactionary content (for example www.tuoitre.com.vn and www.dantri.com); prevent downloading files with extensions such as .exe, .bat, .gif and .vbs, compressed files and entertainment files; block web applications (identified by a Content-Type header of application); limit the header length, blocking anything longer than 100; block downloads whose content does not match the header; block downloads from pages running ActiveX or Java applets; prevent Cross Site Scripting (XSS) and SQL Injection.
regex UNION ".*[Uu][Nn][Ii][Oo][Nn].*"
regex SCRIPT ".*[Ss][Cc][Rr][Ii][Pp][Tt].*"
regex CHAR ".*[Cc][Hh][Aa][Rr]\(.*\).*"
regex contenttype "Content-Type"
regex applicationheader "application/.*"
!
class-map HTTP_MAP
 match port tcp eq www
!
class-map type regex match-any RESTRITED_URLS
 match regex URL_TUOITRE
 match regex URL_DANTRI
!
class-map type inspect http match-any URI_BLOCK
 match request header referer regex UNION
 match request header referer regex SCRIPT
 match request header referer regex CHAR
 match request uri regex VIRUS
 match request uri regex IMAGE
 match request uri regex VIDEO
 match request uri regex MUSIC
 match request uri regex COMPRESS
!
class-map type inspect http match-any RESTRICTED_HTTP
 match request uri length gt 200
 match request header host regex class RESTRITED_URLS
!
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
!
policy-map type inspect http MY_HTTP_MAP
 parameters
  protocol-violation action drop-connection
 class RESTRICTED_HTTP
  reset log
 class URI_BLOCK
  reset log
 class AppHeaderClass
  drop-connection log
!
policy-map IN_OUT
 class HTTP_MAP
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 10 per-client-embryonic-max 5
  inspect http MY_HTTP_MAP
!
service-policy IN_OUT interface inside
class-map IM
 match any
!
policy-map type inspect im IM
 match protocol yahoo-im msn-im
  drop-connection
!
policy-map IN_OUT
 class IM
  inspect im IM
!
service-policy IN_OUT interface inside
Table 17: Blocking Yahoo Messenger and MSN Messenger
From Outside into Inside
o Configure the Access Control List (ACL)
Open port 8000 from the Web Server to the Database Server; authentication is handled by the programmers.
Allow the other campuses to access the Database Server.
Allow Easy VPN users to connect to the Call Manager, and the Call Managers to connect to each other.
Allow the Web VPN applications to operate.
Allow the outside firewall to connect to the ACS for authentication.
access-list OUT_IN extended permit tcp 172.17.0.0 255.255.0.0 host 10.0.0.2 eq 445
access-list OUT_IN extended permit tcp host 10.1.0.4 host 10.0.0.4 eq 1720
access-list OUT_IN extended permit tcp host 11.0.0.2 host 10.0.0.2 eq 8000
access-list OUT_IN extended permit ospf any any
access-list OUT_IN extended permit udp host 193.1.3.1 host 10.0.0.2 eq radius
access-list OUT_IN extended permit tcp host 193.1.3.1 host 10.0.0.2 eq 139
access-list OUT_IN extended permit tcp 12.0.0.0 255.255.255.0 host 10.0.0.4 eq 2000
access-list OUT_IN extended deny ip any any
Table 18: ACLs from outside into Inside
VPN connections
Web VPN: no extra software is needed; the VPN connection is made with a web browser. The following users are allowed to reach the Internet through AnyConnect; they cannot, however, reach the internal network.
Teachers
Students
Staff
Guests
ip local pool WIFI 172.16.20.1-172.16.20.254
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 123456
!
webvpn
 enable inside
 tunnel-group-list enable
 onscreen-keyboard logon
 svc image flash:/anyconnect-win-2.4.0202-k9.pkg
 svc enable
 exit
!
http server enable
!
group-policy WIFI internal
group-policy WIFI attributes
 vpn-tunnel-protocol svc webvpn
 svc ask enable
 svc keep-installer installed
 svc rekey method ssl
 svc rekey time 60
!
tunnel-group WIFI type webvpn
tunnel-group WIFI general-attributes
 address-pool WIFI
 authentication-server-group RADIUS LOCAL
 default-group-policy WIFI
tunnel-group WIFI webvpn-attributes
 group-alias WIFI_GROUP enable
Table 19: Web VPN policies on Firewall Inside
5.3.2.4 Firewall Outside
By traffic direction
From Outside into the Demilitarized Zone (DMZ)
Build the Access Control List (ACL) allowing outside hosts to reach the Web Server over HTTP and the Mail Server over SMTP in the DMZ.
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq http
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq https
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq smtp
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq pop3
Table 20: ACLs allowing traffic from outside into the DMZ
Limit the maximum number of connections (Max Connection) to 1000 and the number of connections that never complete the handshake (embryonic connections) to 200.
Establish the inspection policy (Inspection Policy) at the Application layer for HTTP to prevent Web Server Fingerprinting, Cross Site Scripting and SQL Injection attacks from outside against the web server.
regex UNION ".*[uU][nN][iI][oO][nN].*"
regex SCRIPT ".*[Ss][Cc][Rr][Ii][Pp][Tt].*"
regex CHAR ".*[Cc][Hh][Aa][Rr]\(.*\).*"
!
class-map type inspect http match-any HACKING
 match request uri regex UNION
 match request uri regex SCRIPT
 match request uri regex CHAR
!
policy-map type inspect http MY_HTTP
 parameters
  spoof-server ServerPRO
 class HACKING
  drop-connection log
!
policy-map OUT_IN
 class OUT_IN
  inspect http MY_HTTP
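Both HTTP inspection policies (the inside one with URI_BLOCK, RESTRICTED_HTTP and AppHeaderClass, and the outside one with HACKING) rest on the same three regexes. The added example below (not the thesis' own code) re-implements those checks so the matching behaviour can be tried on constructed requests, including the false positive that a plain substring match such as "union" produces on ordinary URLs.

```python
"""Added example, not from the thesis: the URI regexes UNION, SCRIPT and CHAR
from the HTTP inspection policies above, the uri-length limit of
RESTRICTED_HTTP, and the Content-Type test of AppHeaderClass, applied to
constructed requests and responses."""
import re

# Same form as the ASA regexes on the page.  ASA regexes are case-sensitive,
# hence the [Uu][Nn]... spelling; re.fullmatch mirrors the leading/trailing .*.
URI_REGEXES = {
    "UNION": re.compile(r".*[Uu][Nn][Ii][Oo][Nn].*"),
    "SCRIPT": re.compile(r".*[Ss][Cc][Rr][Ii][Pp][Tt].*"),
    "CHAR": re.compile(r".*[Cc][Hh][Aa][Rr]\(.*\).*"),
}
URI_MAX_LEN = 200                               # match request uri length gt 200
CONTENT_TYPE = re.compile(r"Content-Type")      # regex contenttype
APPLICATION = re.compile(r"application/.*")     # regex applicationheader


def inspect_request_uri(uri: str) -> list:
    """Classes a request URI hits: 'HACKING:<regex>' and/or 'RESTRICTED_HTTP'."""
    hits = [f"HACKING:{name}" for name, rx in URI_REGEXES.items() if rx.fullmatch(uri)]
    if len(uri) > URI_MAX_LEN:
        hits.append("RESTRICTED_HTTP")
    return hits


def inspect_response_headers(headers: dict) -> bool:
    """AppHeaderClass: True when a Content-Type header value starts with application/."""
    return any(CONTENT_TYPE.fullmatch(name) and APPLICATION.fullmatch(value)
               for name, value in headers.items())


def policy_action(uri: str, response_headers: dict) -> str:
    """Action the page's policy-maps apply: 'reset' for a URI hit (inside policy),
    'drop-connection' for an application Content-Type, otherwise 'pass'."""
    if inspect_request_uri(uri):
        return "reset"
    if inspect_response_headers(response_headers):
        return "drop-connection"
    return "pass"


if __name__ == "__main__":
    # Constructed sample: a legitimate news URL that the UNION regex still matches.
    print(inspect_request_uri("/news/alumni-reunion.html"))
```

The last sample shows the limit of this approach: the regexes match substrings anywhere in the URI, so "reunion" is blocked just like an injection attempt; in production such rules need allow-lists or tighter patterns.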
Build the access list that defines the interesting traffic, allowing staff at the other branches to connect to the central Database Server and to reach the DMZ. In addition, allow the Call Manager Servers to communicate with each other so that users at the different campuses can call one another.
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip host 10.0.0.4 host 10.1.0.4
!
nat (inside) 0 access-list NONAT
!
crypto isakmp key 123456 address 192.168.2.3
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 84600
crypto ipsec transform-set TRANFORM esp-aes esp-sha-hmac
!
crypto map IPSEC 10 match address VPN
crypto map IPSEC 10 set peer 192.168.2.3
crypto map IPSEC 10 set transform-set TRANFORM
crypto map IPSEC interface outside
!
crypto isakmp enable outside
Table 23: Site-to-Site VPN policies on Firewall Outside
Easy VPN: allows staff to reach the internal network while travelling, mainly for the following three services:
Connecting to the central Database Server.
Web and mail access in the DMZ.
Connecting to the Call Manager Server to make calls.
ip local pool EASY_VPN 12.0.0.1-12.0.0.254
!
access-list SPLIT standard permit 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 12.0.0.0 255.255.255.0
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 123456
 exit
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 84600
crypto ipsec transform-set TRANFORM esp-aes esp-sha-hmac
!
group-policy POLICY_EASY_VPN internal
group-policy POLICY_EASY_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 dns-server value 172.16.5.2 203.113.131.1
 vpn-idle-timeout 15
 default-domain value lotus.edu.vn
!
tunnel-group EASY_VPN type remote-access
tunnel-group EASY_VPN general-attributes
 authentication-server-group RADIUS local
 address-pool EASY_VPN
 default-group-policy POLICY_EASY_VPN
 exit
!
tunnel-group EASY_VPN ipsec-attributes
 pre-shared-key 123456
 exit
!
crypto dynamic-map DYN_MAP_EASY_VPN 20 set transform-set TRANFORM
crypto map IPSEC 60000 ipsec-isakmp dynamic DYN_MAP_EASY_VPN
crypto map IPSEC interface outside
Table 24: Easy VPN policies on Firewall Outside
Web VPN: allows staff to reach the internal network while travelling, mainly for the following services:
Connecting to the central Database Server.
Web and mail access in the DMZ (port forwarding).
webvpn
 enable outside
 tunnel-group-list enable
 onscreen-keyboard logon
 port-forward APPLICATIONS 23 193.1.1.2 23
!
http server enable
!
group-policy NHANVIEN internal
group-policy NHANVIEN attributes
 vpn-tunnel-protocol webvpn
 group-lock value NHANVIEN
 webvpn
  functions url-entry file-access file-entry file-browsing
  url-list value URLs
!
tunnel-group NHANVIEN type webvpn
tunnel-group NHANVIEN general-attributes
 authentication-server-group RADIUS LOCAL
tunnel-group NHANVIEN webvpn-attributes
 group-alias NVGroup enable
group-policy NHANVIEN attributes
 group-lock value NHANVIEN
!
group-policy ADMIN internal
group-policy ADMIN attributes
 group-lock value ADMIN
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward
  port-forward value APPLICATIONS
!
tunnel-group ADMIN type webvpn
tunnel-group ADMIN general-attributes
 authentication-server-group RADIUS LOCAL
tunnel-group ADMIN webvpn-attributes
 group-alias AdminGroup enable
group-policy ADMIN attributes
 group-lock value ADMIN
Table 25: Web VPN policies on Firewall Outside
5.3.2.5 Edge Router
Configure NAT (Network Address Translation) so that the hosts inside the network (Inside) can reach the Internet (Outside).
Build the Access Control List (ACL) allowing connections from outside for the ISAKMP and ESP protocols into the outside firewall (Firewall Outside), and HTTP, HTTPS and SMTP to the Web Server and Mail Server.
5.3.3 Technologies used
HSRP (Hot Standby Redundancy Protocol): deployed on the two Layer 3 switches for load balancing and redundancy whenever either switch fails in any way. These two switches also act as DHCP servers, assigning IP addresses automatically to the hosts in the network. With HSRP, some users therefore receive Switch 1 as their default gateway while others see Switch 2 as theirs, which spreads the load across the two switches and raises the fault tolerance of the system.
Failover: configured on both firewall pairs (Inside and Outside Firewall) to guarantee continuous and correct operation while making full use of the capacity of both pairs.
Load Balancing: mainly deployed on two devices:
Firewall Load Balancing: deploying failover on the firewalls is not enough; it has to be combined with load balancing so that inspection of the traffic in the system is shared. Only then is the information kept secure while the firewall stays available at all times.
ADSL load balancing (on the edge router): balancing two or more Internet links. There are many ways to do this, depending on need and budget, and naturally a trade-off between the cost and the benefit it brings.
HSRP/MHSRP: the simplest and cheapest way, but not a perfect load-balancing method, because the load is split according to connections initiated from inside to outside. Seen the other way round, access from outside to inside is not balanced at all. This is why HSRP/MHSRP is only a partial solution, used when other solutions such as BGP or load balancing with a Vigor device cannot be deployed.
BGP: used on the Internet; the configuration is fairly complex and requires the ISP's support before it can be deployed. Compared with HSRP/MHSRP, BGP is the more complete solution; however, BGP demands CPU and RAM capacity from the router.
Besides these two there are many other approaches. According to the assessment of many experts, hardware load balancing is the optimal solution compared with software load balancing.
Using a Vigor device: allows two or three Internet links to be bundled. Being a hardware solution, the investment cost is higher than the two approaches above, but given the benefit it brings it is well worth deploying.
This is therefore also the solution we chose for the Hoa Sen University network model.
VoIP: provides a telephony system for users within a campus or between branches, over leased-line connections or a deployed VPN (Virtual Private Network).
5.4 Additional technologies deployed
5.4.1 Failover
a. Introduction
A special feature that provides device redundancy, ensuring the system keeps operating well and continuously when a failure occurs. It uses a pair of devices, one acting as Active and the other as Standby, and comes in two kinds of redundancy:
Hardware failover: provides fault tolerance for the hardware device, mainly by synchronizing the configuration between the two devices. Consequently, if the Primary device is shut down while connections are established, every connection is dropped and must be re-established on the secondary device, which is undesirable when deploying the system.
Stateful failover: provides both hardware fault tolerance and connection preservation. Besides synchronizing the configuration, the two devices also synchronize the connection state table, the date and time, the MAC addresses (in transparent mode), and the SIP and VPN connections. Losing connections and having to re-initialize them on the secondary device is therefore rare.
b. Operation
Active/Standby: at any moment one of the two devices is Active and the other Standby. By default the Primary is Active; all traffic passes through the Active device and is synchronized to the Standby. The Standby only monitors the Active; if it sees that the Active is no longer working, it switches itself to Active. Each device has its own IP and MAC address. If a problem occurs on the Active, the Standby changes its IP and MAC to those of the Active and sends frames out of its interfaces to update the switch's MAC table. Note that the device that was just Active does not become Standby until it has been repaired; even after repair it stays in the Standby state and does not reclaim the Active role. This mode, however, leaves one device idle.
Active/Active: to overcome the drawback of Active/Standby, Active/Active was introduced, building on Active/Standby combined with contexts (which allow virtual firewalls). Each device hosts two contexts (CTX1A, CTX1B, CTX2A, CTX2B); each context on one device pairs with a context on the other to form an Active/Standby pair, giving two Active/Standby pairs. In the first pair CTX1A is Active and CTX2A Standby; in the second pair CTX1B is Standby and CTX2B Active. Combined with static routes, or with dynamic routes in transparent mode, load can then be balanced across the two devices. In practice, however, load balancing with static routes is not optimal, since most traffic follows a single direction. Note: multiple mode (context support) does not support dynamic routing.
c. Causes
Many events can trigger failover: loss of power, one or more failed interfaces, a faulty network card, software problems such as memory exhaustion, or direct administrator action with the command failover active on the Standby firewall. The detection times are shown below:
Figure 51: Failover fault-detection times
d. Monitoring
Basically, failover monitors the failover link and the data links. On the failover link, a failover hello message is generated every 15 s (by default); if three consecutive hellos receive no reply from the peer, an ARP packet is generated and sent on all interfaces. If no reply is received on any interface, failover takes place and the unit switches itself to Active. If there is no reply on the failover link but replies arrive on the remaining interfaces, no switchover happens; in that case failover concludes that the fault lies in the failover link itself.
On the data links, failover hello messages are generated and sent on all interfaces (at most 255), like the messages above and also every 15 s. If more than half of the hold-down time passes with no reply, the device runs tests to determine what is wrong with the interface. Before each test the counter of packets received on the interface is cleared. The device then checks whether any valid frame or packet has been received; if so, the interface is judged to be working normally, otherwise the next test runs. There are four tests:
Link up/down: disable and re-enable the interface to test it.
Network activity: monitor the frames received within 5 s.
ARP: send two ARP queries for the two most recent entries in the ARP table and wait 5 s for a valid frame.
Broadcast ping test: send a broadcast ping and wait 5 s for a valid reply.
The devices are usually connected to a layer-2 switch, so to reduce the chance of false failures the interfaces must be in the same VLAN. Otherwise, monitoring on the interface must be disabled with the command [no] monitor-interface logical_if_name. Next, make sure that STP does not affect or block these ports. In addition, the PortFast feature should be configured when using Cisco products. If it is not, the switch will not use RSTP but the IEEE 802.1d standard, after which STP has to recompute; this takes about 30 to 45 seconds, which means three hello packets are lost and failover is affected.
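The monitoring rules above (hello every 15 s, three misses, then an ARP probe on every interface, and the four data-link tests) are small enough to model; the following added example (not the thesis' own code) encodes them as decision functions, including the case where an STP recomputation of 45 s swallows exactly three hellos. Interface names and the replies are constructed.

```python
"""Added example, not from the thesis: the failover-link and data-link
monitoring decisions described above, with constructed probe results."""
HELLO_INTERVAL_S = 15      # default failover hello interval on the page
MISSED_HELLOS_LIMIT = 3    # three unanswered hellos before the ARP probe
INTERFACE_TESTS = ["link-up/down", "network-activity", "arp", "broadcast-ping"]


def failover_link_decision(missed_hellos: int, arp_replies: dict) -> str:
    """What the Standby does after unanswered hellos on the failover link.

    arp_replies maps interface name -> True/False, the result of the ARP
    probe that is sent on all interfaces after the third missed hello.
    """
    if missed_hellos < MISSED_HELLOS_LIMIT:
        return "wait"                   # the peer may still answer the next hello
    if not any(arp_replies.values()):
        return "become-active"          # peer silent everywhere: take over
    return "failover-link-failed"       # peer alive on data links: blame the link


def seconds_until_probe(missed_hellos: int) -> int:
    """Time still to wait before the ARP probe, given hellos already missed."""
    return max(0, MISSED_HELLOS_LIMIT - missed_hellos) * HELLO_INTERVAL_S


def hellos_missed_during(outage_s: int) -> int:
    """Hellos lost while a link is blocked, e.g. by an STP recomputation."""
    return outage_s // HELLO_INTERVAL_S


def interface_test_sequence(valid_frame_seen: list) -> str:
    """Run the four data-link tests in the page's order; each test passes as soon
    as a valid frame is seen after its counter reset, otherwise the next one runs."""
    for test, seen in zip(INTERFACE_TESTS, valid_frame_seen):
        if seen:
            return f"ok:{test}"
    return "interface-failed"


if __name__ == "__main__":
    # Constructed scenario: STP without PortFast blocks the link for 45 s.
    missed = hellos_missed_during(45)
    print(missed, failover_link_decision(missed, {"inside": False, "outside": False}))
```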
5.4.2 HSRP (Hot Standby Redundancy Protocol)
a. Introduction
To guarantee that the network stays available (High Availability) when a failure occurs, HSRP is one of the features providing Network-layer redundancy for the hosts in the network; it optimizes the provision of paths when a failed link is detected and includes a recovery mechanism after the failure. Like HSRP, Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP) offer similar functions: VRRP is a standard protocol supported by most routers, while GLBP is a Cisco standard that improves on VRRP and adds load balancing.
Figure 52: The HSRP protocol
HSRP is a Cisco standard, described in detail in RFC 2281. HSRP provides redundancy for the workstations by coordinating the routers to present a virtual router that routes traffic into and out of the network. Sharing one IP and one MAC address, this virtual router acts as the router for the packets in the network. In reality the virtual router does not exist; it is represented as a component shared by the physical routers configured with HSRP.
b. Operation
The virtual router's IP address is configured as the default gateway for the hosts in the network. When frames are sent from the hosts to the default gateway, they use ARP (Address Resolution Protocol) to resolve the MAC address of the default gateway IP. Frames sent to this MAC address are then processed by the Active Router or the Standby Router belonging to the same configured virtual router group. The process is completely transparent to the end hosts. HSRP therefore routes traffic without depending on the availability of any single router.
Figure 53: HSRP operation
In the figure above Router A has the Active role and forwards all frames sent to MAC address 0000.0c07.acXX, where XX is the standby group number. The virtual router's IP and the corresponding MAC address are kept in the ARP table of every router in the group.
Figure 54: ARP table of the member routers in the group
The figure shows the ARP table of a member router of standby group 1 in VLAN 10. The virtual router's IP address is 172.16.10.110 with the corresponding MAC 0000.0c07.ac01 (01 is the group number, shown in hexadecimal).
The Standby Routers in the group continuously watch the state of the Active Router so that they can take over forwarding quickly if the Active Router fails in any way. The Active and Standby Routers send hello messages to communicate with the other routers in the group, addressed to multicast 224.0.0.2, UDP port 1985, with the sending router's IP address as the source. The group may also contain other routers that are neither Active nor Standby; they monitor the hello messages sent by the Active and Standby Routers to make sure both still exist. Moreover, these routers only forward packets addressed to their own IP address, not those addressed to the virtual router.
When the Active Router fails, the other routers in the HSRP group stop receiving its messages; the Standby Router assumes the Active role and takes control of the traffic, and the routers in the group elect a new Standby Router. Frame forwarding from the hosts is unaffected, because the forwarding router still uses the same virtual IP and virtual MAC as before.
Figure 55: Switchover when the Active Router fails
If both the Active and the Standby Router fail, all the routers in the group elect a new Active and Standby Router, and the new Active Router takes over forwarding packets to the hosts in the network.
Router roles in HSRP
HSRP defines standby groups, and the routers are assigned different roles within such a group:
Virtual Router: in fact just a pair of IP and MAC addresses that all end devices use as their default gateway IP. The Active router handles every packet and frame sent to the virtual router's IP or MAC address.
Active Router: elected on the priority value (1-255, default 100) and then on the highest IP address; responsible for forwarding packets and for answering with the virtual MAC address to the end devices.
Standby Router: the backup in case the Active Router fails in any way, at which point the Standby Router takes the Active role and continues routing the traffic in the network.
Other routers: the remaining routers that do not take part in the standby group.
HSRP states: a router in a standby group can be in one of the following states:
Figure 56: HSRP states
Initial: the starting state of every router in the group. In this state HSRP is not running.
Learn: the router waits to receive HSRP packets in order to learn the virtual router's IP address and identify the Active and Standby Routers in the group.
Listen: after receiving HSRP packets and learning the virtual router's IP, the router moves to the listen state to determine whether an Active or Standby Router exists in the group. If so, it stays in this state; otherwise it moves to the Speak state.
Speak: the router actively takes part in electing the Active Router and the Standby Router based on the hello packets.
Standby: the candidate for the next Active Router. The Standby Router periodically sends hello packets and also listens for the hello messages from the Active Router. An HSRP group has exactly one Standby Router.
Active: forwards packets, sends the group's virtual MAC address and answers ARP requests for the virtual IP. The Active Router also periodically sends hello messages. A standby group has exactly one Active Router.
c. Some HSRP terms
HSRP uses three timers. If no hello packet is received from the Active Router within the Active timer interval, the router moves to a new state.
Active timer: monitors the Active Router; restarted whenever any router in the group receives a hello packet from the Active Router.
Standby timer: monitors the Standby Router; restarted whenever any router in the group receives a hello packet from the Standby Router.
Hello timer: the hello packet interval. Every router in the standby group, whatever its HSRP state, generates a hello packet when the hello timer expires.
In addition, two values determine the maximum interval between hello packets:
Hello Interval Time: the interval between two successive hello packets from a router. Default 3 seconds.
Hold Interval Time: the interval after the last received hello packet after which the sending router is assumed to have failed. Default 10 seconds.
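The election rule (priority, then highest IP), the virtual MAC derivation, the hold-timer expiry and the MHSRP arrangement with reversed priorities are worked through in the following added example (not the thesis' own code). Router names, addresses and priorities are constructed.

```python
"""Added example, not from the thesis: HSRP virtual MAC derivation, the
Active/Standby election (priority, then highest IP), the hold-timer check and
an MHSRP election per group.  Router names, IPs and priorities are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

HELLO_INTERVAL_S = 3      # default hello interval on the page
HOLD_INTERVAL_S = 10      # default hold interval on the page


def virtual_mac(group: int) -> str:
    """Virtual MAC 0000.0c07.acXX with XX = standby group number in hexadecimal."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0..255")
    return f"0000.0c07.ac{group:02x}"


@dataclass(frozen=True)
class Router:
    name: str
    ip: str
    priority: int = 100   # 1-255, default 100


def elect(routers):
    """Active = highest priority, ties broken by highest IP; Standby = runner-up."""
    for r in routers:
        if not 1 <= r.priority <= 255:
            raise ValueError(f"{r.name}: priority out of range")
    ranked = sorted(routers, key=lambda r: (r.priority, int(ip_address(r.ip))), reverse=True)
    active = ranked[0].name
    standby = ranked[1].name if len(ranked) > 1 else None
    return active, standby


def active_timer_expired(seconds_since_last_hello: float) -> bool:
    """The Active is presumed dead once no hello has arrived within the hold interval."""
    return seconds_since_last_hello >= HOLD_INTERVAL_S


def after_active_loss(routers, active_name: str, seconds_since_last_hello: float):
    """Roles after the hold timer on the Active expires: the Standby takes over and
    the remaining routers elect a new Standby; otherwise the roles are unchanged."""
    if not active_timer_expired(seconds_since_last_hello):
        return elect(routers)
    survivors = [r for r in routers if r.name != active_name]
    return elect(survivors)


def mhsrp_roles(routers_by_group: dict) -> dict:
    """MHSRP: run the election in every group; with reversed priorities each router
    is Active in one group, so hosts pointed at different groups share the load."""
    return {group: elect(members) for group, members in routers_by_group.items()}


if __name__ == "__main__":
    a = Router("A", "172.16.10.1", 110)   # constructed, as in Figure 57's group 1
    b = Router("B", "172.16.10.2", 100)
    print(virtual_mac(1), elect([a, b]), after_active_loss([a, b], "A", 10))
```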
d. Multiple HSRP (MHSRP)
From Cisco IOS Release 12.2(18)SE onward, Multiple HSRP (MHSRP) is supported; it extends HSRP to balance load between two or more HSRP groups on the path from the hosts to the servers in the network.
Figure 57: Multiple HSRP
In the figure above, Router A and Router B both belong to two standby groups. In group 1, Router A is the Active Router by default because it has the highest priority, and Router B is the Standby Router. Conversely, in group 2 Router B is the Active Router by default because it has the highest priority there, and Router A is the Standby Router. During normal operation Routers A and B thus share the load. When both routers fail, the other routers in the group elect a new Active and Standby Router so that the network keeps running continuously and the traffic remains balanced.
5.4.3 Firewall Load Balancing
In today's network environment, where security is vital, keeping the firewall available at all times (High Availability) is very important. Besides configuring firewall failover (Firewall Failover) for continuous and correct operation, sharing the flows to be inspected among the firewalls is just as necessary. From ASA 7.0 and FWSM 3.1 onward, Cisco introduced the notion of a context and supports running several contexts on redundant firewall pairs so that inspection of the traffic entering and leaving the system can be shared. This process, however, requires manual configuration, and the participating firewalls must be identical in model, version and other technical parameters.
a. Overview
A firewall system can be deployed in many different ways. The table below compares the cost, the security features and the redundancy of a single firewall, a firewall pair, and a group of firewalls configured for Firewall Load Balancing (FWLB).
Feature | Single firewall (Single Firewall) | Firewall redundancy (Firewall Failover) | Firewall load balancing (FWLB)
Cost | Low: only one firewall is built. | Medium: two firewalls are needed. | High: at least two firewalls plus a load-balancing device.
Point of failure (Firewall Point of Failover) | One: the firewall itself. | None: two separate physical firewalls. | None: all firewalls are grouped into a farm.
Performance | Limited to a single firewall. | Limited to a single firewall: only the active firewall of the pair inspects traffic at any given moment. | Proportional to the number of firewalls; in theory every firewall is fully used when the load is balanced evenly.
Load balancing | No. | No: the active firewall handles every connection. | Connections are assigned to the firewalls by a hashing algorithm; all firewalls inspect inbound and outbound traffic at the same time.
Reaction to failure | Forwards and inspects no traffic at all. | All traffic is pushed to the standby firewall. | New connections are assigned to the remaining firewalls.
Additional hardware | None. | None. | One FWLB device must be installed on each side of the firewall farm. With the Catalyst 6500 Content Switching Module (CSM), the CSM operates on both sides of the farm.
Table 26: Comparison of firewall features across the different deployments
To distribute the connections among the members of the farm, FWLB requires an additional load-balancing function on each side of the firewall farm. This ensures that connections are spread across the firewalls and that the inbound and outbound traffic of a flow always goes through the same firewall.
Figure 58: Firewall Load Balancing (FWLB)
b. Some firewall load-balancing methods
One of the following approaches, or a combination of them, is used:
Software: comprises the following features:
Cisco IOS software on Catalyst 6500 switches for IOS Firewall Load Balancing (IOS FWLB), a component of IOS Server Load Balancing (IOS SLB).
The firewalls are configured as a firewall farm.
When traffic is routed through the firewall farm, the connections are distributed to the individual firewalls in the farm. The process is transparent to the user.
Hardware: load-balancing devices distribute the traffic to the members of the firewall farm. Connections crossing the firewalls are balanced by hardware devices with the following properties:
Cisco Catalyst 6500 Content Switching Module (CSM) used for firewall load balancing as a component of Accelerated Server Load Balancing (ASLB).
The firewalls are configured as ordinary server-farm members.
When traffic is received on the inside VLAN, the CSM divides the connections among the member firewalls.
Dedicated appliances
External content-switching appliances placed on each side of the firewall farm. Connections are distributed to the farm members based on the following:
The firewalls are configured individually; the CSS treats them as a list of firewalls rather than as a firewall farm.
The CSS distributes the flows to the firewalls along a defined route, using a hash on the IP addresses.
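The hash-based distribution just described only works for stateful firewalls if both directions of a flow reach the same member, which is the requirement stated under Figure 58. The following added example (not the thesis' own code) shows one way to get that property: hash the two addresses in sorted order, so the request and its reply map to the same firewall. Firewall names and addresses are constructed, and the concrete hash is an assumption, not the CSS algorithm.

```python
"""Added example, not from the thesis: assigning flows to firewall-farm members
with a direction-independent address hash, so a flow's inbound and outbound
packets hit the same firewall.  Names, addresses and the CRC32-based hash are
constructed assumptions, not the CSS/CSM algorithm."""
import zlib
from ipaddress import ip_address


def flow_key(src_ip: str, dst_ip: str) -> bytes:
    """Direction-independent key: both addresses in ascending order."""
    lo, hi = sorted((int(ip_address(src_ip)), int(ip_address(dst_ip))))
    return lo.to_bytes(4, "big") + hi.to_bytes(4, "big")


def pick_firewall(src_ip: str, dst_ip: str, farm: list) -> str:
    """Hash the flow key into the farm.  CRC32 is deterministic across processes
    (Python's hash() on str is salted), so the FWLB devices on both sides of the
    farm compute the same member for the same flow."""
    if not farm:
        raise ValueError("firewall farm is empty")
    return farm[zlib.crc32(flow_key(src_ip, dst_ip)) % len(farm)]


def pick_after_failure(src_ip: str, dst_ip: str, farm: list, failed: str) -> str:
    """Reaction to failure from Table 26: new connections go to the remaining members."""
    return pick_firewall(src_ip, dst_ip, [f for f in farm if f != failed])


def distribution(pairs, farm: list) -> dict:
    """How many of the given (src, dst) flows land on each member."""
    counts = {f: 0 for f in farm}
    for src, dst in pairs:
        counts[pick_firewall(src, dst, farm)] += 1
    return counts


if __name__ == "__main__":
    farm = ["fw1", "fw2"]   # constructed farm
    # Request from an inside host to the DMZ web server, and its reply
    print(pick_firewall("172.16.5.10", "193.1.5.2", farm),
          pick_firewall("193.1.5.2", "172.16.5.10", farm))
```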
5.4.4 Chng thc 802.1x a. Gii thiu IEEE 802.1x c pht trin bi IEEE, mt trong s nhng giao thc mng IEEE 802.1 nhm cung cp kh nng chng t hc cho ngi dng tr ong mng khng dy. Sau , n cn c dng trong mng Ethernet nh l mt c ch iu khin tr uy cp tr n cc cng vt l.
Chun 802.1x xy dng da trn m hnh chng thc kiu client - server gip hn ch ngi dng tham gia mng LAN thng qua phng php port- based. Bn cnh , 802.1x cn a r a h tng cho vic xc nhn v iu khin lu thng ngi dng t rong mng c bo v cng nh cp pht ng cc kha m ha khc nhau.
b. Kin trc
Supplicant System (hay Client): my t rm hoc cc thit b c nhu cu c chng t hc c thm quy n t ham gia vo mng. Qu trnh x c t hc c kch hot khi ngi dng thc thi chng t r nh cung cp kh nng x c t hc 802.1x m cc ng dng ny t hng i hi phi h t r giao t hc EAPoL (Ext ensible Authentication Protocol over LAN).
Hnh 59 Kin trc 802. 1x
Authenticator System (thng l cc thit b mng h tr xc thc 802.1 x
nh Switch): cung cp cc cng (vt l v lun l) cho my t nh tr uy cp h t hng mng. Ngoi r a, n cn gip trung chuyn cc thng tin chng thc qua li gia client vser ver .
Authentication Server System: cung cp dch v xc t hc cho Authent icator System, thng thng l RADIUS server, AAA server. Ngoi ra, n cn lu tr t hng tin ngi dng nh username, passwor d, VLAN ph thuc dng so snh vi cc thng tin ng i dng gi n nhm xc nhn xem y c phi l ngi dng hp l hay khng.
Authent icator v Authent icat ion Ser ver c t ch hp chung trn mt thit b. Tuy nhin, trnh trng hp ngi dng t ip xc t rc tip gy tn hi ser ver, Authent ication Server v Authent icator System thng kt ni thng qua Switch vtn ti trong sut vi ngi dng.
c. Operation: the authentication (authenticate) and authorization (authorize) process under the 802.1x standard proceeds as follows:
Figure 60 User authentication under the 802.1x standard
Initialization: When a new supplicant is detected, the port on the switch (authenticator) is enabled in the unauthorized state. In this state only 802.1X traffic is allowed; all other access traffic, such as DHCP and HTTP, is dropped.
Initiation: To start the authentication process, the authenticator sends EAP-Request/Identity frames one after another to a special layer-2 address on the local network segment. The supplicant listens on this address and, on receiving an EAP-Request/Identity frame, replies with an EAP-Response/Identity frame containing the supplicant's authentication information, such as the login name (User ID) and password. The Authenticator then encapsulates this information in a RADIUS Access-Request packet and forwards it to the Authentication Server. The Supplicant can also start or restart the authentication process by sending an EAPOL-Start frame to the Authenticator, which is then answered with an EAP-Request/Identity frame.
Negotiation (or EAP negotiation): The Authentication Server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the Authenticator, containing the EAP Method parameter (the EAP-based type of authentication it wants the Supplicant to perform). The Authenticator encapsulates the EAP Request in an EAPOL frame and forwards it to the Supplicant. At this point the Supplicant can NAK the requested EAP Method and reply with the EAP Methods it is willing to perform, or begin the requested EAP Method.
Authentication: If both the Authentication Server and the Supplicant agree on the EAP Method parameters, the Supplicant and the Authentication Server (via the Authenticator) exchange EAP Requests and Responses in turn until the Authentication Server answers with one of two messages: EAP-Success (carried in a RADIUS Access packet) or EAP-Failure (carried in a RADIUS Access-Reject packet). If authentication succeeds, the Authenticator sets the port state to "Authorized" and allows all access traffic to be forwarded; if it fails, the port remains in the "unauthorized" state. When the Supplicant leaves the system, it sends an EAPOL-Logoff message to the Authenticator, which once again sets the port state to "unauthorized", blocking all access traffic except EAP traffic.
Figure 61 Message exchange between Supplicant, Authenticator and Authentication Server
In general, the message exchange between the Supplicant and the Authentication Server takes place through an EAP Method over a point-to-point style connection and depends on the EAP Method type, while the Authenticator and the Supplicant exchange messages through the EAPOL (EAP over LAN) authentication protocol. Furthermore, before authentication succeeds, only a few basic protocols such as STP, CDP and EAPOL may be exchanged between the Supplicant and the Authenticator. Only after authentication are other data frames exchanged normally.
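To make the port states and the three-party exchange above concrete, the following Python script is an added example written for this section; it is not code from the thesis, from Cisco or from any 802.1x implementation. It models a Supplicant, an Authenticator (the switch port) and an Authentication Server, drives the Initiation, Negotiation and Authentication steps with the message names used in the text, and shows the port dropping non-EAPOL frames until it is authorized and again after EAPOL-Logoff. The user store, the credentials, the VLAN numbers, the simplified MD5 challenge/response standing in for the EAP Method (it hashes nonce and password without the EAP identifier byte that real EAP-MD5 includes), and all class and function names are constructed assumptions for the demo.

```python
"""Toy simulation of the 802.1x exchange in section 5.4.4 (added example,
not thesis code). Message names follow the text; the user database,
credentials and the simplified MD5 challenge step are constructed."""
from dataclasses import dataclass, field
import hashlib
import os

# Constructed user store on the Authentication Server (RADIUS/AAA):
# username -> (password, VLAN). Not real credentials.
USER_DB = {"alice": ("alice-secret", 10), "bob": ("bob-secret", 20)}

EAPOL_ETHERTYPE = 0x888E              # only this passes an unauthorized port
PAE_GROUP_ADDR = "01:80:c2:00:00:03"  # the special layer-2 EAPOL address


@dataclass
class Frame:
    ethertype: int
    dst: str
    msg: str                          # e.g. "EAP-Response/Identity"
    data: dict = field(default_factory=dict)


def eapol(msg, data=None):
    return Frame(EAPOL_ETHERTYPE, PAE_GROUP_ADDR, msg, data or {})


class AuthenticationServer:
    """Holds user records and answers the Authenticator's RADIUS requests."""

    def __init__(self):
        self.pending = {}  # identity -> challenge nonce awaiting a response

    def access_request(self, identity):
        # Access-Challenge naming the EAP Method the server wants (MD5 here).
        nonce = os.urandom(16)
        self.pending[identity] = nonce
        return "Access-Challenge", {"eap_method": "MD5", "nonce": nonce}

    def access_request_with_response(self, identity, digest):
        nonce = self.pending.pop(identity, None)
        record = USER_DB.get(identity)
        if nonce is None or record is None:
            return "Access-Reject", {}
        password, vlan = record
        expected = hashlib.md5(nonce + password.encode()).hexdigest()
        if digest == expected:
            return "Access-Accept", {"vlan": vlan}   # VLAN assigned on success
        return "Access-Reject", {}


class Authenticator:
    """Switch port: relays EAP and gates all other traffic on port state."""

    def __init__(self, server):
        self.server = server
        self.port_state = "unauthorized"
        self.vlan = None
        self.identity = None

    def accepts(self, frame):
        """Initialization rule: an unauthorized port forwards only EAPOL."""
        return self.port_state == "authorized" or frame.ethertype == EAPOL_ETHERTYPE

    def receive(self, frame):
        if not self.accepts(frame):
            return None                       # dropped (DHCP, HTTP, ...)
        if frame.msg == "EAPOL-Start":        # Initiation
            return eapol("EAP-Request/Identity")
        if frame.msg == "EAP-Response/Identity":
            self.identity = frame.data["identity"]
            _, attrs = self.server.access_request(self.identity)  # RADIUS Access-Request
            return eapol("EAP-Request/MD5-Challenge", attrs)      # Negotiation
        if frame.msg == "EAP-Response/MD5-Challenge":             # Authentication
            code, attrs = self.server.access_request_with_response(
                self.identity, frame.data["digest"])
            if code == "Access-Accept":
                self.port_state, self.vlan = "authorized", attrs["vlan"]
                return eapol("EAP-Success")
            self.port_state = "unauthorized"
            return eapol("EAP-Failure")
        if frame.msg == "EAPOL-Logoff":       # back to unauthorized
            self.port_state, self.vlan = "unauthorized", None
        return None


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def start(self):
        return eapol("EAPOL-Start")

    def respond(self, frame):
        if frame.msg == "EAP-Request/Identity":
            return eapol("EAP-Response/Identity", {"identity": self.identity})
        if frame.msg == "EAP-Request/MD5-Challenge":
            digest = hashlib.md5(frame.data["nonce"] + self.password.encode()).hexdigest()
            return eapol("EAP-Response/MD5-Challenge", {"digest": digest})
        return None                           # EAP-Success / EAP-Failure end the run


def authenticate(supplicant, authenticator):
    """Drive the exchange; return (message trace, port state, assigned VLAN)."""
    trace, frame = [], supplicant.start()
    while frame is not None:
        trace.append(frame.msg)
        reply = authenticator.receive(frame)
        if reply is None:
            break
        trace.append(reply.msg)
        frame = supplicant.respond(reply)
    return trace, authenticator.port_state, authenticator.vlan


if __name__ == "__main__":
    port = Authenticator(AuthenticationServer())
    print(authenticate(Supplicant("alice", "alice-secret"), port))
```

Running the script prints the six-message trace ending in EAP-Success with the port authorized on VLAN 10; a wrong password or an unknown username ends in EAP-Failure with the port still unauthorized, and calling `port.receive(eapol("EAPOL-Logoff"))` afterwards returns the port to the unauthorized state, where `accepts()` once more rejects anything that is not EAPOL. The NAK step of the Negotiation phase is not modelled.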
d. Advantages and disadvantages of 802.1x
Advantages
Confidentiality: most information exchanged on the network is encrypted and protected by an initial password; spoofing is prevented through mutual authentication between Client and Server, applying encryption methods such as SSH (Secure Shell), SSL (Secure Sockets Layer) or IPSec.
Integrity: checking methods such as Checksums or Cyclic Redundancy Checks (CRCs) are used to verify data integrity; the MD5 and RC4 algorithms are also used to guarantee this integrity.
Availability: kept up to date with the development of devices and with the latest emerging issues, to ensure availability without obstacles and compatibility with existing devices.
Authentication mechanism: by combining dynamic authentication with centralized key management, 802.1x overcomes most of the problems of other protocols. EAP, defined in RFC 2284 and used for point-to-point (PPP) connections, specifies the characteristics of the authentication method, including how the user is identified, such as by password or certificate, the protocol used (MD5, TLS, GMS, OTP), and support for automatic key generation and mutual authentication.
Because 802.1x is based on port-based access control, in addition to the general security methods it also brings some advanced ones, such as filtering. Beyond the SSID and MAC filtering performed by other standards, 802.1x also supports protocol filtering. A wireless LAN filters packets crossing the network based on layer 2 to layer 7 protocols. In many cases, manufacturers build protocol filters that can be configured independently for the wired and wireless segments of an Access Point (AP).
Disadvantages
Although the study above shows 802.1x to be a fairly secure standard, it still has limitations:
It cannot defend against Denial of Service (DoS) attacks.
Some features have special hardware requirements, so security methods must be combined with one another, together with sensible security policies.
In response to these problems, 802.1x itself proposes a number of remedial policies:
Physically secure the devices, assign privileges sensibly, and always enable the most appropriate features, since almost every feature can be enabled or disabled.
Use spectrum-scanning devices to identify eavesdropping devices, and set transmit power appropriately to keep the radio signal from leaking beyond the required range.
Integrate a VPN to secure the WLAN connection. When the VPN Server is integrated into the Access Point (AP), users run VPN Client software, and protocols such as PPTP or IPSec form a tunnel directly to the Access Point (AP). The user first connects to the access point, then dials the VPN connection. All traffic passes through the tunnel and can be encrypted with an additional layer of protection.
5.4.5 VOIP (Voice Over IP) telephony system
a. Introduction
Today a voice system is an essential requirement for any business or organization. Depending on its needs, a business can deploy a traditional telephony system or Voice Over IP (VOIP). Many voice solutions are therefore available, such as the 3CX PBX system, the Asterisk system or Cisco's CVOICE. As one of the major vendors, Cisco offers many solutions and devices for the networking and communications field, in particular the solution that integrates voice and video on the same data network, AVVID (Architecture for Voice, Video and Integrated Data), which has three basic components: infrastructure, end devices (Clients) and application programs (Applications). Cisco also offers a complete, coordinated solution across the components: routing, security and switching.
As for the transmission path, VOIP uses the ordinary IP network infrastructure, consisting of the LAN, the WAN and the PSTN connection. On the LAN, because it runs over IP, VOIP can share the existing infrastructure with no new investment. For the WAN connection, a leased line or a VPN can be used to connect two or more sites. However, each solution has its own pros and cons. A leased line guarantees call quality but is expensive, while a VPN makes call quality hard to guarantee. The appropriate choice therefore depends on the need and the scale.
Figure 62 A simple VOIP model
As for equipment, the following devices are indispensable in a Cisco VOIP system:
Call Manager: an integrated hardware and software system pre-built by Cisco that acts as a Server on the network. An ordinary server from another manufacturer (one on Cisco's supported list) can, however, also be used to install Call Manager.
CCM Server: handles call routing and manages IP telephones (IP Phones).
IP Phone: the end device; it converts sound into a digital signal and packs it into packets, and vice versa. Cisco also offers Soft Phone software that works like an IP Phone.
Voice gateway (or Voice-enabled Router): converts IP voice into analog for the PSTN. Today a 2800 or 3800 Router with an FXO Voice Card or an E1/T1 PRI Card is used.
The Gateway is also responsible for QoS (Quality of Service) to guarantee voice quality.
b. Deployment solutions: two options are available:
Using a Call Manager server for a system with more than 96 clients
In this solution, each site has its own Call Manager Server. Each Server is responsible for call processing at its branch. When needed, a user at one branch can call a user at the other branch over the WAN or the PSTN, depending on configuration. The following equipment is used:
Two independent Voice Gateways connected to the PSTN.
Depending on need, an E1 PRI Card (30 simultaneous voice channels) or a single FXO line (one voice channel at a time) can be used. The business then leases the corresponding service from the telephone provider.
In addition, we lease a WAN line connecting the two branches, carrying both voice and data. Each call needs at least 30 Kb/s, so a minimum of about 128 Kb/s is recommended.
IP phones can be hardware or software.
Advantages
Highly scalable: each Server can handle 1000 phones.
Easier to upgrade and to offer services to IP Phones, such as Conference, IP Contact Center and Voice mail.
Disadvantage: high cost.
Using a Call Manager server for a system where every branch has fewer than 96 telephones
In this solution no CCM Server is used at the two branches; call processing and IP Phone management are performed by the Voice Gateway. All other parameters remain unchanged.
Advantage: low cost.
Disadvantages:
Hard to scale or to integrate new services.
Fewer features.
CONCLUSION
In an age of ever-advancing science, data security in network systems plays an ever more important role and is an indispensable investment for most businesses and organizations. This report has covered the general firewall technologies at the Network, Transport and Application layers and studied the deployment of VPN and IPS/IDS systems, applying these technologies to the network diagram of Hoa Sen University.
Guaranteeing that information is completely secure in transit is impossible, because no solution in information security is perfect, especially at a time when technology is developing as fast as it is today. Attack methods grow ever more sophisticated, and new tools for intrusion and data theft grow more numerous and harder to defend against. Here our group has offered only one of many answers to the problem of securing the Hoa Sen University network; there are many other ways to deploy it, depending on each person's knowledge and experience. Although this is not a perfect solution in every respect, it both meets users' needs and makes maximum use of system resources. Designing and building VPN and IDS/IPS systems is likewise indispensable for businesses and organizations, and helps strengthen network security.
Given the rapid pace of technological progress, regularly adopting new technologies to prevent unauthorized intrusions keeps the network system safely protected. Security policies must also be continually refined to maintain network security over the long term.
With more time and the budget to invest in real network equipment, we hope to study and apply further new security technologies, since security is always a top concern of companies at home and abroad.