
MINISTRY OF EDUCATION AND TRAINING

HOA SEN UNIVERSITY

FACULTY OF SCIENCE AND TECHNOLOGY

BUILDING AN ASA FIREWALL AND IPS TO PROTECT THE NETWORK

Supervisor: Mr. Dinh Ngoc Luyen

Students: Tran Kim Phuong
          Le Trung Tin

Class: VT071

December 2010





THESIS ABSTRACT

During our graduation thesis we studied the following security technologies:

Studying the common firewall technologies at the Network, Transport and Application layers.

Analysing VPN types, modes of operation, protocols and algorithms.

Analysing the operating principles and attack-detection methods of IDS/IPS.

Building a firewall for the Hoa Sen University network and deploying VPN and IDS/IPS.

By successfully using network-device simulation software, our group was able to build the Hoa Sen University network ourselves, from requirements analysis, defining user accounts, design and sketching of the network model, through to configuring it in the simulators. In doing so we achieved the following encouraging results:

A better understanding of firewalls, their architecture and their functions. We also analysed in depth the common firewall technologies at the Network, Transport and Application layers of the OSI model.

Research on VPNs, the protocols they use and how they operate. A study of the operating principles of IDS/IPS, analysing each attack-detection method together with its benefits and limitations.

An understanding of the steps in building an enterprise network, from requirements analysis and network diagram design to configuration and deployment, together with applying a VPN solution and an IDS/IPS system.

An in-depth study of additional technologies that raise data security and keep the network continuously available even during failures, make full use of system resources and spread network load across a row of inspecting firewalls, such as Load Balancing, Failover and HSRP; user authentication with IEEE 802.1x; and VOIP technology to provide voice service to users.

























TABLE OF CONTENTS

Thesis abstract .... i
Table of contents .... ii
List of figures .... vi
List of tables .... ix
Acknowledgements .... x
Supervisor's comments .... xi
Introduction .... xii

Part 1: Report overview
  1.1 Research objectives .... 1
  1.2 Research methods .... 1
  1.3 Scope of the topic .... 1
  1.4 Thesis structure .... 1

Part 2: Common firewall technologies at the Network, Transport and Application layers
  2.1 The importance of information security .... 2
  2.2 Firewall overview .... 3
    2.2.1 Introduction .... 3
    2.2.2 Functions .... 4
  2.3 Common firewall technologies at each layer .... 5
    2.3.1 Network and Transport layers .... 5
      2.3.1.1 Packet Filtering .... 5
      2.3.1.2 NAT Firewall .... 7
      2.3.1.3 Stateful Packet Filtering .... 8
    2.3.2 Application layer .... 9
      2.3.2.1 Proxy Firewall .... 9
      2.3.2.2 Stateful Inspection Firewall (SIF) .... 13
  2.4 Deploying firewalls in an enterprise network .... 14
    2.4.1 Bastion Host .... 14
    2.4.2 Screened Subnet .... 15
    2.4.3 Dual Firewall .... 16

Part 3: Building a VPN between the two Hoa Sen University campuses
  3.1 The need for VPNs in the enterprise .... 18
    3.1.1 Why VPNs emerged .... 18
    3.1.2 VPNs are truly necessary .... 18
  3.2 VPN overview .... 19
    3.2.1 The VPN concept .... 19
    3.2.2 VPN benefits .... 19
    3.2.3 Technical infrastructure for building a VPN .... 20
      3.2.3.1 Cryptographic techniques .... 20
      3.2.3.2 Public Key Infrastructure .... 22
    3.2.4 VPN protocols .... 26
      3.2.4.1 PPTP (Point to Point Tunneling Protocol) .... 26
      3.2.4.2 L2TP (Layer 2 Tunneling Protocol) .... 27
      3.2.4.3 GRE .... 28
      3.2.4.4 IPSec (Internet Protocol Security) .... 28
    3.2.5 VPN types .... 45
      3.2.5.1 Easy VPN .... 45
      3.2.5.2 Site to Site VPN .... 46
      3.2.5.3 SSL VPN .... 47

Part 4: Building IPS & IDS
  4.1 IPS and IDS overview .... 51
    4.1.1 Introduction .... 51
    4.1.2 History .... 52
    4.1.3 Why IPS emerged and replaced IDS .... 52
  4.2 Classification .... 53
    4.2.1 Host-based Intrusion Prevention System (HIPS) .... 53
    4.2.2 Network-based Intrusion Prevention System (NIPS) .... 55
  4.3 Operating principles of the system .... 58
    4.3.1 Traffic analysis .... 59
    4.3.2 Attack detection .... 59
      4.3.2.1 Attack signatures (Signature-based Detection) .... 59
      4.3.2.2 Anomaly indicators (Statistical Anomaly-based Detection) .... 60
      4.3.2.3 Protocol .... 61
      4.3.2.4 Policy .... 62
    4.3.3 Response .... 62
  4.4 Some terminology .... 63

Part 5: Building a firewall for the Hoa Sen University network
  5.1 Introduction .... 64
  5.2 Requirements .... 64
  5.3 Deployment .... 65
    5.3.1 Network diagram of the main campus .... 65
      5.3.1.1 Network model .... 65
      5.3.1.2 Identifying user groups .... 69
      5.3.1.3 Packet inspection rules on the firewall .... 71
    5.3.2 Building the policies .... 74
      5.3.2.1 Switch Layer 2 .... 74
      5.3.2.2 Switch Layer 3 .... 75
      5.3.2.3 Firewall Inside .... 75
      5.3.2.4 Firewall Outside .... 83
      5.3.2.5 Edge router .... 89
    5.3.3 Technologies used .... 89
  5.4 Additional technologies deployed .... 90
    5.4.1 Failover .... 90
    5.4.2 HSRP (Hot Standby Redundancy Protocol) .... 93
    5.4.3 Firewall Load Balancing .... 98
    5.4.4 802.1x authentication .... 101
    5.4.5 VOIP system .... 105

Conclusion .... 107

References .... 108





LIST OF FIGURES

Figure 1 - Chart showing the growth in damage .... 2
Figure 2 - Chart of the most common attack types today .... 2
Figure 3 - Firewall system .... 3
Figure 4 - Firewall in a network (Network Firewall) .... 3
Figure 5 - Personal firewall (Personal Firewall or Desktop Firewall) .... 4
Figure 6 - Firewall functions .... 4
Figure 7 - How Packet Filtering works .... 5
Figure 8 - How Packet Filtering inspects packets .... 6
Figure 9 - How Stateful Packet Filtering works .... 8
Figure 10 - How a Proxy Firewall works .... 10
Figure 11 - Circuit Level Gateway .... 10
Figure 12 - Workflow of the Application Level Gateway technique .... 11
Figure 13 - Deep Packet Inspection .... 12
Figure 14 - Bastion Host .... 14
Figure 15 - Screened subnet .... 15
Figure 16 - Dual Firewall .... 16
Figure 17 - VPN network .... 19
Figure 18 - Public Key Confidentiality Scenario diagram .... 21
Figure 19 - Public Key Authentication Scenario diagram .... 21
Figure 20 - Public Key Infrastructure (PKI) diagram .... 22
Figure 21 - Operation diagram .... 26
Figure 22 - VPN connection over PPTP .... 27
Figure 23 - L2TP VPN .... 27
Figure 24 - IPSec in the OSI model .... 28
Figure 25 - IPSec components .... 29
Figure 26 - Transport mode .... 30
Figure 27 - Tunnel Mode .... 30
Figure 28 - ESP Transport mode packet .... 31
Figure 29 - ESP Tunnel mode packet .... 31
Figure 30 - ESP fields .... 32
Figure 31 - AH Transport Mode .... 33
Figure 32 - AH Tunnel Mode .... 33
Figure 33 - AH Header .... 33
Figure 34 - Packet with NAT-Traversal support .... 35
Figure 35 - How DH works .... 36
Figure 36 - Comparison of encryption standards, hash algorithms and authentication methods .... 39
Figure 37 - Phase 1 negotiation steps .... 39
Figure 38 - Matching the security parameters .... 40
Figure 39 - IKE phase 1 using a Pre-shared key in main mode .... 41
Figure 40 - IKE phase 1 using a Pre-shared key in aggressive mode .... 42
Figure 41 - IKE phase 1 using a Digital Signature in main mode .... 43
Figure 42 - IKE phase 2 .... 44
Figure 43 - Easy VPN .... 45
Figure 44 - Connecting enterprises over a public network .... 47
Figure 45 - IPS system (Intrusion Prevention System) .... 51
Figure 46 - HIPS system .... 53
Figure 47 - HIDS installed on a computer .... 54
Figure 48 - NIPS system .... 55
Figure 49 - NIPS operation .... 56
Figure 50 - Hoa Sen University network diagram .... 67
Figure 51 - Failover failure-detection time .... 92
Figure 52 - HSRP protocol .... 93
Figure 53 - HSRP operation process .... 94
Figure 54 - ARP table of a member router in the group .... 94
Figure 55 - Switchover process when the Active Router fails .... 95
Figure 56 - HSRP states .... 96
Figure 57 - Multiple HSRP .... 98
Figure 58 - Firewall Load Balancing (FWLB) .... 100
Figure 59 - 802.1x architecture .... 101
Figure 60 - User authentication under the 802.1x standard .... 102
Figure 61 - Exchange between Supplicant, Authenticator and Authentication Server .... 103
Figure 62 - Simple VOIP model .... 105






























































LIST OF TABLES

Table 1 - Comparison of SSL VPN types .... 49
Table 2 - Comparison of HIPS and NIPS functions .... 58
Table 3 - Requirements for each department .... 65
Table 4 - Network zones in the Hoa Sen University system .... 68
Table 5 - IP address ranges for the links between devices .... 69
Table 6 - Department VLANs .... 70
Table 7 - Campuses where VOIP is deployed .... 71
Table 8 - Departments where VOIP is deployed .... 71
Table 9 - User account numbering .... 71
Table 10 - Rules for the departments in the internal network .... 72
Table 11 - Application-layer rules from inside to outside .... 73
Table 12 - Application-layer rules from outside into the DMZ .... 73
Table 13 - Rules for VPN connections .... 74
Table 14 - ACLs from inside to outside .... 76
Table 15 - HTTP Inspection policy on Firewall Inside .... 77
Table 16 - FTP Inspection policy on Firewall Inside .... 79
Table 17 - Block Yahoo Messenger and MSN Messenger .... 80
Table 18 - ACLs from outside into Inside .... 81
Table 19 - Web VPN policies on Firewall Inside .... 83
Table 20 - ACLs from outside into the DMZ .... 83
Table 21 - Connection-limiting policies from outside into the DMZ .... 84
Table 22 - HTTP Inspection policy on Firewall Outside .... 84
Table 23 - Site to Site VPN policies on Firewall Outside .... 85
Table 24 - Easy VPN policies on Firewall Outside .... 86
Table 25 - Web VPN policies on Firewall Outside .... 88
Table 26 - Comparison of firewall features across different systems .... 99













ACKNOWLEDGEMENTS

First, we sincerely thank the entire Board of Rectors of Hoa Sen University, Ho Chi Minh City, for giving us the conditions to complete this graduation thesis report well.

We also extend our deep and sincere thanks to the lecturers of the Faculty of Science and Technology at Hoa Sen University, who patiently guided and helped us throughout the thesis. In particular we thank Mr. Dinh Ngoc Luyen, lecturer in the Faculty of Science and Technology, who directly supervised the completion of this topic.

However, given the limited time and our still limited knowledge and experience, this report inevitably has shortcomings. Your sincere feedback will help us improve this report and accumulate more knowledge and experience, which will equip us to face new challenges in society with confidence.












































SUPERVISOR'S COMMENTS

Supervisor's signature
































INTRODUCTION

In the era of integration, as the demand for exchanging data over computer networks keeps growing, the Internet has become critically important, affecting every area of the national economy, society, security and defence. In Vietnam, the Internet is widely used and still expanding (reaching roughly 25% of the population), and high-tech crime is growing with it: there have been many network attacks with very serious consequences, paralysing security monitoring systems, sabotaging national databases or stealing State secrets. For businesses, securing information on the network is the top concern of most companies, organisations and service providers. With the explosion of science and technology, attack methods grow ever more sophisticated, leaving network security systems ineffective.

Bill Archer, President of AT&T in Europe, stated: "We have seen attacks in the past six months far more densely than two years ago." In Vietnam in particular, this issue demands more investment and attention than ever. According to a survey by the Vietnam Computer Emergency Response Team (VNCERT) based on information security standards, 40% of Vietnamese businesses have no firewall system, 70% have no information security incident handling process and 85% have no network security policy. Furthermore, according to Kaspersky's analysis, in 2010 Vietnam ranked 5th in the world among the countries suffering the most damage from network attacks (after India and the USA, with China and Russia at the top). Building a network security system that guarantees safety and confidentiality of information while still making full use of network performance has become a headache for organisations and businesses not only in Vietnam but all over the world.

Recognising these risks, and driven by a passion for researching network security techniques, our group chose the topic "Building an ASA Firewall and IPS to protect the network", hoping to give businesses a model that meets security requirements while still preserving network performance. Along the way we also equip ourselves with more knowledge in preparation for new challenges in society.

























PART 1: REPORT OVERVIEW

1.1 Research objectives

As mentioned, our group focuses on the common firewall technologies at the Network, Transport and Application layers, while also analysing the techniques behind VPNs and designing and building a VPN system. To further strengthen network security, we study IDS/IPS, their operating principles and the types of IDS/IPS commonly used today. Finally, we successfully implement these techniques on the Hoa Sen University network.

1.2 Scope of the topic

Because time and budget were limited, our group built and deployed the network using software that simulates real devices such as firewalls, switches, routers… The main focus is the Cisco ASA firewall, one of the most popular firewalls today, which supports:

A harmonious, complementary combination of Stateful Packet Filtering and Proxy. ASA gives a complete view of network traffic by inspecting and analysing packets from layer 3 to layer 7.

Authentication and Authorization.

Deploying VPN and IPS/IDS systems.

Redundancy and load balancing in case of failure.

1.3 Research methods

By combining desk research, experimental work (building lab exercises to study the features of the firewall) and synthesis and analysis based on security theory and on results drawn from practice, we gained a deeper understanding of firewall technologies and of the various security techniques used in a network.

1.4 Structure of the report

Part 1: Overview of the graduation thesis report, introducing the reasons for choosing the topic, its scope and the research methods.

Part 2: Common firewall technologies at the Network, Transport and Application layers.

Part 3: Building a VPN between the two Hoa Sen University campuses.

Part 4: Building IDS/IPS.

Part 5: Building a firewall for the Hoa Sen University network.





PART 2: COMMON FIREWALL TECHNOLOGIES AT THE NETWORK, TRANSPORT AND APPLICATION LAYERS

2.1 The importance of information security

Information plays a vital role for most organisations and businesses, especially in today's competitive business environment. Rapid advances in science and technology have made attack techniques ever more sophisticated.

On 10 March 2010 Symantec officially published the results of its 2010 State of Enterprise Security global study, based on a January 2010 survey of 2,100 chief information officers, chief information security officers and IT managers from 27 countries. The study found that businesses are being attacked more and more frequently: in the preceding 12 months, 75% of the surveyed organisations had suffered at least one cyber attack, with an average loss of 2 million USD per year.

Figure 1: Chart showing the growth in damage

Figure 2: Chart of the most common attack types today

Securing information is therefore becoming harder, because information is always under threat from many different sources: inside the organisation, outside it, disasters, or malicious code on the network. As new technologies for storing, transmitting and collecting information are adopted, the number and variety of threats grow correspondingly.

Information security is not only a matter of technology; it directly affects an organisation's reputation, its operations and its very survival. It is easy to agree that building an information security system is a process, one that demands a large investment of time and money.



2.2 Firewall overview

2.2.1 Introduction

A firewall is a device used to limit attacks and to protect important information assets according to a security policy set by an individual, an enterprise or a government organization.

Figure 3: Firewall system

Placed behind the border router, between two network zones, it filters the traffic entering and leaving the network, blocking harmful data flows while still letting necessary data through. Firewalls are extremely important and necessary for most organizations and enterprises today, especially as intrusions into and sabotage of networks keep increasing. Whatever architecture is used, from a personal firewall dedicated to protecting a single computer to the firewall array in the network of a large company or government organization (a network firewall), the ultimate goal is the same: to build a resilient network that resists unauthorized intrusion while keeping data safe.

Figure 4: Firewall in a network (Network Firewall)

Figure 5: Personal firewall (Personal Firewall or Desktop Firewall)



2.2.2 Functions

A firewall controls and enforces the flow of data between the local network and the Internet. Specifically, it can:

Allow or deny services accessing outward, or accessing inward from outside.

Monitor the data flows passing through the firewall.

Control which addresses may access the network and block forbidden addresses.

Authenticate legitimate users and the privileges granted to them.

Control the content of the information circulating on the network.

The firewall examines every traffic flow entering or leaving the network and checks whether it conforms to the configured policy.

Figure 6: Functions of a firewall

If it conforms, the flow is routed between the networks; otherwise it is dropped. In addition, the firewall manages access from outside to internal network resources, logs every attempt to intrude into the private network, and raises an alert promptly when an attack is detected. The firewall also filters packets by source address, destination address and port number. At a higher level it can even filter the content of the information passing through the system.



2.3 Common firewall technologies at each layer

To counter increasingly sophisticated attack methods, people continually research and create new technologies that raise the security of firewalls. Today, whether hardware or software, firewalls are built on the following technologies:

Packet filtering

NAT firewall

Stateful packet filtering

Proxy firewalls (also called Application Layer Gateways)

Stateful Inspection Firewall (SIF)

In general these technologies are built around the OSI model (Open Systems Interconnection Reference Model), because most network protocols operate according to that model. To control inbound and outbound traffic tightly, a firewall therefore applies different technologies at different layers, mainly at the following three layers:

2.3.1 Network and Transport layers

2.3.1.1 Packet Filtering

At first, a firewall only identified the source and destination of a packet at the Network layer and the port number or TCP/UDP protocol type at the Transport layer, without determining the state or the content of the packet. Network access control is performed with access control lists (ACLs) that filter in a basic way against unauthorized intrusion and so limit the harmful traffic that gets in. This is packet filtering, one of the simplest techniques, widely used on both software and hardware firewalls and providing a function that almost every firewall cannot do without. Before the content or the state of a packet can be checked at all, it must first be established that the packet arrives over a connection that the policy permits.










Figure 7: How Packet Filtering works

With this technique, the firewall permits or denies access based on the packet type and the other fields defined by the access control list (ACL). To decide whether a datagram satisfies the filtering conditions, it looks at the following fields of the packet header:

Source IP address (IP Source Address)

Destination IP address (IP Destination Address)

Transport protocol (TCP, UDP, ICMP, IP tunnel)

TCP/UDP source port

TCP/UDP destination port

ICMP message type

Incoming interface of the packet

Outgoing interface of the packet

When a packet arrives, the firewall compares it against the policy rules in order to check whether it is allowed. If it is, the packet is forwarded through the firewall; otherwise it is dropped. In this way the firewall prevents connections to servers or to the trusted zone and blocks access to the internal network from addresses that are not permitted. Some filters also compare the header of the current packet with that of the previous packet, which allows a little more context to be analyzed, and consider the interface through which the packet enters and leaves.

Figure 8: How Packet Filtering inspects packets

Advantages

Fast processing, which is why it is used by most firewalls today.

Easy to deploy, install and maintain, with low deployment cost, because packet filtering is built into routers.

Independent of applications, with little impact on network performance.

Transparent to users and applications.

Does not require highly specialized knowledge from the administrator.

Disadvantages: some problems with packet filtering:

Any packet that matches the policy passes through the firewall. An attacker can exploit this by splitting malicious data across packets that each look legitimate (for example with fragmentation).

Every policy is expressed as an ACL, so a complete system requires configuring many policies. Consolidating, unifying and optimizing these policies is a leading concern for most enterprises.

The technique is not practical for services that do not use fixed port numbers; these require inspection at higher layers (from the Transport layer up).

No support for user authentication.

Cannot prevent address spoofing attacks.

Low level of security: because the filtering criteria are based only on packet header fields, neither the content nor the state of the packet is controlled.
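The following is an added example written for this section; it is not code from the thesis or from any firewall product. It implements the stateless, first-match ACL evaluation described above (with the implicit deny at the end of the list) and runs a few constructed packets through it. The ACL, the inside address space 10.0.0.0/8, the web server 10.0.1.10 and the sample packets are all assumptions. The "probe" packet shows the weakness listed under the disadvantages: a stateless filter that must let replies to inside-initiated connections through cannot tell such a reply from an unsolicited packet sent to the same high port.

```python
"""Stateless packet filter: first-match ACL evaluation with implicit deny.

Added example written for this section; it is not code from the thesis or
from any firewall product. The ACL, the address ranges and the sample packets
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    in_if: str = "outside"     # interface the packet arrived on
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, int] = (0, 65535)   # inclusive destination port range
    in_if: str = "any"
    icmp_type: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """Every field of the rule must match the packet header (header-only check)."""
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.in_if != "any" and self.in_if != p.in_if:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if p.proto in ("tcp", "udp") and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). First match wins; no match means deny."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed ACL applied inbound on the outside interface. 10.0.0.0/8 is the
# (assumed) inside address space and 10.0.1.10 an (assumed) public web server.
OUTSIDE_IN = [
    Rule("deny", src="10.0.0.0/8", in_if="outside", comment="anti-spoofing: inside addresses never arrive from outside"),
    Rule("permit", proto="tcp", dst="10.0.1.10/32", dports=(80, 80), comment="public web server"),
    Rule("permit", proto="icmp", icmp_type=0, comment="echo replies to our own pings"),
    Rule("permit", proto="tcp", dst="10.0.0.0/8", dports=(1024, 65535), comment="replies to inside-initiated TCP (stateless hole)"),
    Rule("deny", comment="explicit catch-all"),
]

# Constructed sample packets, all arriving on the outside interface.
SAMPLE_PACKETS = {
    "spoofed": Packet("10.0.2.5", "10.0.1.10", "tcp", 40000, 80),       # inside source from outside
    "web":     Packet("203.0.113.7", "10.0.1.10", "tcp", 51515, 80),    # legitimate HTTP request
    "reply":   Packet("198.51.100.1", "10.0.2.5", "tcp", 80, 51000),    # reply to an inside client
    "probe":   Packet("198.51.100.9", "10.0.2.5", "tcp", 6666, 3389),   # unsolicited, same rule as "reply"
    "telnet":  Packet("203.0.113.7", "10.0.1.10", "tcp", 51516, 23),    # not published: denied
}


def run_demo() -> dict:
    """Evaluate the constructed packets and return {name: (action, rule index)}."""
    return {name: evaluate(OUTSIDE_IN, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, idx) in run_demo().items():
        why = OUTSIDE_IN[idx].comment if idx is not None else "implicit deny"
        print(f"{name:8s} -> {action:6s} ({why})")
```

The anti-spoofing rule must come first, because a later permit for the web server would otherwise match a packet that claims an inside source. The "probe" packet is permitted by the same rule as the genuine reply; closing that hole is exactly what the stateful techniques in the next sections add.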



2.3.1.2 NAT Firewall

Operates at the Network and Transport layers. NAT (Network Address Translation) rewrites the IP addresses of packets when required, so that inside users can reach the Internet with a public address while their real internal addresses stay hidden. NAT also governs Internet access by deciding which users are allowed to use it. Concretely, when an inside user initiates an outbound connection, NAT rewrites the source IP address of the packet and forwards it, recording the state in its translation table. When the reply arrives from outside, NAT looks up the table and rewrites the destination IP address back to the original one, so that the packet returns to where it started. The variant that also rewrites the source and destination ports is called PAT (Port Address Translation).

As mentioned, NAT uses the translation table to store the state of the translated connections, so an outside user cannot initiate a connection to the inside on their own.

Advantages

Protects the inside network from "probing" from outside.

Allows specifying which services use NAT, and for which hosts in the system.

With only a single public IP address, all internal computers can access the Internet.

Disadvantages

With TCP, deciding when to stop translating an address is straightforward, because TCP signals both connection setup (the three-way handshake) and teardown (FIN or RST). With UDP this is a problem, because UDP establishes no connection: NAT has to guess when the exchange has ended, usually with an idle timeout, and a wrong guess either drops a reply that arrives late or leaves a stale mapping open.
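The translation table described above, as an added example (not code from the thesis or from any NAT implementation). It models PAT with a single assumed public address, tears a TCP mapping down once a FIN has been seen, and expires UDP mappings with an assumed idle timeout, which is the guess the disadvantage above refers to. The addresses, ports and timeouts are constructed.

```python
"""PAT (port address translation) table with TCP teardown tracking and UDP idle timeout.

Added example for this section, not code from the thesis. Addresses, ports and
timeouts are constructed; real NAT devices apply similar but vendor-specific rules.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"        # assumed single public address
UDP_IDLE_TIMEOUT = 30.0          # seconds; assumed value: NAT must guess when a UDP exchange ends
TCP_IDLE_TIMEOUT = 3600.0        # seconds; assumed value for idle but open TCP connections

Inside = Tuple[str, int]         # (private ip, private port)


@dataclass
class Entry:
    proto: str
    inside: Inside
    last_seen: float
    closing: bool = False        # TCP: a FIN has been seen in one direction


@dataclass
class PatTable:
    next_port: int = 40000
    entries: Dict[Tuple[str, int], Entry] = field(default_factory=dict)   # (proto, public port)
    reverse: Dict[Tuple[str, Inside], int] = field(default_factory=dict)  # (proto, inside) -> public port

    def _expired(self, e: Entry, now: float) -> bool:
        limit = UDP_IDLE_TIMEOUT if e.proto == "udp" else TCP_IDLE_TIMEOUT
        return now - e.last_seen > limit

    def _drop(self, proto: str, public_port: int) -> None:
        e = self.entries.pop((proto, public_port), None)
        if e is not None:
            self.reverse.pop((proto, e.inside), None)

    def outbound(self, proto: str, src: Inside, now: float, fin: bool = False) -> Tuple[str, int]:
        """Inside host sends a packet out: reuse or allocate a public port and refresh the timer."""
        key = (proto, src)
        port = self.reverse.get(key)
        if port is not None and self._expired(self.entries[(proto, port)], now):
            self._drop(proto, port)
            port = None
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.entries[(proto, port)] = Entry(proto, src, now)
            self.reverse[key] = port
        e = self.entries[(proto, port)]
        e.last_seen = now
        if proto == "tcp" and fin:
            e.closing = True
        return PUBLIC_IP, port

    def inbound(self, proto: str, public_port: int, now: float, fin: bool = False) -> Optional[Inside]:
        """Packet arrives from outside: translate back only if a live mapping exists."""
        e = self.entries.get((proto, public_port))
        if e is None or self._expired(e, now):
            self._drop(proto, public_port)
            return None              # unsolicited or stale: dropped
        e.last_seen = now
        inside = e.inside
        if proto == "tcp" and (fin or e.closing):
            # simplified teardown: the first inbound packet after a FIN ends the mapping
            self._drop(proto, public_port)
        return inside


def run_demo() -> dict:
    """Scripted exchanges showing the TCP and UDP cases from the text."""
    t = PatTable()
    out = {}
    # TCP: the outbound SYN creates the mapping, the reply is translated back,
    # the FIN exchange removes it, and nothing more gets in afterwards.
    _, p = t.outbound("tcp", ("10.0.2.5", 51000), now=0.0)
    out["tcp_reply"] = t.inbound("tcp", p, now=1.0)
    t.outbound("tcp", ("10.0.2.5", 51000), now=2.0, fin=True)
    out["tcp_after_fin"] = t.inbound("tcp", p, now=3.0, fin=True)   # last packet still delivered
    out["tcp_after_close"] = t.inbound("tcp", p, now=4.0)           # mapping gone
    # Unsolicited inbound to a port nobody mapped is dropped.
    out["unsolicited"] = t.inbound("tcp", 40999, now=4.0)
    # UDP: a DNS-style reply inside the idle window works; a late reply is lost.
    _, q = t.outbound("udp", ("10.0.2.6", 53001), now=10.0)
    out["udp_reply"] = t.inbound("udp", q, now=12.0)
    out["udp_late"] = t.inbound("udp", q, now=12.0 + UDP_IDLE_TIMEOUT + 1)
    return out
```

The UDP case is the one to watch operationally: a timeout that is too short drops legitimate late replies, while one that is too long keeps a public port open for an outsider to send unsolicited datagrams into.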



2.3.1.3 Stateful Packet Filtering

Operates at the Network, Transport and Session layers. It tracks and records the state of connections (TCP/UDP traffic) entering and leaving the system in order to distinguish the packets that legitimately belong to each connection. The inspection itself is like packet filtering, but this technique additionally maintains connection state. Each time a TCP/UDP connection is initiated from the inside or the outside, its state information is stored in a state table (the stateful session flow table). For each initiated session, the parameters of the session must exactly match the information in the state table before the session is allowed to proceed. Working this way, the technique operates mainly on connections rather than on individual, isolated packets.

The state table holds the source IP, destination IP, port numbers, the state flags of each connection and the sequence numbers, which are randomized before a packet is forwarded and the connection completed. All outbound and inbound packets are therefore carefully checked against it before forwarding, ensuring that connections are established only from the inside to the outside and not in the reverse direction, so that harmful packets cannot enter the system and outside hosts cannot push data to inside hosts.

Figure 9: How Stateful Packet Filtering works

This is an advance over the previous generation for three reasons:

It controls both connections and packets, giving higher performance.

It keeps TCP/UDP connection state in the state table and uses it to determine whether a packet belongs to a previously established connection or is an unauthorized access attempt.

It can analyze how the FTP protocol operates and update the state table automatically so that FTP traffic can pass through the firewall. It also randomizes and tracks the sequence numbers of TCP packets and the identifiers of DNS queries, so that forged packets with guessed values are rejected. These features reduce the danger of TCP RST flood and DNS cache poisoning attacks.

Advantages

The primary protection method in every case, filtering the traffic entering and leaving the network.

Protects the perimeter, where the router meets untrusted networks.

A means of enhancing packet filtering.

An effective method against spoofing and denial of service (DoS), because the state of every connection is recorded in the state table and only packets that match it are allowed through; everything else is dropped.

Disadvantages: stateful packet filtering cannot:

Block attacks at the Application layer, because it does not analyze the data content.

Support user authentication.
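An added example of the connection table described above, not code from the thesis or from any firewall: a small TCP state machine driven by the SYN, ACK, FIN and RST flags. The policy is the one in the text (connections may only be opened from the inside; from the outside only packets that belong to a tracked connection are accepted). The addresses and the packet sequence are constructed.

```python
"""Stateful packet filter: a connection table keyed on the 5-tuple, driven by TCP flags.

Added example for this section, not the thesis's own code. Policy: inside hosts may
open TCP connections outward; from outside only packets belonging to a tracked
connection are accepted. Addresses and the packet sequence are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAFR": SYN, ACK, FIN, RST
    direction: str      # "out" (inside -> outside) or "in"


class StatefulFilter:
    def __init__(self):
        self.table: Dict[Key, str] = {}   # connection state per 5-tuple

    @staticmethod
    def _key(s: Seg) -> Key:
        # normalise so that both directions of one connection share an entry
        return (s.src, s.sport, s.dst, s.dport) if s.direction == "out" else (s.dst, s.dport, s.src, s.sport)

    def filter(self, s: Seg) -> str:
        """Return "permit" or "deny" and update the connection table."""
        k = self._key(s)
        state = self.table.get(k)
        syn, ack, fin, rst = (f in s.flags for f in "SAFR")

        if state is None:
            # Only an inside-initiated SYN (without ACK) may create state.
            if s.direction == "out" and syn and not ack:
                self.table[k] = "SYN_SENT"
                return "permit"
            return "deny"                # inbound SYN, stray SYN/ACK, or data without a connection

        if rst:
            del self.table[k]            # reset tears the connection down immediately
            return "permit"

        if state == "SYN_SENT":
            if s.direction == "in" and syn and ack:
                self.table[k] = "SYN_RECEIVED"
                return "permit"
            return "deny"                # anything else before the handshake answer is bogus
        if state == "SYN_RECEIVED":
            if s.direction == "out" and ack and not syn:
                self.table[k] = "ESTABLISHED"
                return "permit"
            return "deny"
        # ESTABLISHED or CLOSING: data flows both ways; FINs move the entry towards removal.
        if fin:
            if state == "ESTABLISHED":
                self.table[k] = "CLOSING"
            else:
                del self.table[k]
        return "permit"


def run_demo() -> list:
    """Walk a handshake, data, teardown and a few hostile packets; return the decisions."""
    f = StatefulFilter()
    inside, outside = ("10.0.2.5", 51000), ("198.51.100.1", 443)
    script = [
        ("inbound_syn",  Seg(*outside, *inside, "S", "in")),    # outside tries to open: denied
        ("stray_synack", Seg(*outside, *inside, "SA", "in")),   # no SYN was ever sent: denied
        ("syn",          Seg(*inside, *outside, "S", "out")),
        ("synack",       Seg(*outside, *inside, "SA", "in")),
        ("ack",          Seg(*inside, *outside, "A", "out")),
        ("data_in",      Seg(*outside, *inside, "A", "in")),    # reply data now allowed
        ("fin_out",      Seg(*inside, *outside, "FA", "out")),
        ("fin_in",       Seg(*outside, *inside, "FA", "in")),
        ("after_close",  Seg(*outside, *inside, "A", "in")),    # connection gone: denied
    ]
    return [(name, f.filter(seg)) for name, seg in script]
```

Compare the "data_in" decision with the "probe" packet in the packet-filtering example: the same kind of inbound segment to a high port is accepted here only because a matching entry exists in the table. A production implementation would also validate sequence and acknowledgement numbers against the window and age out entries that never complete the handshake.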



2.3.2 Application layer

2.3.2.1 Proxy Firewall

As technology has advanced, the need to manage network access has grown. By exploiting the limitations of packet filtering, users can easily evade the firewall's defences and intrude into the system. To raise the level of security, the proxy firewall, the second generation of firewalls, operates at the Network, Transport, Session and Application layers and communicates with the outside network (Outside Network) on behalf of the inside network (Inside Network), thereby hiding all important data. When the firewall receives a request from a user it authenticates it against the configured rules. If the user account is valid, the firewall communicates with the hosts on the Internet on behalf of the inside user. A proxy firewall only forwards packets whose Network and Transport layers are appropriate, and only returns packets whose Session and Application layers are appropriate.







Figure 10: How a Proxy Firewall works

A proxy firewall prevents the direct exchange of packets between two devices. All communication between devices passes through the proxy, which allows packets to be inspected faster and more deeply than with traditional techniques. There are two kinds:

Circuit Level Gateway

Somewhat more elaborate than packet filtering: besides filtering traffic by IP address and port number, it also checks the TCP handshake at the Session layer.

Figure 11: Circuit Level Gateway

Operation

Step 1: The source host starts a connection; the firewall checks the connection information against the configured rules and, if the connection is permitted, lets it proceed.

Step 2: On behalf of the inside host, the firewall connects to the outside host and closely monitors the TCP handshake, which consists of exchanging packets carrying the SYN and ACK flags.

Step 3: The firewall verifies that the inside host and the outside host are the two parties of one session. It then copies and forwards data between the two connections.

The server, however, sees the connection as coming from the firewall, which hides all information about the inside. No data is forwarded until the firewall has confirmed that the connection is valid. The firewall considers a session valid when the SYN and ACK flags and the sequence numbers exchanged during the handshake are consistent.



Application Level Gateway (ALG)

As the name suggests, an application-level proxy firewall works mainly at the Application layer and is used to inspect specified applications or services such as HTTP, FTP, DNS, telnet and so on. An ALG can also detect unwanted protocols running on ports outside the standard range (non-standard ports).

It relies on a proxy service, a dedicated program installed on the application gateway. Using a service through the firewall proceeds in the following five steps:

Figure 12: Operation of the Application Level Gateway technique

Step 1: The client sends a request to the remote server through the firewall.

Step 2: The firewall authenticates the user. If authentication succeeds it proceeds to step 3; otherwise the process ends.

Step 3: The firewall forwards the client's request to the remote server.

Step 4: The remote server's reply is delivered to the firewall.

Step 5: The firewall forwards the remote server's reply to the client.

To recognize the application it must inspect, the ALG keeps the state of the services specified in advance. When a user connects directly to the application-level proxy and requests a service such as web (HTTP/HTTPS) or mail (SMTP), the proxy connects in turn to the inside servers on the user's behalf. Because the proxy has to hold information about every service in the system, it cannot protect every application equally well.

It provides more security and reliability than packet filtering because it can manage, monitor, inspect and enforce policies on the content deep inside the data stream using DPI (Deep Packet Inspection). For the same reason, deploying an ALG in a network needs careful consideration, since it noticeably affects network performance. The rule of thumb is to deploy a proxy only where information security matters more than network throughput.

Figure 13: Deep Packet Inspection

Thanks to DPI, the firewall can inspect the packets passing through it. In figure 10a the user sends a HELO to the mail server to set up an SMTP session. After checking that the packet is legitimate, the firewall contacts the inside mail server on the user's behalf and replies to the user. Having received the reply from the firewall, the user continues with the next commands.

Conversely, in figure 10b the user issues the VRFY command to obtain account information from the server. The firewall inspects the packet, sees that it violates policy and immediately refuses the command.
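The HELO/VRFY decision above, as an added example of application-level inspection (not code from the thesis or from any proxy product). It classifies each SMTP command line a client sends, forwards the permitted verbs to a stand-in for the inside mail server, and answers the blocked ones (VRFY, EXPN) itself, as well as rejecting malformed lines that an attacker might use to slip past a weaker filter. The command policy, the simulated server replies and the client session are all constructed.

```python
"""Application-level inspection of SMTP commands, as an SMTP proxy would do it.

Added example for the DPI discussion above, not code from the thesis. The command
policy, the simulated server replies and the client session are all constructed.
"""
from typing import List, Tuple

MAX_LINE = 512            # RFC 5321 limit for a command line, including CRLF
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
BLOCKED = {"VRFY": "user enumeration", "EXPN": "list enumeration", "TURN": "obsolete"}


def inspect_command(line: bytes) -> Tuple[str, str]:
    """Classify one client line: ("forward", verb) or ("reject", reply sent back to the client)."""
    if len(line) > MAX_LINE:
        return "reject", "500 5.5.2 Line too long"
    if not line.endswith(b"\r\n"):
        return "reject", "500 5.5.2 Bare line ending"          # bare LF is a smuggling vector
    if any(b > 0x7E or (b < 0x20 and b not in (0x0D, 0x0A)) for b in line):
        return "reject", "500 5.5.2 Non-printable character in command"
    verb = line.strip().split(b" ", 1)[0].upper().decode("ascii", "replace")
    if verb in BLOCKED:
        return "reject", f"502 5.5.1 {verb} not permitted ({BLOCKED[verb]})"
    if verb not in ALLOWED:
        return "reject", "500 5.5.1 Command unrecognized"
    return "forward", verb


def fake_server(verb: str) -> str:
    """Stand-in for the inside mail server's reply to a forwarded command (constructed)."""
    return {"HELO": "250 mail.example.test", "QUIT": "221 Bye"}.get(verb, "250 OK")


def proxy_session(client_lines: List[bytes]) -> List[Tuple[bytes, str, str]]:
    """Run the inspection over a session; return (line, action, reply to client) per line."""
    log = []
    for line in client_lines:
        action, detail = inspect_command(line)
        reply = fake_server(detail) if action == "forward" else detail
        log.append((line, action, reply))
        if action == "forward" and detail == "QUIT":
            break
    return log


# Constructed client session mirroring figures 10a and 10b: HELO passes, VRFY is refused.
SESSION = [
    b"HELO client.example.test\r\n",
    b"VRFY admin\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"XDEBUG on\r\n",                   # unknown verb: rejected
    b"DATA\n",                          # bare LF: rejected rather than forwarded
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for line, action, reply in proxy_session(SESSION):
        print(f"{line!r:40} {action:8} {reply}")
```

Note that the proxy answers the refused commands in the server's own protocol, so the client sees an ordinary SMTP error and learns nothing about the inside server. A real ALG would apply the same idea to the reply direction (for example, rewriting server banners) and would parse the DATA phase separately.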

Advantages

Controls each service on the network (decides which host may access which service).

Authenticates users rather than devices; the firewall forwards data only after authentication and authorization succeed.

Hard to attack with spoofing and denial of service (DoS).

Allows monitoring and filtering of data. Every user request is logged explicitly, making it easy to report which content any user accessed at any moment. The proxy can also authorize who is allowed to do what, through its authentication and authorization capabilities.

Tracks and monitors every flow passing through it in detail, and can even identify the type of attack and the target attacked. It also records user access information such as the resources accessed, the bandwidth used and the time of access.

Every response fetched by the proxy is stored in its cache; when another request asks for the same information, the proxy serves it directly from the cache without sending a request outside, improving network performance.

Queries the outside on behalf of users, hiding their IP addresses and other sensitive information.

Disadvantages

Slow, with low throughput, because processing spans many layers.

Limited scalability.

If the proxy is compromised, the inside network is affected as well.

Limited service support: only a few familiar services such as web (HTTP/HTTPS) and FTP are controlled, which makes configuring additional services difficult.

Inspecting deep inside packets noticeably reduces network performance.

Installation and maintenance are complex, because packets are processed by application programs.

Supports only a small number of users.



2.3.2.2 Stateful Inspection Firewall (SIF)

Mainly uses SPI (Stateful Packet Inspection), an improved generation of packet filtering developed by Check Point in 1993. SPI combines the strengths of the earlier techniques:

Packet filtering: operates at the network layer, filtering incoming and outgoing packets on connection parameters such as source address, destination address, source port and destination port.

Circuit level gateway: identifies the packets of a valid session based on the ACK and SYN flags and the sequence numbers.

Application level gateway: the SIF passes packets up to the application layer and checks that the data content complies with the system's security policy. The SIF can be configured to drop packets containing specified commands (such as FTP PUT or FTP GET). In addition, as an improvement over the application level gateway, the SIF lets users connect directly to the server.



2.4 Deploying firewalls in an enterprise network

Depending on the purpose and the architecture of the network, the administrator chooses a suitable model, according to their own knowledge and experience. Firewall architectures are very diverse, but broadly they fall into the following three forms:

2.4.1 Bastion Host

Bastion host is a general term for a system that the firewall administrator designates as an exceptionally hardened security point in the network.

This is the simplest firewall architecture: the firewall sits between the internal network (Inside Network) and the external network (Outside Network) and filters packets entering and leaving through two interfaces, one connected directly to the Internet (untrusted) and one connected to the intranet (trusted). Two zones with different security levels therefore exist.

It mainly uses application level gateway technology, circuit level gateway technology, or a combination of the two. A dual-homed host is the typical example of a bastion host.

Figure 14: Bastion Host

The bastion host model suits simple networks with no need to publish services to the Internet; if the server is compromised, the entire inside system is affected. Moreover, this model creates only a thin boundary between the trusted and untrusted networks. If that boundary is breached, the whole network and all the resources inside it are exposed.

Advantages

Low deployment cost.

Easy to manage and configure.

Disadvantages

Low security: if the firewall is compromised, every resource in the inside network is exposed.



2.4.2 Screened subnet (or triple-homed host firewall)

A basic firewall model which, compared with the bastion host, additionally supports publishing services to the Internet by defining a demilitarized zone (DMZ), an isolated subnet between the Internet and the internal network. This model suits small and medium companies: it both meets the need to secure the inside system and lets outside users reach the necessary services, and above all it fits the budget, which is why it is the most widely deployed model.

Like the bastion host, a screened subnet uses a single firewall, with three network cards that clearly separate Outside, Inside and DMZ. As noted, this model allows outside users to access the services published in the DMZ. Its security is higher than that of the bastion host; the likelihood of the inside network being attacked is relatively low, because from outside a user can only reach the services in the DMZ and cannot initiate a connection to the inside.

Figure 15: Screened subnet

Advantages

If the DMZ is compromised, the inside network is not affected.

Relatively high security compared with the bastion host, because outside users can only reach the services published in the DMZ and cannot connect directly to the internal network.

Disadvantages

As with the bastion host model, if this single protective layer is breached, the entire inside network is in danger.





2.4.3 Dual firewall

The system consists of two firewalls and achieves the highest security of the three models. Deployment is expensive, the system demands more attention from the administrator and configuration is relatively complex, but the result is highly reliable and hard to bring down.

Figure 16: Dual Firewall

As in the three-legged model, the DMZ is isolated in its own zone, so even if it is compromised the inside is not affected. Using two firewalls is costly, but weighed against the importance of the data the investment is well worth it. The model is safest when each firewall comes from a different vendor: if the outer firewall is breached, the attacker still cannot breach the inner one with the same technique, or at least loses time working out how to get past it, time that can be used to rebuild the outer firewall and deal with the attacker.

Using more firewalls also means having more interfaces, so more zones with different security levels can be defined as required, which simplifies management and configuration.

In general, each of the designs above has its advantages and disadvantages. The choice of firewall model depends mainly on the needs of the organization and the budget it sets aside for security. From these, a model is chosen that meets the organization's needs while fitting its investment budget.

Advantages

Higher security than the two previous models: to intrude into the internal network, an attacker must get past two layers of protection, the outside firewall and the inside firewall.

Allows outside users to access the services published in the DMZ.

Compared with the screened subnet, if the DMZ is attacked the inside network remains protected.

Disadvantages

High deployment cost.

Managing the firewall system requires an administrator with a certain amount of experience and knowledge.





PART 3: BUILDING A VPN BETWEEN THE TWO CAMPUSES OF HOA SEN UNIVERSITY

3.1 The need for VPN in the enterprise

3.1.1 Why VPN came about

With the rapid development of information and telecommunications technology, the world is getting smaller and closer. Many companies are moving beyond local and regional boundaries into the world market. Many businesses span the whole country or even the globe, and all of them face the same practical need: a way to maintain timely, secure and efficient communication links no matter where their offices are located.

The growth of the Internet, in both scale and technology, partly meets this need. The Internet connects many different networks and lets information reach users freely and quickly, but without regard to the confidentiality of that information. As the market keeps growing, a whole series of new technologies, techniques and applications keeps appearing. Services such as distance learning, online shopping and medical consultation are gradually becoming familiar to almost everyone.

However, the very vastness of the Internet that is its strength is also a weak point that brings no small amount of risk and loss to businesses. Managing, securing and protecting data on the Internet is extremely hard, because the Internet is global and belongs to no single organization. To satisfy these requirements while still making use of the existing Internet infrastructure, the Virtual Private Network (VPN) model was born.

3.1.2 VPN is truly necessary for the enterprise

With this new model, reliability is assured without heavy investment in additional infrastructure, and the operation of the network can still be managed. A VPN gives users a secure connection when working from home, on the road or at branch offices over the Internet. A VPN secures information exchanged between agents, suppliers and business partners across a vast communication environment. In many respects a VPN resembles a WAN (Wide Area Network), but its decisive characteristic is that it can use a public network such as the Internet while still ensuring privacy and saving considerable cost.

In today's competitive market, building a VPN so that remote employees can reach data on the inside systems over the public Internet is increasingly necessary for organizations, raising the productivity of employees both at the company and when travelling. A typical VPN consists of the main LAN at the headquarters (head office), other LANs at remote offices, and connection points or users (mobile employees) who connect from outside.

Figure 17: VPN network



3.2 VPN overview

3.2.1 Concept

A VPN is the extension of a private network over a public network. Essentially, a VPN is a private network that uses a shared network (the Internet) to join sites (separate private networks) or many remote users together. Instead of using real, dedicated connections such as leased lines, each VPN uses virtual connections over the Internet from the company's private network to its branches or remote employees.

It provides mechanisms for encrypting data on the path, creating a secure tunnel between the sender and the receiver (the VPN tunnel) that behaves like a point-to-point connection on a private network. To keep data safe in transit, it must be encrypted or otherwise hidden, exposing only the routing information needed to deliver it to the destination through the Internet. Consequently, even if packets are captured along the way, an attacker cannot read their content, because they do not have the decryption key.

3.2.2 Benefits of VPN: compared with deploying traditional networks, a VPN brings:

Lower cost.

A simpler network architecture.

Global connectivity opportunities.

Easy management: compared with using protocols such as Frame Relay and ATM to connect sites, a VPN offers a simpler and more flexible way to manage the number of users (adding or removing links continuously and quickly).

Strengthened network security.

Compatibility with broadband networks.

Support for the most common network protocols in use today, such as TCP/IP.

IP address confidentiality: the information sent over the VPN is encrypted, so the addresses inside the private network are hidden and only the external Internet addresses are used.


3.2.3 Technical foundations for building a VPN

3.2.3.1 Cryptography

a. The role of cryptography in protecting information

Hiding secret information. Today, eavesdropping on and stealing information in transit is quite common, and the number of attacks on enterprise networks grows every year. Cryptography is therefore important and necessary for most organizations and enterprises, and has become a prerequisite for protecting data when it is transmitted over public communication channels.

b. The branches of cryptology

Cryptology has two main branches: cryptography and cryptanalysis. Cryptography studies algorithms and cryptographic solutions and is itself divided into two sub-branches, encryption (whose goal is confidentiality) and hashing (used for authentication and verification); cryptanalysis studies how to break ciphers (cracking).

Cryptography is not recent: it is an old science that has evolved over many centuries from the simple to the complex. It began with simple ciphers that replaced each character with another character or a number, swapped the positions of characters, or used coordinate grids. Today there are encryption algorithms that would take even a supercomputer many years to break. Fundamentally they come in two kinds:

Symmetric: the same key is used for encryption and decryption, so sender and receiver must both hold the same key in order to decrypt. These algorithms are faster and simpler and use shorter keys than asymmetric algorithms, typically 40 to 256 bits. Examples: DES, 3DES, AES, IDEA, RCx, Blowfish.

Asymmetric: also called public-key algorithms; about 1000 times slower than symmetric algorithms, because they involve demanding computations on numbers with dozens or hundreds of digits. For this reason they are usually used for digital signatures. On the other hand, key management is much simpler than with symmetric algorithms, because one of the two keys can be made public (the public key) while the other is kept private (the private key). Stating an exact equivalent key length is not possible; keys are estimated at 512 to 4096 bits, and the key lengths of symmetric and asymmetric algorithms cannot be compared directly.

What the two have in common is that both require a key to encrypt and decrypt. However, a symmetric algorithm uses one key for both encryption and decryption, while an asymmetric algorithm uses one key to encrypt and another to decrypt. Depending on the application, these two keys are called the public key and the private key, mainly according to the following two scenarios:

Public key confidentiality scenario: the public key is used to encrypt and the private key to decrypt. Because each system has a different private key, data encrypted with a given system's public key cannot be decrypted by any other system. This is commonly used for key exchange.

Public key (Encrypt) + Private key (Decrypt) = Confidentiality

Figure 18: Public key confidentiality scenario

Public key authentication scenario: the private key is used to encrypt and the public key to decrypt. Because each system's private key is different, data encrypted with a given system's private key can only be decrypted with that system's public key. This is commonly used for authentication.

Private key (Encrypt) + Public key (Decrypt) = Authentication

Figure 19: Public key authentication scenario

c. Modes of encryption

Block cipher: the data is divided into blocks of fixed length and each block is encrypted. If the plaintext is shorter than a whole number of blocks, padding is appended to fill the last block, so the ciphertext is usually longer than the plaintext. Algorithms that use this mode include AES and IDEA.

Stream cipher: processes the data bit by bit (or byte by byte), so the ciphertext is the same size as the original plaintext, and is faster than a block cipher. Algorithms that use this mode include RC4 and SEAL.
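The padding rule behind the "ciphertext is usually longer than the plaintext" remark, as an added example (not code from the thesis). It implements PKCS#7 padding, the scheme normally used with AES in CBC mode, including the edge case that a plaintext already aligned to the block size still gains one full block of padding, and an unpadding routine that rejects malformed padding.

```python
"""Block-cipher padding: why ciphertext is usually longer than the plaintext.

Added example for the block-cipher paragraph above, not the thesis's own code. It
implements PKCS#7 padding as used with AES-CBC, including the rule that an
already aligned plaintext still gains one full padding block.
"""
BLOCK = 16   # AES block size in bytes


def pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes each of value n, 1 <= n <= block, so the result is block-aligned."""
    n = block - (len(data) % block)          # never 0: an aligned input gets a whole extra block
    return data + bytes([n]) * n


def unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding; raise ValueError on any malformed padding."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block:
        raise ValueError("bad padding length")
    if any(b != n for b in data[-n:]):       # check every padding byte, not just the last one
        raise ValueError("bad padding bytes")
    return data[:-n]


def padded_length(plaintext_len: int, block: int = BLOCK) -> int:
    """Length of the data a block cipher will encrypt (before any IV or tag is added)."""
    return (plaintext_len // block + 1) * block
```

One caveat for a decryptor built on this: if the receiver reports "bad padding" and "bad MAC" distinguishably (in error messages or timing), an attacker gains a padding oracle. Verify a MAC or use an AEAD mode before touching the padding at all.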



3.2.3.2 Public Key Infrastructure (PKI)

a. Introduction

A PKI is a standards-based system of technologies and applications used to create, store and manage digital certificates as well as public and private keys. PKI took shape in the mid-1990s, when industry and government organizations built common standards based on cryptographic methods to support a security infrastructure on the Internet. The goal at the time was to build a comprehensive set of security standards, together with the tools and theory, that would let users and organizations create, store and exchange information securely in both private and public settings.

Figure 20: Diagram of a Public Key Infrastructure (PKI)

In cryptography, a PKI is an arrangement that binds public keys to their corresponding users, established by a certificate authority (CA), where each user's identity must be unique within the CA. This binding is normally established through registration and certificate issuance; depending on the level of assurance required, it may be performed automatically by software at a central site or under human supervision.

Public key certificates (digital certificates or identity certificates)

An electronic document, carrying a digital signature and issued by a CA, that authenticates the parties to an exchange and securely delivers the public key from the sender (who encrypts) to the receiver (who decrypts).

Before the CA issues a public key certificate, the user must register with the CA. The registration, activation and certification steps with the PKI (CAs and RAs) proceed as follows:

The user registers with the CA or RA. During registration the user presents their identification to the CA; the CA authenticates the end entity and sends it its own public key.

The user generates a public/private key pair and sends the public key together with a certificate request to the Registration Authority (RA). The RA is responsible for accepting or rejecting the user's request. The RA then forwards the request to the CA to confirm the policies and to request the CA's signature.

The CA signs the public key certificate with its own private key, producing the user's public key certificate.

At this point an end user can request the public key certificate of another party and use the CA's public key to verify the CA's signature, thereby confirming that the certificate is valid.



b. Components of a PKI: to ensure that public keys are managed securely, the CA must manage the following tasks:

Authenticate and register end entities.

Verify the integrity of public keys.

Authenticate requests during the custody of public keys.

Issue public keys confidentially.

Revoke public keys when they are no longer valid.

Maintain the revocation information for public keys (the CRL) and distribute it, either by publishing CRLs or by answering Online Certificate Status Protocol (OCSP) messages.

Ensure the security and the history of keys.

To simplify these functions and reduce the key management burden on the CA, they are divided among the following three components:

Registration Authorities

In many cases the CA provides all the PKI services needed to manage the public keys in the network. In many other cases, however, the CA delegates work to an RA. Among the functions the CA can delegate to the RA are:

Checking that the end user registering a public key with the CA holds the private key that corresponds to that public key.

Generating public/private key pairs to start the registration process.

Confirming the parameters of the public key.

Indirectly issuing Certificate Revocation Lists (CRLs).

Certificate Authorities

Issues certificates, authenticates PKI clients and, when necessary, revokes certificates; it is the main trust anchor of the PKI. The CA is the only entity that issues public key certificates to end users, maintains the CRL and acts as the CRL issuer. A PKI may contain several CAs.

It helps establish the identity of the entities that communicate with each other. A CA not only certifies PKI clients but also other CAs, by issuing digital certificates to them. A certified CA can in turn certify further CAs, until every entity can trust the other entities involved in a transaction.

Validation Authorities: ensure that digital certificates are validated securely and reliably.

Purpose: to let

Participants authenticate each other and use the information in the certificates to encrypt and decrypt the information they exchange.

Electronic transactions take place confidentially, with integrity and with mutual authentication, without exchanging any secret beforehand.

Public keys be supplied together with a binding between each key and the identity of its user. Users can then rely on them in applications such as:

o Encrypting email or authenticating the sender of email.

o Encrypting or authenticating documents.

o Authenticating users of applications.

o Secure communication protocols: key exchange with asymmetric keys, encryption with symmetric keys.

To provide encryption and authentication, the PKI uses:





Hash functions

A hash function guarantees the integrity of data: if the data changes even slightly, the change is detected immediately. It is one-way and produces a fixed-length output for any input. A hash function does not encrypt the data. The best known examples are MD5 and SHA-1, although both are now considered broken for collision resistance and the SHA-2 family (for example SHA-256) should be used instead.

To raise the level of security, HMAC was introduced. With a plain hash, a change to the data is detected, but if the hash value is replaced along with the data the change cannot be recognized. HMAC uses a secret key in the hashing process, which adds authentication and protects against man-in-the-middle attacks.
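The difference the paragraph describes, as an added example (not code from the thesis): a man in the middle who rewrites a message can recompute a plain hash but not an HMAC, because the HMAC needs the shared key. The message, the key and the tampering are constructed; the comparison uses a constant-time check so the verifier does not leak how many bytes of the tag matched.

```python
"""Integrity check with a plain hash versus an HMAC, as an attacker in the middle sees it.

Added example for the hash/HMAC paragraphs above, not code from the thesis. The
message, the shared key and the tampering are constructed.
"""
import hashlib
import hmac

KEY = b"shared-secret-known-only-to-the-two-vpn-gateways"   # constructed


def tag_plain(message: bytes) -> bytes:
    """Keyless integrity tag: anyone can recompute it."""
    return hashlib.sha256(message).digest()


def tag_hmac(key: bytes, message: bytes) -> bytes:
    """Keyed tag: only holders of the key can produce a valid one."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_plain(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_plain(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched (timing side channel)
    return hmac.compare_digest(tag_hmac(key, message), tag)


def attacker_modifies(message: bytes, tag: bytes) -> tuple:
    """Man in the middle rewrites the message and recomputes the tag as best they can (no key)."""
    forged = message.replace(b"amount=100", b"amount=9000")
    return forged, tag_plain(forged)      # only a keyless hash can be recomputed


def run_demo() -> dict:
    msg = b"transfer to=bob amount=100"
    # scenario 1: the sender protects the message with a plain hash
    m1, t1 = attacker_modifies(msg, tag_plain(msg))
    # scenario 2: the sender protects it with an HMAC under the shared key
    m2, t2 = attacker_modifies(msg, tag_hmac(KEY, msg))
    return {
        "plain_accepts_forgery": verify_plain(m1, t1),
        "hmac_accepts_forgery": verify_hmac(KEY, m2, t2),
        "hmac_accepts_genuine": verify_hmac(KEY, msg, tag_hmac(KEY, msg)),
        "hmac_wrong_key": verify_hmac(b"other-key", msg, tag_hmac(KEY, msg)),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24s} {ok}")
```

This is the reason IPsec and TLS authenticate every packet with a keyed MAC (or an AEAD cipher) rather than a bare digest: the key turns an integrity check into an origin check.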

Digital signatures (Digital Signature)

During communication it is not enough to ensure that the data is unchanged in transit; it must also come from a trusted source. Digital signatures solve this problem by providing unique evidence about the original data, detecting any modification, and authenticating it by signing the data with the private key, which proves authenticity and integrity.

Basically a digital signature works as follows: when A sends a message to B, the message is signed with A's private key (the signature key), producing a digital signature that only A's private key can create. The signature is then attached to the original message and sent to B. On receipt, B uses A's public key (the verification key) to decrypt A's signature; if the result differs from the message, the content was modified, and otherwise it was not. At the same time A cannot repudiate having sent the message, because only A can produce such a signature.

RSA digital signature (RSA Digital Signature): the most popular asymmetric algorithm, devised by Ron Rivest, Adi Shamir and Len Adleman in 1977. It relies on complex computations with numbers tens or hundreds of digits long. RSA uses a public key that is published widely and a private key that is kept strictly secret.

Operation

First the message is hashed to produce a hash value; this value is signed (encrypted) with A's private key to produce the signature. The signature is attached to the message and sent to B. After receiving it, B performs two steps: it decrypts the signature with A's public key to obtain the value H1, and it hashes the received message to obtain H2. If H1 = H2, the message was not modified in transit and was sent by A; otherwise it was not.

Figure 21 Operation diagram
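As an added example (not from the thesis) of the hash-then-sign operation just described, the Python below signs the SHA-256 digest of a message with a private exponent and verifies it by comparing H1 (recovered with the public key) against H2 (the hash of the received message). The key is constructed from two known Mersenne primes so that the example runs without a prime generator; textbook RSA without padding is used purely to show the H1 = H2 check.

```python
import hashlib

# Illustrative RSA key built from two known Mersenne primes so the example
# runs without a key generator (constructed for this example; real keys use
# random primes and a signature padding scheme, which is omitted here).
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """Step 1: hash the message (SHA-256) and treat the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: A 'encrypts' the digest with its private key to form the signature."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """B recovers H1 with A's public key, hashes the message to get H2, compares."""
    h1 = pow(signature, e, n)
    h2 = digest_int(message)
    return h1 == h2
```

Because the digest is 256 bits and the modulus is about 648 bits, the digest is recovered exactly; a change to either the message or the signature makes H1 and H2 differ.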



3.2.4 VPN protocols

3.2.4.1 PPTP (Point-to-Point Tunneling Protocol)

Like L2F (Layer 2 Forwarding), the Point-to-Point Tunneling Protocol (PPTP) was originally designed and developed to create and maintain VPN tunnels over public TCP/IP-based networks using PPP. It was the result of a joint effort by Microsoft and a number of vendors including Ascend Communications, 3Com/Primary Access and ECI Telematics.

It is used on client machines running Microsoft NT 4.0 and Windows 95 and later to encrypt traffic on the LAN. PPTP is based on the RSA RC4 standard and supports 40-bit or 128-bit encryption. PPTP encapsulates PPP frames inside IP packets for transmission over the Internet or any other publicly accessible TCP/IP network.

If the remote system supports PPTP, it can connect directly to the VPN server.

Otherwise, PPP can be used to connect to the device that initiates the VPN connection (the L2TP Access Concentrator, LAC) at the Internet service provider, after which PPTP is used to connect to the VPN server.

Figure 22 VPN connection over PPTP

PPTP was not developed for LAN-to-LAN use; it is limited to 255 connections per server and only one VPN tunnel per connection. PPTP also does not provide encryption suited to large workloads, but it is easy to install and deploy, and it is a remote-access solution that only works on Microsoft networks. The protocol works well on Windows 2000 and later.




3.2.4.2 L2TP (Layer 2 Tunneling Protocol)

Introduced in 1999 and defined in RFC 2661, L2TP inherits the strengths of its predecessors, Cisco's L2F (Layer 2 Forwarding) and Microsoft's PPTP. A newer version of the protocol, L2TPv3, was released in 2005; it provides additional security features such as encryption and can carry data links other than PPP over IP networks, such as Frame Relay, Ethernet and ATM.

Figure 23 L2TP VPN

It creates independent, multi-protocol connections for Virtual Private Dial-up Networks (VPDN), allowing users to connect through security policies to create a VPN or VPDN. The protocol itself does not provide encryption, however.

It is effective for dial-up, ADSL and other remote-access networks. This extended protocol uses PPP to allow VPN access by remote users. An L2TP tunnel is established in one of three forms:

Voluntary tunnel.

Compulsory tunnel (for incoming connections and for remote dial-up).

L2TP multi-hop connection.



3.2.4.3 GRE

GRE is a multi-protocol transport that encapsulates IP, CLNP and other datagrams inside an IP tunnel. With a GRE tunnel, a Cisco router encapsulates each packet, marking the specific protocol inside the IP header, creating a virtual point-to-point link to the destination Cisco router; when the packet reaches its destination the IP header is removed.

By connecting multiple subnets running different protocols over the main protocol, GRE tunneling lets those other protocols ride on IP routing.



3.2.4.4 IPSec (Internet Protocol Security)

a. Introduction

Developed by the IETF and defined in RFC 2401-2412, IPSec specifies how to establish a VPN (Virtual Private Network) using the IP protocol, providing a security framework at the Network layer. IPSec therefore supports all applications, protecting and authenticating IP packets between the parties. IPSec is not tied to any particular encryption or authentication algorithm; it is a combination of many open standards.

Figure 24 IPSec in the OSI model

This lets IPSec adopt newer and better algorithms without changing the existing standard. IPSec provides confidentiality (encryption algorithms), data integrity and authentication of the parties at the Network layer, creating a secure path between a pair of gateways, a pair of hosts, or even a gateway and a host.







Figure 25 Components of IPSec

Encryption: the level of security depends on the length of the encryption key and on the processing time of the algorithm. The question is therefore which algorithm and key length to choose so that the system is secure without consuming too much processing power. The following algorithms and recommended key sizes are used: DES (56 bit), 3DES (112 bit, 168 bit), AES (128 bit, 192 bit, 256 bit), RSA (512 bit, 768 bit, 1024 bit), SEAL (160 bit).

Data Integrity: data sent over the Internet can be modified. IPSec therefore uses HMAC-MD5 or HMAC-SHA-1 to protect data integrity.

Authentication: authenticating the communicating party is essential before a connection between the two sides is established. IPSec provides three authentication methods:

Pre-shared key: a value entered manually on each side, used by the peers to authenticate each other.

RSA signature: the peers exchange certificates; each side then computes a hash of the message, encrypts it with its own private key, attaches it to the message and sends it to the other. On receipt, each side decrypts the encrypted hash with the peer's public key. If it matches the hash of the received message, authentication succeeds.

RSA encrypted nonce: similar to RSA signature, but without certificates; instead the public key is entered manually on each side.

IPSec operates in two modes:

Transport mode: protects only the payload of the packet; the IP header onward stays unchanged. If AH is used, however, the IP header cannot be altered, because any change to it causes the packet to be dropped. This mode therefore works well only host-to-host. The problem is solved with NAT Traversal, discussed later.

Figure 26 Transport mode

Tunnel mode: protects the whole routable IP packet on the Internet. Compared with transport mode, tunnel mode works better and supports gateway-to-gateway. In terms of network performance, however, tunnel mode is worse than transport mode because it adds a new IP header, while transport mode does not.

Figure 27 Tunnel mode



b. Summary of the protocols and algorithms used

Protocols used

ESP (Encapsulating Security Payload)

One of the two main protocols that make up IPSec. ESP provides strong confidentiality, supporting several symmetric encryption algorithms such as DES and 3DES. ESP also supports data integrity and authentication.

It operates in two modes: transport mode and tunnel mode.

In transport mode, ESP encrypts and authenticates only the data content and a few other components, as shown in Figure 28.

Figure 28 ESP transport mode packet

In tunnel mode, ESP encrypts the entire original packet and authenticates this encrypted data together with the ESP header, which is added along with a new IP header.

Figure 29 ESP tunnel mode packet



Fields of the ESP packet

Figure 30 ESP fields

ESP adds a header and a trailer around the content of each packet. The ESP header consists of two fields:

SPI (32 bits): each end of an IPSec connection chooses its SPI value arbitrarily. The receiver uses the SPI together with the destination IP address and the IPSec protocol to identify the unique SA policy to apply to the packet.

Sequence Number: provides the anti-replay service. When the SA is established this counter starts at 0; before each packet is sent it is incremented by 1 and placed in the ESP header.

The next part of the packet is the payload, made up of the (encrypted) payload data and the unencrypted Initialization Vector (IV). The IV used during encryption is different in every packet.

The third part of the packet is the ESP trailer, which contains at least two fields:

Padding (0-255 bytes): may be added to adjust the size of each packet.

Pad length: the length of the padding.

Next header: identifies the protocol carried in the payload field; the value is 4 for IP, 6 for TCP and 17 for UDP. Each ESP trailer carries one Next Header value.

Finally, the authentication data holds the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the whole ESP packet except its own authentication data field. The ICV starts on a 4-byte boundary and must be a multiple of 32 bits (one word).
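As an added example (not from the thesis), the Python below builds and parses an ESP packet with the layout just described (SPI and sequence number, IV, opaque payload, padding, pad length, next header, HMAC-SHA1-96 ICV) and implements the anti-replay check that the sequence number exists for, using a sliding window. The SPI, key and payload bytes are constructed; the payload is treated as already-encrypted bytes, so the cipher itself is not shown.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96: first 96 bits of the HMAC-SHA1 output
HDR_LEN = 8           # SPI (4 bytes) + Sequence Number (4 bytes)
IV_LEN = 8            # IV of a 64-bit block cipher such as DES/3DES


def build_esp(spi, seq, ciphertext, iv, next_header, auth_key, align=4):
    """Build an ESP packet: header | IV | payload | trailer | ICV.

    `ciphertext` is treated as opaque, already-encrypted bytes.  Padding brings
    (payload + pad length + next header) to a multiple of `align` bytes.
    """
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(ciphertext) + 2)) % align
    padding = bytes(range(1, pad_len + 1))          # 1, 2, 3, ... as in RFC 4303
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    body = header + iv + ciphertext + trailer
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet, auth_key):
    """Check the ICV over everything except the ICV itself, then split the fields."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    spi, seq = struct.unpack("!II", body[:HDR_LEN])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    ciphertext = body[HDR_LEN + IV_LEN:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "iv": body[HDR_LEN:HDR_LEN + IV_LEN],
            "ciphertext": ciphertext, "pad_len": pad_len, "next_header": next_header}


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 style, 32 packets wide by default)."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set <=> sequence number top-i was seen

    def seen_or_too_old(self, seq):
        if seq == 0:
            return True         # 0 is never valid; the first packet carries 1
        if seq > self.top:
            return False
        if self.top - seq >= self.size:
            return True         # fell off the left edge of the window
        return bool(self.bitmap & (1 << (self.top - seq)))

    def update(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(packet, auth_key, window, expected_spi):
    """Receiver path: SPI lookup, preliminary replay check, ICV, then window update."""
    spi, seq = struct.unpack("!II", packet[:HDR_LEN])
    if spi != expected_spi:
        raise ValueError("no SA for SPI 0x%08x" % spi)
    if window.seen_or_too_old(seq):
        raise ValueError("replayed or stale sequence number %d" % seq)
    fields = parse_esp(packet, auth_key)    # raises if the ICV is bad
    window.update(seq)
    return fields
```

The window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window.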





AH (Authentication Header)

Together with ESP, AH is one of the two main protocols that make up IPSec, providing data integrity and authentication. AH hashes the fields of the packet including the IP header, except for fields that change in transit such as TTL (Time To Live); the AH header produced by the hash function is added to the packet. Because the IP header is hashed, AH cannot work if there is NAT (Network Address Translation) on the path. AH works like a digital signature, guaranteeing that the packet is not forged, but it provides no encryption or decryption. Like ESP, AH has two modes: transport mode and tunnel mode.

Figure 31 AH transport mode

Figure 32 AH tunnel mode

In both modes, AH authenticates the whole packet (from the data up to the IP header). Any change to the IP header in transit stops AH from working.

The AH header contains the following fields:

Figure 33 AH header

Next Header: 8 bits, identifies the protocol carried in the payload field.

Payload Length: the length of the AH header.

Reserved: reserved for future use (currently all zeros).

Security Parameter Index (SPI): each end of an IPSec connection chooses its SPI value arbitrarily; it identifies the connection. The receiver uses the SPI together with the destination IP address and the IPSec protocol type (AH in this case) to identify the SA policy to use for the packet (that is, which IPSec protocol and which algorithms apply to it).

Sequence Number: incremented by 1 for every AH datagram a host sends under the SA. The counter starts at 1 and is never allowed to wrap around to 0; when the sending host detects that it would wrap, it negotiates a new SA if this SA is still in use. The receiving host uses the sequence number to detect replayed datagrams. The receiver may tell the sender that it does not check sequence numbers, but the sender must still always increment and send them.

Authentication Data: holds the result of the Integrity Check Value (ICV); it is always a multiple of 32 bits (one word) and must be padded if the ICV length in bytes does not fill it.

In operation, IPSec authentication brings great benefits. Alongside them, however, it also brings no small amount of trouble.

AH authenticates the packet using the IP header information. It is therefore incompatible with the changes made by NAT. Because the AH ICV is computed before NAT, the integrity check fails when the packet reaches its destination.

In transport mode, ESP and NAT are also incompatible, because the header information of the packet is altered by NAT. When NAT changes the IP information it also recomputes the checksum in the TCP header, and since the TCP checksum is computed not only over the TCP header but also over information from the IP header, such as the packet's source and destination addresses, NAT breaks the packet's integrity. In ESP transport mode the whole TCP header is encrypted, so the NAT box cannot recompute the TCP checksum (the same applies to UDP packets when the UDP checksum is used). The result is that the packet is discarded because its integrity cannot be guaranteed.

To solve these problems, NAT Traversal appeared in 2001, the result of merging two competing approaches proposed to the IETF by SSH Communications and by the co-authors F-Secure, Microsoft, Cisco and Nortel.

The solution is that the packet, after being encrypted and authenticated, is encapsulated in UDP, with two additional fields: a UDP header and a Zeropad.

Figure 34 Packet with NAT-Traversal support

Currently AH is not compatible with NAT Traversal and is not widely used, so it is not a development priority. SSH Communications has also proposed developing AH support.

Naturally, to use NAT Traversal both endpoints (gateway to gateway, client to gateway, client to client) must support it.
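As an added example (not from the thesis) of why AH survives a router but not a NAT device, the Python below computes an AH-style ICV over an IPv4 header with the mutable fields (ToS, flags/fragment offset, TTL, checksum) zeroed, then applies two on-path changes: a router hop that decrements TTL, which the ICV tolerates, and a NAT rewrite of the source address, which makes the integrity check fail. Addresses, key and payload are constructed; HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
AH_ICV_LEN = 12                  # HMAC-SHA1-96
AH_LEN = 12 + AH_ICV_LEN         # fixed AH fields (12 bytes) + ICV


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum; the checksum field must be zero on input."""
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, ttl, proto, total_len, ident=0x1234) -> bytes:
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                    ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields AH excludes from the ICV: ToS, flags/fragment offset, TTL, checksum."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(key, ip_hdr, ah_fixed, payload) -> bytes:
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * AH_ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:AH_ICV_LEN]


def build_ah_packet(key, src, dst, ttl, spi, seq, payload, next_header=6) -> bytes:
    # Payload Length = (AH length in 32-bit words) - 2 = 24/4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, ttl, AH_PROTO, 20 + AH_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key, packet) -> bool:
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + AH_ICV_LEN], packet[32 + AH_ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def _rewrite_header(packet, edit) -> bytes:
    hdr = bytearray(packet[:20])
    edit(hdr)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def forward_hop(packet) -> bytes:
    """A router on the path: decrement TTL and fix the IP checksum (mutable fields only)."""
    def dec_ttl(h):
        h[8] -= 1
    return _rewrite_header(packet, dec_ttl)


def nat_rewrite(packet, new_src) -> bytes:
    """A NAT device: rewrite the source address, an immutable field under AH."""
    def set_src(h):
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return _rewrite_header(packet, set_src)
```

The receiver's verify_ah never sees the original TTL or checksum, which is exactly why those fields are excluded from the ICV; the source address is covered, so NAT's change is indistinguishable from tampering.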



IKE (Internet Key Exchange)

Authenticates the two peers, negotiates the IKE and IPSec SAs, and creates the keys used to encrypt IPSec data; it has the same function as ISAKMP (Internet Security Association and Key Management Protocol).

DH (Diffie-Hellman)

Creates a secret key between two parties over an insecure channel; it is used inside IKE to create the session key. The two parties agree (possibly publicly) on two numbers p and q (an integer smaller than p), and each keeps a secret number, a and b respectively. A then sends X = (q^a) mod p to B, and B sends Y = (q^b) mod p to A. By their own private computation, both sides arrive at the value K = ((q^b)^a) mod p = ((q^a)^b) mod p, which is the secret key.

Figure 35 How DH works
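The exchange above, as an added example (not from the thesis) in Python: both sides compute X and Y, exchange them, and derive the same K. The parameters are constructed for the demonstration, with q as the generator as in the text (p = 2^127 - 1 is a known prime but far smaller than the MODP groups IKE uses), and the example adds the check a receiver should apply to the peer's public value before using it.

```python
import secrets

# Constructed demonstration parameters.  The thesis writes the generator as q;
# p = 2^127 - 1 is a known prime, far smaller than the 1024-bit and larger
# MODP groups IKE actually uses.
P = 2**127 - 1
Q = 5


def private_value(p=P) -> int:
    """A secret exponent in [1, p-2]."""
    return secrets.randbelow(p - 2) + 1


def public_value(secret, q=Q, p=P) -> int:
    """X = q^a mod p (or Y = q^b mod p on the other side)."""
    return pow(q, secret, p)


def is_valid_public_value(value, p=P) -> bool:
    """Reject 0, 1 and p-1: raising them to any power gives a predictable K."""
    return 1 < value < p - 1


def shared_secret(peer_public, own_secret, p=P) -> int:
    """K = (peer_public)^own_secret mod p, after validating the peer's value."""
    if not is_valid_public_value(peer_public, p):
        raise ValueError("degenerate DH public value")
    return pow(peer_public, own_secret, p)


def exchange():
    """Run both sides of the exchange; returns (K computed by A, K computed by B)."""
    a, b = private_value(), private_value()
    X, Y = public_value(a), public_value(b)       # the values that cross the wire
    return shared_secret(Y, a), shared_secret(X, b)
```

Only X and Y are visible on the channel; without a or b, deriving K from them is the discrete logarithm problem in the group. DH alone does not say who the peer is, which is why IKE adds the authentication step described later.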




Algorithms used

Encryption algorithms

DES (Data Encryption Standard): also known as Lucifer, developed by IBM in 1975, a symmetric encryption algorithm working as a block cipher on 64-bit blocks. DES is an ordered sequence of permutations and substitutions of data bits combined with the encryption key; it supports a 64-bit key of which 56 bits are used for encryption and the remaining 8 for parity checking. If a key shorter than 56 bits is used, for example 40 bits, the real strength of the key is only 40 bits.

DES is built on basic operations, so it is easily implemented in hardware with a focus on encryption and decryption speed. It has two sub-modes:

ECB (Electronic Code Book): every 64-bit plaintext block is encrypted with the same 56-bit key, so two identical plaintext blocks encrypted under the same key produce identical ciphertext. An attacker can exploit this by capturing packets, without caring about their content, and resending them. For example, an attacker who captures the administrator's login packets protected by DES-ECB can replay them and gain access to the system. CBC was introduced to counter this.

CBC (Cipher Block Chaining): each 64-bit plaintext block is XORed with the previous ciphertext block, and only then is the XORed plaintext encrypted. So even if all plaintext blocks are identical, they cannot produce identical ciphertext.

3DES (Triple Data Encryption Standard): applies the DES transformation three times with different keys, which makes 3DES twice as strong as DES and able to resist brute-force attacks. 3DES uses a key of up to 168 bits, compared with DES (56 bits), made up of three 56-bit keys K1, K2, K3.

Encryption: encrypt with K1, decrypt with K2, encrypt with K3.

Decryption: decrypt with K3, encrypt with K2, decrypt with K1.
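As an added example (not from the thesis) serving both the ECB/CBC comparison and the 3DES description above, the Python below uses a toy 8-round Feistel cipher on 64-bit blocks in place of DES (constructed so the example needs no crypto library; it is not DES and offers no real security) to show that ECB maps repeated plaintext blocks to repeated ciphertext while CBC does not, and to implement the encrypt-decrypt-encrypt (EDE) ordering of 3DES with its reverse for decryption.

```python
import hashlib
import hmac

BLOCK = 8   # 64-bit blocks, the DES block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, half: bytes, rnd: int) -> bytes:
    """Toy round function: keyed HMAC-SHA256 of the right half, truncated to 4 bytes."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """8-round Feistel network standing in for DES (same block size, not DES itself)."""
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round_function(key, right, rnd))
    return right + left


def block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Same structure with the round keys applied in reverse order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = right, _xor(left, _round_function(key, right, rnd))
    return right + left


def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block encrypted independently; equal blocks give equal output."""
    return b"".join(block_encrypt(key, b) for b in split_blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in split_blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in split_blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def triple_encrypt(k1, k2, k3, block):
    """3DES-style EDE: encrypt with K1, decrypt with K2, encrypt with K3."""
    return block_encrypt(k3, block_decrypt(k2, block_encrypt(k1, block)))


def triple_decrypt(k1, k2, k3, block):
    """Reverse order: decrypt with K3, encrypt with K2, decrypt with K1."""
    return block_decrypt(k1, block_encrypt(k2, block_decrypt(k3, block)))
```

The EDE ordering has a useful consequence that the test checks: with K1 = K2 = K3 the middle decryption cancels the first encryption, so a triple-DES device interoperates with single DES.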

AES (Advanced Encryption Standard): NIST (The National Institute of Standards and Technology) introduced AES to replace DES in encryption devices. AES provides much higher security than DES and is more efficient than 3DES. AES uses 128-, 192- or 256-bit keys.

RSA (Rivest, Shamir, and Adleman) signature: asymmetric encryption; depending on the purpose, the appropriate key is used for encryption or decryption. Its most common application is in digital signatures.

Hash algorithms

MD5 (Message Digest 5): used to authenticate data packets, ensuring that any modification in transit is detected. HMAC-MD5 (MD5 Hashed Message Authentication Code) is a variant of MD5 that provides higher security than MD5 alone. A hash algorithm is one-way, so recovering the original value from the hash is impossible. Whatever the size of the input, the output is of fixed length. IKE and ESP use MD5 for authentication.

SHA-1 (Secure Hash Algorithm 1): like MD5, SHA-1 is a hash algorithm used to authenticate packet data; its variant is HMAC-SHA-1, used to authenticate IKE and ESP.



c. How IPSec works: five main steps

Step 1 - Identify interesting traffic: a flow is considered interesting traffic when it is recognised as data that must be protected, according to the policy on the VPN device. All data passing through the device (inbound or outbound) is handled in one of two ways:

Bypass IPSec: the data is sent as cleartext.

Apply the predefined IPSec policies.

Step 2 - IKE Phase 1: its basic purpose is to negotiate policies, authenticate the peer and establish a secure channel between the parties. It runs in one of two modes:

Aggressive mode: faster, but does not protect the integrity of the data in transit as main mode does. The two parties must therefore exchange identifying information before the secure SA is set up, in two steps:

Step 1: negotiate the policy, generate the DH public key and send it to the peer together with both sides' authentication information; after signing, the reply is sent and the exchange is complete.

Step 2: confirm the exchange.

Main mode: consists of three exchanges:

Step 1: the algorithms and hash functions used to protect the IKE information are negotiated and agreed between the parties.

Step 2: DH is used to create the secret key from which all keys for encryption and authentication in step one, and in step two if needed, are derived.

Step 3: the identity of the other peer is verified, authenticating the remote peer. Without this authentication a secure connection could be set up with an attacker.

Policy set: when trying to establish the secure channel, the proposed policies are exchanged. They are checked in turn by priority from high to low (one being the highest), until both sides find a policy that both support (the same encryption, authentication, DH and hash algorithms); then the next step follows, otherwise the connection is dropped.

DH key exchange: a key exchange method that lets two parties create a secret key over an insecure channel while keeping the key safe. DH has several groups (1-7); group 5 is the most recommended, while group 7 is only for handheld devices with weak processors. Once group negotiation finishes, the secret key is computed. This shared secret key (SKEYID) is used to derive three other keys: SKEYID_a, SKEYID_d and SKEYID_e, each with a different purpose. SKEYID_a is used for authentication, SKEYID_e for encryption (phase 1), and SKEYID_d to derive keys for phase 2. All of these keys are generated at the end of phase 1.

Authenticate peer identity: on a device, as in life in general, knowing who you are talking to is essential and never superfluous. So before moving to phase 2 (establishing the secure channel for data) the two peers must authenticate each other. There are two ways: pre-shared key or RSA signature.

Figure 36 Comparison of encryption standards, hash algorithms and authentication methods

Figure 37 Phase 1 negotiation steps

Step 3 - IKE Phase 2: negotiates the IPSec security parameters that protect the IPSec tunnel, establishes the IPSec SAs, periodically renegotiates the IPSec SAs to maintain security, and optionally creates new keys for data transfer.

Figure 38 Matching of security parameters

Step 4 - Data transfer: data is transmitted between the two peers.

Step 5 - IPSec tunnel termination: the IPSec SA is deleted or times out.




Detailed operation

IKE phase 1

Pre-shared key

o Main mode

Figure 39 IKE phase 1 with pre-shared key in main mode

Step (1): the initiator sends an ISAKMP packet whose header contains the cookie Ci and the predefined policy SAi (authentication method, encryption algorithm, hash algorithm, DH group, lifetime).

Step (2): the responder replies with an ISAKMP packet containing the received cookie Ci together with its own cookie Cr and SAr. SAr is chosen from the configured policies that match SAi; if none matches, the responder sends back a rejection.

Steps (3) and (4): the secret key is built. This process produces four keys. SKEYID (Shared Key ID) and K are used to derive the remaining three:

SKEYID = hash(Pre-Shared Key, Ni | Nr)
SKEYIDd = hashfunc(SKEYID, K | CI | CR | 0)
SKEYIDa = hashfunc(SKEYID, SKEYIDd | K | CI | CR | 1)
SKEYIDe = hashfunc(SKEYID, SKEYIDa | K | CI | CR | 2)

Because each passes through hashfunc(key, data), the keys produced are completely different.

SKEYIDd is used to derive further keys for phase 2 (if needed). SKEYIDa is used for the integrity of ISAKMP messages. SKEYIDe is used to encrypt IKE messages.

Steps (5) and (6): the packets are encrypted with SKEYIDe and authenticated and integrity-checked with the hash:

HASHi = hash(SKEYID, X | Y | Ci | Cr | SAr | IDi)
HASHr = hash(SKEYID, X | Y | Cr | Ci | SAi | IDr)
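The derivation above, as an added example (not from the thesis) in Python: HMAC-SHA1 is assumed as the hash()/hashfunc() keyed hash, a toy DH group stands in for the negotiated group, and the cookies, nonces, proposals and identities are constructed. The SKEYID and HASH inputs follow the formulas exactly as the section gives them. The point the example makes is that K is the same on both sides whatever the pre-shared keys are, but HASHi and HASHr only verify when both peers hold the same pre-shared key, which is how messages 5 and 6 authenticate the peers.

```python
import hashlib
import hmac
import secrets

# Toy DH group for the demonstration (constructed; IKE uses 1024-bit+ MODP groups).
P = 2**127 - 1
G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """The keyed hash written as hash()/hashfunc() above; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")


def phase1_keys(psk, ni, nr, k, ci, cr):
    """SKEYID and the three keys derived from it, following the formulas above."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, k + ci + cr + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + k + ci + cr + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + k + ci + cr + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, x, y, ci, cr, sa_r, id_i):
    return prf(skeyid, x + y + ci + cr + sa_r + id_i)


def hash_r(skeyid, x, y, ci, cr, sa_i, id_r):
    return prf(skeyid, x + y + cr + ci + sa_i + id_r)


def main_mode(psk_initiator: bytes, psk_responder: bytes):
    """Run messages 1-6 with each peer using its own configured pre-shared key.

    Returns (responder accepts HASHi, initiator accepts HASHr).  Both are True
    only when the two pre-shared keys match: the DH secret K is the same on
    both sides regardless, but SKEYID, and so the HASH values, depend on the PSK.
    """
    ci, cr = secrets.token_bytes(8), secrets.token_bytes(8)          # cookies (msgs 1-2)
    sa_i, sa_r = b"SAi:3des-sha1-psk", b"SAr:3des-sha1-psk"          # constructed proposals
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    x, y = to_bytes(pow(G, a, P)), to_bytes(pow(G, b, P))          # DH publics (msgs 3-4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)        # nonces (msgs 3-4)
    k_i = to_bytes(pow(int.from_bytes(y, "big"), a, P))
    k_r = to_bytes(pow(int.from_bytes(x, "big"), b, P))
    id_i, id_r = b"initiator.example", b"responder.example"
    skeyid_i = phase1_keys(psk_initiator, ni, nr, k_i, ci, cr)[0]
    skeyid_r = phase1_keys(psk_responder, ni, nr, k_r, ci, cr)[0]
    # msg 5: the initiator sends HASHi; the responder recomputes it with its own SKEYID
    sent_hi = hash_i(skeyid_i, x, y, ci, cr, sa_r, id_i)
    ok_r = hmac.compare_digest(sent_hi, hash_i(skeyid_r, x, y, ci, cr, sa_r, id_i))
    # msg 6: the responder sends HASHr; the initiator checks it the same way
    sent_hr = hash_r(skeyid_r, x, y, ci, cr, sa_i, id_r)
    ok_i = hmac.compare_digest(sent_hr, hash_r(skeyid_i, x, y, ci, cr, sa_i, id_r))
    return ok_r, ok_i
```

A mismatched pre-shared key therefore shows up as a HASH failure in messages 5 and 6, after the DH exchange has already completed.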
o Aggressive mode

Figure 40 IKE phase 1 with pre-shared key in aggressive mode

Step (1): the initiator sends an ISAKMP packet containing Ci and its DH public value X to the responder.

Step (2): having received X, the responder can quickly compute the four required keys: the key K, SKEYIDa, SKEYIDe and SKEYIDd. It then sends all the cookies, Y and its hash back to the initiator.

Step (3): the initiator sends its hash value together with the cookies back to the responder, completing authentication.



Digital signature

o Main mode

Figure 41 IKE phase 1 with digital signature in main mode

The same as pre-shared key, except for steps (5) and (6). The random value is hashed and encrypted with each side's own private key and sent together with its certificate. SIG is computed as:

SIGi = PRIVATEKEY_i(HASHi)
SIGr = PRIVATEKEY_r(HASHr)

The computation of SKEYID also differs:

SKEYID = hash(Ni | Nr | K)

On receipt, each side uses the other's public key to decrypt the signature and obtain the hash value, then hashes the random value it received; if the two values are equal, authentication succeeds.

IKE phase 2

After the secure channel has been established successfully, IKE phase 2 follows, in three steps:

Figure 42 IKE phase 2

Step (1): the initiator sends an ISAKMP packet containing the IPSec SA together with Ni2. This nonce N is used to compute the new key, to resist replay attacks. Normally all IPSec keys are derived from SKEYIDd of phase 1, so an attacker who understands how DH works and how SKEYIDd is derived could compute the current keys and all keys used until IKE ends. To strengthen security, PFS (Perfect Forward Secrecy) is used to separate the old keys from the new ones. If enabled, the DH values (X, Y) are recomputed and a new secret key is derived from the new K:

HASH(1) = hash(SKEYIDa, Mid | SAi | Ni2) without PFS
HASH(1) = hash(SKEYIDa, Mid | SAi | Ni2 | X | IDi | IDr) with PFS

Step (2): the responder sends an ISAKMP packet with similar content.

HASH(2) = hash(SKEYIDa, Mid | SAr | Ni2 | Nr2) without PFS
HASH(2) = hash(SKEYIDa, Mid | SAr | Ni2 | Nr2 | Y | IDi | IDr) with PFS

Step (3): HASH(3) is computed to check the channel before IPSec is established.

HASH(3) = hash(SKEYIDa, 0 | Mid | Ni2 | Nr2)

Once the third packet has been sent, IPSec transmission begins; if the responder does not receive this third packet, every IPSec packet sent to it is dropped. To avoid this, the responder sets the commit bit while exchanging the second packet. In the third packet the responder requires the commit bit to be set. Once the third packet is authenticated, the responder sends the initiator a notification that it is ready for the IPSec connection.





3.2.5 Types of VPN

3.2.5.1 Easy VPN

Built on IPSec, Easy VPN differs little from IPSec VPN. The difference lies only in the steps performed by the client and the server.

Figure 43 Easy VPN

Overview of operation

The VPN client initiates a connection to the server (IKE Phase 1).

The VPN client establishes an SA (security association) for ISAKMP.

The VPN server accepts the SA proposed by the VPN client.

The VPN server asks for a username and password.

The configuration process begins.

The RRI (Reverse Route Injection) process begins. RRI is a feature that makes VPN design easier when advanced features such as redundancy or load balancing are required: it automatically adds static routes for the remote client to the server. Each route is built from basic attributes such as network and netmask, with the tunnel endpoint as the next hop.

The connection is completed with IPSec quick mode.





Main mode (phase 1) negotiates IKE to establish a secure channel, the ISAKMP Security Association (SA), between the two machines. The ISAKMP SA protects the negotiation of security parameters. Main mode therefore determines the set of cipher suites, performs the key exchange to establish the shared secret key, and authenticates each party.

Quick mode (after phase 1 but not in phase 2) establishes the security parameters (SAs) called IPSec SAs. During this mode the keys are always recomputed and, if necessary, new keys can be generated. A suitable protection suite is also selected. Quick mode is not considered a complete exchange because it depends on main mode.

Step 1: the user sends a request packet to the server. If a pre-shared key is used for authentication, IKE phase 1 runs in aggressive mode, and group names are used to distinguish groups of VPN users. If a digital certificate is used for authentication, IKE phase 1 runs in main mode, and the organization field is used to identify the group.

Step 2: the user sends the SAs to the server, including the encryption algorithm, hash, authentication method and DH group.

Step 3: after receiving the SAs from the client, the server checks for a matching SA by highest priority. The server then returns the chosen SA to the client (an SA supported on both client and server).

Step 4: with the three steps above complete, the server asks the client for a username and password for authentication. On receiving the credentials, the server checks them with AAA.

Step 5: if authentication succeeds, the client requests configuration parameters such as IP address, DNS and split-tunnel information; the IP address is mandatory.

Step 6: the RRI process runs, and each client IP is recorded in the server's routing table. This feature is recommended when there is more than one VPN server in the system and addresses are assigned to clients individually rather than from an IP pool.

Step 7: at this point the IPSec SA is established and the VPN connection is complete.



3.2.5.2 Site-to-site VPN

Uses dedicated encryption to connect many fixed sites, and their users, to one another over the Internet, in one of two forms:

Intranet: if a company has several remote sites that want to join a single private network, it can create an intranet VPN (internal VPN) connecting LAN to LAN.

Extranet: when a company has close relationships with other companies, such as suppliers and customers, it can build an extranet VPN (extended VPN) connecting LAN to LAN so that several organisations can work in a shared environment.

Figure 44 Connecting enterprises over a public network

Two separate networks are connected through a secure tunnel using protocols such as L2TP or IPsec. The main purpose is to join the two networks together; it is designed to create a direct, efficient network connection regardless of the distance between them.



3.2.5.3 SSL VPN (or Web VPN)

SSL is a general-purpose protocol for communication between two application programs on a predefined port (socket 443), encrypting all information in both directions. Today it is widely used for electronic transactions such as sending credit card numbers, passwords and personal identification numbers (PIN) over the Internet.

It was first created and developed in 1994 by the Netscape research group led by Elgamal and has become the de facto security standard on the Internet. The current SSL version is 3.0, and it continues to be extended and refined. SSL combines the following elements to establish a secure transaction, ensuring:

Authentication: the authenticity of the party at the other end of the connection.

Encryption: the information cannot be accessed by a third party. To rule out eavesdropping on sensitive information sent over the Internet, data must be encrypted so that it cannot be read by anyone other than the sender and receiver.

Data integrity: the information is not distorted and accurately reflects the original information sent. Like IPSec, SSL is not a single protocol but a set of standardised procedures that perform the following tasks:

Server authentication: allows the user to authenticate the server being connected to. The browser uses public-key cryptography to make sure the server's certificate and public ID are valid and issued by a CA (certificate authority) in the user's list of trusted CAs. This matters greatly to the user: for example, when sending a credit card number over the network, the user wants to check that the server receiving it really is the server they meant to send it to.

User authentication: allows the server to authenticate the user who wants to connect. The server uses public-key cryptography to check whether the user's certificate and public ID are valid and issued by a CA (certificate authority) in the server's list of trusted CAs. This matters greatly to the provider: for example, when a bank is about to send confidential financial information to a customer, it wants to verify the identity of the recipient.

Connection encryption: all information exchanged between client and server is encrypted in transit, raising the level of security. This matters to both sides when transactions are private. In addition, all data sent over an encrypted SSL connection is protected by a mechanism that automatically detects tampering with or changes to the data (namely the hash algorithms).

SSL consists of two sub-protocols:

SSL record: defines the formats used to transmit data.

SSL handshake: uses the SSL record protocol to exchange information between server and client when the SSL connection is first established.

Some of the algorithms used: DES, 3DES, KEA, MD5, RSA, SHA-1.

The SSL handshake protocol consists of the following steps:

The user sends the server the SSL version number in use, the parameters of the encryption algorithm, randomly generated data (this is the digital signature) and other information the server needs to establish a connection with the user.

In turn, the server sends similar information to the user. It also sends its certificate to the user and requests the user's certificate if needed.

The user uses the information sent by the server to authenticate it. If the server cannot be authenticated, the user is warned and the connection is not established; otherwise the process continues.

Using the information generated during the handshake, the user (with the cooperation of the server and depending on the algorithm in use) creates the premaster secret for the session, encrypts it with the public key the server sent in its certificate in step 2, and sends it to the server.

If the server requested user authentication, the user signs a piece of information related to the handshake that both sides know. The user then sends this signed information and its certificate together with the encrypted premaster secret to the server.

The server authenticates the user. If the user cannot be authenticated, the session is terminated. If authentication succeeds, the server uses its private key to decrypt the premaster secret and then performs the steps that produce the master secret.

The user and server use the master secret to create the session keys: symmetric keys used to encrypt and decrypt information during the session and to check data integrity.

The user sends the server a message announcing that subsequent messages will be encrypted with the session key, then sends an encrypted message announcing that the user's part of the handshake is finished.

The server sends the user a message announcing that subsequent messages will be encrypted with the session key, then sends an encrypted message announcing that the server's part of the handshake is finished.

The handshake is now complete and the SSL session begins. Both the user and the server use the session keys to encrypt and decrypt information.
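The handshake above, as an added example (not from the thesis) in Python, with both sides modelled: the hellos carry the random values, the client generates the premaster secret, both sides derive the master secret and session keys from it, and each side's "finished" message is a keyed hash over the handshake transcript. The PRF is a simplified HMAC-SHA256 construction assumed for the example (not the SSL 3.0 PRF), the message strings are constructed, and the RSA transport of the premaster secret under the server's certificate is not modelled. The test also shows what the finished messages protect: if the server saw a different ClientHello than the client sent, the handshake fails even though both sides hold the same keys.

```python
import hashlib
import hmac
import secrets


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """Simplified PRF (HMAC-SHA256 in a P_hash-style loop), standing in for the SSL/TLS PRF."""
    out, a = b"", hmac.new(secret, label + seed, hashlib.sha256).digest()
    while len(out) < length:
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
        a = hmac.new(secret, a, hashlib.sha256).digest()
    return out[:length]


class Peer:
    def __init__(self, name: str):
        self.name = name
        self.random = secrets.token_bytes(32)   # the random data sent in the hello
        self.transcript = b""                  # every handshake message this peer saw
        self.master = None
        self.client_write_key = self.server_write_key = None

    def derive_keys(self, premaster: bytes, client_random: bytes, server_random: bytes):
        self.master = prf(premaster, b"master secret", client_random + server_random, 48)
        key_block = prf(self.master, b"key expansion", server_random + client_random, 64)
        self.client_write_key, self.server_write_key = key_block[:32], key_block[32:]

    def finished(self, label: bytes) -> bytes:
        """Finished = PRF(master, label, hash(transcript)): proves same keys and same transcript."""
        return prf(self.master, label, hashlib.sha256(self.transcript).digest(), 12)


def handshake(client: Peer, server: Peer, tamper_hello: bool = False) -> bool:
    client_hello = b"ClientHello|v3.0|suites=RSA-3DES-SHA,RSA-DES-SHA|" + client.random
    # A tampered copy models an on-path change to the offered cipher list seen only by the server.
    seen_by_server = client_hello.replace(b"RSA-3DES-SHA,", b"") if tamper_hello else client_hello
    server_hello = b"ServerHello|v3.0|suite=RSA-3DES-SHA|" + server.random
    client.transcript += client_hello + server_hello
    server.transcript += seen_by_server + server_hello
    # step 4: the client creates the premaster secret; in SSL it travels under the
    # server's RSA public key from its certificate, which this example does not model.
    premaster = secrets.token_bytes(48)
    client.derive_keys(premaster, client.random, server.random)
    server.derive_keys(premaster, client.random, server.random)
    # final steps: each side's finished message must verify under the other side's transcript
    server_accepts = hmac.compare_digest(client.finished(b"client finished"),
                                         server.finished(b"client finished"))
    client_accepts = hmac.compare_digest(server.finished(b"server finished"),
                                         client.finished(b"server finished"))
    return server_accepts and client_accepts and client.client_write_key == server.client_write_key
```

Binding the finished messages to the whole transcript is what lets the two sides detect that the parameters they negotiated were altered between them, which neither the encryption nor the per-record hashes alone would reveal.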

SSL VPN has three modes:

Clientless: provides secure access to resources and web content; useful for accessing resources and website content through the browser, requiring the user to run Windows 2000, Windows XP or Linux. The browser uses HTTP or HTTPS to present links through which the user accesses the internal network or internal websites. With file sharing, the browser lists links that let the user access, create, edit and delete documents as permitted.

Thin client (also called port forwarding): extends the browser's encryption capability to allow access to applications over TCP protocols: POP3, SMTP, SSH, IMAP.

Tunnel mode: uses an SSL tunnel to carry data at the Network layer, so tunnel mode supports almost all applications.

Comparison:

Clientless mode | Thin mode | Tunnel mode
Depends on the web browser (clientless). | Requires TCP port forwarding. | Works like clientless IPsec VPN.
Microsoft Windows or Linux operating system. | Uses a Java applet. | Tunnel client runs on Java or ActiveX.
Supports web-enabled applications, file sharing, Outlook Web Access. | Extends application support. | Supports all applications working at the network layer.
Translates IP and protocols, parses and rewrites content. | Some supported applications such as Telnet, e-mail, SSH. | Scalable.
 | | Requires local admin rights to install.

Table 1 Comparison of SSL VPN modes





In addition, to ensure that user machines meet the minimum standards set before a VPN connection is established, we must also mention this feature:

Endpoint Security: a set of features that protect, check and assess the user's machine before it is allowed to join the network. Most of these features are supported on or bundled with firewall devices such as Checkpoint and ASA. Installed on the user's machine, Cisco Secure Desktop (CSD) checks the operating system (OS), antivirus, antispyware, processes and registry, protects session data, and finally erases all history such as cookies, URL history, page cache and downloaded files.

CSD is an excellent solution for keeping the system well protected: if a user is found to have a problem, it is isolated immediately so that it cannot affect the system. When a user connects to the Web VPN, before the connection is established CSD checks the whole user machine to ensure that it meets the stated requirements.

Host scan: by checking the registry, CSD learns the operating system (OS) and service pack. CSD checks the antivirus and antispyware programs and their versions, as well as firewall software. All of this information is stored on the ASA.

Secure session: ensures that data in the Web VPN session is encrypted and cannot be analysed, exploited or stolen if the user's session is hijacked or spied on.

Cache cleaner: wipes all traces of the user's Web VPN access.

CSD Onscreen Keyboard (OSK): defends against hardware or software keyloggers when the user logs in and throughout the Web VPN session. CSD currently detects many keylogger variants, but the evolution of this threat is unpredictable, and newer versions may go undetected by CSD. OSK is therefore the safest solution to this problem.





PART 4: BUILDING IPS AND IDS

4.1 Overview of IDS and IPS

4.1.1 Introduction

The global Internet is growing at an astonishing pace worldwide, profoundly changing how almost every agency, organisation and individual works, exchanges information, communicates and lives. Along with its advantages come dangers that keep growing in severity, in their ability to spread and in the sophistication of their methods. These threats affect, damage, corrupt or steal information and data in parts of the network or in the whole of it.

Specialised software or devices monitor the traffic entering and leaving the network, analyse signs of security policy violations, detect and prevent latent risks, sabotage or actions such as reconnaissance and port scanning, and at the same time provide information to recognise abnormal activity and raise alerts for the administrator.

This is a new security technique that combines the strengths of the firewall with the intrusion detection system (IDS), called IDPS (Intrusion Detection and Prevention System). IDS and IPS have much in common, but IPS goes well beyond IDS: it does not merely monitor but also blocks attacks. They allow an organisation to prioritise and to take steps to block intrusions, strengthening the network perimeter and the protection of devices within the network.

Figure 45 IPS (Intrusion Prevention System)

An IDPS focuses mainly on identifying intrusion risks, logging information, trying to prevent harm and reporting to the network administrator. Today IDPS has become an indispensable part of the security infrastructure of most enterprises.





4.1.2 History

About 25 years ago, the concept of intrusion detection appeared in a paper by James Anderson. IDS was then developed to monitor and study abnormal user behaviour in order to reduce losses of network assets; formal research ran from 1983 to 1988 before it was used in the US Air Force network.

By 1996 IDS concepts were still not widespread, appearing mostly in laboratories and research institutes. Some IDS technologies nevertheless began to develop on the back of the information technology boom.

Only in 1997 did IDS become widely known and genuinely profitable, led by the company ISS. A year later, Cisco recognised the importance of IDS and acquired the company Wheel, a provider of IDS solutions.

In 2003 IPS, the next generation of IDS, appeared and then became widespread. Today IDS/IPS remains one of the most widely used security technologies in the world.



4.1.3 Why IPS emerged

Administering and operating IDS was becoming ever harder, more expensive and less effective; that was the verdict of most enterprises at the time. In 2003 Gartner, the world's leading IT market research and analysis firm, made a prediction that shook the security field: intrusion detection systems (IDS) would be gone by 2005. The statement was based on analysis and evaluation showing that IDS faced the following problems:

Frequent false positives.

A burden on security administrators, because IDS requires continuous monitoring.

Every attack alert is followed by a laborious security handling process.

Inability to monitor traffic flows faster than 600 Mbit/s.

Overall, Gartner based this assessment on feedback from many customers using IDS, who reported that administering and operating IDS was very difficult and expensive and did not deliver results commensurate with the investment.

Some dissenting opinions held, however, that IDS failed to deliver the expected results because of problems in management and operation, not because of the nature of the packet inspection and analysis technology itself. Specifically, for an IDS to work effectively, the roles of the tools and of the administrators are very important, and the following criteria must be met:

Collect and correlate all security events detected by the IDS sensors and firewalls to avoid false positives.

The management components must operate and analyse automatically.

Combine with automatic blocking measures.

Given the limitations of IDS, especially after massive large-scale attacks such as Code Red, NIMDA and SQL Slammer, the question became how to block attacks automatically rather than merely raise alerts, so as to reduce the administrator's workload. Out of this need IPS appeared in 2003 and was widely adopted soon after.

Combined with upgraded management components, IPS gradually replaced IDS because it reduces the need for human intervention and the operational burden. Moreover, in some special cases IPS operates as an IDS by disabling its intrusion blocking feature.

By 2005 the successor of IDS, the automatic intrusion detection and prevention system IPS, had gradually overcome the remaining limitations of IDS and worked far more effectively than the previous generation. Today networks everywhere tend towards IPS solutions.



4.2 Classification

The main function of an IPS is to monitor traffic on the network in order to identify threats, record the necessary information, and produce system assessment reports. The type of IPS is chosen according to the kind of network being monitored; there are four main types:

4.2.1 Host-based Intrusion Prevention System (HIPS)

Monitors and records everything on the host (including the operating system, applications, and all services). It is a security component that detects attacks aimed directly at the host.

Figure 46 HIPS system

HIPS builds on HIDS (host-based intrusion detection), which was developed in the early 1980s. Today HIPS is one of the strongest tools for resisting attacks and protecting hosts effectively. HIPS analyses audit logs to monitor the system, its events, and the security logs on Windows NT or syslog on Unix. In addition, HIPS intercepts operating-system and application calls, secures the operating-system and application configuration, validates incoming service requests, and analyses local logs for suspicious activity. When it detects a change, HIPS compares the new log entries with preconfigured attack signatures; on a match it automatically notifies the administrator and takes the corresponding action.

HIPS uses rules that combine attack characteristics with detailed knowledge of the host's operating system and applications, allowing it to identify abnormal activity and take appropriate blocking action. Furthermore, HIPS improves host security with rules that control operating-system and processor behaviour, such as buffer overflows, registry updates, and application installation. Its network-traffic inspection rules limit the number of connections to counter Denial of Service (DoS) attacks. HIPS does not care where the host sits in the network. The following diagram shows hosts in a network using HIDS:

Figure 47 HIDS installed on the hosts

Modern HIPS requires an agent to be installed on every host to examine the activity executed on it, resist attacks, and perform intrusion analysis and protection for that host.

Advantages

Verifies whether an attack succeeded or failed: because HIPS mainly analyses records of events that actually happened on the system, its probability of detecting an attack is higher than that of NIPS (network-based intrusion prevention), with fewer false alerts.

Monitors system activity: tracks users and file-access activity such as permission changes on files and access to privileged system services.

Suitable for encrypted and switched environments: switches divide a large network into smaller segments, which makes it hard to find the best place to deploy an IPS that covers the whole network. HIPS gives greater visibility in a switched network because it is installed on many different hosts. HIPS also overcomes the weakness of NIPS with encrypted packets, because by the time the operating system sees the incoming connection the data streams have already been decrypted.

Requires no additional hardware: it is built on the existing infrastructure.

Lower deployment cost compared with NIPS (network-based intrusion prevention).

Disadvantages

Limited network view: it is hard to build an overall picture of the network.

Requires support for many operating systems: HIPS has to run on the hosts in the network, so it needs verified support for each operating system in use.



4.2.2 Network-based Intrusion Prevention (NIPS)

Inspects network interfaces in real time, scanning packet headers and examining packet contents to detect malicious code or the various forms of attack. NIPS is reliable at detecting attacks on the network.

Figure 48 NIPS system

NIPS uses monitoring devices, or sensors, throughout the network to capture and analyse traffic entering and leaving the system, detect dangerous activity and unauthorised intrusions, and take appropriate action. The sensors are deployed at network points that let the administrator monitor network activity regardless of where the target of an attack is, and tune intrusion-prevention analysis accordingly. The base operating system on which the IPS software is installed should have unnecessary network services disabled and the essential services hardened. The hardware consists of the following:

Network interface card (NIC): the NIPS must be able to connect to any network type (Ethernet, Fast Ethernet, Gigabit Ethernet).

Processor: intrusion prevention demands CPU power to perform detection analysis and match traffic against the preconfigured attack signatures.

Memory: directly affects the ability of the NIPS to detect attacks.

Figure 49 NIPS operation

When the network grows, hosts can be added without installing any additional sensors. Extra sensors are needed only when the performance of the existing sensors no longer meets current demand, or when a change in security policy or network design calls for more of them.

Advantages

Easily sees attacks taking place across the whole network.

No need to deploy an IDS on every host, and no dependence on the host operating system.

Disadvantages

Cannot see into encrypted traffic.

It is hard to place the NIPS so that it captures all network traffic, especially as the network grows. Solving this requires more sensors, which adds deployment cost.

Overall, HIPS and NIPS each have their own advantages and difficulties, and the choice depends on the deployment model. Where HIDS is the ideal solution for hosts, NIDS protects the LAN effectively. Managing HIDS requires less specialist knowledge, whereas NIDS demands more attention from the administrator. The following table compares the functions of the two systems:





Function | HIDS | NIDS | Assessment
--- | --- | --- | ---
Protection inside the LAN | **** | **** | Both protect inside the LAN
Protection outside the LAN | **** | - | Only HIDS
Ease of administration | **** | **** | Equivalent in the general administration context
Flexibility | **** | ** | HIDS is the more flexible system
Price | *** | * | HIDS is more economical
Ease of adding to | **** | **** | Both equivalent
Short training required | **** | ** | HIDS requires less training than NIDS
Total cost | *** | ** | HIDS costs you less
LAN bandwidth required | 0 | 2 | NIDS uses a lot of LAN bandwidth, HIDS does not
Network overhead | 1 | 2 | NIDS needs two network bandwidth requirements on any LAN
Bandwidth required (Internet) | ** | ** | Both need Internet bandwidth to update signature files promptly
Port-spanning requirements | - | **** | NIDS requires port spanning to be enabled to make sure LAN traffic is scanned
Update cycle for users | **** | - | HIDS updates all users from a central signature file
Adaptability across applications | ** | **** | NIDS is more adaptable across applications
Local registry scanning | **** | - | Only HIDS performs this kind of scan
Logging | *** | *** | Both provide logging
Alerting | *** | *** | Both alert individuals and administrators
PAN scanning | **** | - | Only HIDS scans the personal area network
Packet dropping | - | **** | Only NIDS has this capability
Specialist knowledge | *** | **** | More specialist knowledge is needed to install and use NIDS across all network security issues
Central management | ** | *** | NIDS has the edge
Disabling risk factors | * | **** | NIDS has more risk factors than HIDS
Upgradeability | *** | *** | Software is easier to upgrade than hardware, through centralised scripts
Detection nodes across multiple LAN segments | **** | ** | Detects multiple segments more comprehensively

Table 2 Comparison of HIPS and NIPS functions



In addition, IPS is deployed in the following network settings:

Wireless Intrusion Prevention System (WIPS): analyses wireless protocol activity to detect suspicious traffic entering and leaving the wireless network.

Network Behavior Analysis (NBA): monitors network traffic to identify latent risks that produce abnormal traffic, such as DDoS, various kinds of malware, and policy violations.

Perimeter Intrusion Detection System (PIDS): detects and locates attempts to breach the perimeter fence around critical infrastructure. Using fibre-optic cable, PIDS detects disturbances on the fence; the signal is monitored and an alarm is triggered when an intrusion is detected.

VM-based Intrusion Detection System (VMIDS): detects intrusions by monitoring on virtual machines, which allows an intrusion-detection system to be built on virtual machine monitoring. This is a recent invention that is still at the research stage. Without building any separate IDS, the whole network can still be monitored.



4.3 Operating principle of the system

An IPS succeeds when it meets these conditions: it works fast and accurately, raises sensible notifications, analyses the entire throughput, makes maximum use of its sensors, blocks successfully, and has a flexible management policy. It consists of three main modules:

4.3.1 Data flow analysis

This module takes packets arriving on the network for analysis. Normally a network card discards packets that are not addressed to it, but the IPS network card is placed in a mode that receives everything. Every packet passing through it is copied, processed, and analysed down to each field. The analyser reads the information in each field of the packet and determines which packet type and which service it belongs to. This information is passed to the attack-detection module.



4.3.2 Attack detection

This is the most important module, the one that detects attacks; it covers three monitoring methods:

4.3.2.1 Attack signatures (Signature-based Detection, or Misuse Detection)

A set of rules used to identify common intrusion activity: it analyses system activity, monitors events, and compares them with preconfigured attack patterns:

Exploit-based signatures: detect vulnerability-probing tools such as password guessing, automated attack shell scripts, simple procedures that search for system vulnerabilities, and executable code.

Vulnerability-based signatures: analyse flaws in the execution of application programs and risks to security or system function, such as weak passwords, handling of unexpected input, or insecure transmission.

Creating signatures requires the administrator to understand the type of attack and the threat thoroughly and to develop detection signatures. As more attack and exploitation methods are discovered, the IPS vendor must supply updates to the signature files.

If traffic matches any attack signature, the IPS takes the appropriate action based on its preconfiguration, with no user intervention needed. This makes detection fast and accurate, avoids false alerts that would degrade network performance, and helps administrators identify security holes in the system. However, the method has the drawback that it cannot detect attacks that are not in its database, that is, new attack types, so the system must constantly be updated with new attack patterns.

Benefits

Few false alerts: signatures are based on knowledge of intrusion activity, so the probability of detecting an attack is high.

The system is easy to understand: actions can easily be adjusted to suit any alert. Signatures can also be captured while a whole-network check is carried out.

New attacks are updated frequently: signatures change continuously after installation.

Limitations

Cannot detect new or unknown attacks (false negatives): because it works from predefined signature patterns, it struggles to recognise a new attack that was never seen or discovered before.

Cannot detect variations of known attacks: signature files are static and do not adapt to the system. If the attack method is changed, the attacker may get in undetected (false negative).

Managing the signature database: keeping the signature database updated and current requires a considerable investment of time and money.

Limited sensor memory: the sensor keeps state information in memory so that it can look it up quickly, and that memory is finite.


4.3.2.2 Anomaly signatures (Statistical Anomaly-based Detection)

An intelligent detection technique that recognises abnormal behaviour. Initially the IPS stores profiles of user groups or of normal system activity (for example, group permissions according to activities and resources; a web server must have a profile of its activity based on web traffic, and likewise a mail server). The more distinct profiles there are for each kind of service, the more accurate the alerts the IPS can raise. It then compares traffic entering and leaving the system against these profiles and identifies which activity is unusual and potentially harmful, using several techniques:

Threshold detection: focuses on exceeding thresholds set for normal activity, such as more login attempts than allowed, the number of processes running on the CPU, or the number of packets of one type sent beyond a limit; the system then treats the activity as harmful.

Detection by self-learning: two steps. At set-up the detection system runs in learning mode and builds a profile of the network's behaviour under normal activity. After this initialisation period it runs in working mode, monitoring and detecting abnormal network activity by comparison with the established profile. Learning mode can run alongside working mode to keep the profile updated, but if an attack is detected, learning must stop until the attack ends.

Protocol anomaly detection: uses the behaviour of the protocols and services in the system to find invalid packets and abnormal activity that are signs of intrusion or attack. This technique is effective at blocking the network and port scans that attackers use to gather information.

This method is effective at detecting denial-of-service attacks and new attack types, and provides useful information that complements the previous method. However, it sometimes generates false alerts that reduce network performance.

Benefits

Easily detects external attackers and account thieves.

Improves on the limitations of signature-based monitoring: whereas an attacker might test the signatures on an IPS and choose a suitable method and tool, with this method that is extremely hard, because no predefined signature database is used, so the intruder cannot know exactly what triggers an alert.

Suited to detecting new attacks: it does not rely on a set of defined signatures or on known attacks; profiles are dynamic and use artificial intelligence to determine what normal activity is.

Limitations

A long initial preparation time, with no protection during the initialisation period.

Difficulty creating user-group profiles: ensuring their quality is fairly complex.

Profiles need frequent updating as user habits change.

Difficulty defining normal behaviour: the IPS is only as good as its definition of what is normal. This is a challenge where users' work or responsibilities change frequently.

False alerts: anomaly-based systems tend to produce many false positives because they look for anything out of the ordinary.

Defining profiles of users and system activity is fairly complex: statistical sampling, rule-based methods, and neural networks are the approaches for building profiles, and they are hard to understand and explain.
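The signature-based method (4.3.2.1) and the threshold technique of the anomaly-based method (4.3.2.2), combined in one small detection module, as an added Python example that is not part of the thesis; the two signatures, the login threshold of 5, and the event records are all constructed for illustration.

```python
"""Added example (not from the thesis): a minimal detection module combining
signature-based matching (section 4.3.2.1) with threshold-based anomaly
detection (section 4.3.2.2) over constructed event records."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed signatures (illustrative, not a vendor signature file).
# Each pattern is a fixed string that a known attack leaves in a request.
SIGNATURES = {
    "sql-union": re.compile(r"union\s+select", re.IGNORECASE),
    "xss-script": re.compile(r"<script", re.IGNORECASE),
}


@dataclass(frozen=True)
class Alert:
    method: str   # "signature" or "anomaly"
    name: str     # which signature or which threshold fired
    source: str   # offending source address
    detail: str


class Detector:
    """Keeps per-source state so a threshold can be evaluated across events."""

    def __init__(self, login_threshold: int = 5):
        self.login_threshold = login_threshold
        self.failed_logins = defaultdict(int)
        self.alerts: list[Alert] = []

    def inspect(self, event: dict) -> None:
        src = event["src"]
        payload = event.get("payload", "")
        # Signature matching: compare the payload with every known pattern.
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                self.alerts.append(Alert("signature", name, src, payload))
        # Threshold anomaly: count consecutive failed logins per source and
        # alert exactly once when the configured limit is reached.
        if event.get("type") == "login":
            if event["ok"]:
                self.failed_logins[src] = 0
            else:
                self.failed_logins[src] += 1
                if self.failed_logins[src] == self.login_threshold:
                    self.alerts.append(Alert(
                        "anomaly", "login-threshold", src,
                        f"{self.login_threshold} consecutive failed logins"))


def run_detection(events, login_threshold: int = 5) -> list[Alert]:
    det = Detector(login_threshold)
    for ev in events:
        det.inspect(ev)
    return det.alerts


# Constructed events: one SQL injection probe, one benign request, a burst of
# six failed logins from one source, one script injection attempt, and one
# variant the fixed signature does not cover (the false negative of 4.3.2.1).
EVENTS = [
    {"src": "192.0.2.10", "type": "http",
     "payload": "GET /search?q=1' UNION SELECT user,pass FROM users"},
    {"src": "192.0.2.11", "type": "http", "payload": "GET /index.html"},
] + [
    {"src": "192.0.2.12", "type": "login", "ok": False} for _ in range(6)
] + [
    {"src": "192.0.2.10", "type": "http", "payload": "GET /?name=<ScRiPt>x</script>"},
    {"src": "192.0.2.10", "type": "http", "payload": "GET /search?q=1' UNION ALL SELECT 1"},
]

if __name__ == "__main__":
    for a in run_detection(EVENTS):
        print(f"{a.method:9s} {a.name:16s} {a.source:12s} {a.detail}")
```

The last event produces no alert, which is exactly the static-signature weakness the text describes; the anomaly branch fires once for the burst rather than on every failed login after the fifth.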



4.3.2.3 Protocol (Stateful Protocol Analysis Detection)

Like signature-based detection, this performs deep analysis of the protocol identified in the packet. For example, when an attacker starts running an attack program against a server, the attacker must first send an IP packet carrying the protocol type, possibly with no data in the payload field; this method tracks basic attack patterns based on certain protocols:

Checks the protocol's capabilities to determine whether the packet is legitimate.

Checks the payload content (pattern matching).

Raises alerts for abnormal behaviour.

4.3.2.4 Policy (Policy-based IPS)

Raises an alert when an action violates a preconfigured policy.

Benefits

Separate policies: a policy can be set for each device in the system.

Validated and fast response: very few false alerts.

Limitations

Requires a certain level of experience and knowledge: setting policies requires the system administrator to have a certain level of experience and knowledge, and managing the policies is fairly complex.

Frequent reconfiguration whenever new devices are added to the system.

Difficult to administer remotely.



4.3.3 Response

When there is a sign of attack or intrusion, the detection module signals the response module, which then triggers the firewall to block the attack or alerts the administrator. If it only raises alerts, the system is called a passive defence system. Some blocking techniques:

Terminate the process: send packets that tear down the suspicious session. However, the intervention comes later than the moment of attack, so the attack may be complete before intervention begins. The technique is also ineffective with UDP protocols such as DNS, and the injected packet must carry the correct sequence number for the attacking session. If the attack happens quickly this method is hard to apply.

Drop the attack: discard the packet or block the path of the incoming packet, session, or attack stream; the safest option, but easily confused with legitimate packets.

Change firewall policy: lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration temporarily changes the access-control policies for particular users while alerting the administrator.

Real-time alerts: send real-time alerts to the administrator so they grasp the details, characteristics, and information about the attacks.

Log to file: packet data is stored in log files so the administrator can conveniently follow the traffic flows, and it serves as a source of information for the detection module.



4.4 Related terms

Event horizon

To detect intrusions the IPS checks information against the signatures in its database. Sometimes, however, that information spans many packets. When a signature requires several fragments of data, the IDS maintains state for the signature from the moment it sees the first fragments. That state is kept for a period called the event horizon, which differs for each type of attack. For some attacks it is the period from logon to logoff; for others it can last a whole week.

False negative

When the IPS fails to alert on an intrusion. A false negative describes a real attack that the IPS misses because of its configuration. Most IPS developers tend to design their systems to avoid false negatives. Eliminating them entirely, however, requires frequent signature updates so the system always recognises new attack types.

False positive

The opposite of a false negative: a false positive is an alert raised when no attack is taking place. When the IPS raises too many false alarms, network performance suffers. Limiting both false negatives and false positives is the constant goal of most administrators deploying an IPS.

True positive

Describes the IPS raising a correct alert on detecting an attack or unauthorised intrusion into the network. This is also the goal of IPS researchers and developers.

True negative

No alert is raised when there is no attack or unauthorised intrusion into the network. Ensuring the IPS always tends towards true negatives and true positives is what many enterprises want, but it requires a considerable investment of time and money and the administrator's attention.





PART 5: BUILDING A FIREWALL FOR THE HOA SEN UNIVERSITY NETWORK

5.1 Introduction

Hoa Sen University has its headquarters in central Ho Chi Minh City, the dynamic centre of Vietnam and the region. Founded in 1991, at a time when the economy and society were opening up to international integration, the school set itself the goal of substantive education and training that engages directly with society's needs, through its technician programmes. Training that meets society's needs continued to be maintained and developed when the school became a college in the late 20th century. The vision, mission, and training philosophy built on this core value have carried Hoa Sen forward as a university since 2006.



5.2 Requirements

The theme of the 2010-2011 academic year, "Reaching higher together", aims at even more successful cooperation between Hoa Sen University and its academic, business, and social partners. This year the school welcomes 2623 new students, so to meet learning needs and raise working efficiency it has decided to upgrade the entire network at its campuses:

Build an internal network covering offices and student labs, and provide wireless connectivity so students can look up network resources outside class hours.

Ensure information security and prevent unauthorised intrusion by deploying a firewall system, a VPN solution for remote access between campuses, and IDS/IPS to monitor and record attacks.

Provide redundancy for the firewall in case of failure, divide the inspection of traffic flows across the firewalls to make maximum use of firewall capacity, and load-balance the Internet connections so the system runs well and continuously.

Specific requirements for each department:





Working hours | Department | Who has access | Specific requirements
--- | --- | --- | ---
8:30 to 11:30, 13:00 to 17:00 | Faculty; Training; Admissions; Finance and Accounting | Staff | Allowed to access the Web, the File Server, and mail. File sharing between departments.
6:30 to 12:00, 13:00 to 17:30 | Lab (for all students) | Students | No Internet access.
6:30 to 12:00, 13:00 to 17:30 | Network Practice Lab | Students | Allowed Internet access, mail, and other services to help students practise system design.
10:00 to 14:00 | Library | Students | Only web (Internet) access allowed.
6:30 to 17:30 | Wireless | Students, staff, guests | Allowed Internet access.

Table 3 Requirements for each department



5.3 Deployment

5.3.1 Network diagram at the headquarters

5.3.1.1 Network model

Based on the firewall architectures above, we decided to deploy the firewall system for Hoa Sen University following one of the two models below:

(a)

(b)

Figure 50 Network diagram of Hoa Sen University

Differences

First diagram: along with Active/Active Failover for firewall redundancy, we also use HSRP (Hot Standby Router Protocol), the least expensive solution we chose (a more optimal alternative is covered in the Load Balancing Firewall section), to make full use of the equipment. Although it exploits all the system's resources, it also brings some drawbacks:

High investment cost.

Requires network administrators with a certain level of experience and skill.

Deployment and administration are fairly complex because many devices are used (especially Layer 3 switches).

Second diagram: uses Active/Standby Failover for firewall redundancy. By removing devices (the Layer 3 switches), the investment cost drops significantly. Deploying the second model also lightens the administrator's load, with no HSRP or firewall load-balancing issues to deal with. Compared with the first model, however, it has one limitation:

It does not exploit all the system's resources (specifically, the two Standby firewalls).

In both diagrams the Hoa Sen University network consists mainly of four network zones, arranged in order of decreasing security level:

Network zone | IP range | Subnet mask | Description
--- | --- | --- | ---
Inside Network | 172.16.x.0 (x: corresponding VLAN) | 255.255.255.0 | Trusted internal network. Highest security level (100)
Server Farm | 10.0.0.0 | 255.255.255.0 | Hosts the important servers (including the Database Server). Security level 100
DMZ (Demilitarized Zone) | 11.0.0.0 | 255.255.255.0 | Hosts the servers published to the Internet (including the Web Server and Mail Server). Security level below the Server Farm (50)
Outside Network (Internet) | Other public IP ranges outside the above | | Untrusted network. Lowest security level (0)

Table 4 Network zones in the Hoa Sen University system



In addition, for the point-to-point links between devices we use the address range 193.1.0.0/16, configured from the inside outward as follows:

Device | Link | IP range | Subnet mask
--- | --- | --- | ---
Inside firewall pair | Layer 3 switch to the Active firewall | 193.1.1.0 | 255.255.255.0
Inside firewall pair | Layer 3 switch to the Standby firewall (Inside firewall pair) | 193.1.2.0 | 255.255.255.0
Between the inside and outside firewall pairs | Between the two Active firewalls | 193.1.4.0 | 255.255.255.0
Between the inside and outside firewall pairs | Between the two Standby firewalls | 193.1.3.0 | 255.255.255.0
Outside firewall pair | Edge router to the Active firewall (Outside firewall pair) | 193.1.5.0 | 255.255.255.0
Outside firewall pair | Edge router to the Standby firewall (Outside firewall pair) | 193.1.6.0 | 255.255.255.0

Table 5 IP address ranges on the links between devices



5.3.1.2 Identifying user groups

Each department corresponds to a user group and is assigned its own VLAN; there are 9 departments as follows:

Department | VLAN | IP range | Subnet mask | Description
--- | --- | --- | --- | ---
Access Point | 1 | 172.16.1.0 | 255.255.255.0 | Wireless network for guests, staff, and students
NetLab | 2 | 172.16.2.0 | 255.255.255.0 | Lab for networking students
Lab | 3 | 172.16.3.0 | 255.255.255.0 | Practice room for all students
Library | 4 | 172.16.6.0 | 255.255.255.0 | Library for students' self-study
Faculty | 5 | 172.16.7.0 | 255.255.255.0 | Lecturers' room
Training | 6 | 172.16.8.0 | 255.255.255.0 | Bookkeeping and activity reports
Finance and Accounting | 7 | 172.16.9.0 | 255.255.255.0 | Manages academic results
Admissions | 8 | 172.16.10.0 | 255.255.255.0 | Provides and processes admissions information
IT | 9 | 172.16.11.0 | 255.255.255.0 | System administration

Table 6 Department VLANs



Besides the 9 VLANs configured above, we configure 2 more: the Restricted VLAN (used when a user fails to log in) and the Guest VLAN (used when an empty username and password are supplied to log in).

We also deploy a VoIP telephony system for each department. The extension number of a user account has the format xxxx, where:

The first two digits are the campus number.

The next digit is the department number.

The last digit is the user's sequence number.

The numbers for campuses, departments, and users are defined in the following tables:

Campus | Number
--- | ---
Quang Trung | 11
Nguyen Van Trang | 22
Cao Thang | 77

Table 7 Campuses with VoIP

Department | Number
--- | ---
Faculty | 1
Training | 2
Finance and Accounting | 3
Admissions | 4
Library | 5
NetLab | 6
Lab | 7

Table 8 Departments with VoIP

User account | Number
--- | ---
User 1 | 1
User 2 | 2

Table 9 User account numbers



5.3.1.3 Packet inspection rules on the firewall

Inspecting the packets entering and leaving the network is extremely important and decisive in detecting and blocking attacks on the system. Therefore, to strengthen network security, we define inspection rules of two kinds:

Network-layer rules for each department: three kinds, corresponding to the three network zones, applied to traffic originating from:

Inside network: configured on the inside firewall

Department | Action | Protocol | Time applied | Description
--- | --- | --- | --- | ---
Access Point | ALLOW | HTTPS | 6:30 am to 5:30 pm | Allows a Web VPN to be established to reach the Internet
Lab | DENY | ALL | 0:00 to 24:00 | Blocks all access to the outside network
NetLab | ALLOW | ALL | 6:30 am to 5:30 pm | Allows all protocols to the Internet
IT | ALLOW | ALL | 6:30 am to 5:30 pm | Allows access to the web server in the DMZ, web on the Internet, the network-management protocols, and user support
Remaining departments | ALLOW | HTTP, HTTPS, SMTP, FTP, SMB, SKINNY | 6:30 am to 5:30 pm | Allows only web, file server, mail server, file sharing, and VoIP

Table 10 Rules for the departments on the internal network

Outside the hours above, the firewall blocks all connections from inside to outside.




Server Farm zone

All connections from this zone into the inside network or out to the outside network are blocked. However, authenticated connections from the servers may enter the inside network through web applications on predesignated ports, implemented by the development engineers.

DMZ: all connections from this zone into the inside network or out to the outside network are blocked.

Outside network: configured on the outside firewall.

Only web (HTTP) and mail (SMTP) access to the DMZ is allowed.

Ping (ICMP) is blocked on all firewall interfaces.

IP spoofing and ARP spoofing are countered.

Application-layer rules by traffic direction

From inside to outside: configured on the inside firewall.


Protocol | Field inspected | Detail | Description
--- | --- | --- | ---
HTTP | url-length | 100 | Web address length is limited to 100
HTTP | Request (host) | www.tuoitre.vn, www.dantri.com | Block access to Tuoi Tre and Dan Tri
HTTP | uri request | union, script, char() | Block URIs containing these three strings
FTP | filename | *.exe, *.wav, *.mpg, *.avi, .. | Block downloads of audio, video, compressed, and executable files
IM (Instant Messenger) | protocol | msn, yahoo | Block chat software

Table 11 Application-layer rules from inside to outside



From outside into the DMZ: configured on the outside firewall.

Protocol | Field inspected | Detail | Description
--- | --- | --- | ---
HTTP | Max-conn | 1000 | Maximum number of connections
HTTP | Embryonic Connection | 200 | Maximum number of half-open connections
HTTP | url-length | 100 | Web address length is limited to 100
HTTP | uri request | union, script, char() | Block URIs containing these three strings
HTTP | spoof-server | ServerPRO | Counter server fingerprinting

Table 12 Application-layer rules from outside into the DMZ





Rules for VPN connections

VPN type | Action | Protocol | Description
--- | --- | --- | ---
Site to Site VPN | ALLOW | H323, SMB, FTP, HTTP | Users at the branches call each other. File sharing on the Database Server is allowed. File download and web access to the servers in the DMZ are allowed.
Easy VPN | ALLOW | SKINNY, SMB, FTP, HTTP | Voice. File sharing on the Database Server is allowed. Idle timeout 30 minutes. Maximum connection time 5 h, then re-authentication. Key lifetime 1 h. File download and web access to the servers in the DMZ are allowed.
Web VPN | | FTP, HTTP | Idle timeout 30 minutes. Maximum connection time 5 h, then re-authentication. Key lifetime 1 h.

Table 13 Rules for VPN connections



5.3.2 Building the policies

To secure the information in the network, setting inspection policies on each device is extremely important; the devices include the following:

5.3.2.1 Switch Layer 2

Port Security: ensures that the end devices are explicitly known. When an unknown device is plugged in, the port is shut down immediately.

Remote SPAN (Switched Port Analyzer): lets the administrator monitor the system easily. When this feature is enabled, the switch copies every packet passing through it and sends the copy to a fixed port or VLAN, from which the administrator analyses, monitors, and assesses the system through a monitoring device or an IDS (Intrusion Detection System).

BPDU guard: enabled on the switch's access-mode ports, one of the Spanning Tree Protocol (STP) features; it stops internal attackers who deliberately send BPDUs (Bridge Protocol Data Units) on a PortFast port in order to become the Root Bridge. If the switch receives a BPDU on a port with this feature enabled, the port immediately enters the errdisable state and can neither send nor receive data. To use the port again, an administrator must intervene or the errdisable period must expire.

IEEE 802.1x (dot1x): provides a client-server authentication model that restricts who can join the LAN through a physical port (PNAC, port-based Network Access Control); it can only be deployed on switches that support it. Alongside the switch configuration, the feature must be enabled on the end stations. Compared with WEP (Wired Equivalent Privacy), 802.1x ensures confidentiality and data integrity. It also brings some advanced methods, such as filtering: besides SSID and MAC filtering, 802.1x also supports protocol filtering.

5.3.2.2 Switch Layer 3

Build ACLs in the inside-to-outside direction with the following rules:

Block access from the two labs and the library to the staff departments (Faculty, Finance and Accounting, Training, Admissions) and between one another.

Allow the staff departments (Faculty, Finance and Accounting, Training, Admissions) to use the SKINNY protocol (the VoIP service).

Allow the NetLab to access all protocols on the outside.

The library may only access HTTP on the outside.

Block the ordinary Lab from all protocols to internal hosts and to the outside.

Allow HTTPS connections from the Access Point (AP) to the inside firewall (Firewall Inside).



5.3.2.3 Firewall Inside (T ng la bn trong)

Theo hng lu lng

T trong (Inside) ra ngoi (Outside)

o Xy dng Access Cont rol List (ACL): cho php cc my t nh ni b (Inside) tr uy



cp cc giao thc HTT P, HTT PS, FTP, SMTP, H323 gia cc CCM ser ver . Ngn
chn ngi dung wifi kt ni vo c s khc.





time-range NOWORK
 periodic weekdays 0:00 to 06:30
 periodic weekdays 17:00 to 24:00
 periodic weekend 0:00 to 24:00
!
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 11.0.0.0 255.0.0.0
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list IN_OUT extended permit ospf any any
access-list IN_OUT extended deny ip any any time-range NOWORK
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 10.1.0.2 eq 445
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq http
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp-data
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 11.0.0.2 eq smtp
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 11.0.0.2 eq pop3
access-list IN_OUT extended permit tcp host 10.0.0.4 host 10.1.0.4 eq 1720
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq domain
access-list IN_OUT extended permit udp 172.16.0.0 255.255.0.0 any eq domain

Table 14: Inside-to-outside ACLs
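Because an ASA ACL is evaluated top-down and the first match wins, the order of the entries in Table 14 (the two wifi denies, OSPF, then the NOWORK deny ahead of every permit) decides what a given flow can actually do. The following is an added example, not part of the thesis, that evaluates a constructed copy of the table's entries with the same first-match and time-range semantics; the flows it checks are constructed sample values.

```python
"""Added example (not from the thesis): first-match evaluation of the IN_OUT
ACL from Table 14, including its NOWORK time-range, so that a flow can be
checked against the policy before it is deployed. The ACL text below is a
constructed copy of the table's entries."""
import ipaddress
from datetime import datetime

ACL_TEXT = """\
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 11.0.0.0 255.0.0.0
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list IN_OUT extended permit ospf any any
access-list IN_OUT extended deny ip any any time-range NOWORK
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 10.1.0.2 eq 445
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq http
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 11.0.0.2 eq smtp
access-list IN_OUT extended permit udp 172.16.0.0 255.255.0.0 any eq domain
"""

# ASA service keywords used in the table, mapped to port numbers.
PORT_NAMES = {"http": 80, "https": 443, "ftp": 21, "ftp-data": 20,
              "smtp": 25, "pop3": 110, "domain": 53}


def _network(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def _port(tokens):
    """Consume an optional 'eq PORT'; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_acl(text):
    """Parse lines of the form
    access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P] [time-range T]."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[3], tok[4], tok[5:]
        src = _network(rest)
        _port(rest)                       # source port: not used by this table
        dst = _network(rest)
        dport = _port(rest)
        trange = rest[rest.index("time-range") + 1] if "time-range" in rest else None
        entries.append((action, proto, src, dst, dport, trange))
    return entries


def _as_datetime(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def nowork_active(when):
    """The table's NOWORK range: weekdays 00:00-06:30 and 17:00-24:00, all weekend."""
    when = _as_datetime(when)
    if when.weekday() >= 5:               # Saturday or Sunday
        return True
    minutes = when.hour * 60 + when.minute
    return minutes < 6 * 60 + 30 or minutes >= 17 * 60


def evaluate(entries, proto, src, dst, dport, when):
    """First matching entry decides; an ASA ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, entry_port, trange in entries:
        if p != "ip" and p != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if entry_port is not None and entry_port != dport:
            continue
        if trange == "NOWORK" and not nowork_active(when):
            continue
        return action
    return "deny"


IN_OUT = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # A staff PC browsing the web on a Monday morning is permitted ...
    print(evaluate(IN_OUT, "tcp", "172.16.5.10", "203.0.113.7", 80, "2010-12-13T10:00"))
    # ... but the same flow after 17:00 is caught by the NOWORK deny.
    print(evaluate(IN_OUT, "tcp", "172.16.5.10", "203.0.113.7", 80, "2010-12-13T18:00"))
    # A wifi client (172.16.20.0/24) never reaches the 11.0.0.0/8 campus, even for SMTP.
    print(evaluate(IN_OUT, "tcp", "172.16.20.9", "11.0.0.2", 25, "2010-12-13T10:00"))
```

The NOWORK deny sits above the permits, so outside working hours only OSPF survives; moving an entry changes the policy, which is why such a check belongs in change review.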



o Set up Application-layer inspection policies (Inspection Policy) for the following protocols:

HTTP: block access to websites with harmful or reactionary content (for example www.tuoitre.com.vn and www.dantri.com); block downloads of files with extensions such as .exe, .bat, .gif and .vbs, of compressed files and of entertainment files; block web applications (those whose header field is application); limit the header length, which must be greater than 100; block downloaded content that does not match its header; block pages that run ActiveX or Java Applets; and protect against CSS (Cross Site Scripting) and SQL Injection.

regex URL_TUOITRE ".*[Tt][Uu][Oo][Ii][Tt][Rr][Ee]\.[Vv][Nn]"
regex URL_DANTRI ".*[Dd][Aa][Nn][Tt][Rr][Ii]\.[Cc][Oo][Mm]\.[Vv][Nn]"
regex VIRUS ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex IMAGE ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex VIDEO ".*\.([Aa][Vv][Ii]|[Ff][Ll][Vv]|[Ww][Mm][Vv]) HTTP/1.[01]"
regex MUSIC ".*\.([Mm][Pp]3|[Ww][Mm][Aa]|[Ww][Aa][Vv]) HTTP/1.[01]"
regex COMPRESS ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex UNION ".*[Uu][Nn][Ii][Oo][Nn].*"
regex SCRIPT ".*[Ss][Cc][Rr][Ii][Pp][Tt].*"
regex CHAR ".*[Cc][Hh][Aa][Rr]\(.*\).*"
regex contenttype "Content-Type"
regex applicationheader "application/.*"
!
class-map HTTP_MAP
 match port tcp eq www
!
class-map type regex match-any RESTRICTED_URLS
 match regex URL_TUOITRE
 match regex URL_DANTRI
!
class-map type inspect http match-any URI_BLOCK
 match request header referer regex UNION
 match request header referer regex SCRIPT
 match request header referer regex CHAR
 match request uri regex VIRUS
 match request uri regex IMAGE
 match request uri regex VIDEO
 match request uri regex MUSIC
 match request uri regex COMPRESS
!
class-map type inspect http match-any RESTRICTED_HTTP
 match request uri length gt 200
 match request header host regex class RESTRICTED_URLS
!
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
!
policy-map type inspect http MY_HTTP_MAP
 parameters
  protocol-violation action drop-connection
 class RESTRICTED_HTTP
  reset log
 class URI_BLOCK
  reset log
 class AppHeaderClass
  drop-connection log
!
policy-map IN_OUT
 class HTTP_MAP
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 10 per-client-embryonic-max 5
  inspect http MY_HTTP_MAP
!
service-policy IN_OUT interface inside

Table 15: HTTP Inspection policy on the Inside firewall






FTP: policies configured in the same way as for HTTP.

regex EXT_DOC ".+[Dd][Oo][Cc]"
regex EXT_DOCX ".+[Dd][Oo][Cc][Xx]"
regex EXT_XLS ".+[Xx][Ll][Ss]"
regex EXT_XLSX ".+[Xx][Ll][Ss][Xx]"
regex EXT_EXE ".+[Ee][Xx][Ee]"
regex EXT_WAV ".+[Ww][Aa][Vv]"
regex EXT_MPG ".+[Mm][Pp][Gg]"
regex EXT_AVI ".+[Aa][Vv][Ii]"
regex EXT_GIF ".+[Gg][Ii][Ff]"
regex EXT_MP3 ".+[Mm][Pp]3"
regex EXT_FLV ".+[Ff][Ll][Vv]"
regex EXT_ZIP ".+[Zz][Ii][Pp]"
regex EXT_RAR ".+[Rr][Aa][Rr]"
!
class-map type inspect ftp match-any RESTRICTED_EXT
 match filename regex EXT_EXE
 match filename regex EXT_WAV
 match filename regex EXT_MPG
 match filename regex EXT_AVI
 match filename regex EXT_GIF
 match filename regex EXT_MP3
 match filename regex EXT_FLV
 match filename regex EXT_ZIP
 match filename regex EXT_RAR
!
policy-map type inspect ftp MY_FTP_MAP
 class RESTRICTED_EXT
  reset log
!
class-map FTP_MAP
 match port tcp eq ftp
!
policy-map IN_OUT
 class FTP_MAP
  inspect ftp strict MY_FTP_MAP
!
service-policy IN_OUT interface inside

Table 16: FTP Inspection policy on the Inside firewall



Blocking Yahoo and MSN Messenger

class-map IM
 match any
!
policy-map type inspect im IM
 match protocol yahoo-im msn-im
  drop-connection
!
policy-map IN_OUT
 class IM
  inspect im IM
!
service-policy IN_OUT interface inside

Table 17: Blocking Yahoo Messenger and MSN Messenger



From outside (Outside) to inside (Inside)

o Configure the Access Control List (ACL)

Open port 8000 from the Web Server to the Database Server; authentication is handled by the developers.

Allow the other campuses to reach the Database Server.

Allow Easy VPN users to connect to the Call Manager, and the Call Managers to connect to each other.

Allow the Web VPN applications to operate.

Allow the outside firewall to connect to the ACS for authentication.

access-list OUT_IN extended permit tcp 172.17.0.0 255.255.0.0 host 10.0.0.2 eq 445
access-list OUT_IN extended permit tcp host 10.1.0.4 host 10.0.0.4 eq 1720
access-list OUT_IN extended permit tcp host 11.0.0.2 host 10.0.0.2 eq 8000
access-list OUT_IN extended permit ospf any any
access-list OUT_IN extended permit udp host 193.1.3.1 host 10.0.0.2 eq radius
access-list OUT_IN extended permit tcp host 193.1.3.1 host 10.0.0.2 eq 139
access-list OUT_IN extended permit tcp 12.0.0.0 255.255.255.0 host 10.0.0.4 eq 2000
access-list OUT_IN extended deny ip any any

Table 18: Outside-to-inside ACLs




VPN connections

Web VPN: no extra software needs to be installed; the VPN connection is made from a web browser. The following groups are allowed to reach the Internet through AnyConnect, but they cannot reach the internal network:

Faculty

Students

Staff

Guests








ip local pool WIFI 172.16.20.1-172.16.20.254
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 123456
!
webvpn
 enable inside
 tunnel-group-list enable
 onscreen-keyboard logon
 svc image flash:/anyconnect-win-2.4.0202-k9.pkg
 svc enable
 exit
!
http server enable
!
group-policy WIFI internal
group-policy WIFI attributes
 vpn-tunnel-protocol svc
 webvpn
  svc ask enable
  svc keep-installer installed
  svc rekey method ssl
  svc rekey time 60
!
tunnel-group WIFI type webvpn
tunnel-group WIFI general-attributes
 address-pool WIFI
 authentication-server-group RADIUS LOCAL
 default-group-policy WIFI
tunnel-group WIFI webvpn-attributes
 group-alias WIFI_GROUP enable

Table 19: Web VPN policies on the Inside firewall



5.3.2.4 Firewall Outside (outside firewall)

By traffic direction

From outside (Outside) into the Demilitarized Zone (DMZ)

Build the Access Control List (ACL) allowing external hosts HTTP access to the Web Server and SMTP access to the Mail Server in the DMZ.

access-list OUT_IN extended permit tcp any host 193.1.5.2 eq http
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq https
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq smtp
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq pop3

Table 20: ACLs allowing outside-to-DMZ access



Limit the maximum number of connections (Max Connection) to 1000 and the number of connections that have not completed the handshake (Embryonic Connection) to 200.

static (inside,outside) tcp interface http 10.0.0.2 http netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface ftp 10.0.0.2 ftp netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface ftp-data 10.0.0.2 ftp-data netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface imap 10.0.0.2 imap netmask 255.255.255.255 tcp 1000 200

Table 21: Connection-limit policies for outside-to-DMZ traffic



Set up an Application-layer inspection policy (Inspection Policy) for HTTP to protect the web server against Web Server Fingerprinting, Cross Site Scripting and SQL Injection attacks from the outside.

regex UNION ".*[uU][nN][iI][oO][nN].*"
regex SCRIPT ".*[Ss][Cc][Rr][Ii][Pp][Tt].*"
regex CHAR ".*[Cc][Hh][Aa][Rr]\(.*\).*"
!
class-map type inspect http match-any HACKING
 match request uri regex UNION
 match request uri regex SCRIPT
 match request uri regex CHAR
!
policy-map type inspect http MY_HTTP
 parameters
  spoof-server ServerPRO
 class HACKING
  drop-connection log
!
policy-map OUT_IN
 class OUT_IN
  inspect http MY_HTTP
!
service-policy OUT_IN interface outside

Table 22: HTTP Inspection policy on the Outside firewall
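The regexes in Table 15 (inside firewall) and Table 22 (outside firewall) are plain substring patterns, so it is worth seeing what they match and what they catch by accident before the reset and drop-connection actions go live. The following is an added example, not part of the thesis, that applies the tables' patterns with Python's re to constructed requests; the request lines, hosts and referers are constructed sample values, and inside_policy and outside_policy are hypothetical names for the two policy maps.

```python
"""Added example (not from the thesis): the HTTP inspection regexes from
Tables 15 and 22 applied with Python's re to constructed requests, showing
which requests the policies reset or drop and where they misfire."""
import re

# Patterns copied from the tables. The download patterns end in " HTTP/1.[01]",
# so they are tested against the whole request line; the others are tested
# against a header value (inside firewall) or the URI (outside firewall).
RE_UNION = re.compile(r".*[Uu][Nn][Ii][Oo][Nn].*")
RE_SCRIPT = re.compile(r".*[Ss][Cc][Rr][Ii][Pp][Tt].*")
RE_CHAR = re.compile(r".*[Cc][Hh][Aa][Rr]\(.*\).*")
RE_INJECTION = {"UNION": RE_UNION, "SCRIPT": RE_SCRIPT, "CHAR": RE_CHAR}
RE_DOWNLOADS = {
    "VIRUS": re.compile(r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"),
    "IMAGE": re.compile(r".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"),
    "VIDEO": re.compile(r".*\.([Aa][Vv][Ii]|[Ff][Ll][Vv]|[Ww][Mm][Vv]) HTTP/1.[01]"),
    "MUSIC": re.compile(r".*\.([Mm][Pp]3|[Ww][Mm][Aa]|[Ww][Aa][Vv]) HTTP/1.[01]"),
    "COMPRESS": re.compile(r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"),
}
RE_RESTRICTED_URLS = [
    re.compile(r".*[Tt][Uu][Oo][Ii][Tt][Rr][Ee]\.[Vv][Nn]"),
    re.compile(r".*[Dd][Aa][Nn][Tt][Rr][Ii]\.[Cc][Oo][Mm]\.[Vv][Nn]"),
]


def inside_policy(method, uri, headers):
    """MY_HTTP_MAP on the inside firewall: returns (action, class, reason).
    Header names are expected in lower case."""
    request_line = f"{method} {uri} HTTP/1.1"
    # class RESTRICTED_HTTP -> reset log
    if len(uri) > 200:
        return ("reset", "RESTRICTED_HTTP", "uri length gt 200")
    host = headers.get("host", "")
    if any(rx.match(host) for rx in RE_RESTRICTED_URLS):
        return ("reset", "RESTRICTED_HTTP", "host in RESTRICTED_URLS")
    # class URI_BLOCK -> reset log
    referer = headers.get("referer", "")
    for name, rx in RE_INJECTION.items():
        if rx.match(referer):
            return ("reset", "URI_BLOCK", f"referer matches {name}")
    for name, rx in RE_DOWNLOADS.items():
        if rx.match(request_line):
            return ("reset", "URI_BLOCK", f"request matches {name}")
    return ("allow", None, None)


def outside_policy(uri):
    """MY_HTTP on the outside firewall: class HACKING -> drop-connection log."""
    for name, rx in RE_INJECTION.items():
        if rx.match(uri):
            return ("drop-connection", "HACKING", f"uri matches {name}")
    return ("allow", None, None)


if __name__ == "__main__":
    # A classic injection probe is dropped, but so is any URI containing the
    # substring "union", such as a page about a class reunion.
    print(outside_policy("/news.php?id=1 UNION SELECT 1,2"))
    print(outside_policy("/reunion/2010.html"))
    # An executable download is reset; a referer containing "description"
    # is also reset, because "description" contains "script".
    print(inside_policy("GET", "/tools/setup.exe", {"host": "files.example.com"}))
    print(inside_policy("GET", "/a.html", {"host": "www.example.com",
                                           "referer": "http://www.example.com/description.html"}))
```

Substring patterns such as UNION and SCRIPT will reset legitimate sessions whose URL or referer happens to contain those letters, so the "log" keyword on each class is what lets the operator see and tune these false positives.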




VPN connections

Site-to-Site VPN

Build an access list defining the interesting traffic, so that staff at the other branch can connect to the central Database Server and reach the DMZ. It also lets the Call Manager servers talk to each other, so that users at the different campuses can call one another.


access-list VPN extended permit tcp 172.16.0.0 255.255.0.0 host 10.1.0.2 eq 445
access-list VPN extended permit tcp host 10.0.0.4 host 10.1.0.4 eq 1720
access-list VPN extended permit tcp host 10.0.0.2 eq 445 172.17.0.0 255.255.0.0
access-list VPN extended permit tcp host 10.0.0.4 eq 1720 host 10.1.0.4
!
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip host 10.0.0.4 host 10.1.0.4
!
nat (inside) 0 access-list NONAT
!
crypto isakmp key 123456 address 192.168.2.3
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 84600
crypto ipsec transform-set TRANFORM esp-aes esp-sha-hmac
!
crypto map IPSEC 10 match address VPN
crypto map IPSEC 10 set peer 192.168.2.3
crypto map IPSEC 10 set transform-set TRANFORM
crypto map IPSEC interface outside
!
crypto isakmp enable outside

Table 23: Site-to-Site VPN policies on the Outside firewall



Easy VPN: lets staff reach the internal network while travelling, mainly for the following three services:

Connecting to the central Database Server.

Accessing web and mail in the DMZ.

Connecting to the Call Manager Server to make calls.

ip local pool EASY_VPN 12.0.0.1-12.0.0.254
!
access-list SPLIT standard permit 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 12.0.0.0 255.255.255.0
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 123456
 exit
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 84600
crypto ipsec transform-set TRANFORM esp-aes esp-sha-hmac
!
group-policy POLICY_EASY_VPN internal
group-policy POLICY_EASY_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 dns-server value 172.16.5.2 203.113.131.1
 vpn-idle-timeout 15
 default-domain value lotus.edu.vn
!
tunnel-group EASY_VPN type remote-access
tunnel-group EASY_VPN general-attributes
 authentication-server-group RADIUS LOCAL
 address-pool EASY_VPN
 default-group-policy POLICY_EASY_VPN
 exit
!
tunnel-group EASY_VPN ipsec-attributes
 pre-shared-key 123456
 exit
!
crypto dynamic-map DYN_MAP_EASY_VPN 20 set transform-set TRANFORM
crypto map IPSEC 60000 ipsec-isakmp dynamic DYN_MAP_EASY_VPN
crypto map IPSEC interface outside

Table 24: Easy VPN policies on the Outside firewall






Web VPN: lets staff reach the internal network while travelling, mainly for the following three services:

Connecting to the central Database Server.

Accessing web and mail in the DMZ (Port Forwarding).

webvpn
 enable outside
 tunnel-group-list enable
 onscreen-keyboard logon
 port-forward APPLICATIONS 23 193.1.1.2 23
!
http server enable
!
group-policy NHANVIEN internal
group-policy NHANVIEN attributes
 vpn-tunnel-protocol webvpn
 group-lock value NHANVIEN
 webvpn
  functions url-entry file-access file-entry file-browsing
  url-list value URLs
!
tunnel-group NHANVIEN type webvpn
tunnel-group NHANVIEN general-attributes
 authentication-server-group RADIUS LOCAL
tunnel-group NHANVIEN webvpn-attributes
 group-alias NVGroup enable
group-policy NHANVIEN attributes
 group-lock value NHANVIEN
!
group-policy ADMIN internal
group-policy ADMIN attributes
 group-lock value ADMIN
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward
  port-forward value APPLICATIONS
!
tunnel-group ADMIN type webvpn
tunnel-group ADMIN general-attributes
 authentication-server-group RADIUS LOCAL
tunnel-group ADMIN webvpn-attributes
 group-alias AdminGroup enable
group-policy ADMIN attributes
 group-lock value ADMIN

Table 25: Web VPN policies on the Outside firewall



5.3.2.5 Border router

Configure NAT (Network Address Translation) so that hosts inside the network (Inside) can reach the Internet (Outside).

Build the Access Control List (ACL) allowing inbound connections using ISAKMP and ESP to reach the outside firewall (Firewall Outside), and HTTP, HTTPS and SMTP to reach the Web Server and Mail Server.



5.3.3 Technologies used

HSRP (Hot Standby Redundancy Protocol): deployed on the two Layer 3 switches for load sharing and for redundancy should either switch fail. These two switches also act as DHCP servers, handing out dynamic IP addresses to the hosts in the system. With HSRP, some users therefore receive Switch 1 as their default gateway while others see Switch 2 as theirs, which spreads the network load across the two switches and increases the system's fault tolerance.

Failover (redundancy): configured on the two firewall pairs (Inside and Outside Firewall) to ensure continuous and correct operation while making full use of the performance of both pairs.

Load Balancing: deployed mainly on two devices:

Firewall Load Balancing: deploying failover on the firewalls is not enough; it has to be combined with load balancing so that inspection of the traffic in the system is shared. Only then is information kept secure while the firewalls remain available at all times.

ADSL load balancing (load balancing on the border router): two or more Internet connections can be balanced in several ways, depending on needs and budget, and of course there is a trade-off between the cost and the benefit it brings.

HSRP/MHSRP: the simplest and cheapest method, but not a perfect form of load balancing, because the load is only shared for connections initiated from inside to outside. In the other direction, inbound access is not load balanced. For this reason HSRP/MHSRP is only a partial solution, for when other solutions such as BGP or load balancing with a Vigor device cannot be deployed.

BGP: used on the Internet; its configuration is fairly complex and the ISP must support it before it can be deployed. Compared with HSRP/MHSRP, BGP is the more complete solution, but it demands CPU processing power and RAM on the router.

Besides these two, there are many other methods. According to many experts, however, hardware load balancing is the optimal solution compared with software load balancing.

Using a Vigor device: allows two or three Internet lines to be combined. Since this is a hardware solution, the investment is higher than for the two methods above, but given the benefit it brings it is well worth deploying.

This is therefore the solution we chose for the Hoa Sen University network model.

VoIP: provides a telephony system for users within the same campus or between branches, over a leased line or over a VPN (Virtual Private Network).



5.4 Additional technologies deployed

5.4.1 Failover

a. Introduction

A special feature that provides device redundancy, ensuring the system keeps operating well and continuously when a failure occurs. A pair of devices is used, one in the Active role and one in the Standby role, with two types of redundancy:

Hardware failover: provides fault tolerance for the hardware device, mainly by synchronizing the configuration between the two units. Consequently, if the Primary unit shuts down while connections are established, every connection is dropped and must be re-established through the secondary unit, which is undesirable when deploying a system.

Stateful failover: provides both hardware fault tolerance and connection preservation. Besides the configuration, the two units also synchronize the connection state table, the date and time, the MAC addresses (in transparent mode), and the SIP and VPN connections. Losing connections and having to re-establish them on the secondary unit is therefore rare.





b. Operation

Active/Standby: at any one time one of the two units is Active and the other is Standby. By default the Primary is Active; all traffic passes through the Active unit and is synchronized to the Standby. The Standby only monitors the Active unit, and if it sees that the Active unit is down it takes over as Active. Each unit has its own IP and MAC address. If a problem occurs on the Active unit, the Standby changes its own IP and MAC to those of the Active unit and sends frames out of its interfaces to update the switch's MAC table. The unit that just failed does not become Standby until it is repaired, and even once repaired it remains Standby rather than reclaiming the Active role. The drawback of this mode is that one unit sits idle.

Active/Active: to overcome the drawback of Active/Standby, Active/Active builds on Active/Standby combined with contexts (which allow virtual firewalls to be created). Each unit holds two contexts (CTX1A, CTX1B, CTX2A, CTX2B); each context on one unit pairs with a context on the other unit to form an Active/Standby pair. In the first pair CTX1A is Active and CTX2A is Standby; in the second pair CTX1B is Standby and CTX2B is Active. Combined with static routing, or with dynamic routing in transparent mode, load can then be balanced across the two units. In practice, however, using static routes for load balancing is not optimal, since most traffic only flows in one fixed direction. Note: multiple mode (which supports contexts) does not support dynamic routing.



c. Causes

There are many causes of a failover: loss of power, one or more failed interfaces, a faulty network card, software problems such as running out of memory, or direct action by the administrator with the failover active command on the Standby firewall. The failure detection times are shown below:

Figure 51: Failover failure-detection times








d. Monitoring

Failover monitors both the failover link and the data links. On the failover link, hello messages are generated every 15 s (by default); if three consecutive hellos get no reply from the peer, ARP packets are generated and sent out of all interfaces. If no reply arrives on any interface, failover takes place and the unit automatically switches to the Active state. If no reply arrives on the failover link but replies do arrive on the remaining interfaces, no switchover occurs; in that case failover concludes that the failover link itself is at fault.

On the data links, hello messages are likewise generated and sent out of all interfaces (up to 255), also every 15 s. If more than half the hold-down time passes without a reply, the unit runs tests to determine what is wrong with the interface. Before each test, the counter of packets received on the interface is cleared. The unit then checks whether any valid frame or packet has been received; if so, the interface is judged to be working normally, otherwise it waits for the next test. There are four tests:

Link up/down: disable and re-enable the interface to test it.

Network activity: monitor the frames received for 5 s.

ARP: generate two ARP queries for the two most recent entries in the ARP table and wait 5 s for a valid frame.

Broadcast ping test: generate a broadcast ping and wait 5 s for a valid reply.

The units are usually connected to Layer 2 switches, so to reduce the chance of false failures the interfaces must be in the same VLAN. Otherwise, monitoring on the interface must be disabled with the [no] monitor-interface logical_if_name command. Next, make sure that the STP algorithm does not affect or block these ports, and enable PortFast if Cisco products are used. Otherwise the switch will not use RSTP but the IEEE standard (802.1d), and STP must then recompute, which takes about 30 to 45 seconds, causing three hello packets to be missed and affecting failover.



5.4.2 HSRP (Hot Standby Redundancy Protocol)

a. Introduction

To keep the network available (High Availability) through failures, HSRP is one of the features that provide Network-layer redundancy for the hosts in the network, optimizing the provision of paths when a link is detected as down and providing a recovery mechanism after a failure. Like HSRP, Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP) provide similar functions: VRRP is a standard protocol supported by most routers, while GLBP is a Cisco standard improved from VRRP with load balancing added.

Figure 52: The HSRP protocol

HSRP is a Cisco standard, described in detail in RFC 2281. HSRP provides redundancy for workstations through the cooperation of several routers, which present a single virtual router to route traffic in and out of the system. Sharing an IP and MAC address, this virtual router takes the role of routing packets in the system. In reality the virtual router does not exist at all; it is represented as the common element of the physical routers configured with HSRP.

b. Operation

The virtual router's IP address is configured as the default gateway for the workstations in the network. When hosts send frames to the default gateway, they use ARP (Address Resolution Protocol) to resolve the default gateway IP to a MAC address. Frames sent to that MAC address are then handled by the Active Router or the Standby Router in the same virtual router group. The process is completely transparent to the end hosts, so HSRP routes traffic without depending on the availability of any single router.

Figure 53: HSRP operation

In the figure above Router A is Active and forwards all frames sent to the MAC address 0000.0c07.acXX, where XX is the standby group number. The virtual router's IP and its corresponding MAC address are kept in the ARP table of every router in the group.

Figure 54: ARP tables of the member routers in the group

The figure shows the ARP table of a member router of standby group 1 in VLAN 10. The virtual router's IP address is 172.16.10.110 with the corresponding MAC 0000.0c07.ac01 (01 is the group number, shown in hexadecimal).

The Standby Router in the group continually watches the state of the Active Router so that it can quickly take over packet forwarding if the Active Router fails. The Active and Standby routers send hello messages to the other routers in the group, addressed to multicast 224.0.0.2 over UDP port 1985, with the sending router's IP as the source address. The group may also contain other routers that are neither Active nor Standby; these monitor the hello messages sent by the Active and Standby routers to make sure both still exist. Moreover, these routers only forward packets addressed to their own IP address and do not forward packets sent to the virtual router.

When the Active Router fails, the other routers in the HSRP group stop receiving messages from it; the Standby Router assumes the Active role and takes control of the traffic, and the routers in the group elect a new Standby Router. The workstations' frame forwarding is unaffected, because the forwarding router still uses the same virtual IP and MAC as before.

Figure 55: Switchover when the Active Router fails

If both the Active and Standby routers fail, all routers in the group elect a new Active and Standby router. The new Active Router takes over forwarding packets to the hosts in the network.

Router roles in HSRP

HSRP defines standby groups, and the routers are assigned different roles within a group:

Virtual Router: in fact just a pair of IP and MAC addresses that all end devices use as their default gateway IP. The Active router handles all packets and frames sent to the virtual router's IP or MAC address.

Active Router: elected on the priority value (1-255, default 100) and then on the highest IP address; it is responsible for forwarding packets and also sends the virtual MAC address to the end devices.

Standby Router: backup in case the Active Router fails in any way, at which point the Standby Router takes the Active role and continues routing the traffic in the system.

Other routers: the other routers that do not take part in the standby group.

HSRP states: a router in a standby group can be in one of the following states:
























Figure 56: HSRP states

Initial: the starting state of all routers in the group. In this state HSRP is not running.

Learn: the router waits to receive HSRP packets in order to learn the virtual router's IP address and identify the Active and Standby routers in the group.

Listen: after receiving HSRP packets and learning the virtual router IP, the router moves to the listen state to determine whether an Active or Standby router already exists in the group. If so it stays in this state; otherwise it moves to the Speak state.

Speak: the routers actively take part in electing the Active and Standby routers based on hello packets.

Standby: the candidate for the next Active Router. The Standby Router periodically sends hello packets and listens for hello messages from the Active Router. An HSRP network has only one Standby Router.

Active: forwards packets, sends the group's virtual MAC address and answers ARP requests for the virtual IP. The Active Router also periodically sends hello messages. There is only one Active Router per standby group.






c. Some HSRP terms

Three kinds of timer are used in HSRP. If no hello packet is received from the Active Router within the Active timer, the router transitions to a new state.

Active timer: used to monitor the Active Router; it is restarted whenever any router in the group receives a hello packet from the Active Router.

Standby timer: used to monitor the Standby Router; it is restarted whenever any router in the group receives a hello packet from the Standby Router.

Hello timer: the hello packet interval. Every router in the standby group, whatever its HSRP state, generates a hello packet when the hello timer expires.

In addition, two values determine the maximum interval between hello packets:

Hello Interval Time: the time between two successive hello packets from a router. The default is 3 seconds.

Hold Interval Time: the time between two received hello packets after which the sending router is assumed to have failed. The default is 10 seconds.



d. Multiple HSRP (MHSRP)

From Cisco IOS Release 12.2(18)SE onward, Multiple HSRP (MHSRP), an extension of HSRP, is supported; it allows load balancing across two or more HSRP groups between the workstations and the servers in the system.

Figure 57: Multiple HSRP

In the figure above, both Router A and Router B belong to two standby groups. In group 1, Router A is the Active Router by default because it has the highest priority, and Router B is the Standby Router. Conversely, in group 2 Router B is the Active Router by default because it has the highest priority there, and Router A is the Standby Router. During normal operation, Routers A and B share the network load between them. If both routers go down, the other routers in the groups elect new Active and Standby routers so that the network keeps running and the traffic flows remain balanced.



5.4.3 Firewall Load Balancing

In today's network environment, where security is vital, keeping the firewall highly available (High Availability) is very important. Besides configuring Firewall Failover for continuous and correct operation, sharing the inspected traffic across firewalls is also essential. From ASA 7.0 and FWSM 3.1, Cisco introduced the concept of contexts and supports multiple contexts on failover pairs to share the load of inspecting the traffic in and out of the system. However, this requires manual configuration, and the participating firewalls must be identical in model, version and other specifications.

a. Overview

A firewall system can be deployed in several ways. The table below compares cost, security features and redundancy for a single firewall, a firewall pair, and a group of firewalls configured with Firewall Load Balancing (FWLB).

Feature: Cost
  Single Firewall: Low; only one firewall is built.
  Firewall Failover: Medium; two firewalls are needed.
  FWLB: High; at least two firewalls plus a load-balancing device.

Feature: Point of failure (Firewall Point of Failover)
  Single Firewall: One; the firewall itself.
  Firewall Failover: None; two physically separate firewalls.
  FWLB: None; all firewalls are grouped.

Feature: Performance
  Single Firewall: Limited to that of a single firewall.
  Firewall Failover: Limited to that of a single firewall; only one primary firewall handles the traffic at any given time.
  FWLB: Proportional to the number of firewalls; in theory every firewall is used to full capacity as load balancing scales.

Feature: Load balancing
  Single Firewall: None.
  Firewall Failover: None; the primary (active) firewall handles every connection.
  FWLB: Connection inspection is assigned to the firewalls by a hashing algorithm; all firewalls handle inbound and outbound traffic at the same time.

Feature: Response to a failure
  Single Firewall: No traffic is forwarded or inspected.
  Firewall Failover: All traffic is pushed to the standby firewall.
  FWLB: New connections are assigned to the other firewalls.

Feature: Additional hardware required
  Single Firewall: None.
  Firewall Failover: None.
  FWLB: An FWLB device must be installed on each side of the firewall group. With the Catalyst 6500 Content Switching Module (CSM), the CSM operates on both sides of the firewall group.

Table 26: Comparison of firewall features across the different systems

To distribute connections among the group members, FWLB requires a load-balancing function on each side of the firewall group. This ensures that connections are distributed across the firewalls and that the inbound and outbound traffic of a connection always goes through the same firewall.







Figure 58: Firewall Load Balancing (FWLB)

b. Some firewall load-balancing methods

One of the following, or a combination of them, is used:

Software: includes the following features:

Cisco IOS software on the Catalyst 6500 switches for IOS Firewall Load Balancing (IOS FWLB), a component of Server Load Balancing (IOS SLB).

The firewalls are configured as a firewall farm.

When traffic is routed through the firewall farm, connections are distributed to each firewall in the farm. The process is transparent to the user.

Hardware: load-balancing devices distribute the traffic to the members of the firewall farm. Connections through the firewalls are load balanced by hardware devices with the following attributes:

Cisco Catalyst 6500 Content Switching Module (CSM) for firewall load balancing as a component of Accelerated Server Load Balancing (ASLB).

The firewalls are configured as an ordinary server farm.

When traffic is received on the inside VLAN, the CSM distributes the connections to the member firewalls.

Dedicated devices

External content-switching appliances sit on each side of the firewall group. Connections are distributed to the members of the farm based on:

Cisco Content Services Switch (CSS) used for load balancing.

The firewalls are configured individually; the CSS treats them as a list of usable firewalls rather than as a firewall farm.

The CSS distributes the flows to the firewalls along defined routes and by a hash algorithm on the IP addresses.



5.4.4 802.1x authentication

a. Introduction

IEEE 802.1x was developed by the IEEE as one of the IEEE 802.1 network protocols to provide user authentication in wireless networks. It was later also used in Ethernet networks as an access control mechanism on physical ports.

The 802.1x standard is built on a client-server authentication model that restricts which users may join the LAN, using a port-based method. 802.1x also provides the infrastructure for authenticating and controlling user traffic in a protected network, as well as for dynamically distributing different encryption keys.

b. Architecture

Supplicant System (or Client): a workstation or device that needs to be authenticated and authorized to join the network. Authentication is triggered when the user runs a program that provides 802.1x authentication; such applications usually require support for EAPoL (Extensible Authentication Protocol over LAN).

Figure 59: 802.1x architecture



Authenticator System (usually a network device supporting 802.1x authentication, such as a switch): provides the ports (physical and logical) through which hosts access the network. It also relays the authentication information between the client and the server.

Authentication Server System: provides the authentication service for the Authenticator System, usually a RADIUS server or AAA server. It also stores user information such as username, password and VLAN membership, which is compared with the information the user sends to verify whether the user is legitimate.

The Authenticator and Authentication Server can be integrated in one device. However, to avoid users interacting directly with the server and harming it, the Authentication Server and Authenticator System are usually connected through a switch and remain transparent to the user.



c. Hot ng: Quy tr nh xc thc (authent icate) v y quy n (authorize) theo
chun 802.1x din r a nh sau:



Hnh 60 Hot ng xc thc ngi dng theo chun 802.1x



Initialization: when a new supplicant is detected, the switch (authenticator) port is enabled in the unauthorized state. In this state only 802.1X traffic is allowed; all other traffic, such as DHCP and HTTP, is dropped.

Initiation: to begin authentication, the authenticator periodically sends EAP-Request/Identity frames to a special layer-2 address on the local segment. The supplicant listens on this address and, on receiving an EAP-Request/Identity frame, replies with an EAP-Response/Identity frame containing the supplicant's authentication information, such as login name (User ID) and password. The Authenticator then encapsulates this information in a RADIUS Access-Request packet and forwards it to the Authentication Server. The supplicant can also start or restart authentication by sending an EAPOL-Start frame to the Authenticator, which is then answered with an EAP-Request/Identity frame.




Negotiation (or EAP negotiation): the Authentication Server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the Authenticator that specifies the EAP Method (the type of EAP-based authentication the Supplicant is expected to perform). The Authenticator encapsulates the EAP Request in an EAPOL frame and forwards it to the Supplicant. At this point the Supplicant can NAK the requested EAP Method and reply with the EAP Methods it is willing to perform, or begin the requested EAP Method.

Authentication: if both the Authentication Server and the Supplicant agree on the EAP Method parameters, the Supplicant and the Authentication Server (through the Authenticator) exchange EAP Request and Response messages in turn until the Authentication Server answers with one of two messages: EAP-Success (encapsulated in a RADIUS Access packet) or EAP-Failure (encapsulated in a RADIUS Access-Reject packet). If authentication succeeds, the Authenticator sets the port state to "authorized" and allows all traffic to be forwarded; if it fails, the port remains in the "unauthorized" state. When the Supplicant leaves the system, it sends an EAPOL-Logoff message to the Authenticator, which sets the port state back to "unauthorized", blocking all traffic except EAP traffic.



Figure 61: Exchange between Supplicant, Authenticator and Authentication Server



In general, message exchange between the Supplicant and the Authentication Server is carried out through an EAP Method over a point-to-point connection and depends on the type of EAP Method, while the Authenticator and the Supplicant exchange messages through the EAPOL (EAP over LAN) authentication protocol. Furthermore, before authentication succeeds only a few basic protocols, such as STP, CDP and EAPOL, are exchanged between the Supplicant and the Authenticator. Only after authentication are other data frames exchanged normally.
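The authenticator side of the exchange described above, as an added example that is not part of the thesis: a simplified switch-port state machine with a mock RADIUS server (the class names, the MD5 method choice and the user table are assumptions) showing that only 802.1X frames pass while the port is unauthorized, how EAP replies are relayed, and how EAP-Success, EAP-Failure and EAPOL-Logoff open and close the port.

```python
from dataclasses import dataclass, field

# Frames an unauthorized port still accepts (802.1X control traffic only)
EAPOL_FRAMES = {"EAPOL-Start", "EAP-Response/Identity", "EAP-Response", "EAPOL-Logoff"}


class MockAuthServer:
    """Stands in for the RADIUS/AAA server; users is a constructed user->password map."""
    def __init__(self, users):
        self.users = users

    def access_request(self, identity):
        # Access-Challenge names the EAP Method the supplicant is asked to perform
        return ("Access-Challenge", "MD5") if identity in self.users else ("Access-Reject", None)

    def access_response(self, identity, secret):
        ok = identity in self.users and self.users[identity] == secret
        return "Access-Accept" if ok else "Access-Reject"


@dataclass
class AuthenticatorPort:
    """One switch port: starts unauthorized, relays EAP <-> RADIUS, opens on success."""
    server: MockAuthServer
    state: str = "unauthorized"
    identity: str = ""
    sent: list = field(default_factory=list)   # frames sent back to the supplicant

    def forwards(self, frame):
        # Unauthorized port passes only 802.1X traffic; DHCP, HTTP, etc. are dropped
        return self.state == "authorized" or frame in EAPOL_FRAMES

    def receive(self, frame, payload=None):
        """Process one frame from the supplicant; returns 'dropped' or the port state."""
        if not self.forwards(frame):
            return "dropped"
        if frame == "EAPOL-Start":                  # supplicant-initiated start/restart
            self.sent.append("EAP-Request/Identity")
        elif frame == "EAP-Response/Identity":      # relayed as RADIUS Access-Request
            self.identity = payload
            _, method = self.server.access_request(payload)
            self.sent.append(f"EAP-Request/{method}" if method else "EAP-Failure")
        elif frame == "EAP-Response":               # method exchange, relayed to server
            if self.server.access_response(self.identity, payload) == "Access-Accept":
                self.state = "authorized"           # port now forwards all traffic
                self.sent.append("EAP-Success")
            else:
                self.sent.append("EAP-Failure")     # port stays unauthorized
        elif frame == "EAPOL-Logoff":               # supplicant leaves: close the port
            self.state = "unauthorized"
        return self.state
```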



d. Advantages and disadvantages of 802.1x

Advantages

Ensures confidentiality: most information exchanged in the network is encrypted, with an initial password; spoofing is prevented by mutual authentication between Client and Server, applying encryption methods such as SSH (Secure Shell), SSL (Secure Sockets Layer) or IPSec.




Ensures integrity: uses checks such as Checksum or Cyclic Redundancy Checks (CRCs) to verify data integrity, and additionally uses the MD5 and RC4 algorithms to protect that integrity.





Ensures availability: keeps up with developments in equipment as well as the latest emerging issues, so that the system is ready without obstacles and remains compatible with existing devices.

Authentication mechanism: by combining dynamic authentication with centralized key management, 802.1x overcomes most of the problems of other protocols. EAP, defined in RFC 2284 for point-to-point (PPP) connections, sets out the characteristics of the authentication method, including the form of user identification such as password or certificate, the protocol used (MD5, TLS, GMS, OTP), and support for automatic key generation and mutual authentication.

Because 802.1x is based on port-based access control, in addition to the common security methods it also provides some advanced ones, such as filtering. Besides the SSID and MAC filtering found in other standards, 802.1x also supports protocol filtering. The wireless LAN filters packets crossing the network based on layer 2 through layer 7 protocols. In many cases vendors build protocol filters that can be configured independently for both the wired and the wireless segments of the Access Point (AP).




Disadvantages

Although the study above shows 802.1x to be a fairly secure standard, it still has limitations:

It cannot defend against Denial of Service (DoS) attacks.

Some features have special hardware requirements, so security methods must be combined with one another, together with sensible security policies.

For the issues above, 802.1x itself offers some remedial measures:

Secure the physical devices, assign privileges sensibly, and always enable the most appropriate features, since almost every feature can be enabled or disabled.

Use spectrum-scanning devices to locate eavesdropping devices, and use appropriate transmit power so that the radio signal does not leak beyond the required range.

Integrate a VPN to secure WLAN connections. When a VPN Server is integrated into the Access Point (AP), users run VPN Client software and protocols such as PPTP or IPSec form a tunnel directly to the Access Point (AP). The user first connects to the access point and then dials the VPN connection. All traffic passes through the tunnel and can be encrypted for an additional layer of security.






5.4.5 VOIP (Voice Over IP) telephony system

a. Introduction





Today a voice system is an essential requirement for any business or organization. Depending on its needs, a business can deploy a traditional telephony system or Voice Over IP (VOIP). Many voice solutions are therefore available, such as the 3CX PBX, Asterisk or Cisco's CVOICE. As one of the major vendors, Cisco provides many solutions and devices for communication networks, in particular AVVID (Architecture for Voice, Video and Integrated Data), which integrates voice and video on the same data network and consists of three basic components: infrastructure, end devices (Clients) and applications. Cisco also offers a complete, coordinated solution across the components of routing, security and switching.

Regarding transmission, VOIP uses the ordinary IP network infrastructure consisting of LAN, WAN and PSTN connections. On the LAN, since it runs over IP, VOIP can share the existing infrastructure without new investment. For WAN connections, a leased line or a VPN can connect two or more sites. Each solution has its advantages and drawbacks, however: a leased line guarantees call quality but is expensive, while a VPN makes call quality hard to guarantee. The appropriate choice therefore depends on needs and scale.



Figure 62: A simple VOIP model



As for equipment, the following devices are indispensable in a Cisco VOIP system:

Call Manager: an integrated hardware and software system prebuilt by Cisco that acts as a server in the network. An ordinary server from another vendor (on Cisco's supported list) can also be used to install Call Manager.

CCM Server: handles call routing and manages IP phones.

IP Phone: the end device, which converts audio into a digital signal and packetizes it, and the reverse. Cisco also offers Soft Phone software that works like an IP Phone.

Voice gateway (or Voice-enabled Router): converts IP voice into analog for the PSTN. Currently a 2800 or 3800 Router with an FXO voice card or an E1/T1 PRI card is used.

Moreover, the gateway also performs QoS (Quality of Service) to ensure voice quality.



b. Deployment solution: consists of two options:

Using a Call Manager server for a system with more than 96 clients

In this solution each site uses its own Call Manager Server. Each server is responsible for handling calls at its branch. When needed, a user at one branch can call a user at the other branch over the WAN or the PSTN, depending on configuration. It includes the following equipment:

Two independent Voice Gateways connected to the PSTN.

Depending on needs, an E1 PRI card (30 simultaneous voice channels) or n FXO lines (n simultaneous voice channels) can be used. The business then subscribes to the corresponding service from the telephone company.

In addition we lease a WAN line connecting the two branches that carries both voice and data. Each call needs at least 30 Kb/s, so a minimum bandwidth of about 128 Kb/s is recommended.

IP phones can be hardware or software.

Advantages

High scalability; each server can handle 1000 phones.

Upgrading and offering services for IP Phones is easier, e.g. Conference, IP Contact Center, Voice mail.

Disadvantage: high cost.

Using a Call Manager server for a system where each branch has fewer than 96 clients

In this solution no CCM Server is used at the two branches; call processing and IP Phone management are performed by the Voice Gateway. All other parameters remain unchanged.

Advantage: low cost.

Disadvantages:

Hard to scale and to integrate new services.

Fewer features.





CONCLUSION

In an age of ever-advancing science, data security in network systems plays an increasingly important role and is an investment that most organizations and businesses cannot do without. This report covers the common firewall technologies at the Network, Transport and Application layers, studies the deployment of VPN and IPS/IDS systems, and applies these technologies to the network diagram of Hoa Sen University.

Guaranteeing that information is completely secure in transit is impossible, because no solution in information security is perfect, especially in a period of rapidly developing technology such as today. Attack methods grow ever more sophisticated, and new tools for intrusion and data theft are ever more numerous and harder to defend against. Here our group presents only one of many answers to the problem of securing the Hoa Sen University network; there are many other ways to deploy it, depending on each person's knowledge and experience. Although this is not a perfect solution in every respect, it both meets user needs and makes the most of system resources. Designing and building VPN and IDS/IPS systems is also indispensable for organizations and businesses and contributes to strengthening network security.

Given the rapid pace of technological progress, regularly adopting new technologies to prevent unauthorized intrusions keeps the network protected. In addition, security policies must be continually refined to maintain network security over the long term.

With more time and budget for real network equipment, we hope to study and apply further new security technologies, since security is always a top concern for companies at home and abroad.





