
Virtual Private Networks

(VPN - Virtual Private Network)

1. THE CONCEPT OF A VIRTUAL PRIVATE NETWORK

A Virtual Private Network (VPN) lets you extend the reach of your internal network by taking advantage of the Internet. VPN technology lets a host thousands of miles away connect to your LAN and behave as one more node or PC on that LAN. A further property of a VPN is that the connection between clients and your virtual network is about as safe as if you were sitting inside the same LAN.

Viewpoint: when two parties on the global network exchange information, preserving the confidentiality and integrity of the data in transit requires building a virtual tunnel that is extremely hard for an outside observer, whether active or passive, to join. The term "virtual" indicates that the connection between the two nodes is not permanent: it exists only for as long as the path across the network exists.

2. FUNCTIONS OF A VIRTUAL PRIVATE NETWORK

Functions:
- Protect the confidentiality of information while it travels over open communication channels.
- Protect the local networks and individual machines that are connected to public channels from unauthorized interference from outside.

Figure: Virtual private network model

3. TECHNICAL INFRASTRUCTURE FOR BUILDING A VIRTUAL PRIVATE NETWORK

- Cryptographic techniques
- Public key infrastructure
- Security protocols

3.1 CRYPTOGRAPHIC TECHNIQUES

The role of cryptography in protecting information:

1. It is used to conceal secret information held in the system. As we know, physical communication channels are constantly exposed to eavesdropping and to tampering with messages. Protection rests on the principle that a message encrypted with a given encryption key can be decrypted only by someone who holds the corresponding inverse (decryption) key.

2. It is used to support authenticated communication between pairs of legitimate users, which we call principals. A principal that successfully decrypts a message with a given decryption key may accept the message as authentic if it contains certain expected values; from this the receiver infers that the sender holds the corresponding encryption key. Thus, if the keys are kept secret, successful decryption authenticates the message as coming from a specific sender. Caveat: encryption on its own does not stop an attacker from altering ciphertext, so in practice this implicit check is replaced by an explicit message authentication code (MAC) computed with a shared key.

3. It is used to implement a digital signature mechanism. A digital signature plays the role of a conventional signature in confirming to a third party that a message is an unaltered copy of one produced by a specific principal. The ability to produce a digital signature rests on the principle that there are things only the principal who is the genuine sender can do and nobody else can. In practice the sender encrypts, with a key only he holds, either the message itself or a short form of it called a digest (similar to a checksum); a trusted third party that holds proof of the requester's identity vouches for the binding between that key and the sender. The encrypted message or digest then serves as a signature that accompanies the message.

Figure: Model of a network information security system using cryptography

Secret-key cryptography

In secret-key (symmetric) cryptography, the same key is used to encrypt and to decrypt a message.

Public-key cryptography

A public-key cryptosystem is characterised by an encryption algorithm with two keys, a private key and a public key. Depending on the application, the sender uses the recipient's public key, the sender's own private key, or both to perform some operation with the cryptographic function. Uses of public-key cryptosystems fall into three classes:
- Encryption and decryption: the sender encrypts the message with the recipient's public key.
- Digital signature: the sender signs a message with his own private key. The signature is produced by a cryptographic algorithm operating on the message or on a small block of data derived from it.
- Key exchange: the two communicating parties cooperate to exchange a session key.

3.2. PUBLIC KEY INFRASTRUCTURE (PKI)

(Public Key Infrastructure)

Problems that arise when using public-key cryptography:
- preventing forgery of public keys
- authenticating users
- preventing forgery of signatures

Solution: build a public key infrastructure, consisting of a certification authority, the participants in the system, and network directories.

Definition: a PKI is built on the foundation of public-key cryptography and digital signatures. Its components are:
- Security policy
- Certificate Authority (CA)
- Registration Authority (RA)
- Certificate Distribution System
- PKI-enabled applications

PKI components

Security Policy: beyond the general information-security rules and definitions adopted by the organization's governing security bodies, the policy states which bodies are authorized to issue keys and certificates, and requires that their authority to do so be itself certified.

Certificate Authority (CA): the CA is the most trusted component of the PKI and manages the public keys in every situation. It issues certificates that bind the identifying attributes of a user or system to that party's public key together with a serial number; it sets the validity period of those certificates; and it removes (revokes) from the key list any certificate that is incorrect or no longer trustworthy.

Registration Authority (RA): provides the interface between users and the CA. It receives and verifies the identifying attributes of users and systems and passes them on to the CA, handling the particulars of each identity and deciding which level of assurance each certificate will carry.

Certificate Distribution System: certificates may be distributed in a number of ways, depending on the architecture of the PKI environment.

PKI-enabled applications: in a real sense the PKI exists for its endpoints; which applications use it depends on the environment the system runs in, for example:
- web servers and browsers
- e-mail
- Electronic Data Interchange (EDI)
- credit card transactions over the Internet
- Virtual Private Networks (VPNs)
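The following added example (not code from these slides) ties together the digital-signature mechanism of section 3.1 and the CA role of section 3.2: a CA signs a certificate binding a subject to a public key with a validity period, a relying party accepts a signed message only through a certificate whose signature, validity and revocation status check out, and an attacker who swaps his own key into a certificate is caught by the signature check. The names CertificateAuthority, validate_certificate, forge_certificate, verify_signed_message and the JSON certificate layout are ours; the RSA is textbook (no padding) with small generated primes, chosen only so the mechanics are visible with the standard library. Real deployments use a vetted library (RSA-PSS or ECDSA) and X.509 certificates.

```python
"""Toy PKI for sections 3.1 and 3.2: hash-then-sign RSA signatures, a CA that
issues certificates, and a relying party that checks signature, validity and
revocation. Added example, not code from the original slides. Textbook RSA with
small generated primes and a JSON 'certificate' are used only to expose the
mechanics; real systems use a vetted library (RSA-PSS/ECDSA) and X.509."""
import hashlib
import json
import secrets
import time

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin after cheap trial division."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) dicts. 512 bits is a toy size; use >= 2048 for real."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def sign(private, data):
    """The 'encrypted digest' of section 3.1: SHA-256(data)^d mod n."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, private["d"], private["n"])

def verify(public, data, signature):
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, public["e"], public["n"]) == digest

def _to_be_signed(body):
    # Canonical bytes: issuer and verifier must hash exactly the same encoding.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class CertificateAuthority:
    def __init__(self, name):
        self.name = name
        self.public, self._private = generate_keypair()
        self._next_serial = 1
        self.crl = set()  # serials of revoked certificates (the CRL)

    def issue(self, subject, subject_public, lifetime_s=3600, now=None):
        """Bind subject to its public key for a validity period and sign it."""
        now = int(time.time() if now is None else now)
        body = {"serial": self._next_serial, "issuer": self.name, "subject": subject,
                "public_key": subject_public, "not_before": now, "not_after": now + lifetime_s}
        self._next_serial += 1
        return {"body": body, "signature": sign(self._private, _to_be_signed(body))}

    def revoke(self, cert):
        self.crl.add(cert["body"]["serial"])

def validate_certificate(cert, ca_public, crl, now=None):
    """None if acceptable, else the reason. Signature first: every other field is attacker-controlled until it passes."""
    now = time.time() if now is None else now
    body = cert["body"]
    if not verify(ca_public, _to_be_signed(body), cert["signature"]):
        return "bad signature"  # forged or tampered certificate
    if not body["not_before"] <= now <= body["not_after"]:
        return "expired or not yet valid"
    if body["serial"] in crl:
        return "revoked"
    return None

def forge_certificate(cert, attacker_public):
    """The attack a PKI exists to stop: swap in another key under the CA's real signature."""
    forged = json.loads(json.dumps(cert))
    forged["body"]["public_key"] = attacker_public
    return forged

def verify_signed_message(cert, data, signature, ca_public, crl, now=None):
    """Relying party: trust the sender's key only through a valid certificate."""
    problem = validate_certificate(cert, ca_public, crl, now)
    if problem:
        return False, problem
    return verify(cert["body"]["public_key"], data, signature), "ok"
```

The order of checks in validate_certificate is the point to take away: signature first, then validity window, then the CRL. A certificate whose signature does not verify tells you nothing trustworthy about its subject, validity dates or serial, so none of those fields may be consulted before the signature passes.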

PKI applications
- Virtual private networks (IPSec VPNs)
- Secure e-mail and user authentication (client authentication)
- Server authentication and link protection (SSL)
- Digital certificates for software development (code signing)
- Signing and encrypting documents, files and data (file signing)
- Enterprise web applications (intranet, extranet, portals)
- Other applications ...

4. Setting up a Windows 2000 (W2K) VPN server

Windows 2000 Server can act as a VPN server through RRAS (Routing and Remote Access Service). Once a server has been set up as a VPN server, clients can dial in and reach resources on the internal network (the LAN) as if they were connected to it directly.

VPN Clients

A VPN client can be any computer running Windows 9x, Windows NT Workstation or Windows 2000 Professional; even a server can be a VPN client. How client and server interact: the simplest and most common arrangement is for the client first to open a PPP (Point-to-Point Protocol) connection to its ISP. That connection is called non-virtual: it is a real data-link-layer connection. Over it the client runs PPP a second time, this time tunnelled to the VPN server, and from then on it behaves as a node or workstation on the LAN.

4.1 Installing the VPN Server

Step 1: Enable the Routing and Remote Access Service (RRAS). Nothing needs to be installed for this step: RRAS is installed together with the Windows operating system. It is not enabled by default, however; to enable it proceed as follows:

1. Choose Start, Programs, Administrative Tools, Routing and Remote Access.
2. In the Routing and Remote Access console, right-click your server's name and choose Enable Routing and Remote Access. Activation takes a few seconds.
3. The RRAS wizard then starts. Choose Manually configured server and click Next, as in the figure below.
4. Follow the wizard's instructions to the end and click Finish to complete enabling RRAS.
5. When enabling is complete the service must be started; answer Yes.

When RRAS is running you will see the screen shown below.

Step 2: Configuration (General tab)

Right-click the server name and choose Properties. Here, tick Router: your computer will then forward requests from VPN clients to the internal LAN. The router's job is to route traffic directly between the LAN and the machines that connect through demand-dial connections. For a gateway-to-gateway VPN, tick Router together with LAN and demand-dial routing. Also tick Remote access server; without it, VPN clients cannot dial in.

Step 3: Configuration (IP tab)

Tick Enable IP routing. This lets clients reach the internal network; without it, clients can reach only the VPN server itself. Allow IP-based remote access and demand-dial connections must be enabled so that clients are assigned an IP address when they connect. Next decide how IP addresses are assigned to VPN clients. There are two ways:
- Dynamic Host Configuration Protocol (DHCP): dynamic addresses
- Static address pool: static addresses

Step 4: Configuring the VPN ports

In the RRAS console, right-click Ports and choose Properties.

In Ports Properties, select the VPN interface you want to enable. For example, to let clients connect with PPTP, which is the simplest protocol to start with, select WAN Miniport (PPTP) and click Configure.

In the WAN Miniport (PPTP) configuration dialog, tick Remote access connections (inbound only) so that clients can connect to the VPN server. Demand-dial routing connections (inbound and outbound) allows the RRAS server to initiate or accept connections to and from demand-dial routers. In the Phone number for this device box, enter the IP address of the VPN server's interface.

Step 5: Allowing access through the Remote Access Policy

Select the Remote Access Policies folder; in the right-hand pane, right-click Allow access if dial-in permission is enabled and choose Properties, as shown below.

In the properties of Allow access if dial-in permission is enabled, select Grant remote access permission. Users who match the policy's conditions may then connect at any time: change the "If a user matches the conditions" setting to Grant remote access permission.

4.2 Installing the VPN Client

1. Right-click My Network Places, choose Properties, double-click Make New Connection, then click Next.
2. Choose Connect to private network through the Internet, as in the figure below.
3. If you are not yet connected to the Internet, you can choose Automatically dial this initial connection; if you are already connected, choose Do not dial the initial connection, as in the figure below, and click Next.
4. Under Host name or IP address, enter your server's name, or its IP address if you have no domain name, as in the figure below.
5. If you want other users of this computer to be able to use this connection to reach the VPN, choose For all users; otherwise choose Only for myself.
6. In the dialog shown below, enter the user name and password to connect.
7. When first setting up and getting to know VPNs, use PPTP: it is the simplest of the three protocols and, unlike L2TP, it needs no certificates or PKI (Public Key Infrastructure). Caveat: PPTP's usual authentication method, MS-CHAP v2, has been publicly broken since 2012 (Microsoft Security Advisory 2743314), and Windows 2000 itself is long out of support, so treat this PPTP setup as a learning exercise and use L2TP/IPsec with certificates for anything real.

4.3 Creating a VPN access account

1. Open the user-administration tool on the domain controller (DC). Choose Action / New / User.
2. Enter the details of the account to create: logon name, password, etc.
3. Allow the account to use the VPN: select the account, choose Action / Properties, open the Dial-in tab and choose Allow access.

4.4 Initiating the VPN connection

Check the client's configuration. After a successful connection you will see the address assigned to the VPN client; ping the DC to check that the domain controller is reachable.

4.4 Joining the client to the domain

Join the client to the domain. When the join completes, restart the computer, re-establish the VPN connection to the server, and try to access a shared resource on the server.

4.5 Lab: designing a VPN network

Lab topology (three sites whose gateways meet on the 200.1.1.0 network):
- Site 1: gateway/firewall 1, internal IP 10.0.0.254, external IP 200.1.1.1; hosts: Windows XP 10.0.0.201 and Windows XP 10.0.0.200
- Site 2: gateway/firewall 2, internal IP 192.168.2.254, external IP 200.1.1.2; host: Windows XP 192.168.2.100, default gateway 192.168.2.254
- Site 3: gateway/firewall 3, internal IP 192.168.3.254, external IP 200.1.1.3; host: Windows XP 192.168.3.100, default gateway 192.168.3.254
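Before building the tunnels, the address plan for this lab should be checked: site-to-site VPNs fail in confusing ways when two sites share address space, and each gateway needs to know which prefixes it protects and which peer carries traffic for each remote prefix. The following added example (not from the slides) performs those checks with the standard library over the three sites above. It assumes a site-to-site design with a /24 LAN behind each gateway (the slides list hosts and gateways but no prefix lengths), and the names SITES, overlapping_sites, gateways_consistent, site_of, tunnel_for and traffic_selectors are ours.

```python
"""Address-plan checks for the three-site VPN lab.

Added example, not from the slides. It assumes a site-to-site design in
which each gateway/firewall protects a /24 LAN behind it (the slides give
hosts and gateways but no prefix lengths, so /24 is an assumption) and
reaches the other sites over its external address on 200.1.1.0/24.
"""
import ipaddress
from itertools import combinations

# Constructed from the lab slide; the /24 prefix lengths are assumed.
SITES = {
    "site1": {"lan": "10.0.0.0/24", "gw_int": "10.0.0.254", "gw_ext": "200.1.1.1"},
    "site2": {"lan": "192.168.2.0/24", "gw_int": "192.168.2.254", "gw_ext": "200.1.1.2"},
    "site3": {"lan": "192.168.3.0/24", "gw_int": "192.168.3.254", "gw_ext": "200.1.1.3"},
}


def overlapping_sites(sites=SITES):
    """Pairs of sites whose LAN prefixes overlap. Overlap is fatal for a
    site-to-site VPN: a gateway can no longer tell local from remote hosts."""
    nets = {name: ipaddress.ip_network(cfg["lan"]) for name, cfg in sites.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def gateways_consistent(sites=SITES):
    """Every gateway's internal address must lie inside its own LAN prefix and
    its external address must not (a common copy-paste mistake in lab sheets)."""
    for cfg in sites.values():
        lan = ipaddress.ip_network(cfg["lan"])
        if ipaddress.ip_address(cfg["gw_int"]) not in lan:
            return False
        if ipaddress.ip_address(cfg["gw_ext"]) in lan:
            return False
    return True


def site_of(ip, sites=SITES):
    """Name of the site whose LAN contains ip, or None if it is not a lab host."""
    addr = ipaddress.ip_address(ip)
    for name, cfg in sites.items():
        if addr in ipaddress.ip_network(cfg["lan"]):
            return name
    return None


def tunnel_for(src, dst, sites=SITES):
    """Gateway pair (local external, remote external) that must carry src -> dst.
    None when both hosts are in one site (no tunnel) or either is unknown."""
    s, d = site_of(src, sites), site_of(dst, sites)
    if s is None or d is None or s == d:
        return None
    return sites[s]["gw_ext"], sites[d]["gw_ext"]


def traffic_selectors(site, sites=SITES):
    """For a full mesh, the (local prefix, remote prefix, peer) triples that the
    named gateway must protect, i.e. its IPsec selectors or tunnel routes."""
    local = sites[site]["lan"]
    return [(local, cfg["lan"], cfg["gw_ext"]) for name, cfg in sites.items() if name != site]
```

With the lab addresses as given, overlapping_sites() is empty and traffic_selectors("site1") yields the two remote prefixes that gateway 1 must send to 200.1.1.2 and 200.1.1.3; adding a fourth site numbered 10.0.0.0/16 would immediately be reported as overlapping site 1, which is the kind of mistake to catch before any tunnel is configured.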
