
Information Safety and Security

Nguyễn Linh Giang
Department of Communications and Computer Networks

I. Introduction to Information Security
II. Symmetric Encryption Methods
III. Public-Key Cryptosystems
IV. Message Authentication
V. Digital Signatures and Authentication Protocols
VI. Authentication Mechanisms in Distributed Systems
VII. Protecting Internet Services
VIII. Hidden Marking of Data

References

- W. Stallings, Network and Internetwork Security
- Introduction to Cryptography (PGP)
- D. Stinson, Cryptography: Theory and Practice

Chapter I. Introduction

1. Introduction
2. Information security services and mechanisms, and forms of attack on network systems
3. Forms of attack
4. Security services
5. Network security models

Introduction

Some examples of information protection problems:

- File transfer: A and B exchange private information; C intercepts the information exchanged between A and B.
- Message exchange: [figure]
- Forgery: D sends no information to E; F impersonates D and sends a new (forged) list to E.

Complexity of the internetwork security problem:

- No method is suitable for every case.
- Security mechanisms always go hand in hand with countermeasures.
- Choose the solutions suited to each usage context.

Security services and mechanisms

Three aspects of information security:

- Attacks on information security
- Security mechanisms
- Information security services

Classification of security services:

- Confidentiality
- Authentication
- Integrity
- Nonrepudiation
- Access control
- Availability

Security mechanisms:

- No single mechanism exists.
- Cryptographic techniques are used.

Forms of attack:

- Unauthorized access to information
- Unauthorized modification of information
- and so on

Attacks on the system

Forms of attack on computer systems and networks:

- Normal information flow: from the information source to the information destination.
- Interruption: the information flow is interrupted.
- Interception: the information flow is intercepted.
- Modification: the information flow is modified.
- Fabrication: the information flow is fabricated.

Attacks on the system: passive attacks

Passive threats (interception of confidential information):

- Release of message contents
- Traffic analysis

Forms of passive attack:

- Release of message contents: the aim is to prevent the opponent from capturing and learning the content of the transmitted information.
- Traffic analysis: the opponent can determine:
  - the location of the hosts taking part in the communication;
  - the frequency and size of the messages.

Passive attacks are very hard to detect because they do not alter the data. For passive attacks, the emphasis is on prevention rather than detection.

Attacks on the system: active attacks

Active attacks include: modifying data streams, injecting false data, masquerade, replay, modification of messages, and denial of service.

Active threats:

- Interruption (availability)
- Fabrication (authenticity)
- Modification of content (integrity)

Forms of active attack:

- Masquerade: the opponent impersonates an authorized entity.
- Replay: the opponent captures data units and retransmits them to produce unauthorized effects.
- Modification of messages: part of a legitimate message is altered, delayed, or reordered, producing unauthorized effects.
- Denial of service: an attack that blocks or prevents the use of services and communication facilities.

Active attacks are very hard to prevent completely: that would require physical protection of every communication path at all times. The security goal is to detect them and to recover the information from any destruction or delay.

Security services: confidentiality

Confidentiality of information: protecting transmitted data from passive attacks.

Against release of message content, there are several ways to protect the transmission path:

- Protect all data transmitted between two users at all times: set up a virtual circuit between the two systems and prevent any release of message content. Example: VPN.
- Protect single messages or individual fields of a message:
  - not really useful;
  - quite complex in many cases;
  - costly to implement.

Confidentiality: protecting the traffic flow from analysis. Requirement: the attacker must not be able to discover the characteristics of the communication:

- the source and destination of the information;
- frequency and length;
- other parameters of the traffic flow.

Security services: authentication

The authentication service confirms that the parties taking part in the communication are authenticated and trustworthy.

- For single messages (notifications, alarm signals): the authentication service assures the recipient that the messages come from trustworthy sources.
- For online connections, two aspects need attention:
  - At connection setup, the authentication service must assure that the two entities taking part in the exchange are authorized.
  - The service must assure that the connection is not interfered with by a third party, who could masquerade as one of the two authorized parties in order to take part in the communication and receive the messages.

Security services: availability

Attacks that destroy the availability of a system:

- Carrying out physical operations that affect the system.

The availability service must:

- prevent effects on the information in the system;
- restore the service capability of the system's elements in the shortest possible time.

Security services: integrity

Integrity can also be applied to a stream of messages, to a single message, or to selected fields of a message. The most useful approach is to protect the message stream directly.

Two kinds of integrity service:

- connection-oriented data integrity service;
- connectionless integrity service.

Connection-oriented data integrity service:

- Acts on the message stream and assures that messages are received exactly as they were sent, with no duplication, modification, insertion, or deletion.
- Destroyed data must also be recovered by this service.
- Deals with the problems of modification of the message stream and of denial of service.

Connectionless integrity service:

- Handles a single message only, with no regard for any wider context.
- Concentrates only on preventing modification of the message content.
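
The difference between the two integrity services, as an added example that is not part of the original slides: a per-message MAC (connectionless) catches modification but accepts a replayed message, while a MAC that also covers a sequence number (connection-oriented) catches duplication and reordering as well. HMAC-SHA-256, the 8-byte sequence header, and all names and sample messages are assumptions constructed for this example.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: secret shared by both parties
MAC_LEN = 32                   # HMAC-SHA-256 output size

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def protect_single(payload):
    """Connectionless integrity: the MAC covers one message only."""
    return payload + mac(payload)

def verify_single(packet):
    payload, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
    return hmac.compare_digest(tag, mac(payload))

class StreamSender:
    """Connection-oriented integrity: the MAC also covers a sequence number."""
    def __init__(self):
        self.seq = 0
    def send(self, payload):
        body = struct.pack(">Q", self.seq) + payload
        self.seq += 1
        return body + mac(body)

class StreamReceiver:
    def __init__(self):
        self.expected = 0
    def receive(self, packet):
        body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        if len(body) < 8 or not hmac.compare_digest(tag, mac(body)):
            return "modified"
        seq = struct.unpack(">Q", body[:8])[0]
        if seq < self.expected:
            return "replayed"          # duplicate of an accepted message
        if seq > self.expected:
            return "out of order"      # an earlier message is missing or delayed
        self.expected += 1
        return "ok"

def demo():
    single = protect_single(b"pay 10")        # constructed sample messages
    single_twice = [verify_single(single), verify_single(single)]
    tx, rx = StreamSender(), StreamReceiver()
    p0, p1, p2 = (tx.send(m) for m in (b"pay 10", b"pay 20", b"pay 30"))
    tampered = p1[:8] + b"pay 99" + p1[14:]   # payload changed, old MAC kept
    return single_twice, [rx.receive(p) for p in (p0, p0, tampered, p2, p1, p2)]
```

The connectionless check accepts the same protected message twice, which is exactly the wider context it ignores; the stream receiver rejects the duplicate.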

Security services: nonrepudiation

- The nonrepudiation service prevents the recipient and the sender from denying a transmitted message.
- When a message is sent, the recipient can prove that the message was in fact sent by the authorized sender.
- When a message is received, the sender can prove that the message in fact reached its destination.

Security services: access control

- The access control service provides the ability to limit and control access to hosts or applications over communication links.
- To achieve this control, every entity accessing the network must be identified or authenticated, so that access rights can be tied to each individual.

Network and system security models

Network security model

The network information security problem arises when:

- the communication process must be protected from unauthorized access;
- confidentiality and integrity must be assured;
- authenticity must be assured; and so on.

Traditional model of a secure communication process

[Figure: model of a secure communication process. Labels: trusted provider; two principals; message; secret information; secured transmission process; information channel; opponent.]

All techniques for securing a communication system have two components:

- A security-related transformation of the information being sent.
  - Example: encrypting the message makes it unreadable to an attacker.
  - Adding to the message information derived from its content. This information serves to identify the sender.
- Some secret information shared between the two communicating parties.
  - This information is considered secret from the opponent.
  - Example: an encryption key used together with the transformation to encrypt the message on sending and decrypt it on receipt.

Trusted third party: in many cases one is needed for secure communication. The trusted third party:

- is responsible for distributing the secret information between the two communicating parties;
- keeps the information exchanged with the parties secret from the attacker;
- is responsible for arbitrating between the two sides about the authenticity of a transmitted message.

Basic tasks in designing a security system:

- Design the algorithms that carry out the secure transmission.
  - These algorithms must guarantee that an attack cannot defeat their security.
- Generate the secret information to be processed by those algorithms.
- Develop methods for distributing and sharing the secret information.
- Specify an exchange protocol:
  - it lets the two communicating parties exchange information using the secure algorithms;
  - the secret information achieves an appropriate level of security.

System security model

- Access by hackers;
- System security holes;
- External processes:
  - Information-access processes: destroy or modify information without permission.
  - Service processes: find flaws in the system's services in order to prevent use by unauthorized people.

[Figure: Network system access security model. Labels: opponent (human, software); access channel; protection gate; system resources (data; processes and applications; software; ...).]

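System security

- Security vulnerabilities
- Vulnerability scanning

Security vulnerabilities

- The concept of a security vulnerability
- Classification of security vulnerabilities:
  - Denial-of-service vulnerabilities
  - Vulnerabilities that let a user inside the network with limited rights escalate privileges without authentication
  - Vulnerabilities that let unauthorized people break in remotely without authentication

The concept of a vulnerability

- Any characteristic of software or hardware that allows an illegitimate user to gain access or escalate privileges without authentication.
- In general: vulnerabilities are the means an opponent can exploit to break into the system.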


Denial-of-service vulnerabilities

- Allow the opponent to paralyze the system's services.
- The opponent can disable a computer or a network, affecting the whole organization.
- Some types of denial-of-service attack:
  - Bandwidth/Throughput Attacks
  - Protocol Attacks
  - Software Vulnerability Attacks

Vulnerabilities that allow privilege escalation without authentication

- These are flaws in software or operating systems that have a hierarchy of users.
- They allow a user with limited rights to escalate privileges illegitimately.
- Examples:
  - Sendmail: an ordinary user can start the sendmail process and use sendmail to launch another program with root privileges.
  - Buffer overflow.

[Figure: buffer overflow. Labels: code segment; buffer; data segment; overflow here.]

Vulnerabilities that allow remote intrusion without authentication

- These are errors on the part of the system administrator or the user.
- They come from carelessness, lack of experience, and lack of attention to security.
- Some inexperienced configurations:
  - accounts with an empty password;
  - default accounts;
  - no protection systems such as a firewall, IDS, or proxy;
  - running unnecessary and insecure services such as SNMP, pcAnywhere, VNC.

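Purpose of vulnerability scanning

- Discover the security vulnerabilities of the system.
- Discover security concerns so that they can be prevented.

Methods and techniques for vulnerability scanning

- Network scanning
- Vulnerability scanning
- Log review
- File integrity checking
- Virus detection
- Protection against dial-in attacks (war dialing)
- Protection against attacks on access points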

Network scanning

- Checking that the target system exists
- Port scanning
- Operating system probing

Checking that the target system exists:

- A ping scan checks whether the system is up.
- Detected with an IDS or certain utilities.
- Prevented by system configuration that limits ICMP traffic.

Port scanning:

- Aims to identify services and applications.
- Uses scanning techniques such as TCP connect and TCP FIN, and infers the service or application from the port number.
- Scans are detected by an IDS or by the host's own security mechanisms.
- Disable unnecessary services to stay hidden.

Operating system probing:

- Probing relies on protocol characteristics.
- Detected with port-scan detection software; prevented by using a firewall and IDS.

System vulnerability scanning

- Information enumeration
- Service vulnerability scanning
- Password security checking

Information enumeration:

- Enters the system and issues direct queries.
- Aims to collect information about:
  - shares and network resources;
  - user accounts and user groups;
  - applications and banners.
- Example of information enumeration on Windows [figure]
- Example of information enumeration on Unix/Linux [figure]

Service vulnerability scanning:

- Weak account scanning: finds accounts with a dictionary when the account is weak.
- Weak service scanning: based on identifying the vendor and version.
- Countermeasures: configure services sensibly, upgrade, and patch promptly.

Password cracking:

- Quickly finds weak passwords.
- Gives specific information about password strength.
- Easy to carry out.
- Low cost.

Log file review

- Logs record and identify the operations carried out in the system.
- Used to identify deviations from the security policy.
- Can be done manually or automatically.
- Should be carried out regularly on the main devices.
- Provides highly meaningful information.
- Applies to every source that can record the activity taking place on it.

File integrity checking

- Information about file operations is stored in a reference database.
- A program compares the files against the data in the database to detect unauthorized access.
- A reliable method for detecting unauthorized access.
- Highly automated.
- Low cost.
- Does not detect the time interval.
- The reference database must always be kept up to date.
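
The comparison described above, as an added example that is not part of the original slides: a reference database holding a SHA-256 digest, size and permission bits per file, and a check that reports modified, removed and added files. The function names, the choice of attributes and the sample files are assumptions constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Reference database: relative path -> (sha256, size, permission bits)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            db[os.path.relpath(path, root)] = (
                digest.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return db

def compare(reference, current):
    """Report what differs from the reference; it cannot say when it changed."""
    return {
        "modified": sorted(p for p in reference
                           if p in current and reference[p] != current[p]),
        "removed": sorted(p for p in reference if p not in current),
        "added": sorted(p for p in current if p not in reference),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:   # constructed sample tree
        write(root, "sshd_config", b"PermitRootLogin no\n")
        write(root, "motd", b"welcome\n")
        write(root, "hosts", b"127.0.0.1 localhost\n")
        reference = snapshot(root)
        write(root, "sshd_config", b"PermitRootLogin yes\n")  # tampering
        os.remove(os.path.join(root, "motd"))
        write(root, "unexpected.sh", b"#!/bin/sh\n")
        report = compare(reference, snapshot(root))
        reference = snapshot(root)    # approved changes: refresh the reference
        return report, compare(reference, snapshot(root))
```

The reference database is only useful if it is stored where the monitored host cannot rewrite it, and it has to be refreshed after every approved change or the next run reports those changes again.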

Virus scanning

- Purpose: protect the system from infection and damage by viruses.
- Two main kinds of software:
  - Installed on a server:
    - on the mail server or the main station (proxy);
    - protects at the entry gateway;
    - convenient for updating the virus database.
  - Installed on workstations:
    - typically scans the whole system (files, disks, websites the user visits);
    - requires a lot of attention from the user.
- Both kinds can be automated, are highly effective, and are reasonably priced.

War Dialing

- Prevent unauthorized modems from dialing into the system.
- A dialing program can dial automatically to search for an entry point into the system.
- Policy: restrict the phone numbers each member may use for access.
- This method takes a lot of time.

Wireless LAN scanning

- Links use signals without cables: convenient for connectivity, but this also creates many new vulnerabilities.
- A hacker can attack the network from a laptop with wireless capability.
- The common 802.11b standard has many security limitations.
- Security policy:
  - based on specific hardware platforms and standards;
  - network configuration must be strict and kept confidential;
  - remove unnecessary entry points.

Penetration testing

- Uses the techniques that an opponent uses.
- Identifies the specific vulnerabilities and the extent of their impact.
- Cycle: [figure]

Penetration testing (cont.)

Kinds of vulnerability that can be discovered:

- Kernel flaws
- Buffer overflows
- Path links
- File descriptor attacks
- File and directory permissions
- Trojans

Comparison of the methods

Network scanning
  Strengths:
  - fast compared with vulnerability scanning
  - efficient for scanning a whole network
  - many free software programs
  - highly automated
  - low cost
  Weaknesses:
  - does not identify specific weaknesses
  - usually used as a prelude to penetration testing
  - requires expert opinion to evaluate the results

Vulnerability scanning
  Strengths:
  - can be fast, depending on the number of hosts scanned
  - some free software
  - highly automated
  - identifies specific weaknesses
  - often offers suggestions for resolving the weaknesses
  - cost ranges from high for good software down to free
  - easy to operate
  Weaknesses:
  - however, a high failure rate
  - consumes a lot of resources at the scanned host
  - not stealthy (easily detected by users, firewalls, IDS)
  - can become dangerous in the hands of people with little knowledge
  - often fails to detect the latest weaknesses
  - identifies only weaknesses on the surface of the system

Penetration testing
  Strengths:
  - uses the actual techniques that attackers use
  - identifies weaknesses
  - gives a deeper understanding of the weaknesses and of how they can be used to attack the system
  - shows that the weaknesses are not merely theoretical
  - provides evidence of security problems
  Weaknesses:
  - requires many people with a high level of expertise
  - takes a great deal of effort
  - slow; the hosts under test may have to stop working for a long time
  - not all hosts can be tested (because of the time it takes)
  - dangerous if carried out by people without expertise
  - the tools and techniques may be illegal
  - expensive

Chapter summary

- Network security services and mechanisms
- Forms of attack on networks
- Network security models
- Systems and security vulnerabilities
