MINISTRY OF EDUCATION AND TRAINING
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY AND EDUCATION
MASTER'S THESIS
HUYNH VAN HOAI THANH
MAJOR: ELECTRONIC ENGINEERING - 60 52 70
Scientific supervisor:
Dr. PHAN VAN CA
Acknowledgements
First of all, I would like to express my deepest gratitude to Dr. Phan Van Ca, who devotedly guided me throughout this thesis. I sincerely thank the teachers who taught me during the course; the knowledge we received in the graduate lecture halls will be the foundation that helps us stand firm in the future. My sincere thanks also go to all my friends and the Electronic Engineering class 12B, who were always at my side during the course. Completed in a limited time, this thesis certainly still has many shortcomings. I thank the teachers and friends who offer sincere comments on its content, so that I can continue to study the subject in depth and apply it in my practical work.
Declaration
I declare that this thesis is my own research work, that it does not duplicate any other research work, and that it has never been published in any journal.
Summary
The growth of the Internet and e-commerce, together with the opportunities they bring, has increased the need for secure communication between company networks, individual users and the outside world. As communication and commerce over the Internet increase, the security risks to company networks also increase. Security has become an important factor in determining an organization's accessibility to the Internet. The goal of network security is to provide confidentiality, integrity and authentication. Among today's network security solutions, the virtual private network (VPN) has its own advantages and has attracted the interest of many users. But most VPN solutions in Vietnam come from abroad. Because of the specific nature of network security solutions, we must develop our own security solution. This thesis introduces a method for building an open-source virtual private network step by step using OpenVPN. OpenVPN is an open-source application used to deploy VPN technology, and adding authentication layers to OpenVPN is easy. After testing, this method can be configured into a number of products
Abstract
The growth of the Internet and e-commerce, together with the opportunities they bring, has increased the need for secure communication between company networks, individual users, and the outside world. As communication and commerce through the Internet increase, security risks for company networks also increase. Security issues have now become a crucial factor in determining an organization's accessibility to the Internet. The goal of network security is to provide confidentiality, integrity and authenticity. Among the current network security solutions, VPN, with its own unique advantages, has attracted the interest of many users. But most of the VPN solutions used in Vietnam come from abroad. Due to the special nature of network security solutions, we must develop our own security solutions. A Virtual Private Network (VPN) is a network technology that creates a secure network connection over a public network such as the Internet. Large corporations, educational institutions, and government agencies use VPN technology to enable remote users to securely connect to a private network. This thesis introduces a method to build open source Virtual Private Networks by using OpenVPN. OpenVPN is an open source software application that implements VPN techniques, and additional layers of authentication (e.g. PKI/AD/LDAP) can easily be added to it. After testing, this method could configure some high quality VPN products, which can achieve security and confidentiality of network data transmission, meet the needs of most users, help to save investment costs and gradually master the technology.
Thesis Supervisor: VAN-CA PHAN, PhD
Title: Lecturer
Table of Contents
1 OVERVIEW
  1.1 Urgency of the topic
    1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5
  1.2 Research purpose
  1.3
    1.3.1 Domestic
    1.3.2 Abroad
  1.4
  1.5 Research scope
  1.6 Research tasks
  1.7
  1.8 New contributions of the thesis
  1.9 Structure of the thesis
2 THEORETICAL BASIS
  2.1
    2.1.1 Passive intrusion
    2.1.2 Active intrusion
  2.2 Cryptographic technology
    2.2.1 Symmetric cryptography
    2.2.2 Asymmetric cryptography
    2.2.3 Hash functions
  2.3
  2.4 Authentication
  2.5
    2.5.1 CA (Certificate Authority)
    2.5.2
  2.6
    2.6.1 IPSEC VPN
    2.6.2
  2.7
3 SOLUTION
  3.1 Problem statement
  3.2 Solution requirements
  3.3
    3.3.1
    3.3.2 CA digital signature creation process (1)
    3.3.3
    3.3.4
  3.4
  3.5
  3.6
    3.6.1, 3.6.2, 3.6.3
  3.7
4 SYSTEM TESTING
  4.1
    4.1.1, 4.1.2, 4.1.3
  4.2
  4.3
    4.3.1 IP address configuration
    4.3.2
  4.4
5 CONCLUSION
  5.1 Results achieved
  5.2
  5.3 Proposals
  5.4 Conclusion

List of Figures
  1.9 OpenVPN model
  2.4 Digital signature
  2.6 HMAC
  2.7 X.509 digital certificate
  3.5 Process of creating and verifying the CA's digital signature
  4.1 Building the CA
  4.2 Generating Diffie-Hellman keys
  4.7 Test system diagram
  4.8 Test results

List of Tables
  4.1
  4.2
Chapter 1
OVERVIEW
1.1 Urgency of the topic
1.1.1 Security is an essential requirement for organizations and businesses
1.1.2
1.1.3
1.1.4
1.1.5
1.2 Research purpose
To study a solution for building a virtual private network step by step, based on the community's freely available open-source OpenVPN technology, in order to secure data transmitted over the network.
1.3
1.3.1 Domestic
(1) Agencies, businesses, schools and others in Vietnam have been researching, applying and developing solutions that secure data in transit with VPN technology to support their work: VNPT Telecom, FPT and the banks Sacombank and Vietinbank use Cisco VPN solutions; Bao Viet Insurance uses Juniper's VPN solution; and a number of provinces and cities such as Hanoi, Da Nang, Ho Chi Minh City, Can Tho, Dong Nai, Phu Yen and Long An... in particular the system
1.3.2 Abroad
er of privacy shared
technology of VPN.
mplement a new type
L protocol is widely
o used by Outlook
er traditional VPN
features of simple
low-cost, network
1.4
1.5 Research scope
1.6 Research tasks
... over the network.
Study cryptographic technology and the security technologies used in VPNs.
Study a solution for securing data in transit using network technology
VPN Firewall), comprising VPN and firewall solutions, which can also integrate other extended security solutions such as IDS/IPS (Intrusion Detection/Prevention System).
Propose a data transmission network model for the provincial Police on the basis of
1.7
1.8 New contributions of the thesis
1.9 Structure of the thesis
Chapter 2
THEORETICAL BASIS
2.1
2.1.1 Passive intrusion
2.1.2 Active intrusion
2.2 Cryptographic technology
2.2.1 Symmetric cryptography
... figure 2.2(a). Because symmetric-key algorithms are built from simple operations, they are quite fast, are commonly used for encryption services, and are easy to accelerate in hardware. In a VPN, symmetric cryptography provides the confidentiality of information. Symmetric algorithms commonly used in VPN solutions include DES (Data Encryption Standard), 3DES (Triple DES), AES (Advanced Encryption Standard) and RC4 (Rivest Cipher or Ron's Code).
However, symmetric encryption systems raise two main problems. First, if an intruder learns the secret key, all encrypted information is compromised; the key must therefore be changed periodically. Second, when there are many connections, key management becomes a complex task. In addition, the initial phase of establishing key pairs, distributing them and rotating keys periodically is expensive and time-consuming. Asymmetric encryption systems solve both of these problems.
2.2.2 Asymmetric cryptography
... the sender and receiver to identify each other correctly as two genuine entities, we must authenticate. We use asymmetric cryptography (asymmetric encryption), also called public-key cryptography, to solve this problem. Asymmetric encryption is designed so that the keys used for encryption and decryption are different: the private key is used for decryption and the public key for encryption. Public-key encryption relies mainly on mathematical functions, so it suits software implementation but has a low encryption speed, figure 2.2(b).
Typical key lengths for asymmetric algorithms lie in the range of 512-2048 bits. The key length of an asymmetric algorithm cannot be compared directly with that of a symmetric algorithm, because the two kinds of algorithm differ fundamentally in design. In VPN solutions, the two best-known asymmetric algorithms are DH (Diffie-Hellman) and RSA (Rivest Shamir Adleman).
Public-key cryptography is only advantageous when there is a mechanism to distribute public keys securely and efficiently to the entities in the system. Chng
... to the key distribution problem is to use the Diffie-Hellman key exchange algorithm, which lets the parties agree on a key without actually revealing it on the network. However, Diffie-Hellman does not guarantee the identity of the party you are exchanging keys with. Some kind of authentication mechanism is needed to ensure that you do not inadvertently exchange keys with an attacker.
The Diffie-Hellman key exchange algorithm is based on public-key technology and can be used so that both endpoints arrive at the same symmetric key, which is then used to encrypt and decrypt data. The DH algorithm works as follows:
The sender uses the public key of the receiver. This key is available to all connecting parties.
The sender then performs a computation involving the sender's private key and
... performs a similar computation involving its own private key and the sender's public key.
The basic assumption of this algorithm is that if someone intercepts and reads the ciphertext, they cannot recover the original information because they do not have the receiver's private key.
Data exchange based on the DH algorithm is considered secure because it is unlikely that the data can be read or altered in transit. In addition, since no secret key is exchanged during the VPN session, the chance that an intruder learns the secret key of any entity in the connection is very low. Furthermore, key management does not take as much time as with symmetric encryption, even when many connections are created.
Although the DH algorithm provides better security than symmetric encryption, one problem remains: ensuring that the public keys are exchanged before data transmission begins. For example, if two communicating endpoints exchange public keys over an insecure medium such as the Internet, an intruder can easily alter the requests for the public keys and send its own public key to both endpoints. In that case the intruder can easily attack the connection, because the two endpoints exchange data using the intruder's public key. This kind of intrusion is a man-in-the-middle attack.
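As an added illustration of the two points above (the exchange yields one shared key, but the public values need authentication), here is a small Python model that is not code from the thesis: the group parameters are a toy 127-bit prime chosen for readability, and the pre-shared key used to tag the public values is constructed for the example.

```python
"""Diffie-Hellman agreement and why the public values must be authenticated.

Added example, not code from the thesis.  P is a toy prime (2^127-1, a
Mersenne prime) so the arithmetic is real but the size is far below the
2048-bit groups generated by `openssl dhparam` for a real VPN.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (constructed for illustration)
G = 3            # toy generator; real deployments use vetted (p, g) pairs


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_secret(own_private, peer_public):
    """Both sides compute g^(xy) mod p and hash it into a symmetric key."""
    s = pow(peer_public, own_private, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def authenticate_public(public_value, psk):
    """Tag a DH public value with an HMAC under a pre-shared key, the same
    idea as OpenVPN's tls-auth option (an HMAC on control-channel packets)."""
    return hmac.new(psk, public_value.to_bytes(16, "big"), hashlib.sha256).digest()


def verify_public(public_value, tag, psk):
    return hmac.compare_digest(authenticate_public(public_value, psk), tag)


def honest_exchange():
    """Two honest parties end up with the same key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared_secret(a_priv, b_pub) == dh_shared_secret(b_priv, a_pub)


def substituted_value_detected(psk=b"constructed-pre-shared-key"):
    """Model the man-in-the-middle case: A's public value is replaced on the
    wire by an intermediary's own value.  Without a tag B cannot notice;
    with the tag, B rejects the substituted value and accepts the real one."""
    a_priv, a_pub = dh_keypair()
    tag = authenticate_public(a_pub, psk)
    m_priv, m_pub = dh_keypair()          # intermediary's own key pair
    # B receives (m_pub, tag); the tag was computed over a_pub, so it fails.
    return (not verify_public(m_pub, tag, psk)) and verify_public(a_pub, tag, psk)
```

In OpenVPN the public values are normally authenticated by the certificate signature inside the TLS handshake rather than by a pre-shared key; the HMAC here stands in for that step.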
The RSA algorithm
In VPNs, RSA is mainly used for authentication, non-repudiation (RSA digital signatures) and key exchange. A digital signature, also called an electronic signature, can be thought of as the counterpart of a handwritten signature. Digital signatures are used in electronic transactions; they are information that accompanies data in order to confirm the owner of that data, and they are tied to the file containing the digital certificate. Asymmetric encryption is used to create the digital signature, figure 2.4.
Figure 2.4: Digital signature
A digital signature provides three security properties in communication: authentication, integrity
... is converted.
Step 2: The sender uses a hash function to reduce the size of the original message.
... to create a unique electronic signature.
Step 4: The message and the electronic signature are combined and sent to the receiver.
Step 5: When the receiver has the encrypted message, the receiver recreates the message
... the sender.
Step 7: The receiver then compares the recreated message (step 5) with the file
2.2.3 Hash functions
2.3
... a party taking part in communication can have its identity checked in some manner. The identity of a subject (a person) can be checked through something the subject knows (a password); something the subject has (a passport, identity card, smart card, digital certificate...); a physical characteristic of the subject (fingerprint, retina, voice...); or the result of a spontaneous action by the subject (a signature).
2.4 Authentication
2.5
2.5.1 CA (Certificate Authority)
2.5.2
... the CA's private key. To prove that an entity really is the one we want to communicate with, we only need to prove that it has been approved by the CA. To prove that the CA is trusted for that entity, we need the CA's public key. When we receive a digital certificate (carrying a digital signature created with the CA's private key), we use the CA's public key to decrypt the signature and confirm that the certificate is valid. If 100 hosts are certified by the CA, we can authenticate each of them by checking the CA's signature on its digital certificate with the CA's public key, and we only need to keep a single CA public key on the system.
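The signing steps of 2.2.2 and the CA check just described (one CA public key verifies every host's certificate), as an added Python model that is not the thesis's code: toy RSA keys built from known Mersenne primes, a JSON record standing in for the X.509 certificate, and constructed subject names and messages.

```python
"""Digital signature (hash, sign with private key, verify with public key)
and CA-based certificate verification.  Added example, not thesis code.

Toy RSA: the moduli are products of Mersenne primes (2^61-1, 2^89-1,
2^107-1, 2^127-1), so the arithmetic is honest but the keys are far too
small for real use, and the digest is truncated to 128 bits to fit the
modulus.  Real certificates use 2048-bit keys and PKCS#1 padding.
"""
import hashlib
import json

E = 65537   # standard public exponent; coprime to phi for the primes used here


def rsa_keypair(p=2**61 - 1, q=2**89 - 1, e=E):
    """Return (public, private) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)      # modular inverse of e
    return (n, e), (n, d)


def digest_int(data: bytes) -> int:
    """Step 2: hash the message; truncated to 128 bits for the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data: bytes, private) -> int:
    """Step 3: the signer applies its private key to the digest."""
    n, d = private
    return pow(digest_int(data), d, n)


def verify(data: bytes, signature: int, public) -> bool:
    """Steps 5-7: recreate the digest and compare it with the 'decrypted' signature."""
    n, e = public
    return pow(signature, e, n) == digest_int(data)


def issue_certificate(subject: str, subject_public, ca_private) -> dict:
    """A minimal 'certificate': subject name + public key, signed by the CA."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    body["ca_signature"] = sign(json.dumps(body, sort_keys=True).encode(), ca_private)
    return body


def verify_certificate(cert: dict, ca_public) -> bool:
    """Anyone holding only the CA public key can check any certificate it issued."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    return verify(json.dumps(body, sort_keys=True).encode(), cert["ca_signature"], ca_public)


def demo():
    """Issue a server certificate, then verify the chain and a signed message.
    Returns (chain_ok, forged_cert_accepted, tampered_message_accepted)."""
    ca_pub, ca_priv = rsa_keypair()
    srv_pub, srv_priv = rsa_keypair(p=2**107 - 1, q=2**127 - 1)   # second toy pair
    cert = issue_certificate("vpn-server.example (constructed)", srv_pub, ca_priv)
    msg = b"handshake data (constructed)"
    sig = sign(msg, srv_priv)
    chain_ok = verify_certificate(cert, ca_pub) and verify(msg, sig, (cert["n"], cert["e"]))
    forged = verify_certificate({**cert, "subject": "someone-else"}, ca_pub)
    tampered = verify(msg + b"x", sig, srv_pub)
    return chain_ok, forged, tampered
```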
X.509 digital certificates. The X.509 public-key certificate was defined by the International Telecommunication
... that must be present in the certificate. The second part contains a number of additional fields, called extension fields, which are used to identify and meet the system's additional requirements, specifically:
Version: specifies the version of the X.509 certificate.
Serial Number: the serial number assigned by the CA. Each CA should assign a
... of the public key. A CA cannot issue two certificates with the same Subject Name.
Public key: identifies the public-key algorithm (such as RSA) and contains the key
2.6
A VPN (Virtual Private Network) is a private virtual network over a public network (which may be the Internet, an IP infrastructure, a Frame Relay (FR) network or ATM). It uses cryptographic technology to ensure the confidentiality, authentication and integrity of data in transit, securing point-to-point connections between two or more points on an insecure network. These connections are established by creating a tunnel between the two connected nodes and then encrypting the data sent through the tunnel. This tunnelling technology allows data to travel safely between endpoints on the network [30-32].
A VPN is an extension of an internal network. It lets remote users, company branches, business partners and suppliers establish secure, reliable connections to a company's internal network and ensures that data is transmitted safely. A VPN is a logical solution for securing remote access: endpoints connect to each other over the Internet as if they were on a LAN, without renting expensive dedicated leased lines.
One of the main elements of a VPN is encryption. To protect sensitive data crossing a public network, we must create a virtual private tunnel by encrypting packets or frames before transmission.
A VPN works by creating a virtual tunnel across the public Internet.
2.6.1
IPSEC VPN
IKE: negotiates the security parameters and establishes the authentication keys. It runs over UDP port 500; IPsec packets appear as ESP packets. When the VPN connection needs
2.6.2
Open-source SSL VPN is a VPN technology that uses the SSL (Secure Sockets Layer) security protocol to ensure data confidentiality, message integrity and authentication of the communicating entities; it is a VPN solution that uses SSL to secure data in transit. SSL is a cryptographic protocol designed by Netscape to protect data transmitted between two devices over a public network. The goal of SSL is to establish a secure communication channel between client and server, and its security is provided by cryptographic technology; see [30, 33-36].
SSL provides confidentiality, authentication and data integrity by means of cryptography. SSL includes a range of key-exchange algorithms (RSA, DH, ...), ciphers (RC4, 3DES, ...) and hash functions (MD5, SHA, ...). As shown in figure 2.9, SSL sits between the application layer and the transport layer of the TCP/IP reference model. It is a layered protocol comprising the Handshake protocol (which establishes and maintains secure communication by exchanging keys and cipher algorithms), the Change Cipher Spec protocol (a single-byte message used to confirm the cipher algorithms now in effect) and the Alert protocol (error warnings carried in alert messages); the Record protocol provides encryption, authentication and integrity services (it encapsulates application-layer data by fragmenting, compressing, adding a MAC and encrypting).
... each other and negotiate the MAC (authentication) and encryption algorithms to use. This procedure also exchanges the secret keys used for encryption and for the MAC. The handshake must complete before any data is exchanged. The handshake consists of 4 phases, shown in figure 2.10, as follows:
Phase 1: Establishing the logical connection
The client sends a connection request to the server (a "client hello" message). The server receives the request and replies to the client (with a Server Hello message). The client sends its full list of algorithms to the server together with a random number that will be used as input to key generation.
Phase 2: Server authentication and key exchange
The server sends its digital certificate to the client as identification. Based on the contents of the list, the server chooses the cipher and sends it back to the client together with the digital certificate containing the server's public key. This certificate also contains the server's identifiers for authentication purposes, and the server supplies a random number as part of the input to key generation.
Phase 3: Key exchange and client authentication
The client checks the server's certificate and extracts the server's public key. It then generates a random secret string called the pre-master secret and encrypts it with the server's public key. Finally, the client sends the encrypted information to the server.
Phase 4: Handshake completion
From the pre-master secret and the client and server random numbers, the client and server compute the encryption and MAC keys. The client sends the MAC values of all handshake messages to the server, and the server sends the MAC values of all handshake messages to the client. The handshake ends, and the tunnel for secure data exchange is initialized.
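Phase 4 of the handshake described above, as an added Python model rather than code from the thesis: the key derivation is a simplified HMAC stand-in for the SSL PRF, the certificate and the RSA encryption of the pre-master secret are placeholders, and all messages are constructed. It shows why the finished MACs cover the whole transcript by having an intermediary rewrite the phase-1 cipher list.

```python
"""SSL handshake phase 4: derive keys from the pre-master secret and both
randoms, then confirm the full handshake transcript with MACs.
Added example, not thesis code; simplified key schedule, not the TLS PRF.
"""
import hashlib
import hmac
import json
import secrets


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Both sides compute encryption and MAC keys from the pre-master secret
    and the two random numbers (simplified HMAC-based schedule)."""
    master = hmac.new(pre_master, b"master" + client_random + server_random,
                      hashlib.sha256).digest()
    return {
        "client_mac": hmac.new(master, b"client mac", hashlib.sha256).digest(),
        "server_mac": hmac.new(master, b"server mac", hashlib.sha256).digest(),
        "enc": hmac.new(master, b"enc", hashlib.sha256).digest(),
    }


def transcript_mac(messages: list, key: bytes) -> bytes:
    """MAC over every handshake message seen so far (the 'finished' value)."""
    data = json.dumps(messages, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def run_handshake(tamper_cipher_list=False):
    """Phases 1-4 with messages modelled as dicts.  If an intermediary rewrites
    the client's cipher list in phase 1 (a downgrade), the two sides hold
    different transcripts, their finished MACs differ, and the handshake must
    be rejected.  Returns True when the client's finished MAC verifies."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    # Phase 1: client hello carries the cipher list and the client random.
    client_hello = {"msg": "client hello", "ciphers": ["AES-256", "3DES", "RC4"],
                    "random": client_random.hex()}
    client_view = [client_hello]
    server_view = [dict(client_hello, ciphers=["RC4"]) if tamper_cipher_list
                   else client_hello]
    # Phase 2: server picks a cipher from what it received, sends its
    # certificate (placeholder) and its own random.
    server_hello = {"msg": "server hello", "cipher": server_view[0]["ciphers"][0],
                    "random": server_random.hex(), "certificate": "<server cert>"}
    client_view.append(server_hello)
    server_view.append(server_hello)
    # Phase 3: client sends the pre-master secret encrypted to the server's
    # public key; the RSA step itself is a placeholder here (constructed).
    pre_master = secrets.token_bytes(48)
    key_exchange = {"msg": "client key exchange", "enc_pre_master": "<RSA-encrypted>"}
    client_view.append(key_exchange)
    server_view.append(key_exchange)
    # Phase 4: both derive the same keys, then each MACs its own transcript.
    client_keys = derive_keys(pre_master, client_random, server_random)
    server_keys = derive_keys(pre_master, client_random, server_random)
    client_finished = transcript_mac(client_view, client_keys["client_mac"])
    server_expects = transcript_mac(server_view, server_keys["client_mac"])
    return hmac.compare_digest(client_finished, server_expects)
```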
Confidentiality:
Ensures that data is not accessed or used by unauthorized persons.
2.7
With advanced technology, the SafeNet iKey 1032 solution replaces the traditional username-and-password authentication method. SafeNet iKey 1032 is a strong authentication solution
... software-only solution. Hardware-based protection for the information
... secret, carried out on the chip.
Cost savings: low cost, more effective than other hardware solutions.
Hard for a client to deny taking part in a transaction, because the client must bear
ty.
Easy to use: no additional hardware is needed; just insert the information
Easy to manage.
trust...
PKCS 12: stores the private key and the digital certificate on the iKey.
MS-CAPI: Microsoft's cryptographic API library, supporting applications such as
Chapter 3
SOLUTION
3.1 Problem statement
Suppose a sender (client workstation) sends information to a receiver (server) over a channel controlled by an adversary (hacker), as illustrated in figure 3.1. The hacker's actions take many forms, the most common being:
Eavesdropping on and monitoring the flow of information.
Recording information and altering its content by deleting, inserting, adding or removing
... not?...
3.2 Solution requirements
... the development and application of information technology and the assurance of information security over the network...
Ensure the security of data when it is exchanged. Prevent unauthorized access to the network.
Reasonable cost; easy to deploy in practice as well as to configure and
cp.
Make maximum use of existing equipment to reduce the cost of purchasing equipment.
Support network expansion (bandwidth, number of users,
... information, reports, directives, management, notices, work schedules, programmes, plans, handling of professional tasks...)
3.3
3.3.1
The process of issuing a digital certificate (public-key certificate), figure 3.4, is as follows:
Every entity, including the CA server, has a public/private key pair.
(1) The client requests the CA's public key.
... trust.
(7) The server trusts the client's public key after verifying the CA's signature
3.3.2 CA digital signature creation process (1)
... of its own.
3.3.3
3.3.4
After verifying that the workstation's public key is valid, data is encrypted with the workstation's public key and can only be decrypted with the corresponding private key. Every end system has a public/private key pair: the public key is known to everyone and used for encryption, and the private key is used for decryption.
DH key exchange relies on complex logarithm computations and is commonly used to share secret keys between parties (these secret keys can then be used for symmetric encryption and the HMAC hash function), figure 3.6. The Diffie-Hellman key exchange algorithm is based on public-key technology and can be used so that the endpoints
... all connecting parties.
The sender then performs a computation involving the sender's private key and
... performs a similar computation involving its own private key and the sender's public key.
The basic assumption of this algorithm is that if someone intercepts and reads the ciphertext, they cannot recover the original information because they do not have the receiver's private key.
3.4
... of the server, where the IP header is checked and then handed to the higher-layer protocol stack. The Authentication module detects the packet, authenticates it and decrypts the encapsulated packet back into the original packet. The char device driver then passes the original message to the network card
3.5
3.6
3.6.1
After research and testing, the open-source VPN solution can be configured into a high-quality VPN product. However, the design process alone will certainly not be sufficient. To strengthen the safety and security of the device, we need to embed additional security mechanisms such as a firewall and IDS/IPS, developing it into the FVS product. Because it is open-source software, extending the FVS device with security mechanisms created by the user is entirely at the user's discretion. The FVS has the following basic functions:
Router function: routes packets to the destination network.
Firewall function: blocks attacks from outside and controls
3.6.2
3.6.3
Feature             Value
CPU                 ARM S3C2440
SDRAM               32 MB
Flash Memory        16 MB
Kernel Version      linux-2.6
OpenVPN             openvpn 2.0.7
Firewall            Netfilter/Iptables
Other applications  PHP/Webmin
3.7
Database server, application server, report server, web server (this zone is planned to have its own firewall).
LAN zone: comprises the workstations located at the centre and the LANs of the
Chapter 4
SYSTEM TESTING
4.1
4.1.1
4.1.2
4.1.3
4.2
4.3
Similar to the test on the real system, but in this part we additionally configure IPsec VPN.
VMware is used to emulate PCs that act as workstations, routers and the FVS. The operating systems used are Linux (CentOS, kernel 2.6 or later) and Unix (FreeBSD 8.0). The test tools are VMware (builds and tests network applications such as virtual machines, virtual switches and virtual networks, letting several operating systems and applications run reliably at the same time on one physical computer); NetCat (a Unix utility for transferring data over a network connection using TCP or UDP); Tcpdump (a common network analysis tool in Unix and Linux environments); Wireshark (packet capture and analysis); Iperf (bandwidth measurement); and the SafeNet iKey 1032.
A PC running embedded Linux is built to emulate the FVS device, with the functions
4.3.1 IP address configuration
4.3.2
[Figure 4.9: Captured data (test payload "ky thuat TPHCM")]
[Figure 4.10: Captured data, encrypted and secured (test payload "ky thuat TPHCM")]
4.4
... and medium-sized.
Control over ownership of the security software.
Customizable for each security application requirement; can easily be supplemented
Chapter 5
CONCLUSION
5.1 Results achieved
5.2
... according to the ISO/IEC 27000 family of information security standards, of which ISO/IEC 27001:2005 specifies the requirements for an information security management system. ISO/IEC 27001 was established to provide a benchmark on which agencies and organizations can build their information security systems.
5.3 Proposals
For the provincial Police and the Ministry of Public Security: invest the funds and allow deployment of the solution
5.4 Conclusion
[16] W. Huang and F. Kong, "The research of VPN on WLAN," in Computational and Information Sciences (ICCIS), 2010 International Conference on, 2010, pp. 250-253.
[17] L. Lian and G. Wen-mei, "Building IPsec VPN in IPv6 based on Openswan," in Network and Parallel Computing Workshops, 2007. NPC Workshops. IFIP International Conference on, 2007, pp. 784-787.
[18] D. Meng, "Implementation of a host-to-host VPN based on UDP tunnel and OpenVPN TAP interface in Java and its performance analysis," in Computer Science Education (ICCSE), 2013 8th International Conference on, 2013, pp. 940-943.
[19] J. Qu, T. Li, and F. Dang, "Performance evaluation and analysis of OpenVPN on Android," in Computational and Information Sciences (ICCIS), 2012 Fourth International Conference on, 2012, pp. 1088-1091.
[20] C. Hosner, "OpenVPN and the SSL VPN revolution," 2004.
[21] J. Zhang, W. Hu, and F. Gao, "Construction of VPN gateway based on FreeS/WAN under Linux," in Signal Processing, 2008. ICSP 2008. 9th International Conference on, Oct 2008, pp. 2876-2879.
[22] G. Wang, M. Xu, and X. Huan, "Design and implementation of an embedded router with packet filtering," in Electrical Electronics Engineering (EEESYM), 2012 IEEE Symposium on, 2012, pp. 285-288.
[23] B. Zhong and L. Huaqing, "Design of a new firewall based on Netfilter," in Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on, vol. 3, 2012, pp. 624-627.
[24] P. Butler, A. Rhodes, and R. Hasan, "Manticore: Masking all network traffic via IP concealment with OpenVPN relaying to EC2," in Cloud Computing (CLOUD), 2012 IEEE 5th International Conference on, 2012, pp. 487-493.
[25] P. Thanh and K. Kim, "A methodology for implementation and integration two-factor authentication into VPN," in Performance Computing and Communications Conference (IPCCC), 2012 IEEE 31st International, Dec 2012, pp. 195-196.
[28] Y. Bhaiji, Network Security Technologies and Solutions, 1st ed., 2008.
[29] J. Frahim and Q. Huang, Designing VPN Security, v. 1.0. Cisco, 2003.
[30] C. Scott, P. Wolfe, and M. Erwin, Virtual Private Networks, 2nd ed.
[31] A. G. Mason, Ed., Cisco Secure Virtual Private Networks. Cisco Press, 2001.
[32] M. Lewis, Comparing, Designing, and Deploying VPNs (Networking Technology). Cisco Press, 2006.
[33] M. Feilner, Beginning OpenVPN 2.0.9, A. Johari, Ed. Packt Publishing Ltd., 32 Lincoln Road, Olton, Birmingham, B27 6PA, UK, April 2006.
[35] P. Wouters and K. Bantoft, Building and Integrating Virtual Private Networks with Openswan, R. Deeson, Ed. Packt Publishing Ltd., 32 Lincoln Road, Olton, Birmingham, B27 6PA, UK, February 2006.
[36] J. J. Keijser, OpenVPN 2 Cookbook, A. Shanker, Ed.