
Graduation Thesis

University of Technology

Table of Contents

Introduction

Chapter 1: Overview of VPN

1. Overview ... 5
1.1 Definition of VPN ... 5
1.2 Benefits of VPN ... 6
1.3 Functions of VPN ... 7
2 Definition of tunneling and encryption ... 7
2.1 Definition of a tunnel ... 7
2.2 Structure of an IP packet in the tunnel ... 8
2.3 Encryption and decryption (Encryption/Decryption) ... 8
2.4 Some terms used in VPN ... 8
2.5 Algorithms used in information encryption ... 9
3 Types of VPN connections ... 10
3.1 Remote Access VPNs ... 10
3.1.1 Some main components ... 11
3.1.2 Main advantages of Remote Access VPNs ... 12
3.1.3 Besides the advantages above, VPNs also have some disadvantages, such as ... 12
3.2 Site To Site VPN ... 13
3.2.1 Intranet ... 14
3.2.2 Extranet VPNs ... 16
4. VPN and security issues on the Internet ... 18
4.1 Safety and reliability ... 19
4.2 Forms of security ... 20

Chapter 2: Protocols in VPN

1. The IPSec protocol suite (IP Security Protocol) ... 22
1.1 Security architecture ... 22
1.1.1 Current status ... 23
2 Operating modes of IPSec ... 23
2.1 Transport mode ... 23
2.2 Tunnel mode ... 24
3 The PPTP and L2TP protocols ... 31
3.1 Point-to-Point Tunneling Protocol (PPTP) ... 31
3.1.1 Relationship between PPTP and PPP ... 32
3.2 Layer 2 Forwarding Protocol (L2F) ... 34
3.3 Layer 2 Tunneling Protocol (L2TP) ... 35
3.3.1 Relationship between L2TP and PPP ... 36
3.4 L2TP Overview ... 38
3.5 Applying L2TP in VPN ... 42
3.6 Comparison between PPTP and L2TP ... 42
3.6.1 Advantages of L2TP ... 43
3.6.2 Advantages of PPTP ... 43

Chapter 3: Encryption and authentication in VPN

1. Encryption in VPN ... 45
1.1 The DES encryption algorithm ... 45
1.1.1 Description of DES ... 46
1.1.2 Advantages and disadvantages of DES ... 47
1.1.3 Applications of the DES algorithm in practice ... 47
1.2 The 3DES encryption algorithm ... 48
1.2.1 Description of 3DES ... 48
1.2.2 Advantages and disadvantages of 3DES ... 49
1.3 The Secure Hash Algorithm ... 49
1.4 The RSA algorithm ... 49
2 Authentication in VPN ... 50
2.1 Password Authentication Protocol (PAP): authentication by password ... 51
2.2 Challenge Handshake Authentication Protocol (CHAP) ... 52
3 Firewall ... 52
3.1 The firewall concept ... 52
3.2 Components of a firewall ... 53
3.2.1 Packet Filtering Router ... 53
3.2.2 Application-level gateway ... 55
3.2.3 Circuit-level Gateway ... 57
3.3 Limitations of firewalls ... 58
3.4 Setting a firewall policy ... 58
3.5 Some types of firewall ... 59
3.5.1 Screened Host Firewall ... 60
3.5.2 Screened-Subnet Firewall ... 61
3.6 Combining a firewall with VPN ... 62

Chapter 4: Configuring VPN on Cisco devices

1. Site to Site VPN and Extranet VPN models ... 64
1.1 Site to site VPN scenario ... 64
1.1.1 Dividing the physical address components of the site to site VPN model ... 64
1.1.2 Detailed address table for the Site to Site VPN network model ... 65
2.1 Extranet scenario ... 65
2.1.1 Dividing the physical address components of the Extranet VPN model ... 66
2.1.2 Detailed address table for the Extranet VPN network model ... 66
2 Tunnel configuration ... 67
2.1 Configuring a GRE Tunnel ... 68
2.1.1 Configuring the tunnel interface, source and destination ... 68
2.1.2 Verifying the tunnel interface, source and destination ... 70
2.2 Configuring an IPSec Tunnel ... 70
3 Configuring NAT (Network Address Translation) ... 71
3.1 Configuring Static Inside Source Address Translation ... 73
3.2 Verifying Static Inside Source Address Translation ... 73
4 Configuring encryption and IPSec ... 74
4.1 Configuring IKE policies ... 75
4.1.1 Creating IKE policies ... 76
4.1.2 Configuring additional requirements for IKE policies ... 77
4.1.3 Configuring pre-shared keys ... 78
4.2 Configuring the gateway for digital certificate interoperation ... 80
4.2.1 Verifying IKE Policies ... 81
4.2.2 Configuring other shared keys ... 81
4.3 Configuring IPSec and IPSec tunnel mode ... 82
4.3.1 Creating crypto access lists ... 83
4.3.2 Verifying crypto access lists ... 83
4.4 Defining transform sets and configuring IPSec tunnel mode ... 83
4.4.1 Verifying transform sets and IPSec tunnel mode ... 85
4.5 Configuring Crypto Maps ... 85
4.5.1 Creating Crypto Map entries ... 85
4.5.2 Verifying Crypto Map entries ... 88
4.5.3 Applying the Crypto Map to an interface ... 88
4.5.4 Verifying the Crypto Map binding on the interface ... 89
5. Configuring Cisco IOS Firewall features ... 89
5.1 Creating extended access lists and using access list numbers ... 90
5.2 Verifying extended access lists ... 90
5.3 Applying access lists to an interface ... 90
5.4 Verifying that access lists are applied correctly ... 91

Chapter 5: Configuring VPN on Windows Server 2003

1. General introduction ... 92
2. Installing the VPN Server ... 92
3. Configuring the VPN Server ... 99
3.1. Route and Remote Access Properties ... 99
3.2. Ports Properties ... 102
3.3. Remote Access Policies ... 103
4. Creating a Windows user allowed to use VPN ... 104
5. VPN Client on Windows XP ... 106
6. Managing connections on the VPN Server ... 113
Conclusion ... 115
References ... 116
ABBREVIATIONS ... 117

Lê Anh Hùng K49DB


Introduction
In the past, remote access to information on computers was done over a dial-up connection. Dial-up RAS connections ran over ordinary POTS (Plain Old Telephone Service) telephone lines at a maximum speed of about 56 kbps. Speed was a major problem for dial-up RAS connections, but a bigger problem was the cost of the long-distance connections needed for access. Today, with its explosive growth, the Internet keeps expanding and is hard to control, and with that comes insecurity in exchanging information over the network: data exchanged over the network can be leaked or stolen, which makes organizations such as enterprises, banks, companies and business people worry about the safety and confidentiality of the data in their local networks (LANs) when exchanging information over the public Internet. VPN (Virtual Private Network) is the solution put forward to give organizations, enterprises and business people a safe way to exchange information from their local networks across the Internet securely and confidentially. Moreover, it helps enterprises cut the cost of remote and wide-area links (nationwide or worldwide). As a technology student, I partly understand the concerns and worries of organizations and individuals about losing security when exchanging information. With the guidance and help of my teachers and friends, I chose the topic of virtual private networks (VPN) to study the technological solutions for building a virtual private network: studying the access models and authentication methods, and applying them by deploying and installing them on network systems.


Chapter 1: OVERVIEW OF VPN

1. Overview


In today's era, the Internet is developing strongly and has become a model for industry, meeting the needs of its users. The Internet was designed to connect many different networks and to let information reach the user freely and quickly regardless of the machine and network the user is on. To do this, a special computer called a router is used to connect LANs and WANs together. Computers connect to the Internet through a service provider (ISP, Internet Service Provider) and need a common protocol, TCP/IP. What engineering still has to solve is the communication capacity of the public telecommunication networks. With the Internet, services such as distance education, online shopping, medical consultation and many others have become reality. However, because the Internet is global in scope and no single organization or government manages it, securing and protecting data, as well as managing services, is very difficult. From this, a new network model was proposed to satisfy those requirements while still reusing the existing infrastructure of the Internet: the virtual private network (Virtual Private Network, VPN) model. With this new model, no large additional investment in infrastructure is needed, features such as security and reliability are still assured, and the operation of this network can be managed privately. A VPN lets users working at home, on the road or in branch offices connect securely to their organization's servers over the infrastructure provided by the public network. It can keep information secure between agents, suppliers and business partners across a vast communication environment. In many respects a VPN is like a WAN (Wide Area Network), but the decisive characteristic of VPNs is that they can use a public network such as the Internet while still ensuring privacy and saving far more money.

1.1 Definition of VPN

A VPN can be understood simply as the extension of a private network across public networks. Fundamentally, each VPN is a separate network that uses a shared network (usually the Internet) to connect to its sites (the individual private networks) or to many remote users. Instead of real dedicated connections such as leased lines, each VPN uses virtual connections routed over the Internet from the company's private network to its sites or remote employees. To send and receive data over the public network while still guaranteeing safety and confidentiality, a VPN provides mechanisms to encrypt data in transit, creating a secure pipe between receiver and sender (a tunnel), like a point-to-point connection on a private network. To create that secure pipe, the data must be encrypted or hidden; only the packet header, carrying the routing information, is exposed, so that the packet can reach its destination across the public network quickly. The data is carefully encrypted, so if packets are captured on the public path their content still cannot be read, because the key to decrypt them is missing. The link carrying encrypted and encapsulated data is called a VPN connection. VPN connections are usually called VPN tunnels.

Figure 1: VPN network model

1.2 Benefits of VPN

A VPN offers more features than traditional networks and leased-line networks. The main benefits include:
- Lower cost than private networks: a VPN can cut transmission costs by 20-40% compared with leased-line networks and cut remote access costs by 60-80%.
- Flexibility for doing business over the Internet: a VPN is inherently more flexible and can scale its network architecture more readily than classic networks, so it can connect remote offices, international sites, travelling staff, mobile phone users and people doing business outside the company quickly and cost-effectively, as business requirements demand.
- Simplified burdens: dynamic network structures reduce the management burden; using an Internet backbone protocol eliminates the static PVCs that go with connection-oriented protocols such as Frame Relay and ATM.
- Increased security: important data is hidden from those without access rights, while access is allowed for authorized users.
- Support for the most common network protocols in use today, such as TCP/IP.
- IP address confidentiality: because information sent over the VPN is encrypted, the addresses inside the private network are hidden and only the external Internet addresses are used.

1.3 Functions of VPN

A VPN provides four main functions:
- Confidentiality: the sender can encrypt data packets before transmitting them across the network. In this way, nobody can access the information without permission, and even if the information is obtained it cannot be read, because it is encrypted.
- Data Integrity: the receiver can check that the data was transmitted across the Internet without any modification.
- Origin Authentication: the receiver can authenticate the origin of the data packet, ensuring and acknowledging the source of the information.
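As an added illustration of the three functions above (this is example code, not code from the thesis), the following Go program builds a simplified tunnel-mode, ESP-like packet of the kind described in sections 2.2 and 2.5: the inner IP packet is encrypted with AES-GCM under the key of a Security Association identified by an SPI, the SPI and sequence number are authenticated alongside it, and the receiver enforces an anti-replay window. The packet layout, the 64-packet window and the key and addresses used in the test are constructed for this example; real ESP (RFC 4303, RFC 4106) differs in header and IV details.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const windowSize = 64 // width of the receiver's anti-replay window (RFC 4303 style)

// SA is a minimal Security Association: the SPI that names it, the AES-GCM key agreed
// for it, the sender's sequence counter and the receiver's anti-replay state. A real SA
// is negotiated by IKE; this one is constructed for the example.
type SA struct {
	SPI    uint32
	aead   cipher.AEAD
	seq    uint32 // sender: last sequence number sent
	top    uint32 // receiver: highest sequence number accepted so far
	window uint64 // receiver: bit i set means seq (top - i) was accepted
}

// NewSA builds an SA for the given SPI and a 16-byte AES key.
func NewSA(spi uint32, key []byte) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SA{SPI: spi, aead: aead}, nil
}

// Encapsulate builds a simplified tunnel-mode packet (a constructed layout, not the exact
// RFC 4303 header): outer src(4) | outer dst(4) | SPI(4) | seq(4) | nonce(12) | AES-GCM(inner) |
// tag(16). The inner packet, private addresses included, is encrypted (confidentiality); the
// tag covers it together with SPI and seq under the SA key (integrity, origin authentication).
func (sa *SA) Encapsulate(outerSrc, outerDst [4]byte, inner []byte) ([]byte, error) {
	sa.seq++ // a real implementation rekeys the SA before this counter can wrap
	hdr := make([]byte, 16)
	copy(hdr[0:4], outerSrc[:])
	copy(hdr[4:8], outerDst[:])
	binary.BigEndian.PutUint32(hdr[8:12], sa.SPI)
	binary.BigEndian.PutUint32(hdr[12:16], sa.seq)
	nonce := make([]byte, sa.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pkt := make([]byte, 0, len(hdr)+len(nonce)+len(inner)+sa.aead.Overhead())
	pkt = append(append(pkt, hdr...), nonce...)
	return sa.aead.Seal(pkt, nonce, inner, hdr[8:16]), nil // SPI||seq is the associated data
}

// Decapsulate checks the SPI, the anti-replay window and the GCM tag, then returns the inner
// packet. The window is updated only after the tag verifies, so a forged packet cannot poison it.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	ns := sa.aead.NonceSize()
	if len(pkt) < 16+ns+sa.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	spi := binary.BigEndian.Uint32(pkt[8:12])
	seq := binary.BigEndian.Uint32(pkt[12:16])
	if spi != sa.SPI {
		return nil, fmt.Errorf("no SA for SPI %#x", spi)
	}
	if !sa.replayOK(seq) {
		return nil, fmt.Errorf("seq %d rejected by anti-replay window", seq)
	}
	inner, err := sa.aead.Open(nil, pkt[16:16+ns], pkt[16+ns:], pkt[8:16])
	if err != nil {
		return nil, errors.New("integrity check failed: packet dropped")
	}
	sa.markSeen(seq)
	return inner, nil
}

// replayOK reports whether seq is new and not older than the window allows.
func (sa *SA) replayOK(seq uint32) bool {
	if seq > sa.top {
		return true
	}
	diff := sa.top - seq
	return seq != 0 && diff < windowSize && sa.window&(1<<diff) == 0
}

// markSeen records seq, sliding the window when seq becomes the new top.
func (sa *SA) markSeen(seq uint32) {
	if seq <= sa.top {
		sa.window |= 1 << (sa.top - seq)
		return
	}
	if shift := seq - sa.top; shift >= windowSize {
		sa.window = 0
	} else {
		sa.window <<= shift
	}
	sa.window, sa.top = sa.window|1, seq
}
```

An observer on the public network sees only the outer addresses, SPI and sequence number; a replayed, reordered-but-stale, tampered, or wrong-SPI packet is dropped before any plaintext is released.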

2 Definition of tunneling and encryption

The main function of a virtual private network (VPN) is to provide information security by encrypting and authenticating through a tunnel.

2.1 Definition of a tunnel:

A tunnel provides logical point-to-point connections that carry encrypted data packets through a dedicated tunnel across the IP network. This increases information security: after encryption the data travels inside a tunnel set up between sender and receiver, so theft and eavesdropping are avoided. The tunnel is what makes a VPN virtual. The tunneling protocols used in VPNs are:
- L2TP (Layer 2 Tunneling Protocol): layer 2 tunneling protocol
- PPTP (Point-to-Point Tunneling Protocol)
- L2F (Layer 2 Forwarding)
Intranet VPNs and extranet VPNs can use the following technologies:
- IPSec (IP Security)
- GRE (Generic Routing Encapsulation)

2.2 Structure of an IP packet in the tunnel:

Figure 2: Structure of an IP packet in the tunnel (tunnel-mode packet: IP header | AH | ESP header | data, where the data is the original packet)

2.3 Encryption and decryption (Encryption/Decryption):

Encryption transforms the original readable content (clear text or plain text) into a meaningless, unreadable ciphertext form, so that it cannot be read or used by unauthorized users. Decryption is the reverse process: the encrypted text is transformed back into a form readable by authorized users.

2.4 Some terms used in VPN:

Cryptosystem: a system that performs encryption or decryption, user authentication, hashing, and key exchange processes. A cryptosystem may use one or more different methods depending on the requirements for a few specific kinds of user traffic.

Hashing: a data integrity technique that uses a formula or algorithm to transform a variable-length message and a common cryptographic key into a single fixed-length string of digits. The message or key and the hash travel across the network from source to destination. At the receiver, recomputing the hash is used to check that the message and key were not altered while in transit across the network.

Authentication: the process of identifying a user or process accessing a computer system or network connection. Authentication makes certain that an individual or process is exactly who or what it claims to be.

Authorization: the act of checking whether an entity is permitted to exercise certain specific rights.

Key management: a key is a piece of information, usually a random or random-looking sequence of binary digits, used initially to set up and then periodically change the operation of a cryptographic system. Key management is the supervision and control of the process by which keys are generated, stored, protected, transformed, loaded, used and destroyed.

CA certification service (Certificate of Authority): a trusted service that helps secure communication between network entities or users by creating and assigning digital certificates, such as public key certificates, for encryption purposes. A CA guarantees the binding between the security components in a certificate.

2.5 Algorithms used in information encryption:

DES (Data Encryption Security)

3DES (Triple Data Encryption Security)

SHA (Secure Hash Algorithm)

AH (Authentication Header): a security protocol that provides data authentication, data integrity and anti-replay services (a service that guarantees the uniqueness of each packet). AH is embedded into the data it protects.

ESP (Encapsulating Security Payload): a security protocol that provides data confidentiality, data integrity, data origin authentication and anti-replay services. ESP encapsulates the data it protects.

Oakley and Skeme each define a method for establishing an authenticated key exchange, which includes the payload structure, the information the payloads carry, the order in which the keys are processed and how the keys are used.

ISAKMP (Internet Security Association and Key Management Protocol): a protocol framework that defines the payload formats, the mechanics of implementing a key exchange protocol and the negotiation of an SA (Security Association).

IKE (Internet Key Exchange): a hybrid protocol that implements the Oakley key exchange and the Skeme key exchange inside the ISAKMP framework.

SA (Security Association): a set of policies and keys used to protect information. The ISAKMP SA is the common policies and keys used by the negotiating peers in this protocol to protect their information.

AAA (Authentication, Authorization and Accounting): network security services that provide the primary framework through which access control is set up on routers or access servers. The two main choices for AAA are TACACS+ and RADIUS.

TACACS+ (Terminal Access Controller Access Control System Plus): a security application that provides centralized authentication of users attempting to gain access to a router or network access server.

RADIUS (Remote Authentication Dial-In User Service): a distributed client/server system that secures networks against unauthorized access.

3 Types of VPN connections

3.1 Remote Access VPNs

Remote Access VPNs allow remote, mobile and branch-office employees, using their communication devices, to connect to the organization's network resources at any time. A Remote Access VPN describes remote users using VPN software to access the company's intranet through a gateway or VPN concentrator (essentially a server). For this reason, the solution is often called client/server. In this solution, users typically use traditional WAN technologies to build tunnels back to their head office (HO) network. A fairly new development in remote access VPNs is the wireless VPN, in which an employee can reach their network over a wireless connection. In this design, the wireless connections must first reach a wireless terminal and then the company network. In both cases, the client software on the PC initiates the secure connections, also called tunnels. An important part of this design is the design of the initial authentication process, which ensures that the request originates from a trusted source. Usually this initial phase is based on the company's common security policy. This policy includes: procedures, techniques and servers (such as Remote Authentication Dial-In User Service [RADIUS] and Terminal Access Controller Access Control System Plus [TACACS+]).


3.1.1 Some main components


- Remote Access Server (RAS): located at the central site, it is responsible for verifying and authenticating incoming requests.
- Dial-up connection to the central site: this reduces the cost of requests from sites quite far from the center.
- Support staff: the people responsible for configuring, maintaining and managing the RAS, and for supporting remote access by users.

Figure 3: Setting up non-VPN remote access

By deploying Remote Access VPNs, remote users or branch offices only need to set up a local connection to the ISP or the ISP's POP and then connect to the resources through the Internet. The remote access setup is described by the following figure:


Figure 4: Setting up VPN remote access

3.1.2 Main advantages of Remote Access VPNs:
- The need for a RAS and its associated modems is eliminated.
- The need to support individual users is eliminated, because the remote connection is facilitated by the ISP.
- Long-distance dialing is eliminated; instead, long-distance connections are replaced by local connections.
- The cost of long-distance connections is reduced.
- Because the connection is local, connection speed is higher than with direct long-distance connections.
- VPNs provide better access to the central site, because they support the access service at a minimum level even when the number of simultaneous connections to the network grows rapidly.

3.1.3 Besides the advantages above, VPNs also have some disadvantages, such as:
- Remote Access VPNs cannot guarantee quality of service.
- The probability of data loss is very high; moreover, fragments of a data packet may travel outside the tunnel and be lost.
- Because of the complexity of the encryption algorithms, protocol overhead increases significantly, which makes the authentication process harder. In addition, compression of IP and PPP-based data is extremely slow and poor.
- Because data must be transmitted over the Internet, exchanging large data such as media packets, video and audio is very slow.

3.2 Site To Site VPN

Site to site: applied to connect the network at one location to the network at another location through a VPN. In this setting, the initial authentication between the network devices is delegated to the user, at the point where a VPN connection is established between them. These devices then act as gateways and ensure that the traffic intended for the other site is forwarded. VPN-capable routers and firewalls, as well as dedicated VPN concentrators, all provide this function.

Figure 5: Site to site VPN

A Site to Site VPN can be viewed as an Intranet VPN or an Extranet VPN. If we consider them from the authentication viewpoint they can be viewed as an intranet VPN; otherwise they are viewed as an extranet VPN. The strictness of access between sites can be controlled by both (Intranet and Extranet VPN) according to their respective sites. The Site To Site VPN solution is not a remote access VPN, but it is included here for completeness. The distinction between remote access VPN and Site To Site VPN is purely symbolic and, beyond that, is provided for the purpose of discussion. For example, with the new hardware-based VPN devices (such as the Cisco 3002 router), to classify them we have to apply both approaches, because a hardware-based client can appear when a device is accessing the network, even though a network may have many VPN devices in operation. Another example is an extended mode of the Ez VPN solution using the 806 and 17xx routers. A Site to Site VPN connects two separate networks through a secure tunnel, which can use the PPTP, L2TP or IPSec protocols. The purpose of a Site to Site VPN is to connect two networks that have no direct link, without compromising integrity, authentication or the confidentiality of the data. You can set up a Site to Site VPN through a combination of VPN concentrators, routers and firewalls. A Site to Site VPN connection is designed to create a direct, efficient network connection regardless of the physical distance between the networks. This connection may travel through the Internet or another untrusted network. You must ensure security by encrypting all data packets travelling between those networks.

3.2.1 Intranet

Figure 6: Setting up an intranet using a WAN backbone

Intranet VPNs, also called internal VPNs, connect the networks of the headquarters, offices and remote branches over a shared network infrastructure such as the Internet into a private network of a corporation or an organization consisting of many companies and offices, where these connections are always encrypted. An Intranet VPN is used to connect the organization's branch offices to the corporate intranet (backbone router) using campus routers (Figure 7). The model above is very costly, because two routers are needed to set up the network; in addition, deploying, maintaining and managing the intranet backbone is expensive, depending on the amount of traffic carried over it and the geographical extent of the whole intranet. To solve this problem, the costly WAN backbone is replaced by low-cost Internet connections, which can remove a significant part of the cost of deploying the intranet (Figure 1-5).

Figure 7: Setting up a VPN-based intranet

The main advantages of the VPN-based intranet setup in Figure 7:
- More cost-effective, because fewer routers are used than in the WAN backbone model.
- Fewer support requests from individual users worldwide and from stations at various remote sites.
- Because the Internet acts as the intermediate connection, new peer connections are easy to provide.
- Faster and better connectivity, because the connection is essentially to the service provider, which removes the long-distance problem and further helps the organization reduce the cost of implementing the intranet.

The main disadvantages associated with this solution:
- Because the data is still tunneled while sharing the public Internet, attack risks such as denial-of-service attacks remain a threat to information security.
- The probability of data loss while information is in transit is also very high.
- In some cases, especially when the data is high-end, such as multimedia files, data exchange is very slow because it is transmitted over the Internet.
- Because the connection is Internet-based, performance is not continuous or consistent, and QoS is not guaranteed.

3.2.2 Extranet VPNs

Figure 8: Extranet VPN


An extranet is an extension of the intranets that links customers, suppliers, partners and the employees working within those intranets over a shared infrastructure, sharing connections. Unlike intranet and remote-access-based VPNs, an extranet is not securely isolated from the outside world: it allows access to the necessary network resources by business partners such as customers, suppliers and partners who hold important positions in the organization.

Figure 9: Setting up a traditional extranet

As the figure above shows, the extranet is very costly because many separate network segments on the intranet are combined to create an extranet. This makes it hard to deploy and manage, because there are many networks, and also hard for the individual doing maintenance and administration. Moreover, an extranet is easy to extend, which can entangle the entire intranet and may affect connections outside the network. There will be problems you run into unexpectedly when connecting an intranet to an extranet. Deploying and designing an extranet can be a nightmare for network designers and administrators.


Figure 10: Setting up an extranet

Some advantages of the extranet:
- Because it operates over the Internet, you can choose the vendor when selecting and proposing a solution according to the organization's needs.
- Because part of the Internet connectivity is maintained by the ISP, maintenance costs are also reduced when hiring maintenance staff.
- Easy to deploy, manage and update information.

Some disadvantages:
- Security threats, such as denial-of-service attacks, still exist.
- The risk of intrusion into the organization over the extranet increases.
- Because it is Internet-based, exchanging high-end data is slow.
- Because it is Internet-based, QoS is not consistently guaranteed.

4. VPN and security issues on the Internet

As we know, the explosive growth and expansion of the global Internet keeps increasing; every month about 10,000 new networks connect to the Internet, bringing with them the problem of how to exchange data safely over a public network like the Internet. Every year, the leakage and theft of data causes enormous economic damage worldwide. Criminal hackers constantly look for ways to eavesdrop on and steal sensitive data such as credit cards, user accounts and sensitive economic information of organizations and individuals. So how does the virtual private network (VPN) solution address the safety and confidentiality of information on the Internet? The answer that lets organizations, enterprises and individuals feel at ease when exchanging data over the Internet is to use VPN technology. In essence, the main technique used in a VPN is to create a tunnel that encrypts and authenticates the data between the two ends of the connection. The data is encrypted and authenticated before it travels through a dedicated tunnel, thereby avoiding prying eyes that want to steal information.

4.1 Safety and reliability

S an ton ca h thng my tnh l mt b phn ca kh nng bo tr mt h thng ng tin cy c. Thuc tnh ny ca mt h thng c vin dn nh s ng tin cy c. C 4 yu t nh hng n mt h thng ng tin cy: Tnh sn sang: Kh nng sn sang phc v, p ng yu cu trong khon thi gian. Tnh sn sang thng c thc hin qua nhng h thng phn cng d phng. S tin cy: N nh ngha xc xut ca h thng thc hin cc chc nng ca n trong mt chu k thi gian. S tin cy khc vi tnh sn sang , n c o trong c mt chu k ca thi gian. N tng ng ti tnh lin tc ca mt dch v. S an ton: N ch bo hiu mt h thng thc hin nhng chc nng ca n chnh xc hoc thc hin trong trng hp tht bi mt ng x khng thit hi no xut hin. S an ninh: Trong trng hp ny s an ninh c ngha nh mt s bo v tt c cc ti nguyn h thng Mt h thng my tnh ng tin cy mc cao nht l lun m bo an ton bt k thi gian no. N m bo khng mt s v chm no m khng cnh bo thng tin c cm gic, lu tm n d liu c cm gic c 2 kha cnh xem xt: Tnh b mt. Tnh ton vn Thut ng tnh bo mt nh c xc nh c ngha rng d liu khng thay i trong mt ng x khng hp php trong thi gian tn ti ca n. Tnh

L Anh Hng K49DB

19

Kho lun tt nghip

i hc Cng ngh

sn sang, s an ton v anh ninh l nhng thnh phn ph thuc ln nhau. S an ninh bo v h thng khi nhng mi e do v s tn cng. N m bo mt h thng an ton lun sn sang v ng tin cy. 4.2 Hnh thc an ton S an ton ca h thng my tnh ph thuc vo tt c nhng thnh phn ca n C 3 kiu khc nhau ca s an ton: S an ton phn cng S an ton thng tin S an ton qun tr An ton phn cng: Nhng mi e do v tn cng c lin quan ti phn cng ca h thng. N c th c phn ra vo 2 phm tr: S an ton vt l An ton bt ngun S an ton vt l bo v phn cng trong h thng khi nhng mi e do vt l bn ngoi nh s can thip, mt cp thng tin, ng t v nc lm ngp lt. Tt c nhng thng tin nhy cm trong nhng ti nguyn phn cng ca h thng cn s bo v chng li tt c nhng s bo v ny. An ton thng tin: Lin quan n tnh d b tn thng trong phn mm, phn cng v s kt hp ca phn cng v phn mm. N c th c chia vo s an ton v truyn thng my tnh. S an ton my tnh bao trm vic bo v ca cc i tng chng li s phi by v s d b tn thng ca h thng, bao gm cc c ch iu khin truy nhp, cc c ch iu khin bt buc chnh sch an ton, c ch phn cng, k thut m ho S an ton truyn thng bo v i tng truyn. An ton qun tr: An ton qun tr lin quan n tt c cc mi e do m con ngi li dng ti mt h thng my tnh. Nhng mi e do ny c th l hot ng nhn s. S an ton nhn s bao bao trm vic bo v ca nhng i tng chng li s tn cng t nhng ngi dng u quyn. Mi ngi dng ca h thng c nhng c quyn truy nhp nhng ti nguyn nht nh. S an ton nhn s cha ng nhng c ch bo v chng li nhng ngi dng c tnh tm kim c nhng c quyn cao hn hoc lm L Anh Hng K49DB
their privileges. Awareness training is therefore very important, since it is itself a mechanism that protects the safety of the system. Statistics show that authorized users pose a higher rate of threat to a computer system than outside attackers: only about 10% of all computer damage is carried out from outside the system, while up to 40% is caused by insiders and about 50% by former employees.

Chapter 2: PROTOCOLS IN VPN


A VPN is built from three main protocols, each of which can be used to construct a complete virtual private network:

- IPSec (IP Security)
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)

Depending on the application, each protocol has its own advantages and disadvantages when deployed in a VPN.

1 The IPSec protocol suite (IP Security Protocol)

IPSec is not really a single protocol; it is a framework of open standard protocols designed to provide authentication, data integrity and confidentiality for IP traffic. IPSec works at the network layer (layer 3 of the OSI model). Other Internet security protocols such as SSL, TLS and SSH operate at the transport layer and above (layers 4 to 7). This gives IPSec its flexibility: because it sits below the transport layer it protects TCP, UDP and almost every other protocol carried over IP without those protocols being aware of it. In this respect IPSec is more general than SSL and the other mechanisms that work at the upper layers of the OSI model: an application protected by IPSec does not have to be modified at all, whereas an application that must use SSL or another upper-layer security protocol needs substantial changes to its code.

1.1 Security architecture

IPSec is deployed using (1) cryptographic protocols that protect packets in transit, (2) authentication methods and (3) a procedure for establishing the cryptographic parameters. It builds the notion of security directly on top of IP. The basic unit is the security association (SA): a combination of algorithms and parameters (for example keys) that provides encryption and authentication in one direction. Two-way communication therefore needs two security associations, one per direction, and the security protocols of both directions work together for the session. The actual choice of encryption and authentication algorithms is left to the IPSec administrator, because IPSec consists of a group of security protocols that supply encryption and authentication for each IP packet. When deciding what protection an outgoing packet must receive, IPSec uses the Security
Parameter Index (SPI), an index (much like a telephone directory) into the Security Association Database (SADB), together with the destination address in the packet header; together these uniquely identify the security association for each packet. A similar procedure applies to incoming packets, where IPSec decrypts and verifies them with the keys found in the SADB. For multicast packets, one security association is provided for the whole group and applied to all receivers in the group. There may be more than one security association for a group, distinguished by different SPIs, which allows several security levels within a group. Each sender can hold several security associations for authentication, while a receiver only knows the keys sent to it. Note that the standards do not describe how security associations are chosen and replicated from the group to individual members.

1.1.1 Current status

IPSec is a mandatory part of IPv6 and optional for IPv4. Although the standards were designed identically for both IP versions, IPSec is most commonly applied and deployed on IPv4 today. The IPSec protocols were first defined in RFCs 1825 to 1829, published in 1995. In 1998 they were updated as RFC 2401 to 2412, which are not compatible with RFC 1825 to 1829. In December 2005 the third generation of the IPSec standards, RFC 4301 to 4309, was published. It does not differ greatly from RFC 2401 to 2412, but the new generation provides the second version of the key exchange, IKEv2 (RFC 4306). In this generation the abbreviation was also changed from IPSec to IPsec. (For IPv6 the requirement was later relaxed: RFC 6434 made IPsec support in IPv6 nodes a recommendation rather than a requirement.)

2 IPSec modes of operation

2.1 Transport mode

This mode supports communication between two hosts, or between a server and another machine, without the intervention of a security gateway. In transport mode only the payload of the IP packet is encrypted and/or authenticated; the IP header is neither modified nor encrypted while the packet is routed. When the Authentication Header (AH) is used, however, the IP header itself is covered by the integrity check, so the addresses cannot be rewritten in transit. That is exactly what a NAT device does (it rewrites addresses and, for port translation, port numbers), so AH cannot pass through a NAT; ESP in transport mode is affected as well, because the TCP or UDP checksum inside the encrypted payload covers the original addresses and the NAT cannot update it. Transport mode is used for host-to-host communication.

This is why UDP encapsulation of IPSec packets for NAT traversal was defined in the NAT-T RFCs (RFC 3947 for the IKE negotiation and RFC 3948 for UDP encapsulation of ESP).

2.2 Tunnel mode

This mode supports remote access and secure site-to-site links. By comparison, transport mode applies AH and ESP only to the transport-layer portion of the IP packet: the IP payload is the only part of the packet that is protected, while the IP header with the sender and receiver addresses is not hidden (AH covers it with its integrity check but does not encrypt it). When both AH and ESP are applied, AH is applied after ESP, so that the integrity value is computed over the already-encrypted payload.

Tunnel mode, on the other hand, encrypts and authenticates the entire IP packet. Security gateways use this mode to provide security services on behalf of other entities in the network. The real communication endpoints are protected inside the inner IP packet, while the encryption endpoints appear in the outer IP header of the transmitted packet. A security gateway decapsulates the arriving packet for the final receiver after IPSec has finished processing it. In tunnel mode the destination address of the inner packet is therefore protected, and an additional outer IP header is added, which transport mode does not do. IPSec defines tunnel mode for both AH and ESP. When host 1 wants to communicate with host 2, it can use tunnel mode so that the security gateways provide the security services for the link between the two nodes across the public network. IPSec allows protection to be nested at several layers and along several routes: the header of the inner packet is completely wrapped by the header of the transmitted packet. The condition is that the tunnels must be properly nested and must not overlap.

For outbound traffic, the IP layer consults the SPD (Security Policy Database) to decide which security services to apply. The selectors extracted from the packet headers identify the matching SPD entry, which specifies the action to take. If the action is to apply protection, a pointer to the SA in the SADB (Security Association Database) is returned. If no such SA exists in the SADB, IKE is triggered to negotiate one. The AH and ESP headers are then added as the SA specifies, and the packet is sent.

For inbound traffic, once a packet has been received, the layer responsible for security checks the policy list and takes one of the following actions: discard, bypass or apply. If the action is to apply protection but no SA exists, the packet is dropped. If the SA is present in the SADB, the packet is passed on to the next layer for processing. If the packet carries IPSec headers, the IPSec stack takes it over and processes it. During processing IPSec extracts the SPI, the source address and the destination address of the packet; the SADB is indexed by these parameters and the SA to use is selected by SPI, destination address and protocol (AH or ESP).
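The outbound and inbound paths just described, as an added worked example (this code is not part of the thesis and not from any IPsec implementation): an SPD consulted in order, a SADB indexed by (SPI, destination address, protocol), and ESP encapsulation in transport mode (original IP header kept) and tunnel mode (a new outer header between the two gateways). The ESP format is simplified: the packet is protected by an HMAC only, with no cipher, IV or padding, and the Next Header value sits in front of the payload instead of in the ESP trailer. All addresses, SPIs and the key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

BYPASS, DISCARD, PROTECT = "BYPASS", "DISCARD", "PROTECT"
ESP_PROTO = 50      # IANA protocol number of ESP
IPIP_PROTO = 4      # Next Header value of an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12        # 96-bit truncated integrity check value, as in HMAC-SHA-256-96

@dataclass
class SPDEntry:
    """Selectors -> action; a simplified RFC 4301 SPD entry (constructed for this example)."""
    dst_net: str
    proto: Optional[int]         # None = any upper-layer protocol
    action: str
    mode: str = "tunnel"         # "transport" or "tunnel"
    peer: Optional[str] = None   # tunnel endpoint (outer destination) in tunnel mode

@dataclass
class SA:
    """One unidirectional SA; the SADB indexes it by (SPI, destination address, protocol)."""
    spi: int
    dst: str
    mode: str
    key: bytes
    seq: int = 0

def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

class IPsecNode:
    def __init__(self, local_addr: str, spd: list, sadb: dict):
        self.local, self.spd, self.sadb = local_addr, spd, sadb

    def lookup_policy(self, dst: str, proto: int) -> SPDEntry:
        for entry in self.spd:                       # ordered list, first match wins
            if (ipaddress.ip_address(dst) in ipaddress.ip_network(entry.dst_net)
                    and entry.proto in (None, proto)):
                return entry
        return SPDEntry("0.0.0.0/0", None, DISCARD)  # no matching policy: discard

    def outbound(self, src: str, dst: str, proto: int, payload: bytes):
        policy = self.lookup_policy(dst, proto)
        if policy.action == DISCARD:
            return None
        if policy.action == BYPASS:
            return {"src": src, "dst": dst, "proto": proto, "payload": payload}
        sa_dst = policy.peer if policy.mode == "tunnel" else dst
        sa = next((s for s in self.sadb.values() if s.mode == policy.mode and s.dst == sa_dst), None)
        if sa is None:
            raise LookupError("no SA towards %s: IKE negotiation would be triggered" % sa_dst)
        sa.seq += 1                                  # ESP sequence number, used for anti-replay
        if policy.mode == "transport":               # [IP][ESP][TCP/UDP ...]: original header kept
            next_hdr, inner = proto, payload
            outer_src, outer_dst = src, dst
        else:                                        # [outer IP][ESP][inner IP][...]: whole packet wrapped
            inner_hdr = struct.pack("!4s4sB", ipaddress.ip_address(src).packed,
                                    ipaddress.ip_address(dst).packed, proto)
            next_hdr, inner = IPIP_PROTO, inner_hdr + payload
            outer_src, outer_dst = self.local, policy.peer
        body = struct.pack("!IIB", sa.spi, sa.seq, next_hdr) + inner
        return {"src": outer_src, "dst": outer_dst, "proto": ESP_PROTO,
                "payload": body + _icv(sa.key, body)}

    def inbound(self, pkt: dict):
        if pkt["proto"] != ESP_PROTO:                # unprotected packet: bypass or discard per SPD
            return pkt if self.lookup_policy(pkt["dst"], pkt["proto"]).action == BYPASS else None
        data = pkt["payload"]
        spi, _seq, next_hdr = struct.unpack("!IIB", data[:9])
        sa = self.sadb.get((spi, pkt["dst"], ESP_PROTO))   # SADB lookup: SPI, destination, protocol
        if sa is None:
            return None                              # no SA: drop
        body, icv = data[:-ICV_LEN], data[-ICV_LEN:]
        if not hmac.compare_digest(icv, _icv(sa.key, body)):
            return None                              # integrity check failed: drop
        inner = body[9:]
        if next_hdr != IPIP_PROTO:                   # transport mode: the outer header is the real one
            return {"src": pkt["src"], "dst": pkt["dst"], "proto": next_hdr, "payload": inner}
        s, d, p = struct.unpack("!4s4sB", inner[:9]) # tunnel mode: recover the inner packet
        return {"src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)),
                "proto": p, "payload": inner[9:]}

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key shared by both gateways

def demo_gateways():
    """Two security gateways (constructed addresses): GW-A fronts 10.1.0.0/16, GW-B fronts 10.2.0.0/16."""
    gw_a = IPsecNode("203.0.113.1",
                     [SPDEntry("10.1.0.0/16", None, BYPASS),
                      SPDEntry("10.2.0.0/16", None, PROTECT, "tunnel", peer="198.51.100.1")],
                     {(0x1001, "198.51.100.1", ESP_PROTO): SA(0x1001, "198.51.100.1", "tunnel", KEY)})
    gw_b = IPsecNode("198.51.100.1",
                     [SPDEntry("10.2.0.0/16", None, BYPASS)],
                     {(0x1001, "198.51.100.1", ESP_PROTO): SA(0x1001, "198.51.100.1", "tunnel", KEY)})
    return gw_a, gw_b
```

A packet from 10.1.0.5 to 10.2.0.9 leaves GW-A as an ESP packet from 203.0.113.1 to 198.51.100.1 (the inner addresses are hidden), and GW-B recovers the original packet after a successful SADB lookup and integrity check; a packet to a destination with no SPD entry is discarded, and a packet whose ICV was altered in transit is dropped. Two hosts using the same classes with a transport-mode policy keep their own addresses in the outer header.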

Figure 11

+ IPSec makes it possible to set up private communications and to guarantee confidentiality across the Internet without any knowledge of the applications running on the machine or of the higher-layer protocols such as the transport layer.

Figure 12

+ IPSec is a protocol suite that can authenticate data on both the sender's and the receiver's side, guaranteeing confidentiality and integrity through encryption and authentication. IPSec is compatible with every application running over an IP network.
+ IPSec works efficiently and faster than security mechanisms that operate at the application layer.

Figure 13

+ IPSec can be regarded as a layer beneath TCP/IP that controls user access on the basis of a security policy defined per machine and per organization, negotiating the protection between sender and receiver.

Encapsulating Security Payload (ESP) is IP protocol number 50, assigned by IANA. ESP is a security protocol that provides confidentiality and authentication for packets that unauthorized users might eavesdrop on. ESP encrypts the payload of the packet; its authentication covers the ESP header, the encrypted payload and the ESP trailer, but not the outer IP header, so in tunnel mode the whole inner IP packet is covered. The authentication provides data origin authentication and integrity of the packet. ESP supports symmetric ciphers such as Blowfish and DES. The default cipher in the original IPSec specifications was 56-bit DES. Cisco's VPN products and devices offered stronger encryption with 3DES (Triple Data Encryption Standard), which uses three 56-bit keys (168 key bits in total, with an effective strength of about 112 bits). Both DES and 3DES are obsolete today; current IPsec deployments use AES.

+ ESP can be used on its own or combined with the Authentication Header (AH) protocol, depending on the environment. Both ESP and AH provide integrity and authentication of packets.
+ ESP can also protect the uniqueness of each packet: the ESP header carries a sequence number, and a receiver with anti-replay protection enabled rejects any packet whose sequence number it has already seen or that falls behind its replay window.

Authentication Header (AH). IPSec also has a dedicated header, the Authentication Header, designed to provide the authentication services for IP data (integrity and data origin authentication, but no confidentiality).
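The anti-replay service of ESP (and of AH) that the ESP paragraph above describes, as an added example that is not part of the thesis: the receiver keeps the highest sequence number accepted and a bitmap of the most recent numbers (the sliding window of RFC 4303 section 3.4.3 and Appendix A). The window size and the sequence of arrivals are constructed for the example, and 32-bit sequence numbers are assumed (no extended sequence numbers). In a real implementation the window check runs before the integrity check and the window is only updated once the ICV has verified.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check for ESP/AH (RFC 4303 section 3.4.3 and Appendix A)."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.last = 0        # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0      # bit i set: sequence number (last - i) has been received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay or too old."""
        if seq == 0:
            return False                         # the first valid sequence number is 1
        if seq > self.last:                      # new highest number: slide the window right
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                         # left of the window: too old, drop
        if self.bitmap & (1 << diff):
            return False                         # inside the window but already seen: replay
        self.bitmap |= 1 << diff                 # late but legitimate (reordered) packet
        return True

def replay_trace(arrivals):
    """Feed a constructed arrival order of sequence numbers through one 64-packet window."""
    window = AntiReplayWindow(64)
    return [window.check_and_update(s) for s in arrivals]
```

In the trace below packets 1 to 5 are accepted, a second copy of 3 is rejected, packet 100 slides the window, packet 30 is now too old, packet 99 arrives late but is accepted once and rejected when repeated, and packet 37 is the oldest number still inside the window while 36 is not.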

With IPv4:

Figure 14.1

With IPv6:

Figure 14.2

Internet Key Exchange (IKE). AH and ESP require shared secrets, and distributing those secrets by hand means that the keys can be compromised while they are being exchanged. A secure key exchange mechanism for IPSec must therefore satisfy the following requirements:

- independence from any particular algorithm;
- independence from any particular key exchange protocol;
- authentication of the entities that manage the keys;
- establishment of SAs over untrusted paths;
- efficient use of resources.

IKE is based on the framework of the Internet Security Association and Key Management Protocol (ISAKMP) and on the Oakley key determination protocol.

IKE has the following characteristics:
+ key generation and identity verification procedures;
+ automatic key refresh;
+ handling of key compromise;
+ each security protocol (AH, ESP) has its own security parameter index space;
+ built-in protection;
+ resistance to resource-exhaustion attacks such as denial of service (DoS);
+ a two-phase approach: SAs for the key exchange are established first, then SAs for the data transfer;
+ use of digital signatures;
+ shared keys.

IKE is designed to provide five capabilities:
- a means for two parties to agree on the protocols, algorithms and keys to use;
- assurance that the key exchange takes place with the right party;
- management of the keys once they have been accepted;
- assurance that the key exchange is controlled and secure;
- mutual authentication of the peers.

To establish an IKE security association, starting from a site, a branch or the gateway into a corporate intranet, four items must be specified:
- a data encryption algorithm;
- a hash algorithm to reduce the data;
- a method of authenticating the peer;
- the Diffie-Hellman group to use for the exchange.

Before IPSec sends authenticated or encrypted IP data, the sender and the receiver must agree on the encryption algorithm and on the key or keys to use. IPSec uses IKE to negotiate these protocols, encryption keys and algorithms. IKE provides primary authentication: verifying the identity of the remote system before negotiating keys and algorithms with it. IKE is a hybrid of three protocols: ISAKMP (Internet Security Association and Key Management Protocol), Oakley and SKEME.

ISAKMP provides the framework for authentication and key exchange; Oakley describes the key exchange modes; SKEME defines the key exchange technique. ISAKMP establishes its security associations (SAs) in two stages, so IKE has two general flows:

ISAKMP phase 1 (main mode) negotiates the ISAKMP security association, a secure channel used for all further IKE communication with the remote system. The two systems generate a shared Diffie-Hellman key and verify the identity of the remote system (primary authentication).
Figure 15: Formation of the Diffie-Hellman shared key. Step 1: nodes A and B select a Diffie-Hellman group. Step 2: each node sends its public value; A combines its private value with B's public value, and B combines its private value with A's public value. Step 3: both sides obtain the same shared secret value.

ISAKMP phase 2 (quick mode) uses the secure channel of the ISAKMP SA to negotiate the IPSec security associations for AH or ESP.

Figure 16: Establishing the SAs

+ IKE primary authentication: IKE must authenticate the systems that take part in the Diffie-Hellman exchange, because an unauthenticated Diffie-Hellman exchange can be intercepted by a man in the middle; this step is called primary authentication. The two primary authentication methods in common use are:
- digital signatures;
- pre-shared keys.
(IKEv1, RFC 2409, also defines two authentication modes based on public key encryption, which are rarely used.)

Digital signatures and public key encryption are both based on asymmetric cryptography and require a mechanism for distributing the public keys.

IKE digital signature authentication: a digital signature resembles a keyed hash value computed with a symmetric key. The difference is that only the holder of the private key can produce the digital signature, whereas anyone who holds the symmetric key can produce the keyed hash value.

IKE pre-shared key authentication: with pre-shared key authentication the sender and the receiver must exchange a symmetric shared key out of band and configure it on both sides. The pre-shared key is used only for primary authentication; the keys that protect the data are derived from the Diffie-Hellman exchange.
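The phase 1 exchange of Figure 15 together with pre-shared key primary authentication, as an added example that is not part of the thesis or of any IKE implementation: both peers compute the Diffie-Hellman shared value in Oakley group 2 (the 1024-bit MODP group of RFC 2409, generator 2), derive SKEYID = prf(pre-shared key, Ni | Nr) as RFC 2409 section 5.4 specifies for pre-shared keys, and prove knowledge of the key with HASH_I and HASH_R. The hashes are simplified here (the SA payload that RFC 2409 includes is omitted), the prf is HMAC-SHA1, and the identities and keys are constructed. IKEv1 itself is obsolete; IKEv2 (RFC 7296) follows the same pattern but authenticates with an AUTH payload over the whole first message.

```python
import hashlib
import hmac
import os

# Oakley group 2: 1024-bit MODP prime from RFC 2409 section 6.2, generator 2
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash algorithm (HMAC-SHA1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

class IKEPeer:
    """One side of an IKEv1 main mode exchange authenticated with a pre-shared key."""

    def __init__(self, identity: bytes, psk: bytes, rng=os.urandom):
        self.identity, self.psk = identity, psk
        self.cookie = rng(8)                              # ISAKMP cookie (CKY-I / CKY-R)
        self.nonce = rng(16)                              # Ni / Nr
        self.x = int.from_bytes(rng(32), "big")           # private Diffie-Hellman value
        self.public = pow(GROUP2_G, self.x, GROUP2_P)     # g^x mod p, sent in the clear
        self.shared = None
        self.skeyid = None

    def compute_keys(self, peer_public: int, nonce_i: bytes, nonce_r: bytes):
        if not 1 < peer_public < GROUP2_P - 1:
            raise ValueError("invalid Diffie-Hellman public value")   # reject 0, 1 and p-1
        self.shared = pow(peer_public, self.x, GROUP2_P)  # g^xy mod p, identical on both sides
        # RFC 2409 section 5.4, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
        self.skeyid = prf(self.psk, nonce_i + nonce_r)

    def auth_hash(self, gx_i, gx_r, cky_i, cky_r, identity, initiator: bool) -> bytes:
        # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); HASH_R swaps the
        # pairs.  SAi_b (the initiator's SA payload) is omitted in this simplified version.
        if initiator:
            data = int_to_bytes(gx_i) + int_to_bytes(gx_r) + cky_i + cky_r + identity
        else:
            data = int_to_bytes(gx_r) + int_to_bytes(gx_i) + cky_r + cky_i + identity
        return prf(self.skeyid, data)

def main_mode(initiator: IKEPeer, responder: IKEPeer) -> bool:
    """Messages 3/4 carry KE and nonce payloads; messages 5/6 carry the identity and the
    authentication hash (encrypted under SKEYID_e in real IKE). Returns True when both
    sides accept each other's hash, i.e. both hold the same pre-shared key."""
    initiator.compute_keys(responder.public, initiator.nonce, responder.nonce)
    responder.compute_keys(initiator.public, initiator.nonce, responder.nonce)
    args = (initiator.public, responder.public, initiator.cookie, responder.cookie)
    hash_i = initiator.auth_hash(*args, initiator.identity, True)
    expected_i = responder.auth_hash(*args, initiator.identity, True)
    if not hmac.compare_digest(hash_i, expected_i):
        return False                                      # responder rejects the initiator
    hash_r = responder.auth_hash(*args, responder.identity, False)
    expected_r = initiator.auth_hash(*args, responder.identity, False)
    return hmac.compare_digest(hash_r, expected_r)
```

Two gateways configured with the same pre-shared key finish the exchange with identical shared secrets; a third party that knows the group and sees both public values but holds a different key produces a HASH_I that the responder rejects. Note that the public value check only rejects the trivial values; a full implementation also validates the group membership of the received value.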

3 The PPTP and L2TP protocols


Figure 17

3.1 Point-to-Point Tunneling Protocol (PPTP)

PPTP is one of several techniques used to set up tunnels for remote connections. PPTP is an extension of the basic PPP protocol, so PPTP does not support multipoint connections; it supports only point-to-point connections.

Figure 18

PPTP supports only IP, IPX, NetBIOS and NetBEUI. PPTP does not change PPP; it is simply a new solution, a way of creating a tunnel in which PPP traffic is transported.

Figure 19

Figure 20

3.1.1 The relationship between PPTP and PPP

PPP has become the most widely used dial-up protocol for access to the Internet and to TCP/IP networks. It works at layer 2 of the OSI model and includes encapsulation methods for different kinds of packets transmitted over serial links. PPTP relies on PPP to create the dial-up connection between the client and the network access server; PPTP relies on PPP to:
- establish and terminate the physical connection;
- authenticate the users;
- create the PPP data packets.
After PPP has established the connection, PPTP uses PPP's encapsulation rules to encapsulate the packets carried in the tunnel, as shown below:

Figure 21

To exploit the connection created by PPP, PPTP defines two kinds of packets, control packets and data packets, and assigns them to two separate channels. PPTP then separates the control channel and the data channel into a control stream over TCP (the PPTP control connection on TCP port 1723) and a data stream over IP (using GRE, IP protocol 47). The TCP connection created between the PPTP client and the PPTP server is used to exchange control messages. Once the tunnel has been set up, data is transmitted from the client to the PPTP server as encapsulated IP datagrams. The IP datagram is encapsulated with the headers shown in the following figure:

Figure 22

In the encapsulation, the Call ID of the host is used for access control and the acknowledgment number is used to monitor the transmission rate in the tunnel: PPTP has a flow-control mechanism that limits the amount of data in flight, which minimizes the amount of data that has to be retransmitted because of packet loss. PPTP lets users and ISPs create different kinds of tunnels.
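The data-channel encapsulation of Figure 22, as an added example that is not part of the thesis: the enhanced GRE header of RFC 2637 section 4.1 (protocol type 0x880B, the Key field split into payload length and Call ID, optional sequence and acknowledgment numbers), packed and parsed, plus a small per-call channel that shows the rule of RFC 2637 section 4.2 that the data channel does not retransmit but silently discards out-of-order or duplicate packets. The call IDs and PPP frames are constructed for the example.

```python
import struct

PPTP_GRE_PROTO = 0x880B   # "PPP in enhanced GRE" protocol type
GRE_VERSION = 1           # enhanced GRE

def pack_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Enhanced GRE header (RFC 2637 section 4.1) in front of a PPP frame.
    First octet: C R K S s Recur (C=R=s=Recur=0, K=1); second octet: A Flags Ver (Flags=0, Ver=1)."""
    flags1 = 0x20                        # K: Key field present (payload length + call ID)
    if seq is not None:
        flags1 |= 0x10                   # S: sequence number present
    flags2 = GRE_VERSION
    if ack is not None:
        flags2 |= 0x80                   # A: acknowledgment number present
    header = struct.pack("!BBHHH", flags1, flags2, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload

def parse_pptp_gre(data: bytes) -> dict:
    flags1, flags2, proto, length, call_id = struct.unpack("!BBHHH", data[:8])
    if proto != PPTP_GRE_PROTO or flags2 & 0x07 != GRE_VERSION or not flags1 & 0x20:
        raise ValueError("not an enhanced GRE (PPTP) packet")
    if flags1 & 0xC0 or flags1 & 0x0F or flags2 & 0x78:
        raise ValueError("reserved bit set")   # C, R, s, Recur and Flags must be zero
    offset, seq, ack = 8, None, None
    if flags1 & 0x10:
        (seq,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    if flags2 & 0x80:
        (ack,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    payload = data[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}

class PPTPDataChannel:
    """Per-call state for one direction of the data channel.  The Key field carries the
    peer's Call ID; received sequence numbers must increase, and anything else is dropped
    (RFC 2637 section 4.2: no reordering, no retransmission on the data channel)."""

    def __init__(self, local_call_id: int, peer_call_id: int):
        self.local_call_id, self.peer_call_id = local_call_id, peer_call_id
        self.next_seq = 0            # next sequence number to send
        self.last_received = None    # highest sequence number accepted, piggy-backed as ack

    def send(self, ppp_frame: bytes) -> bytes:
        packet = pack_pptp_gre(self.peer_call_id, ppp_frame, seq=self.next_seq, ack=self.last_received)
        self.next_seq += 1
        return packet

    def receive(self, packet: bytes):
        gre = parse_pptp_gre(packet)
        if gre["call_id"] != self.local_call_id:
            return None                              # not our call
        if gre["seq"] is not None:
            if self.last_received is not None and gre["seq"] <= self.last_received:
                return None                          # duplicate or out of order: discarded
            self.last_received = gre["seq"]
        return gre["payload"]
```

With sequence number 7 and acknowledgment 3 the header bytes are 30 81 88 0b 00 06 12 34 followed by the two 32-bit numbers; a packet that arrives after a later one has already been accepted is dropped rather than reordered, and the receiver's next packet carries the highest sequence number it accepted as its acknowledgment.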

Users can place the end of the tunnel at their own computer, if it has a PPTP client installed, or at the ISP's server, if their computer has only PPP and no PPTP. Tunnels are divided into two kinds:
- Voluntary tunnels are created at the user's request for a specific purpose.
- Compulsory tunnels are created without the user's involvement and are therefore transparent to the end user.

3.2 Layer 2 Forwarding Protocol (L2F)

L2F is a technique that was researched and developed in Cisco's networking systems while PPTP was being developed. It is a protocol that lets a user's computer access an organization's intranet across the public Internet infrastructure while security and control are maintained. Like PPTP, L2F allows secure virtual private network access across the public Internet by creating a tunnel between two connection points. The basic difference between the two protocols is that PPTP supports only IP, IPX, NetBIOS and NetBEUI and needs an IP network to carry the tunnel, whereas L2F tunneling does not depend on an IP network: L2F can work over other network technologies such as Frame Relay, ATM and FDDI. L2F also supports tunneling of more than one connection, a limitation of PPTP. L2F can do this because it defines connections inside the tunnel, a useful feature in situations where many users need remote access but only one connection is available to satisfy their requests.

Figure 23

Figure 24

L2F uses PPP to authenticate the client, as PPTP does; in addition, however, L2F supports authentication of remote dial-in users through RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System). L2F authentication takes place at two levels: first when the remote user connects to the ISP's point of presence (POP), and then when the connection is handed over to the gateway into the organization's intranet. L2F carries packets through a virtual tunnel between the two endpoints of a point-to-point connection, and it does so at the protocol level. L2F is a layer-2 protocol, so it can be used for protocols other than IP, such as IPX and NetBEUI. With L2F, complete security between the two VPN endpoints can be established and used; it is a flexible and reliable solution.

3.3 Layer 2 Tunneling Protocol (L2TP)

L2TP is a newer technique that provides a remote connection into a corporate or organizational intranet. L2TP is a protocol that was developed by merging the two protocols PPTP and L2F.

Figure 25


L2TP provides a technique for building a tunnel connection over the point-to-point protocol PPP. The tunnel can be, and usually is, created between the remote user and the service provider.

Figure 26

L2TP not only provides the remote user connections of a virtual private network; it can also carry multiprotocol traffic, that is, all the network-layer protocols supported by PPP. Moreover, L2TP supports any addressing scheme of any network layer over a connection across the Internet.

3.3.1 The relationship between L2TP and PPP

L2TP is the combination of the two protocols PPTP and L2F. Like PPTP, L2F is a tunneling protocol; it uses its own encapsulation header to carry layer-2 packets. The difference between PPTP and L2F is that L2F does not depend on IP and GRE, which lets it work over other physical environments. L2TP carries the characteristics of both PPTP and L2F; however, L2TP defines its own tunneling protocol, based on the operation of L2F. Like PPTP, L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS): L2TP uses PPP to create the physical connection, to perform the initial authentication, to create the PPP data packets and to close the connection at the end of the session. L2TP can create multiple tunnels between the ISP and the clients' network servers.



Figure 27: L2TP network with the ISP's remote access switch, hosts, a mobile client, a server and a LAN. Encapsulation shown in the figure: delivery medium header (IP, ATM, X.25) | IP header | GREv2 header | PPP frame | PPP payload (IP, IPX or NetBEUI datagram) | Ethernet frame.

Like PPTP, L2TP has two kinds of messages:
- control messages;
- data messages.

As with PPTP, once the tunnel has been set up, data is transmitted from the client to the L2TP server (the LNS) as encapsulated IP datagrams. The IP datagram is encapsulated with the headers shown in the following figure.

Figure 28: An L2TP packet

L2TP uses the same tunnel classes as PPTP:
- Voluntary tunnels, created at the user's request.
- Compulsory tunnels, created automatically (the user has no choice).
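The two message kinds of L2TP and the header of Figure 28, as an added example that is not part of the thesis: the L2TPv2 header of RFC 2661 section 3.1 is packed and parsed, with the rule that control messages must set the T, L and S bits (they are sequenced and acknowledged with Ns/Nr over the reliable control channel) while data messages normally carry only Tunnel ID and Session ID in front of the PPP frame. A Start-Control-Connection-Request is built from attribute-value pairs (RFC 2661 section 4.1) to show what the first control message of a tunnel looks like. The host name, IDs and PPP frame are constructed for the example; the UDP transport (port 1701) is outside the scope of the block.

```python
import struct

L2TP_VERSION = 2
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100

def pack_l2tp(tunnel_id, session_id, payload, control=False, ns=None, nr=None, priority=False):
    """Build an L2TPv2 message (RFC 2661 section 3.1).  Control messages MUST carry the T, L
    and S bits; data messages carry the PPP frame and usually only Tunnel ID and Session ID."""
    if (ns is None) != (nr is None):
        raise ValueError("Ns and Nr are present together or not at all")
    flags = L2TP_VERSION
    if control:
        if ns is None:
            raise ValueError("control messages must carry Ns and Nr")
        flags |= T_BIT | L_BIT | S_BIT
    else:
        if ns is not None:
            flags |= S_BIT
        if priority:
            flags |= P_BIT                       # P bit: preferential queueing, data messages only
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & S_BIT:
        body += struct.pack("!HH", ns, nr)
    head = struct.pack("!H", flags)
    if flags & L_BIT:
        head += struct.pack("!H", 2 + 2 + len(body) + len(payload))  # Length counts the whole message
    return head + body + payload

def parse_l2tp(data: bytes) -> dict:
    (flags,) = struct.unpack("!H", data[:2])
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & T_BIT and (flags & (L_BIT | S_BIT)) != (L_BIT | S_BIT):
        raise ValueError("control message without L or S bit")
    offset, length = 2, len(data)
    if flags & L_BIT:
        (length,) = struct.unpack("!H", data[offset:offset + 2])
        offset += 2
    tunnel_id, session_id = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
    if flags & O_BIT:                            # Offset Size and padding before the payload
        (pad,) = struct.unpack("!H", data[offset:offset + 2])
        offset += 2 + pad
    return {"control": bool(flags & T_BIT), "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "priority": bool(flags & P_BIT), "payload": data[offset:length]}

def pack_avp(attr: int, value: bytes, mandatory=True) -> bytes:
    """Attribute-Value Pair (RFC 2661 section 4.1): M bit, 10-bit length, Vendor ID 0 (IETF)."""
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value

def build_sccrq(host_name: bytes, assigned_tunnel_id: int) -> bytes:
    """Start-Control-Connection-Request, the first control message of a tunnel: sent with
    Tunnel ID 0 (none assigned yet) and Ns = Nr = 0."""
    avps = (pack_avp(0, struct.pack("!H", 1))             # Message Type = SCCRQ (1)
            + pack_avp(2, b"\x01\x00")                    # Protocol Version 1.0
            + pack_avp(3, struct.pack("!I", 0x3))         # Framing Capabilities: async and sync
            + pack_avp(7, host_name)                      # Host Name
            + pack_avp(9, struct.pack("!H", assigned_tunnel_id)))  # Assigned Tunnel ID
    return pack_l2tp(0, 0, avps, control=True, ns=0, nr=0)
```

The SCCRQ starts with the flag word 0xC802 (T, L, S and version 2), its Length field equals the size of the whole message, and its first AVP is the mandatory Message Type AVP 80 08 00 00 00 00 00 01; a data message for an established session is only six bytes of header in front of the PPP frame, and a message that claims to be a control message without the L and S bits is rejected.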

3.4 Overview of the Layer 2 Tunneling Protocol (L2TP Overview)

L2TP can support remote LAN access using any network-layer protocol supported by PPP over tunnel sessions, and it is managed directly by terminating the PPP connection at the access gateway into the intranet of an organization or corporation.

Figure 29

Several elements take part in setting up an L2TP tunnel:

L2TP Access Concentrator (LAC): the access concentrator is located at the ISP's point of presence (POP) and provides the physical connections for remote users. The physical medium is terminated at the LAC, which can be connected to the public switched telephone network (PSTN) or to ISDN. Through the LAC, an L2TP tunnel can be set up via the LAC router to the end point where the tunnel terminates.

L2TP Network Server (LNS): the LNS accepts the sessions of remote users; a single connection on the LNS terminates the channels arriving from remote users over different media such as ISDN or V.120. A multi-access concentrator can also act as the LNS when it is used as the gateway into the corporate intranet.

Network Access Server (NAS).

The NAS is a point-to-point access device that serves the access requests of remote users over ISDN or the PSTN. The NAS establishes and controls the sessions and the tunnel:
+ The remote user starts a PPP connection to the NAS.
+ The NAS accepts the call.
+ Authentication of the end user is delegated (proxied) at the NAS.
+ The end user sets up a connection to the LNS, creating a tunnel into the corporate intranet.
The sessions are managed by the LAC and the data packets are sent through the tunnel between LAC and LNS; each LAC and LNS keeps track of the state of the users' connections.

Figure 30

+ The remote user is also verified by the authentication server of the LNS gateway before the tunnel connection is accepted.
+ The LNS accepts the connection and establishes the L2TP tunnel, and the NAS performs the authentication.
+ The LNS then communicates with the remote user over PPP.

L2TP can support the following functions:
- tunnel establishment for dial-in clients;
- tunneling by means of small transport programs;
- incoming calls to the LNS from a LAC;
- establishment of multiple tunnels;
- proxy authentication for PAP and CHAP;
- authentication of the tunnel endpoints;
- hiding of the attribute-value pairs that carry a proxied PAP password;
- tunneling based on a lookup table;
- tunneling based on the PPP user name looked up in the AAA system.

Types of L2TP tunnels:

Compulsory L2TP tunnels: with this type the L2TP tunnel is established between the LAC at the ISP and an LNS on the corporate intranet.

Figure 31

A compulsory tunnel is established as follows:
- The remote user starts a PPP connection to the ISP.
- The ISP accepts the connection and the PPP link is established.
- The ISP sets up an L2TP tunnel to the LNS; if the LNS accepts the connection, the LAC encapsulates the PPP frames in L2TP and forwards them into the tunnel, and the LNS accepts the frames, strips the L2TP encapsulation and processes the PPP frames it contains.
- The LNS authenticates the user and, on success, assigns the user an IP address.

Figure 32

Figure 33: Data encapsulation in an L2TP tunnel

Setting up a remote virtual private network connection using L2TP and IPSec.

Figure 34: Using IPSec to protect L2TP in a compulsory tunnel between a remote user and a corporate gateway

Figure 35

3.5 Applying L2TP in a VPN


Example: a company is served by a VPN service provider. The ISP provides the company's Internet connectivity and operates a RADIUS proxy server and an LAC, while the company maintains its own RADIUS server and LNS.

Figure 36: Dial-up L2TP access to a VPN

L2TP is a new generation of dial-up VPN access protocol. It combines the best features of PPTP and L2F, and most vendors of PPTP products have released L2TP-compatible products or have announced them. Although it runs mainly over IP networks, it can also run over Frame Relay and ATM, which makes it all the more widely used.

3.6 Comparing PPTP and L2TP

Both PPTP and L2TP/IPSec use the point-to-point protocol to provide an initial envelope for the data and then add further headers for transport across the network. They differ in the following respects:

- With PPTP, data encryption begins after the PPP connection process (and therefore PPP authentication) has completed. With L2TP/IPSec, data encryption begins before the PPP connection process, by negotiating an IPSec security association.
- PPTP connections use MPPE, a stream cipher based on the RSA RC4 algorithm with 40-, 56- or 128-bit encryption keys. A stream cipher encrypts the data as a stream of bits. L2TP/IPSec connections use DES, a block cipher that uses either one 56-bit key (DES) or three 56-bit keys (3-

DES). A block cipher encrypts the data in separate blocks (64-bit blocks in the case of DES).
- PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

3.6.1 Advantages of L2TP

The following are the advantages of using L2TP/IPSec rather than PPTP in Windows 2000:

- IPSec provides per-packet data origin authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention of the resending of a captured stream of packets) and data confidentiality (prevention of the interpretation of captured packets without the encryption key). By contrast, PPTP provides only per-packet data confidentiality.
- L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.
- The PPP packets exchanged during user-level authentication are never sent unencrypted, because the PPP connection process for L2TP/IPSec takes place after the IPSec security associations (SAs) have been established. If intercepted, the authentication exchange of some PPP authentication protocols can be used to perform offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange, offline dictionary attacks become possible only after the encrypted packets have been successfully decrypted.

3.6.2 Advantages of PPTP

The following are the advantages of PPTP over L2TP/IPSec in Windows 2000:

- PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate infrastructure to issue computer certificates to the VPN server and to all VPN clients.
- PPTP can be used by computers running Windows XP and Windows 2000 with Windows dial-up networking and the appropriate security updates. L2TP/IPSec can be used only with Windows XP and

Windows 2000 VPN clients. Only those clients support the L2TP/IPSec protocol and the use of certificates.
- PPTP clients and servers can be placed behind a network address translator (NAT) if the NAT has the appropriate editors for PPTP traffic. L2TP/IPSec clients or servers basically cannot be placed behind a NAT unless both support IPSec NAT traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003.

Chapter 3: ENCRYPTION AND AUTHENTICATION IN VPN

Today computer networks are ubiquitous and indispensable for every one of us and for every nation. As the applications and services on computer networks (electronic mail, messaging, electronic commerce, electronic government) have become commonplace, convenient and important, the requirements for network security and for the security of data on the network have become ever more urgent. Interpol warns of the following dangers to computer networks:
- unauthorized access and theft of information;
- modification of computer data;
- unauthorized copying;
- paralysis of computer networks;
- other attacks.
Information on the network, whether in transit or in storage, therefore needs to be protected: it must either be kept confidential, or it must be possible to verify that it has not been modified from its original form and that it genuinely comes from the claimed sender; moreover, this confidence must be backed by law. Many countries pay great attention to this problem, and researchers study and propose ever better encryption algorithms to secure information against disclosure and loss for users, enterprises and governments exchanging information over the global Internet. In virtual private network technology, encryption algorithms are applied in each protocol layer, and the user chooses how to encrypt information with an algorithm such as DES or 3DES.

1 Encryption in VPN

1.1 The DES encryption algorithm

The DES encryption algorithm was developed by IBM in the early 1970s. The US National Bureau of Standards (NBS, today NIST) issued a public call for a data encryption standard on 15 May 1973, to which IBM's design was submitted; in 1977 DES became the official data encryption standard of the US government and went on to become the most widely used cipher in the world.

The DES algorithm was required to satisfy the following requirements:
- the algorithm must provide a high level of security;
- the algorithm must be completely specified and easy to understand;
- the security must reside in the key and must not depend on the secrecy of the algorithm;
- the algorithm must be available to all users;
- the algorithm must be adaptable to different applications;
- the algorithm must be economical to implement in electronic devices;
- the algorithm must be efficient in use;
- the algorithm must be able to be validated;
- the algorithm must be commercially usable.

1.1.1 Description of DES

A complete description of DES is given in Federal Information Processing Standards Publication 46 (FIPS PUB 46) of 15 January 1977. DES encrypts a plaintext bit string x of length 64 under a key k that is a 56-bit string, producing a ciphertext y that is also a bit string of length 64.

Figure 37: Description of DES, with $|x| = 64$, $|y| = 64$, $|k| = 56$.

The DES algorithm has three stages. Given the plaintext x:

1. Compute $x_0$ by permuting the bits of x according to the fixed initial permutation IP:
   $x_0 = IP(x) = L_0 R_0$,
   where $L_0$ is the first 32 bits of $x_0$ and $R_0$ the remaining 32 bits.

2. Perform 16 rounds. For $1 \le i \le 16$:
   $L_i = R_{i-1}$,
   $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$.

Here $\oplus$ denotes the exclusive-or of two bit strings, f is the round function, and $k_1, \dots, k_{16}$ are 48-bit strings derived from the key k by a separate key-schedule algorithm.

Figure 38: One round of DES. The inputs $L_{i-1}$ and $R_{i-1}$ enter the round; $R_{i-1}$ and the round key $k_i$ pass through f, the result is XORed with $L_{i-1}$, and the outputs are $L_i$ and $R_i$.

3. The ciphertext y is obtained by applying the inverse permutation $IP^{-1}$ to $R_{16} L_{16}$ (note that the positions of $L_{16}$ and $R_{16}$ are swapped):
   $y = IP^{-1}(R_{16} L_{16})$.

Modes of operation of DES: as we have seen, the input of DES is only 8 bytes, whereas the text to be encrypted may be very long, several kilobytes for example. To solve this problem, four modes of operation were defined for DES:
- Electronic Codebook mode (ECB);
- Cipher Feedback mode (CFB);
- Cipher Block Chaining mode (CBC);
- Output Feedback mode (OFB).

1.1.2 Advantages and disadvantages of DES

Advantage: DES encrypts data very quickly.

Disadvantage: the key space of DES, $2^{56}$ keys, is too small to be secure, so special-purpose machines can break it and recover the key very quickly (the EFF's purpose-built DES cracker recovered a key by exhaustive search in 1998 in about 56 hours).

1.1.3 Applications of DES in practice

One very important application of DES is to documents in banking transactions, using standards developed by the American Bankers Association.
DES is used to encrypt personal identification numbers (PINs) and the account transaction data handled by automated teller machines (ATMs).

1.2 The 3DES encryption algorithm

3DES is a variant of DES, devised because, as we have seen, DES has a serious weakness: it can be broken by special-purpose machines that search the key space for the key.

1.2.1 Description of 3DES

The 3DES algorithm uses three 64-bit keys, so the whole key is 192 bits long (of which 168 bits are effective key material, since every eighth bit of a DES key is a parity bit). When encrypting, one simply supplies the single 192-bit key, which is split into the three individual keys.
Figure 39: Description of 3DES. Plaintext; DES encryption under key 1; DES decryption under key 2; DES encryption under key 3; ciphertext.

The encryption procedure is the same as DES but repeated three times, so it takes three times as long as DES. The data is encrypted with the first key, decrypted with the second key, and then encrypted again with the third key to obtain the final ciphertext. This is the EDE construction; if all three keys are equal, the first two operations cancel and 3DES reduces to single DES, which keeps it compatible with DES equipment.

Modes of operation of 3DES:
- Triple ECB (Triple Electronic Code Book);
- Triple CBC (Triple Cipher Block Chaining).

1.2.2 Advantages and disadvantages of 3DES

Advantage: unlike DES, 3DES applies DES three times with a key space of 168 bits, so it is far more secure than DES (against the meet-in-the-middle attack its effective strength is about 112 bits, still far beyond the 56 bits of DES).

Disadvantage: because 3DES applies DES three times, it is much slower than DES. Software implementations are very slow for digital imaging and other high-speed data applications, and the 64-bit block size remains a weakness for the high-speed systems of the 21st century.

1.3 Secure Hash Algorithm

With ordinary signature schemes one can sign only short messages. For example, with the Digital Signature Standard (DSS), a 160-bit document is signed with a 320-bit signature. In practice we need to sign much longer documents (a legal document may be many megabytes long). The solution is a fast public hash function (SHA-1 in the case of DSS). Such a function takes a document of arbitrary length and produces a digest of the document of a fixed size (160 bits with DSS). It is this digest (the output of the hash function) that is signed. The use of a hash function with DSS is as follows:

- message m: arbitrary length;
- compute the message digest z = h(m): 160 bits.

When B wants to sign the message m, B first creates the digest z of the document with the hash function h and then uses his private key to compute the signature $s = Sig_K(z)$, where $Sig_K$ is the signing function under B's private key (for example RSA with B's private exponent). B then sends the pair (m, s) to A. To verify it, A first recovers the digest of the document with h (z = h(m)) and then checks whether $Ver_K(z, s)$ is true.

1.4 The RSA algorithm

RSA is the most popular and versatile public key cryptosystem in practice. Invented by Rivest, Shamir and Adleman, it is regarded as the reference system among public key cryptosystems. RSA relies on the hardness of factoring large integers into primes: given a few large primes, multiplying them together to obtain the composite

number is easy, whereas factoring that composite back into its prime factors is so hard as to be practically infeasible when the two primes are large.

Let n be the product of two distinct large primes p and q (n = p·q). Choose an integer a that is coprime to $\varphi(n) = (p-1)(q-1)$ and compute $b = a^{-1} \bmod \varphi(n)$, so that $ab \equiv 1 \pmod{\varphi(n)}$. The RSA system is then described as follows. Let n = p·q with p and q prime, let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_n$, and let

$\mathcal{K} = \{(n, b, a) : ab \equiv 1 \pmod{\varphi(n)}\}$,

where (n, b) is the public key and a is the private key. For K = (K', K'') with K' = (n, b) and K'' = a, define

$e_K(x) = x^b \bmod n$ and $d_K(y) = y^a \bmod n$ for $x, y \in \mathbb{Z}_n$.

For every $x \in \mathbb{Z}_n^*$ (that is, $x \in \mathbb{Z}_n$ with x coprime to n) we have, writing $ab = t\varphi(n) + 1$,

$d_K(e_K(x)) = (x^b)^a = x^{ab} = x^{t\varphi(n)+1} \equiv x \pmod n$.

For $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$ the same identity holds, because then either x is divisible by p and coprime to q, or x is divisible by q and coprime to p. In both cases

$x^{t\varphi(n)+1} \equiv x \pmod p$ and $x^{t\varphi(n)+1} \equiv x \pmod q$,

from which $x^{t\varphi(n)+1} \equiv x \pmod n$ follows.
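The RSA system of section 1.4 together with the hash-then-sign procedure of section 1.3, as an added example that is not part of the thesis: key generation with the thesis's notation (n = p·q, public exponent b, private exponent a with ab ≡ 1 mod φ(n); here b is fixed to 65537 first and a derived from it, which is the usual practice), $e_K$ and $d_K$, and a signature s = z^a mod n over the 160-bit SHA-1 digest z = h(m) that the verifier checks with s^b mod n = z. The primes are generated with a Miller-Rabin test at a constructed 256-bit key size so that the block runs quickly; this is "textbook" RSA without padding, which is fine for showing the arithmetic but, like SHA-1, must not be used as-is (real signatures use RSASSA-PSS or PKCS#1 v1.5 encoding with SHA-2).

```python
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 32, rng=random) -> bool:
    """Miller-Rabin test; `rounds` random bases give an error probability of at most 4^-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # a witness of compositeness was found
    return True

def random_prime(bits: int, rng) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if is_probable_prime(candidate, rng=rng):
            return candidate

def keygen(bits: int = 256, rng=None):
    """Return the public key (n, b) and the private exponent a with a*b = 1 mod phi(n)."""
    rng = rng if rng is not None else random.SystemRandom()
    b = 65537                                    # public exponent; must be coprime to phi(n)
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % b != 0:
            return (p * q, b), pow(b, -1, phi)   # a = b^-1 mod phi(n) (modular inverse, Python 3.8+)

def encrypt(x: int, public) -> int:              # e_K(x) = x^b mod n
    n, b = public
    return pow(x, b, n)

def decrypt(y: int, a: int, n: int) -> int:      # d_K(y) = y^a mod n
    return pow(y, a, n)

def digest(message: bytes) -> int:
    """z = h(m): the 160-bit SHA-1 digest of section 1.3 (SHA-1 is obsolete for new designs)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message: bytes, a: int, n: int) -> int:
    """Hash-then-sign: s = Sig_K(z) = z^a mod n using the private exponent."""
    return pow(digest(message), a, n)

def verify(message: bytes, s: int, public) -> bool:
    """Ver_K(z, s): recompute z = h(m) and check s^b mod n == z (z < n, since n has 256 bits)."""
    n, b = public
    return pow(s, b, n) == digest(message)
```

Decrypting an encrypted value returns it unchanged, a signature verifies for the message it was made over and fails for a message that differs in a single character, because the digest, and therefore z, changes completely.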

2 Authentication in VPN

Authentication is an integral part of the security architecture of a virtual private network. We may have a dependable system that identifies networks, users and network services, but that alone is not a completely secure system: it does not let us control access to the corporation's network resources by unauthorized users. A solution that controls and prevents unauthorized users from deliberately accessing the system is to use authentication.

Figure 40: An authentication scenario

Authentication relies on one of the following three attributes:
- Something you have: a key or a token.
- Something you know: a password.
- Something you are: a voiceprint or an iris scan.

Users can be authenticated by:
- password;
- one-time password (S/KEY);
- USB iKey;
- smart card;
- PKI certificate;
- IP address.

These, however, are single-factor authentication methods and are not strong enough on their own to protect a system; security experts therefore recommend strong authentication, which combines two of the attributes above. The variety of VPN systems available today depends on these different authentication methods and on combinations of them. Besides the single authentication methods, a virtual private network also uses protocol-based authentication.

Authentication protocols:
- Password Authentication Protocol (PAP);
- Challenge Handshake Authentication Protocol (CHAP);
- Extensible Authentication Protocol (EAP);
- Remote Authentication Dial-In User Service (RADIUS).

Authentication servers:
- RADIUS;
- Kerberos;
- LDAP;
- NT domain;
- Solaris Pluggable Authentication Modules (PAM);
- Novell Directory Services (NDS).

2.1 Password Authentication Protocol (PAP)

PAP was originally designed so that one computer could authenticate another over the point-to-point protocol PPP, which is used as the transmission procedure. PAP authentication can be used at the start of a PPP link: when a remote workstation connects to the corporate network it must send its ID (user name) and password to the target network, and the network access server (NAS) is responsible for authenticating the user's workstation and deciding whether it may access the corporation's network resources.
However, authentication with the Password Authentication Protocol is neither secure nor reliable, because the authentication information is exchanged without protection over the public Internet, so an attacker can eavesdrop on it, steal it and recover the password used to access the system.

2.2 Challenge Handshake Authentication Protocol (CHAP)

CHAP is designed along the same lines as PAP but is considerably more secure. As with PAP, CHAP can be used at the start of a PPP link, and it can also be repeated after the link has been established. Instead of sending the password, the authenticator sends a random challenge and the peer replies with a one-way hash of the challenge combined with the shared secret, so the secret itself never crosses the link and a captured reply cannot be replayed against a fresh challenge.
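The following added example (written for this edit; it is not code from the thesis) models the two PPP authentication exchanges of sections 2.1 and 2.2 as seen from the wire. The user name, secret and "captured" messages are constructed; the CHAP response value follows RFC 1994, MD5(Identifier || Secret || Challenge). It also shows CHAP's residual weakness, which the text does not mention: a captured challenge/response pair allows offline guessing of a weak secret.

```python
# Added example (not from the thesis): a minimal model of the two PPP
# authentication exchanges of sections 2.1 and 2.2, seen from the wire.
# PAP sends the password itself; CHAP (RFC 1994) sends only
# MD5(Identifier || Secret || Challenge), so a capture neither reveals the
# secret directly nor can be replayed against a fresh challenge.
# The user, secret and "captured" messages are constructed for the example.
import hashlib
import hmac
import os

USERS = {"alice": b"s3cret-pw"}   # credential store on the NAS (constructed)

# --- PAP: Authenticate-Request carries peer ID and password in the clear ----
def pap_request(user, password):
    return {"type": "PAP-Authenticate-Request", "peer_id": user, "password": password}

def pap_verify(msg):
    return USERS.get(msg["peer_id"]) == msg["password"]

def sniff_pap(msg):
    """What an eavesdropper on the public network learns: the password itself."""
    return msg["password"]

# --- CHAP: three-way handshake, the secret never crosses the link ----------
def chap_response_value(identifier, secret, challenge):
    """RFC 1994, section 2.2: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_challenge(identifier, value=None):
    """Authenticator -> peer. The value is random; it may be injected for tests."""
    return {"type": "CHAP-Challenge", "id": identifier,
            "value": os.urandom(16) if value is None else value}

def chap_response(challenge, user, secret):
    """Peer -> authenticator."""
    return {"type": "CHAP-Response", "id": challenge["id"], "name": user,
            "value": chap_response_value(challenge["id"], secret, challenge["value"])}

def chap_verify(challenge, response):
    """Authenticator side: recompute with the stored secret, constant-time compare."""
    secret = USERS.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])

def replay_chap(captured_response, fresh_challenge):
    """Replaying a captured Response against a new Challenge must fail."""
    return chap_verify(fresh_challenge, captured_response)

def crack_chap_offline(challenge, response, wordlist):
    """CHAP's residual weakness: a captured challenge + response lets an attacker
    test secret guesses offline. Returns the guessed secret, or None."""
    for guess in wordlist:
        if chap_response_value(challenge["id"], guess, challenge["value"]) == response["value"]:
            return guess
    return None

if __name__ == "__main__":
    req = pap_request("alice", USERS["alice"])
    print("PAP accepted:", pap_verify(req), "sniffed:", sniff_pap(req))
    ch = chap_challenge(7)
    resp = chap_response(ch, "alice", USERS["alice"])
    print("CHAP accepted:", chap_verify(ch, resp))
    print("replay against new challenge:", replay_chap(resp, chap_challenge(8)))
    print("offline guess:", crack_chap_offline(ch, resp, [b"password", b"s3cret-pw"]))
```

The sniffer recovers the PAP password outright, while the CHAP capture yields only a hash bound to one challenge; the offline-guessing function is why CHAP secrets must still be long and random, and why the thesis' later recommendation of strong, two-factor authentication matters.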

3 Firewall

3.1 The firewall concept

The term firewall originates from a building-construction technique for stopping or limiting the spread of fire. In network technology, a firewall is a technique integrated into the network in order to:

- prevent and restrict unauthorized access, protecting resources and data;
- block access from the inside (the intranet) to certain addresses on the Internet.

A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks such as the public Internet. It is usually placed between the trusted internal network, such as a company's or organisation's intranet, and the untrusted network, the Internet.

Firewall model

Figure 41


Functions of a firewall: to control the flow of information into and out of the trusted network (intranet) from and to the untrusted network (Internet), establishing control mechanisms for these flows, specifically:

- permit or deny services accessed from the trusted network out to the untrusted network (from the intranet to the Internet);
- permit or deny services accessed from the untrusted network into the trusted network;
- monitor and control the data flows between the Internet and the intranet;
- control which addresses may and may not be accessed;
- control users and their access.

3.2 Components of a firewall

Firewalls can be classified into three basic kinds:

- packet filters;
- proxy servers, comprising (1) application gateways and (2) circuit-level gateways;
- stateful packet filters.

Figure 42

For a firewall to work most effectively, all of the above components should be used together.

3.2.1 Packet filtering router


Figure 43

When data travels between networks through a firewall, the firewall necessarily works closely with the TCP/IP protocols.

Principle: a packet filter permits or denies every packet it receives. It examines each packet's header to decide whether the packet satisfies one of the filter's rules. The filtering rules are based on the information in the packet header that is used to forward packets across the network, namely:

- the source IP address;
- the destination IP address;
- the transport protocol (TCP, UDP, ICMP, IP tunnel);
- the source TCP/UDP port;
- the destination TCP/UDP port;
- the ICMP message type;
- the incoming interface of the packet;
- the outgoing interface of the packet.

If a filtering rule is satisfied, the packet is passed through the firewall; if not, it is dropped. In this way the firewall can block connections to specified hosts or networks, or block access to the internal network from addresses that are not allowed. Moreover, port control lets the firewall permit only certain kinds of connections to certain hosts, or allow only particular services (Telnet, SMTP, FTP, ...) to run on the local network.
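An added example (written for this edit, not code from the thesis): a stateless packet filter that decides on exactly the header fields listed above and nothing else, with a first-match rule list and an implicit deny when no rule matches. The internal network 10.1.0.0/16, the mail relay 10.1.6.5, the interface names and the sample packets are constructed for the example.

```python
# Added example (not part of the thesis): a stateless packet filter that decides on
# exactly the header fields listed above and nothing else, with a first-match rule
# list and an implicit "deny" when nothing matches (the block-everything-then-permit
# policy recommended later in 3.4). Networks, rules and sample packets are
# constructed for the example; 10.1.0.0/16 plays the internal network.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: str = "outside"
    out_if: str = "inside"
    payload: bytes = b""             # carried along but never consulted by the filter

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None means "any"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: Optional[str] = None

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type)
                and self.in_if in (None, p.in_if))

def filter_packet(rules, p):
    """First matching rule wins; a packet matching no rule is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

INSIDE = "10.1.0.0/16"
MAIL_RELAY = "10.1.6.5/32"
RULES = [
    # anti-spoofing: a packet arriving on the outside interface cannot carry an inside source
    Rule("deny", src=INSIDE, in_if="outside"),
    Rule("permit", dst=MAIL_RELAY, proto="tcp", dport=25),     # SMTP to the mail relay only
    Rule("permit", dst=MAIL_RELAY, proto="tcp", dport=21),     # FTP control channel, same host
    Rule("permit", proto="icmp", icmp_type=0),                 # echo replies in, requests stay out
    Rule("permit", src=INSIDE, in_if="inside"),                # anything outbound from inside
]

def decide(packets, rules=RULES):
    """Apply the rule set to a batch of packets and return the verdicts in order."""
    return [filter_packet(rules, p) for p in packets]

if __name__ == "__main__":
    sample = [                                               # constructed traffic
        Packet("198.51.100.7", "10.1.6.5", "tcp", 40000, 25),
        Packet("198.51.100.7", "10.1.6.5", "tcp", 40000, 23),
        Packet("10.1.4.9", "10.1.6.5", "tcp", 40000, 25, in_if="outside"),
        Packet("198.51.100.7", "10.1.4.9", "icmp", icmp_type=8),
    ]
    for p, verdict in zip(sample, decide(sample)):
        print(verdict, p.src, "->", p.dst, p.proto, p.dport if p.dport else p.icmp_type)
```

The last assertion in the test below makes the limitation stated in the next subsection concrete: a permitted SMTP connection passes whatever payload it carries, because nothing in the decision looks past the header.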

Advantages


Most firewall systems use packet filters. One advantage of packet filtering is its low cost: the filtering mechanism is included in most router software. In addition, packet filtering is transparent to users and applications, so it requires no special training.

Limitations

Defining the filtering rules is a fairly complex task; the network administrator needs detailed knowledge of the Internet services, the packet header formats, and the specific values each field can take. As the filtering requirements grow, the rule sets become long and complex, and hard to manage and control. Because it works only on packet headers, a packet filter cannot control the content of packets: packets that pass through can still carry actions that steal information or cause damage.

3.2.2 Application-level gateway

Figure 44

Principle:



This is a kind of firewall designed to strengthen control over which services and protocols may access the network. Its operation is based on proxy services: special programs installed on the gateway for each application. If the administrator does not install proxy code for an application, the corresponding service is not provided and so cannot pass information through the firewall. Proxy code can also be configured to support only those features of an application that the administrator considers acceptable, while refusing the others.

An application gateway is usually regarded as a bastion host, since it is specially designed to withstand attack from outside. The security measures of a bastion host are:

- The bastion host always runs secure versions of its system software, designed specifically to resist attacks on the operating system and to ensure the integrity of the firewall.
- Only the services the administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Usually only a limited set of applications for Telnet, DNS, FTP, SMTP and user authentication is installed.
- The bastion host can require several levels of authentication, for example user name, password or smart card.
- Each proxy is configured to allow access to only certain hosts. This means the command set and features established for each proxy apply only to a subset of the hosts on the whole system.
- Each proxy maintains a detailed log of all traffic through it, every connection, and the duration of each connection. This log is very useful for tracing or stopping an intruder.
- Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy or remove one that is causing problems.

Advantages:

- It lets the administrator fully control each service on the network, since the proxy application restricts the command set and decides which hosts can be reached by each service.


- It lets the administrator fully control which services are allowed, since the absence of a proxy for a service means that service is blocked.
- An application gateway allows very good authentication checks, and it keeps a log of access to the system.
- Filtering rules for an application gateway are easier to configure and check than those of a packet filter.

Limitations:

- Users must change their working procedures, or change the client software installed on their machines, to access services through the proxy. For example, accessing Telnet through an application gateway requires two steps to connect to the destination host rather than one. However, some client software makes the application gateway transparent, by letting the user name the destination host rather than the gateway in the Telnet command.

3.2.3 Circuit-level gateway

Figure 45

Principle:


A circuit-level gateway is a special function that can be performed by an application gateway. It simply relays TCP connections without performing any processing or packet filtering. It works like a wire, copying bytes between the inside connection and the outside connection. However, because the connections appear to originate from the firewall system, it hides information about the internal network.

Circuit-level gateways are commonly used for outbound connections, where the administrator really trusts the inside users. Their greatest advantage is that a bastion host can be configured as a hybrid, providing an application gateway for inbound connections and a circuit-level gateway for outbound ones. This makes the firewall easy to use for internal users who want direct access to Internet services, while still providing the firewall function that protects the internal network from outside attacks.

3.3 Limitations of firewalls

A firewall is not intelligent enough to understand every kind of information and analyse whether its content is good or bad. It can only block traffic from unwanted sources, and the address parameters must be specified explicitly.

A firewall cannot stop an attack that does not pass through it. Concretely, it cannot defend against an attack over a dial-up line, or the leakage of information copied illegally onto a floppy disk.

Nor can a firewall stop data-driven attacks, where a program arrives by e-mail, passes through the firewall into the protected network and starts running there. Computer viruses are one example. A firewall cannot scan for viruses in the data passing through it, because of the speed required, the continual appearance of new viruses, and the many ways data can be encoded to escape the firewall's checks.

Nevertheless, the firewall remains an effective and widely used solution.

3.4 Establishing a firewall policy


The policies are announced in advance so that network managers and users know what they may do, and which web sites they can or cannot reach. Some points to note when establishing a basic firewall policy:

- Block all inbound and outbound traffic first, then permit only selected traffic to pass.
- All traffic entering or leaving the network must pass through the firewall to be inspected and filtered.
- Do not use the firewall as a general-purpose storage server or to run other programs.
- Do not allow passwords or internal network addresses to pass through the firewall.
- If the network must provide services to the Internet, place those services outside the firewall.
- Preserve the important data of the public services by building stand-by servers.

3.5 Some firewall types

- Packet-filtering firewall
- Dual-homed gateway firewall
- Screened host firewall

Figure 46

Advantages:

- High speed


- Adapts easily to newly emerging services
- Low cost, simple configuration and administration
- Transparent to users

Limitations: it has all the limitations of a packet-filtering router:

- It is vulnerable to attacks on imperfectly configured filters, or to attacks tunnelled under permitted services (IP address spoofing).
- Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the permitted hosts and services. Consequently every host allowed direct access to the Internet needs a strong authentication system, and the administrator must regularly check for signs of attack.
- Some packet filters do not fail safely: when the packet inspection mechanism stops working, these systems behave as a plain router, forwarding all connections between the internal and external networks, so every system on the internal network can be attacked.

3.5.1 Screened host firewall

This system consists of a packet-filtering router and a bastion host. It provides higher security than the previous type, because it implements security at both the network layer and the application layer; an attacker must defeat both layers to attack the internal network.

Figure 47: Screened host firewall


Figure 48

3.5.2 Screened-subnet firewall

Figure 49

The system consists of two packet-filtering routers and a bastion host. It has the highest security, because it provides security at both the network layer and the application layer while defining a demilitarized zone (DMZ). The DMZ acts as a small isolated network placed between the public Internet and the internal network. Basically, the DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ, and direct transmission across the DMZ is impossible.

For inbound traffic, the outer router guards against attacks (such as IP address spoofing) and controls access to the DMZ. It allows the outside to reach only the bastion host.


The inner router provides the second line of defence by controlling access from the DMZ to the internal network, allowing only traffic that originates from the bastion host. For outbound traffic, the inner router controls access from the internal network to the DMZ: it allows inside systems to reach only the bastion host and possibly the information server. The filtering rules on the outer router enforce the use of the proxy service by permitting only outbound traffic originating from the bastion host.

Advantages:

- An attacker must break through three layers of protection: the outer router, the bastion host and the inner router.
- Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only selected systems on the DMZ are known to the Internet, through routing tables and DNS information exchange.
- Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This guarantees that inside users are forced to access the Internet through the proxy service.

3.6 Combining a firewall with a VPN

As we know, a firewall is a device consisting of both hardware and software, placed between a trusted network that needs protection and the untrusted outside network such as the public Internet, to protect a company's or corporation's VPN from the dangers coming from untrusted networks and from illegitimate users deliberately accessing the network to exploit its information resources.

Figure 50: Model of using a firewall to control access between two computer networks


All data flows and access requests between the two computer networks must pass through the firewall.

A VPN provides secure sessions over the public Internet infrastructure, so a VPN reduces the cost of building a network infrastructure as well as the cost of remote access, by using the public Internet infrastructure shared by many users. VPN technology lets companies build intranets linking their headquarters and branch offices into the corporate network. A VPN used together with a firewall provides more comprehensive protection for an organisation.

Figure 51: Model combining a firewall and a VPN

Access to the corporate network's resources is controlled by the firewall, which establishes trust between the user and the network. However, data transmitted between the user and the corporate network still faces dangers such as leakage, theft or modification of information by illegitimate users as the traffic crosses the public Internet. The VPN is created to provide data security and privacy between two network locations. Thus using the two technologies, firewall and VPN, together is an optimal and highly effective information-security solution.


Chapter 4


CONFIGURING VPN ON CISCO DEVICES

This chapter explains the basic tasks for configuring IP-based site-to-site and extranet Virtual Private Networks (VPNs) on a Cisco IOS VPN gateway using the Generic Routing Encapsulation (GRE) and IPSec tunneling protocols. Basic security, Network Address Translation (NAT), encryption, and basic extended access lists for traffic filtering are configured.

1. Site-to-site VPN and extranet VPN models

1.1 Site-to-site VPN scenario

Figure 52

1.1.1 Physical address components of the site-to-site VPN model

Figure 53


1.1.2 Detailed address table for the site-to-site VPN model

2.1 Extranet scenario

Figure 54


2.1.1 Physical address components of the extranet VPN model

Figure 55

2.1.2 Detailed address table for the extranet VPN model


2 Configuring tunnels


Tunneling provides a way to encapsulate packets inside a transport protocol. Tunneling is implemented as a virtual interface, which provides a simple interface for configuration. The tunnel interface is not tied to specific passenger or transport protocols; rather, it is an architecture designed to provide the services necessary to implement any standard point-to-point encapsulation scheme. Because tunnels are point-to-point links, you must configure a separate tunnel for each link.

Tunneling has three main components:

- Passenger protocol: the protocol you are encapsulating (AppleTalk, Banyan VINES, Connectionless Network Service [CLNS], DECnet, IP, or Internetwork Packet Exchange [IPX]).
- Carrier protocol: the encapsulating protocol, such as Generic Routing Encapsulation (GRE) or IPSec.
- Transport protocol, such as IP: the protocol used to carry the encapsulated protocol.

Diagram: tunneling terms and concepts

Figure 56

This section covers the following topics:

- Configuring a GRE tunnel
- Configuring an IPSec tunnel


2.1 Configuring a GRE tunnel


GRE can carry multiprotocol and IP multicast traffic between two sites that have only IP unicast connectivity. The importance of using tunnels in a VPN environment rests on the fact that IPSec encryption works only on IP unicast frames. Tunneling allows multiprotocol traffic to be encrypted and transported across the VPN, because the tunneled packets appear to the IP network as IP unicast frames between the tunnel endpoints. If all connectivity must go through the gateway router, tunnels also allow private network addressing to be used across a service provider without running NAT (Network Address Translation).

Network redundancy is an important consideration in deciding whether to use GRE tunnels, IPSec tunnels, or tunnels using IPSec over GRE. GRE can be used together with IPSec to pass routing updates between sites on an IPSec VPN. GRE encapsulates the cleartext packet, then IPSec (in transport or tunnel mode) encrypts it. This packet flow, IPSec over GRE, lets routing updates, which are generally multicast, pass over an encrypted link. IPSec alone cannot do this, because it does not support multicast.

Redundant GRE tunnels protected by IPSec are used from a remote router to redundant headquarters routers. The routing protocols can converge to the primary and the secondary headquarters router: on loss of connectivity to the primary router, the routing protocols discover the route to the second gateway, which provides network redundancy. Note that more than one router must be deployed at HQ-SANJOSE to provide redundancy for the network. For VPN redundancy, the remote site needs to be configured with two GRE tunnels, one to the primary HQ-SANJOSE VPN router and the other as a backup.

This section contains the basic steps to configure a GRE tunnel and includes the following tasks:

- Configuring the tunnel interface, source, and destination
- Verifying the tunnel interface, source, and destination

2.1.1 Configuring the tunnel interface, source, and destination

To configure a GRE tunnel between the headquarters router and the remote office router, you must configure a tunnel interface, source, and destination on the headquarters router and on the remote office router. To do this, complete the following steps, starting in global configuration mode.


Step 1
  Hq-sanjose(config)# interface tunnel 0
  Hq-sanjose(config-if)# ip address 172.17.3.3 255.255.255.0
  Purpose: Specify a tunnel interface number, enter interface configuration mode, and configure the IP address and subnet mask of the tunnel interface. Here the IP address and subnet mask 172.17.3.3 255.255.255.0 are configured on tunnel interface 0 of the headquarters router.

Step 2
  Hq-sanjose(config-if)# tunnel source 172.17.2.4 255.255.255.0
  Purpose: Specify the source address and subnet mask of the tunnel interface. Here the IP address and subnet mask of T3 serial interface 1/0 on the headquarters router are used.

Step 3
  Hq-sanjose(config-if)# tunnel destination 172.24.2.5 255.255.255.0
  Purpose: Specify the destination address of the tunnel interface. Here the IP address and subnet mask of T3 serial interface 1/0 on the remote office router are used.

Step 4
  Hq-sanjose(config-if)# tunnel mode gre ip
  Purpose: Configure GRE as the tunnel mode. GRE is the default tunnel encapsulation mode, so this command is not strictly required.

Step 5
  Hq-sanjose(config)# interface tunnel 0
  Hq-sanjose(config-if)# no shut
  %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
  Purpose: Activate the tunnel interface.

Step 6
  Hq-sanjose(config-if)# exit
  Hq-sanjose(config)# ip route 10.1.4.0 255.255.255.0 tunnel 0
  Purpose: Return to global configuration mode and route traffic for the remote office network through the tunnel. Here traffic for the remote office Fast Ethernet network (10.1.4.0 255.255.255.0) is routed through GRE tunnel 0.


The configuration on the remote office router follows the same steps in GRE configuration mode.

2.1.2 Verifying the tunnel interface, source, and destination

To verify the configuration, enter the show interfaces tunnel 0 command in EXEC mode to view the tunnel interface status, the configured IP addresses, the encapsulation type, and the state of the interface.

  Hq-sanjose# show interfaces tunnel 0
  Tunnel0 is up, line protocol is up
    Hardware is Tunnel
    Internet address is 172.17.3.3/24
    MTU 1514 bytes, BW 180 Kbit, DLY 500000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive set (10 sec)
    Tunnel source 172.17.2.4, destination 172.24.2.5
    Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
    Checksumming of packets disabled, fast tunneling enabled
    Last input never, output 00:10:44, output hang never
    Last clearing of "show interface" counters never
    Queueing strategy: fifo
    Output queue 0/0, 0 drops; input queue 0/75, 0 drops
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       0 packets input, 0 bytes, 0 no buffer
       Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       29 packets output, 2348 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 output buffer failures, 0 output buffers swapped out

2.2 Configuring an IPSec tunnel

IPSec can be configured in tunnel mode or transport mode. IPSec tunnel mode can be used as an alternative to a GRE tunnel, or together with a GRE tunnel. In IPSec tunnel mode the entire original IP datagram is encrypted and becomes the payload of a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy: the router performs encryption on behalf of the hosts. The source router encrypts the packets and forwards them along the


IPSec tunnel. The destination router decrypts the original IP datagram and forwards it to the destination system. Tunnel mode protects against traffic analysis: with tunnel mode, an attacker can only determine the tunnel endpoints, not the true source and destination of the tunneled packets, even if these are the same as the tunnel endpoints.

In IPSec transport mode, only the IP payload is encrypted and the original IP headers are left intact (see the figure below). This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. This lets you enable special processing in the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits examination of the packet, and, unfortunately, by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis.
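The following added example (written for this edit; it is not code from the thesis or from Cisco) builds the three framings discussed in sections 2 to 2.2, GRE over IP, IPSec transport mode and IPSec tunnel mode, on a constructed passenger packet and shows what a device on the transport network can read from each. The addresses follow the thesis topology (tunnel endpoints 172.24.2.5 and 172.17.2.4, remote LAN host 10.1.4.10, server 10.1.6.5); the ESP trailer, padding and integrity check value are omitted, and a SHA-256 keystream stands in for ESP's real cipher, since the point is the layout, not the cryptography.

```python
# Added example (not from the thesis, not Cisco code): builds the three framings
# discussed in sections 2 to 2.2 on a constructed passenger packet and shows what
# an observer on the transport network can read from each. GRE (carrier) over IP
# (transport) leaves the passenger header in the clear; IPSec transport mode keeps
# the original IP header and encrypts only the payload; IPSec tunnel mode wraps
# the whole datagram in a new IP header, so only the tunnel endpoints are visible.
# ESP trailer/padding and the integrity check value are omitted, and the "cipher"
# is a SHA-256 keystream standing in for ESP's real cipher: layout, not crypto,
# is the point here.
import hashlib
import struct

IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 6, 47, 50

def _ip2b(a):
    return bytes(int(x) for x in a.split("."))

def _b2ip(b):
    return ".".join(str(x) for x in b)

def ip_checksum(hdr):
    """Standard IPv4 header checksum (ones-complement sum of 16-bit words)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, _ip2b(src), _ip2b(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def passenger_packet(src, dst, payload):
    """The original (passenger) datagram: IPv4 header + a TCP-numbered payload."""
    return ipv4_header(src, dst, IPPROTO_TCP, len(payload)) + payload

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Carrier GRE (flags 0, protocol type 0x0800 = IPv4) over transport IP."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, 4 + len(inner)) + gre + inner

def _keystream(key, spi, seq, n):
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:n]

def _esp(key, spi, seq, plaintext):
    """ESP header (SPI, sequence number) followed by the encrypted data."""
    ks = _keystream(key, spi, seq, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plaintext, ks))

def esp_transport(inner, key, spi, seq=1):
    """Transport mode: original IP header kept (protocol becomes ESP), payload encrypted."""
    src, dst = _b2ip(inner[12:16]), _b2ip(inner[16:20])
    body = _esp(key, spi, seq, inner[20:])
    return ipv4_header(src, dst, IPPROTO_ESP, len(body)) + body

def esp_tunnel(inner, key, spi, tunnel_src, tunnel_dst, seq=1):
    """Tunnel mode: the whole original datagram is the encrypted payload of a new packet."""
    body = _esp(key, spi, seq, inner)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_ESP, len(body)) + body

def esp_tunnel_decapsulate(frame, key):
    """Receiving gateway: strip the outer IP header, decrypt, recover the original datagram."""
    spi, seq = struct.unpack("!II", frame[20:28])
    ct = frame[28:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, spi, seq, len(ct))))

def outer_view(frame):
    """What a device on the public network sees: (src, dst, protocol) of the outer header."""
    return _b2ip(frame[12:16]), _b2ip(frame[16:20]), frame[9]

def gre_inner_view(frame):
    """Inside a GRE frame the passenger header is readable in the clear."""
    inner = frame[24:]
    return _b2ip(inner[12:16]), _b2ip(inner[16:20]), inner[9]

if __name__ == "__main__":
    key = b"constructed-demo-key"
    inner = passenger_packet("10.1.4.10", "10.1.6.5", b"hello")
    print("GRE      :", outer_view(gre_encapsulate(inner, "172.24.2.5", "172.17.2.4")))
    print("transport:", outer_view(esp_transport(inner, key, 0x1000)))
    print("tunnel   :", outer_view(esp_tunnel(inner, key, 0x1001, "172.24.2.5", "172.17.2.4")))
```

Run as is, the three lines show the point of the section: GRE and tunnel mode expose only the tunnel endpoints, but GRE still carries the passenger addresses in the clear, which is why the thesis pairs GRE with IPSec; transport mode exposes the real endpoints 10.1.4.10 and 10.1.6.5 to anyone on the path.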

Figure 57

3 Configuring NAT (Network Address Translation)

Note: NAT is used if you have overlapping private address spaces in the extranet scenario. If you do not, skip ahead to configuring encryption and IPSec.

NAT (Network Address Translation) allows private IP networks whose addresses are not globally unique to connect to the Internet by translating those addresses into globally routable address space. NAT is configured on the router at the border between a stub domain (referred to as the inside network) and a public network such as the Internet (referred to as the outside network). NAT translates the inside local addresses into globally unique IP addresses before sending packets to the outside network. NAT also allows a renumbering strategy for organisations whose


service providers are changing, or that are renumbering into Classless Inter-Domain Routing (CIDR) blocks.

This section explains only how to configure static translation, which translates inside IP addresses into globally unique IP addresses before packets are sent to an outside network, and includes the following tasks:

- Configuring static inside source address translation
- Verifying static inside source address translation

Static translation establishes a one-to-one mapping between an inside local address and an inside global address. Static translation is useful when an inside host must be reachable from the outside at a fixed address.

NAT uses the following definitions:

- Inside local address: the IP address assigned to a host on the inside network. This address is not a legitimate address assigned by the Network Information Center (NIC) or a service provider.
- Inside global address: a legitimate IP address (assigned by the NIC or a service provider) that represents one or more inside local IP addresses to the outside network.
- Outside local address: the IP address of an outside host as it appears to the inside network. It is not necessarily a legitimate address; it is allocated from address space routable on the inside network.
- Outside global address: the IP address assigned to a host on the outside network by the host's owner. The address is allocated from a globally routable address or network space.

Figure 58 illustrates a router translating a source address inside a network to a source address outside the network.


Figure 58

3.1 Configuring static inside source address translation

To configure static inside source address translation, complete the following steps, starting in global configuration mode.

Step 1
  Hq-sanjose(config)# ip nat inside source static 10.1.6.5 10.2.2.2
  Purpose: Establish a static translation between an inside local address and an inside global address. Here the inside local address 10.1.6.5 (the server) is translated to the inside global address 10.2.2.2.

Step 2
  Hq-sanjose(config)# interface fastethernet 0/1
  Purpose: Specify the inside interface. Here it is Fast Ethernet interface 0/1 on the headquarters router.

Step 3
  Hq-sanjose(config-if)# ip nat inside
  Purpose: Mark the interface as connected to the inside.

Step 4
  Hq-sanjose(config-if)# interface serial 2/0
  Purpose: Specify the outside interface. Here it is serial interface 2/0 on the headquarters router.

Step 5
  Hq-sanjose(config-if)# ip nat outside
  Purpose: Mark the interface as connected to the outside.

Step 6
  Hq-sanjose(config-if)# exit
  Hq-sanjose(config)#
  Purpose: Return to global configuration mode.

3.2 Verifying static inside source address translation

To verify the configuration:


Enter the show ip nat translations verbose command in EXEC mode to view the global and local address translations and to confirm that the static translation is configured.

  Hq-sanjose# show ip nat translations verbose
  Pro Inside global      Inside local       Outside local      Outside global
  --- 10.2.2.2           10.1.6.5           ---                ---
      create 00:10:28, use 00:10:28, flags: static

Enter the show running-config command in EXEC mode to view the inside and outside interfaces and the global and local address translations, and to confirm that the static translation is configured.

  Hq-sanjose# show running-config
  interface FastEthernet0/1
   ip address 10.1.6.5 255.255.255.0
   no ip directed-broadcast
   ip nat inside
  interface serial2/0
   ip address 172.16.2.2 255.255.255.0
   ip nat outside
  ip nat inside source static 10.1.6.5 10.2.2.2
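An added example (written for this edit; not code from the thesis or from Cisco IOS) that models the static inside source translation configured in 3.1 using the NAT vocabulary defined above. The interface names follow the running configuration shown; the outside host 192.0.2.10 and the second inside host 10.1.6.9 are constructed.

```python
# Added example (not from the thesis, not Cisco code): a model of static inside
# source translation as configured in 3.1, using the NAT vocabulary defined above.
# Interface names, hosts and packets are constructed; the addresses follow the
# thesis configuration (inside local 10.1.6.5 -> inside global 10.2.2.2).
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str                     # interface the packet arrived on

class StaticNat:
    def __init__(self, inside_ifs, outside_ifs):
        self.inside_ifs = set(inside_ifs)     # interfaces marked "ip nat inside"
        self.outside_ifs = set(outside_ifs)   # interfaces marked "ip nat outside"
        self.local_to_global = {}             # inside local -> inside global
        self.global_to_local = {}             # inside global -> inside local

    def add_static(self, inside_local, inside_global):
        """ip nat inside source static <inside-local> <inside-global>"""
        if inside_global in self.global_to_local or inside_local in self.local_to_global:
            raise ValueError("static mappings must be one-to-one")
        self.local_to_global[inside_local] = inside_global
        self.global_to_local[inside_global] = inside_local

    def forward(self, pkt):
        """Apply the translation as the packet passes through the router.

        inside -> outside: the source is rewritten, inside local -> inside global.
        outside -> inside: the destination is rewritten, inside global -> inside local.
        A packet with no matching entry is forwarded unchanged (a dynamic pool
        would be needed to translate other inside hosts).
        """
        if pkt.in_if in self.inside_ifs:
            return replace(pkt, src=self.local_to_global.get(pkt.src, pkt.src), in_if="forwarded")
        if pkt.in_if in self.outside_ifs:
            return replace(pkt, dst=self.global_to_local.get(pkt.dst, pkt.dst), in_if="forwarded")
        raise ValueError("interface %s is neither NAT inside nor outside" % pkt.in_if)

    def translations(self):
        """Rows in the layout of 'show ip nat translations':
        (Pro, Inside global, Inside local, Outside local, Outside global)."""
        return [("---", g, l, "---", "---") for l, g in self.local_to_global.items()]

if __name__ == "__main__":
    nat = StaticNat(inside_ifs={"FastEthernet0/1"}, outside_ifs={"Serial2/0"})
    nat.add_static("10.1.6.5", "10.2.2.2")
    print(nat.forward(Packet("10.1.6.5", "192.0.2.10", "FastEthernet0/1")))
    print(nat.forward(Packet("192.0.2.10", "10.2.2.2", "Serial2/0")))
    for row in nat.translations():
        print(*row)
```

The model makes the two directions of a static entry explicit, and the `translations` row matches the first line of the show ip nat translations output above; the one-to-one check mirrors the fact that an inside global address can stand for only one inside local host under static translation.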

4 Configuring encryption and IPSec

IPSec is an open standards framework, developed by the IETF (Internet Engineering Task Force), that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IKE is a hybrid security protocol that implements the Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of IPSec peers, negotiates IPSec security associations, establishes IPSec keys, and provides IKE keepalives. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features,


flexibility and ease of configuration for the IPSec standard, as well as keepalives, which are integral in achieving network redundancy when configured with GRE.

Certification authority (CA) interoperability is provided by the ISM in support of the IPSec standard. It permits Cisco IOS devices and CAs to communicate, so that your Cisco IOS device can obtain and use digital certificates from the CA. Although a Cisco IOS device can be deployed in your network without a CA, using a CA provides manageability and scalability for IPSec. The CA must be properly configured to issue certificates. You must also configure the peers to obtain certificates from the CA.

To provide encryption and IPSec tunneling services on a Cisco IOS VPN gateway, you must complete the following tasks:

- Configuring IKE policies
- Verifying IKE policies
- Configuring IPSec and IPSec tunnel mode
- Configuring crypto maps

4.1 Configuring IKE policies

Internet Key Exchange is enabled by default. IKE is not enabled or disabled for individual interfaces, but is enabled globally for all interfaces on the router. You must create policies at each peer. An IKE policy defines a combination of security parameters to be used during IKE negotiation. You can create multiple IKE policies, each with a different combination of parameter values. If you do not configure any IKE policy, the router uses the default policy, which always has the lowest priority and contains the default value for each parameter.

For each policy you create, you assign a unique priority (1 to 10,000, with 1 the highest priority). You can configure multiple policies on each peer, but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. If you do not specify a value for a parameter, the default value is assigned.


IKE keepalive hello packets are required to detect loss of connectivity and provide redundant connectivity for the network. If your HQ-SANJOSE site has more than two routers using IPSec, you can specify the keepalive interval or use the default of 10 seconds. To specify the interval at which keepalive packets are sent, use the crypto isakmp keepalive command, as shown in Step 2 of "Creating IKE policies".

This section contains the basic steps to configure IKE policies and includes the following tasks:

- Creating IKE policies
- Additional configuration required for IKE policies
- Configuring pre-shared keys

4.1.1 Creating IKE policies

To create an IKE policy, complete the following steps, starting in global configuration mode:

Step 1
  Hq-sanjose(config)# crypto isakmp policy 1
  Purpose: Enter config-isakmp mode and identify the policy to create (each policy is uniquely identified by the priority number you assign). Here policy 1 is configured.

Step 2
  Hq-sanjose(config-isakmp)# crypto isakmp keepalive 12 2
  Purpose (optional): Specify the IKE keepalive interval (the default is 10 seconds) and the retry interval used when a keepalive fails. Here the keepalive interval is 12 seconds and the retry interval is 2 seconds.

Step 3
  Hq-sanjose(config-isakmp)# encryption des
  Purpose: Specify the encryption algorithm: 56-bit Data Encryption Standard (des) or 168-bit Triple DES (3des). Here DES, the default, is configured.

Step 4
  Hq-sanjose(config-isakmp)# hash sha
  Purpose: Specify the hash algorithm: Message Digest 5 (md5) or Secure Hash Algorithm (sha). Here SHA, the default, is configured.

Step 5
  Hq-sanjose(config-isakmp)# authentication pre-share
  Purpose: Specify the authentication method: pre-shared keys (pre-share), RSA(1) encrypted nonces (rsa-encr), or RSA signatures (rsa-sig). The default is RSA signatures; here pre-shared keys are configured.

Step 6
  Hq-sanjose(config-isakmp)# group 1
  Purpose: Specify the Diffie-Hellman group identifier: 768-bit Diffie-Hellman (1) or 1024-bit Diffie-Hellman (2). Here group 1 (768-bit), the default, is configured.

Step 7
  Hq-sanjose(config-isakmp)# lifetime 86400
  Purpose: Specify the security association lifetime in seconds. Here 86400 seconds (one day) is configured.

Step 8
  Hq-sanjose(config-isakmp)# exit
  Hq-sanjose(config)#
  Purpose: Return to global configuration mode.

(1) RSA = Rivest, Shamir, and Adleman.

Note that 56-bit DES and 768-bit Diffie-Hellman group 1 are the weakest of the choices offered here; of the options listed, 3DES and group 2 should be preferred, and the policy on both peers must then be changed together, since the parameters must match exactly.
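An added example (written for this edit; not code from the thesis or from Cisco IOS) that models how the IKE policy matching described in 4.1 plays out between two peers: policies are tried in priority order (1 highest), a match requires identical encryption, hash, authentication method and Diffie-Hellman group, unspecified parameters take their defaults, and the default policy always comes last. The policies, peers and the numeric priority 65535 used to make the default policy sort last are constructed for the example.

```python
# Added example (not from the thesis, not Cisco code): a model of IKE policy
# matching as this section describes it. Configured policies are tried in priority
# order (1 is highest); a match needs identical encryption, hash, authentication
# method and Diffie-Hellman group; unspecified parameters take the defaults; the
# default policy always sorts last. Policies and peers are constructed; the
# priority 65535 for the default policy is a modelling choice, not an IOS value.
from dataclasses import dataclass

DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}
DEFAULT_POLICY_PRIORITY = 65535       # sorts after any configured policy (1..10000)

@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str = DEFAULTS["encryption"]
    hash: str = DEFAULTS["hash"]
    authentication: str = DEFAULTS["authentication"]
    group: int = DEFAULTS["group"]
    lifetime: int = DEFAULTS["lifetime"]

    def same_proposal(self, other):
        """The four parameters that must be identical on both peers."""
        return ((self.encryption, self.hash, self.authentication, self.group) ==
                (other.encryption, other.hash, other.authentication, other.group))

def policy_table(configured):
    """What the router really uses: configured policies by priority, then the default policy."""
    return sorted(configured, key=lambda p: p.priority) + [IkePolicy(DEFAULT_POLICY_PRIORITY)]

def negotiate(initiator_policies, responder_policies):
    """Responder-side matching: the responder walks its own table in priority
    order and compares each policy against every policy the initiator offered;
    the first identical proposal wins. The initiator's lifetime must not exceed
    the responder's, and the shorter of the two is used.
    Returns (initiator_policy, responder_policy, lifetime) or None."""
    offers = policy_table(initiator_policies)
    for own in policy_table(responder_policies):
        for offer in offers:
            if own.same_proposal(offer) and offer.lifetime <= own.lifetime:
                return offer, own, min(offer.lifetime, own.lifetime)
    return None

WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {1}}

def weak_parameters(policy):
    """Parameters a reviewer should flag, among the options this section lists."""
    return sorted(name for name, bad in WEAK.items() if getattr(policy, name) in bad)

if __name__ == "__main__":
    hq = [IkePolicy(1, "3des", "sha", "pre-share", 2, 86400)]
    ro = [IkePolicy(10, "des", "md5", "pre-share", 1),
          IkePolicy(20, "3des", "sha", "pre-share", 2, 43200)]
    offer, own, life = negotiate(ro, hq)
    print("matched remote policy", offer.priority, "with HQ policy", own.priority, "lifetime", life)
    fallback = negotiate([IkePolicy(10, "des", "md5", "pre-share", 1)], hq)
    print("no configured match: fell back to default policy", fallback[1].priority,
          "which uses", fallback[1].authentication, "and is weak in", weak_parameters(fallback[1]))
```

The second run in the `__main__` block shows a trap worth knowing: when nothing configured matches, two IOS peers still agree on their identical default policies (DES, SHA, RSA signatures, group 1), so a misconfigured policy does not fail loudly but quietly negotiates the weakest suite and an authentication method that then needs certificates.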

4.1.2 Additional configuration required for IKE policies

Depending on which authentication method you specify in your policies, you must complete additional configuration before IKE and IPSec can successfully use the IKE policies. Each authentication method requires additional configuration as follows:

RSA signatures method: if you specify RSA signatures as the authentication method in a policy, you must configure the peers to obtain certificates from a certification authority (CA). The certificates are used by each peer to securely exchange public keys. When both peers have valid certificates, they automatically exchange public keys with each other as part of any IKE negotiation in which RSA signatures are used.

RSA encrypted nonces method: if you specify RSA encrypted nonces as the authentication method in a policy, you must ensure that each peer has the other peers' public keys. Unlike RSA signatures, the RSA encrypted nonces method does not use certificates to exchange public keys. Instead, you ensure that each peer has the others' public keys by doing one of the following:

- Manually configure RSA keys.
- Ensure that an IKE exchange using RSA signatures has already occurred between the peers. To make this happen, specify two policies: a higher-priority policy with RSA encrypted nonces, and a lower-priority policy with RSA signatures. When IKE negotiation occurs, RSA signatures are used the first time, because the peers do not yet have each other's public keys. Future IKE negotiations will then use RSA encrypted nonces, because the public keys will have been exchanged. Of course, this alternative requires that you have CA support configured.

Pre-shared keys method: if you specify pre-shared keys as the authentication method in a policy, you must configure these pre-shared keys.

Digital certificates method: if you specify digital certificates as the authentication method in a policy, the CA must be properly configured to issue certificates. You must also configure the peers to obtain certificates from the CA. Certificates simplify authentication: you need only enrol each peer with the CA, rather than manually configuring each peer to exchange keys.

4.1.3 Configuring pre-shared keys

To configure pre-shared keys at each peer, complete the following steps in global configuration mode.

Step 1
  Hq-sanjose(config)# crypto isakmp identity address
  Purpose: At the local peer: specify the ISAKMP identity (address or hostname) the headquarters router will use when communicating with the remote office router during IKE negotiation. Here the address keyword is specified, using the IP address 172.17.2.4 (serial interface 1/0 of the headquarters router) as the identity of the headquarters router.

Step 2
  Hq-sanjose(config)# crypto isakmp key test12345 address 172.24.2.5
  Purpose: At the local peer: specify the shared key the headquarters router will use with the remote office router. Here the shared key test12345 is configured for use with the remote peer 172.24.2.5 (serial interface 1/0 on the remote office router).

Step 3
  Ro-rtp(config)# crypto isakmp identity address
  Purpose: At the remote peer: specify the ISAKMP identity (address or hostname) the remote office router will use when communicating with the headquarters router during IKE negotiation. Again the address keyword is specified, using the IP address 172.24.2.5 (serial interface 1/0 of the remote office router) as the identity of the remote office router.

Step 4
  Ro-rtp(config)# crypto isakmp key test12345 address 172.17.2.4
  Purpose: At the remote peer: specify the shared key to be used with the local peer. This must be the same key specified at the local peer. Here the shared key test12345 is configured for use with the local peer 172.17.2.4 (serial interface 1/0 on the headquarters router).

Note: Set an ISAKMP identity whenever you specify pre-shared keys. The address keyword is typically used when there is only one interface that will be used by the peer for IKE negotiations and the IP address is known. Use the hostname keyword if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown. A short guessable key such as test12345 is suitable only for a lab; in production the pre-shared key should be long and randomly generated, since an attacker who can capture the IKE exchange can try to guess it offline.

L Anh Hng K49DB

79

4.2 Configuring the gateway for digital certificate interoperability

To configure your IOS gateway to use digital certificates as the authentication method, use the following steps, beginning in global configuration mode. This configuration assumes the use of the IOS default ISAKMP policy, which uses DES, SHA, RSA signatures, Diffie-Hellman group 1, and a lifetime of 86,400 seconds. Cisco uses the 3DES encryption algorithm.

Step 1
Command: Hq-sanjose(config)# crypto ca identity name
Purpose: Declare a CA. The name should be the domain name of the CA. This command puts you into CA identity configuration mode.

Step 2
Command: Hq-sanjose(config)# enrollment url url
Purpose: Specify the URL of the CA.

Step 3
Command: Hq-sanjose(config)# enrollment mode ra
Purpose: (Optional) Specify RA mode if your CA system provides a registration authority (RA). Cisco IOS software automatically determines RA or non-RA mode; therefore, if RA mode is used, this command is written to NVRAM when the configuration is written to memory.

Step 4
Command: Hq-sanjose(config)# query url url
Purpose: Specify the location of the LDAP server if your CA system provides an RA and supports the LDAP protocol.

Step 5
Command: Hq-sanjose(config)# enrollment retry period minutes
Purpose: (Optional) Specify the retry period, in minutes, that the router waits between certificate requests.

Step 6
Command: Hq-sanjose(config)# enrollment retry count number
Purpose: Specify how long the router keeps sending certificate requests that have not succeeded before giving up. By default, the router never gives up trying.

Step 7
Command: Hq-sanjose(config)# crl optional
Purpose: Specify that other peers' certificates can still be accepted by your router even if the appropriate CRL is not accessible to your router.

Step 8
Command: Hq-sanjose(config)# exit
Purpose: Exit CA identity configuration mode.

4.2.1 Verifying IKE policies

To verify the configuration, enter the show crypto isakmp policy command in EXEC mode to see the default policy and any default values in the configured policies.

Hq-sanjose# show crypto isakmp policy
Protection suite priority 1
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit

4.2.2 Configuring a different pre-shared key

Because pre-shared keys were specified as the authentication method for policy 1 in "Configuring IKE policies", complete the following configuration steps at the headquarters router as well as at the business partner router.

Step 1: Set each peer's ISAKMP identity. Each peer's identity should be set either to its hostname or to its IP address. By default, a peer's identity is set to its IP address. In this scenario, you only need to complete this task at the business partner router.

Step 2: Specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. You can specify the same shared key for several remote peers; however, a more secure approach is to specify different shared keys between different pairs of peers.

To configure a different pre-shared key for use between the headquarters router and the business partner router, complete the following steps in global configuration mode.

Step 1
Command: Hq-sanjose(config)# crypto isakmp key test67890 address 172.23.2.7
Purpose: At the local peer, specify the shared key the headquarters router will use with the business partner router. In this configuration example the shared key test67890 is used with remote peer 172.23.2.7 (serial interface 1/0 of the business partner router).

Step 2
Command: Hq-sanjose(config)# crypto isakmp identity address
Purpose: At the remote peer, specify the ISAKMP identity (address or hostname) the business partner router will use when communicating with the headquarters router during IKE negotiations.

Step 3
Command: Hq-sanjose(config)# crypto isakmp key test67890 address 172.17.2.4
Purpose: At the remote peer, specify the shared key to be used with the local peer. This is the same key you specified at the local peer.

Note: Set an ISAKMP identity whenever you specify pre-shared keys. The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known. Use the hostname keyword if there is more than one interface on each peer that might be used for IKE negotiations, or if the interface's IP address is not known (as with dynamically assigned addresses).

4.3 Configuring IPSec and IPSec tunnel mode

After configuring the different pre-shared key, configure IPSec at each participating IPSec peer. This section covers the basic steps for configuring IPSec, which consist of the following tasks: creating crypto access lists; verifying crypto access lists; defining transform sets and configuring IPSec tunnel mode; verifying transform sets and IPSec tunnel mode.

4.3.1 Creating crypto access lists

Crypto access lists are used to define which IP traffic will be protected by crypto and which traffic will not. For example, you can create an access list to protect all IP traffic between the headquarters router and the business partner router. The access lists themselves are not specific to IPSec. It is the crypto map entry referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list. To create a crypto access list, enter the following command in global configuration mode.

Command: Hq-sanjose(config)# access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
Purpose: Specify the conditions that determine which IP packets are protected. In this configuration, access list 111 encrypts all IP traffic between the headquarters server (IP address 10.2.2.2) and PC B (IP address 10.1.5.3) in the business partner office.

4.3.2 Verifying crypto access lists

To verify the configuration, enter the show access-lists 111 command in EXEC mode to view the attributes of the access list.

Hq-sanjose# show access-lists 111
Extended IP access list 111
    permit ip host 10.2.2.2 host 10.1.5.3

4.4 Defining transform sets and configuring IPSec tunnel mode

You must define transform sets regardless of the tunneling protocol you use. To define a transform set and configure IPSec tunnel mode, complete the following steps, beginning in global configuration mode:

Step 1
Command: Hq-sanjose(config)# crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
Purpose: Define a transform set and enter crypto transform configuration mode. This example combines the AH (1) transform ah-sha-hmac, the ESP (2) encryption transform esp-des and the ESP authentication transform esp-sha-hmac into the transform set proposal4. There are complex rules defining which entries you can use for the transform arguments; these rules are explained in the command description for crypto ipsec transform-set. You can also use the crypto ipsec transform-set ? command in global configuration mode to view the available transform arguments.

Step 2
Command: Hq-sanjose(cfg-crypto-trans)# mode tunnel
Purpose: Change the mode associated with the transform set. The tunnel mode setting applies only to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. In this example tunnel mode is configured for transform set proposal4, creating an IPSec tunnel between the IPSec peer addresses.

Step 3
Command: Hq-sanjose(cfg-crypto-trans)# exit
Purpose: Return to global configuration mode: Hq-sanjose(config)#

(1) AH = Authentication Header. This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not provide confidentiality. AH uses a keyed-hash function rather than digital signatures.

(2) ESP = Encapsulating Security Payload. This header, when added to an IP datagram, protects the confidentiality, integrity and authenticity of the data. If ESP is used to validate data integrity, it does not cover the invariant fields in the IP header.

4.4.1 Verifying transform sets and IPSec tunnel mode

To verify the configuration, enter the show crypto ipsec transform-set command in EXEC mode to view the transform set configured on the router.

Hq-sanjose# show crypto ipsec transform-set
Transform set proposal4: { ah-sha-hmac }
   will negotiate = { Tunnel, },
   { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
--Display text omitted--

4.5 Configuring crypto maps

This section covers the basic steps for configuring crypto maps, which consist of the following tasks: creating crypto map entries; verifying crypto map entries; applying crypto maps to interfaces; verifying crypto map interface associations.

4.5.1 Creating crypto map entries

To create crypto map entries that use IKE to establish SAs, complete the following steps, beginning in global configuration mode.

Step 1
Command: Hq-sanjose(config)# crypto map s4second local-address serial 2/0
Purpose: Create a crypto map and specify a local address (physical interface) to be used for IPSec traffic. This example creates crypto map s4second and specifies serial interface 2/0 of the headquarters router as the local address. This step is only required if you previously used the loopback command or if you are using GRE tunnels.

Step 2
Command: Hq-sanjose(config)# crypto map s4second 2 ipsec-isakmp
Purpose: Enter crypto map configuration mode, specify a sequence number for the crypto map created in step 1, and configure the crypto map to use IKE to establish SAs. In this configuration the sequence number is 2 and the IKE crypto map is s4second.

Step 3
Command: Hq-sanjose(config-crypto-map)# match address 111
Purpose: Specify an extended access list. This access list determines which traffic is protected by IPSec and which is not. In this configuration example it is access list 111, created in "Creating crypto access lists".

Step 4
Command: Hq-sanjose(config-crypto-map)# set peer 172.23.2.7
Purpose: Specify a remote IPSec peer (by hostname or IP address). This is the peer to which IPSec-protected traffic can be forwarded. This example specifies serial interface 1/0 (172.23.2.7) on the business partner router.

Step 5
Command: Hq-sanjose(config-crypto-map)# set transform-set proposal4
Purpose: Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first). This example specifies transform set proposal4, configured in "Defining transform sets and configuring IPSec tunnel mode".

Step 6
Command: Hq-sanjose(config-crypto-map)# exit
Purpose: Return to global configuration mode: Hq-sanjose(config)#

To create dynamic crypto map entries that will use IKE to establish SAs, complete the following steps, beginning in global configuration mode.

Step 1
Command: Hq-sanjose(config)# crypto dynamic-map dynamic-map-name seq-num
Purpose: Create a dynamic crypto map entry.

Step 2
Command: Hq-sanjose(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
Purpose: Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first). This is the only configuration statement required in dynamic crypto map entries.

Step 3
Command: Hq-sanjose(config-crypto-map)# match address access-list-id
Purpose: (Optional) Specify the number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which should not, in the context of this crypto map entry.

Step 4
Command: Hq-sanjose(config-crypto-map)# set peer {hostname | ip-address}
Purpose: (Optional) Specify a remote IPSec peer. Repeat for multiple remote peers. This is rarely configured in dynamic crypto map entries, which are usually used for unknown remote peers.

Step 5
Command: Hq-sanjose(config-crypto-map)# set security-association lifetime seconds seconds and/or set security-association lifetime kilobytes kilobytes
Purpose: (Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6
Command: Hq-sanjose(config-crypto-map)# exit
Purpose: Return to global configuration mode: Hq-sanjose(config)#

4.5.2 Verifying crypto map entries

To verify the configuration, enter the show crypto map command in EXEC mode to view the crypto map entries configured on the router.

Hq-sanjose# show crypto map
Crypto Map: "s4second" idb: Serial2/0 local address: 172.16.2.2
Crypto Map "s4second" 2 ipsec-isakmp
        Peer = 172.23.2.7
        Extended IP access list 111
            access-list 111 permit ip
                source: addr = 10.2.2.2/255.255.255.0
                dest:   addr = 10.1.5.3/255.255.255.0
        Current peer: 172.23.2.7
        Security-association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ proposal4, }
--Display text omitted--

4.5.3 Applying crypto maps to interfaces

To apply a crypto map set to an interface, complete the following steps, beginning in global configuration mode:

Step 1
Command: Hq-sanjose(config)# interface serial 2/0
Purpose: Specify a physical interface on which to apply the crypto map, and enter interface configuration mode. This example specifies serial interface 2/0 on the headquarters router.

Step 2
Command: Hq-sanjose(config-if)# crypto map s4second
Purpose: Apply the crypto map set to the physical interface. This configuration example applies crypto map s4second, created in "Creating crypto map entries".

Step 3
Command: Hq-sanjose(config-if)# exit
Purpose: Return to global configuration mode: Hq-sanjose(config)#

Step 4
Command: Hq-sanjose# clear crypto sa
Purpose: In privileged EXEC mode, clear the existing IPSec SAs so that any changes take effect immediately.

4.5.4 Verifying crypto map interface associations

To verify the configuration, enter the show crypto map interface serial 2/0 command in EXEC mode to view the crypto map applied to the specified interface.

Hq-sanjose# show crypto map interface serial 2/0
Crypto Map "s4second" 2 ipsec-isakmp
        Peer = 172.23.2.7
        Extended IP access list 111
            access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
        Current peer: 172.23.2.7
        Security association lifetime: 4608000 kilobytes/1000 seconds
        PFS (Y/N): N
        Transform sets={ proposal4, }

5. Configuring Cisco IOS Firewall features

Cisco IOS software provides an extensive set of security features with which you can configure a simple or elaborate firewall, according to your particular requirements. When you configure Cisco IOS firewall features on your Cisco router, you turn your router into an effective, robust firewall. Cisco IOS firewall features are designed to prevent unauthorized external individuals from gaining access to your internal network and to block attacks on your network, while at the same time allowing authorized users to access network resources.

5.1 Creating extended access lists using access list numbers

To create an extended access list that denies or permits a type of traffic, complete the following steps, beginning in global configuration mode.

Step 1
Command: Hq(config)# access-list 102 deny tcp any any
Purpose: Define access list 102 and configure it to deny all TCP services.

Step 2
Command: Hq(config)# access-list 102 deny udp any any
Purpose: Configure access list 102 to deny all UDP services.

Step 3
Command: Hq(config)# access-list 102 permit ip any any
Purpose: Configure access list 102 to permit all other IP services.

5.2 Verifying extended access lists

To verify the configuration, enter the show access-lists 102 command in EXEC mode to display the contents of the access list.

hq-sanjose# show access-lists 102
Extended IP access list 102
    deny tcp any any
    deny udp any any
    permit ip any any

5.3 Applying access lists to interfaces

After you create an access list, you can apply it to one or more interfaces. An access list can be applied in the outbound or the inbound direction of an interface. To apply an access list inbound or outbound on an interface, complete the following steps, beginning in global configuration mode.

Step 1
Command: Hq-sanjose(config)# interface serial 1/0
Purpose: Specify serial interface 1/0 on the headquarters router and enter interface configuration mode.

Step 2
Command: Hq-sanjose(config-if)# ip access-group 102 in
Purpose: Configure access list 102 inbound on serial interface 1/0 on the headquarters router.

Step 3
Command: Hq-sanjose(config-if)# ip access-group 102 out
Purpose: Configure access list 102 outbound on serial interface 1/0 on the headquarters router.

Step 4
Command: Hq-sanjose(config-if)# exit
Purpose: Return to global configuration mode: Hq-sanjose(config)#
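As an added example, not code from the thesis, the following Python models crypto access list 111 from section 4.3.1 and firewall access list 102 from section 5.1 with the first-match and implicit-deny semantics of IOS, then runs constructed packets through them: it confirms that 111 selects only the 10.2.2.2 to 10.1.5.3 pair for IPSec, and shows that 102 as written passes ESP and AH but denies the UDP port 500 datagrams that IKE itself uses, which matters when the list is applied inbound on the same serial 1/0 that terminates the tunnel. The Packet and Entry classes and all helper names are this example's own.

```python
"""Evaluate Cisco IOS style numbered access lists against sample packets.

Added example, not code from the thesis: it models crypto access list 111
(section 4.3.1) and firewall access list 102 (section 5.1) with the
first-match semantics IOS uses, including the implicit deny at the end of
every list. Only the syntax the page uses is parsed: permit/deny, the
protocol keywords ip, tcp, udp, esp and ahp, 'any' or 'host A.B.C.D'
addresses, and an optional trailing 'eq <port>'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# IP protocol numbers for the keywords IOS accepts; ip (None) matches them all.
# ESP is IP protocol 50, AH is protocol 51, and IKE itself runs over UDP port 500.
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
IKE_UDP_PORT = 500


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None  # only meaningful for tcp/udp


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: Optional[int]  # None = any IP protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # from an optional trailing 'eq <port>'


def _parse_addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines into {N: [Entry, ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACL entry
        number, action, proto = t[1], t[2], t[3]
        if action not in ("permit", "deny") or proto not in PROTO_NUM:
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(number, []).append(Entry(action, PROTO_NUM[proto], src, dst, dport))
    return acls


def evaluate(entries, pkt):
    """Return the action of the first matching entry, or 'deny' from the implicit deny."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for e in entries:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Constructed copy of the two lists exactly as the thesis configures them.
PAGE_ACLS = parse_acl("""
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
access-list 102 deny tcp any any
access-list 102 deny udp any any
access-list 102 permit ip any any
""")


def ipsec_selected(pkt):
    """True when crypto ACL 111 hands an outbound packet to IPSec (permit = protect).
    IOS evaluates the crypto ACL mirrored for inbound, decrypted traffic, so this
    models only the outbound direction on the headquarters router."""
    return evaluate(PAGE_ACLS["111"], pkt) == "permit"


def firewall_verdict(pkt):
    """What firewall ACL 102 does to a packet crossing serial 1/0."""
    return evaluate(PAGE_ACLS["102"], pkt)


def ipsec_control_plane_report():
    """Verdicts of ACL 102 for the traffic the IPSec tunnel itself needs to arrive."""
    hq, peer = "172.17.2.4", "172.24.2.5"  # serial 1/0 addresses from section 4.1.3
    return {
        "ike (udp 500)": firewall_verdict(Packet(PROTO_NUM["udp"], peer, hq, IKE_UDP_PORT)),
        "esp (proto 50)": firewall_verdict(Packet(PROTO_NUM["esp"], peer, hq)),
        "ah (proto 51)": firewall_verdict(Packet(PROTO_NUM["ahp"], peer, hq)),
    }


if __name__ == "__main__":
    for name, verdict in ipsec_control_plane_report().items():
        print(f"{name}: {verdict}")
```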

5.4 Verifying that the access list is applied correctly

To verify the configuration, enter the show ip interface serial 1/0 command in EXEC mode to confirm that the access list is applied correctly on the interface.

hq-sanjose# show ip interface serial 1/0
Serial1/0 is up, line protocol is up
  Internet address is 172.17.2.4
  Broadcast address is 255.255.255.255
  Address determined by setup command
  Peer address is 172.24.2.5
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 102
  Inbound access list is 102
--Display text omitted--

Conclusion: In this chapter we have walked through how to set up a VPN on Cisco IOS software. In fact this is a fairly complex setup that demands a high level of practical skill and a certain understanding of router configuration in order to recognise the purpose behind each configuration step. Cisco IOS software is very powerful, and it is by no means a simple piece of software. There are many options in global configuration mode; if you know how to make good use of them, you can become a skilled network administrator. Above all, when setting up any configuration, the first thing to remember is to keep the setup simple, so that you can be sure that what has just been set up works correctly.

Chapter 5: CONFIGURING VPN ON WINDOWS SERVER 2003

1. General introduction

A VPN on Windows 2003 in the Remote Access form allows computers to access the company's internal network over the Internet. A simple model can be built as follows:

- An ADSL modem with a static IP address. If a static IP address is not available, DDNS can be used.
- One computer running Windows 2003 Server. This computer is used to configure the VPN Server. It should have two network cards.
- A remote computer running Windows XP or Windows 2000, which can create a VPN connection to the server above.

Figure 59

2. Installing the VPN Server

Before installing the VPN, stop the Windows Firewall/Internet Connection Sharing (ICS) service and set it to Disabled (the default after installation is Automatic).

Run Services Manager by clicking Start->Programs->Administrative Tools->Services. The Services Manager interface is shown in Figure 60.

Figure 60

In Figure 60, find the Windows Firewall/Internet Connection Sharing (ICS) service. Right-click the service name and choose Properties from the context menu. The Windows Firewall/Internet Connection Sharing (ICS) Properties dialog appears (Figure 61).

Figure 61: Windows Firewall/Internet Connection Sharing (ICS) Properties

In Figure 61, select Disabled under Startup type, and click the Stop button to stop the Windows Firewall/Internet Connection Sharing (ICS) service. After stopping the service, proceed to install the VPN Server.

To install the VPN on Windows 2003, run Manage Your Server by clicking Start->Programs->Administrative Tools->Manage Your Server.

Figure 62: Manage Your Server

In the Manage Your Server window (Figure 62), click Add or remove a role to install additional Windows 2003 services.

Figure 63: Configure Your Server Wizard, Preliminary Steps

In Figure 63, click Next to continue.

Figure 64: Configure Your Server Wizard, Server Role

Figure 64 lets you select the server services on Windows 2003. In this step select Remote access / VPN server, then click Next to continue.

Figure 65: Configure Your Server Wizard, Summary of Selections

Figure 65 lists the Windows 2003 Server services that were selected. Click Next to continue.

Figure 66: Routing and Remote Access Server Setup Wizard, Step 1

Figure 66 is the first step of the Routing and Remote Access setup. Click Next to continue.

Figure 67: Routing and Remote Access Server Setup Wizard, Step 2

Figure 67 lets you choose the configuration of the Routing and Remote Access service. In this step choose Custom configuration, then click Next to continue.

Figure 68: Routing and Remote Access Server Setup Wizard, Step 3

Figure 68 lets you select the services within Routing and Remote Access. In this step select VPN access and LAN routing, then click Next to continue.

Figure 69: Routing and Remote Access Server Setup Wizard, Step 4

Figure 69 is the end of the Routing and Remote Access setup. Click Finish to complete it.

Figure 70: Routing and Remote Access, Start Service

After the Routing and Remote Access setup finishes, a dialog asks to start the Routing and Remote Access service; choose Yes to confirm starting the service.

Figure 71: Configure Your Server Wizard, Finish

Figure 72 reports the end of the Configure Your Server Wizard. Click Finish to complete it. After this step, configure the VPN Server.

3. Configuring the VPN Server

Figure 73: Manage Your Server

After installing Routing and Remote Access, to configure the VPN Server, run Manage Your Server and click Manage this remote access/VPN server (Figure 73). (Alternatively, click Start->Programs->Administrative Tools->Routing and Remote Access.)

3.1. Routing and Remote Access Properties

Figure 74: Routing and Remote Access

Figure 74 is the main interface of Routing and Remote Access. To configure it, right-click the computer name (in this example the server name is FREE4VN-HOME) and choose Properties from the context menu. Note that the context menu has some functions worth attention:

- Disable Routing and Remote Access: used when you want to delete the existing Routing and Remote Access configuration in order to create a new one. After disabling, choose Configure and Enable Routing and Remote Access from the same context menu to configure a new Routing and Remote Access.
- All Tasks, with the sub-functions Start, Stop, Pause, Resume and Restart, is used for the Routing and Remote Access service. This is similar to using Services Manager.

Figure 75: FREE4VN-HOME Properties, General tab

Figure 75 shows the Properties of FREE4VN-HOME. Three tabs matter: General, Security and IP. In the General tab, check that Router and Remote access server are ticked. Router allows requests from VPN clients to be routed to machines on the internal network. Remote access server allows VPN clients to connect. LAN and demand-dial routing should be selected.

Figure 76: FREE4VN-HOME Properties, Security tab

Figure 76 is the Security tab, which lets you choose the Authentication provider and the Accounting provider. If there is a computer on the internal network running RADIUS, you can choose RADIUS as the Authentication provider and Accounting provider. In this example, Windows Authentication and Windows Accounting are chosen.

Figure 77: FREE4VN-HOME Properties, IP tab

Figure 77 lets you choose IP addressing for VPN connections. In this step choose Static address pool, then click Add.

Figure 78: IP tab, New Address Range

In Figure 78, enter values for Start IP address and End IP address. The IP addresses in this range will be assigned automatically to each VPN connection.

3.2. Ports Properties

In the main Routing and Remote Access interface (Figure 74), right-click Ports and choose Properties from the context menu. The Ports Properties dialog appears (Figure 79).

Figure 79: Ports Properties

In Figure 79 you can see that the number of miniports for both PPTP and L2TP is 128. Each miniport is one VPN connection from a client to the server. To reduce these numbers, select WAN Miniport (PPTP) and click Configure.

Figure 80: Configure Device, WAN Miniport (PPTP)

In Figure 80, change the Maximum ports parameter from 128 down to 5. Do the same for WAN Miniport (L2TP). With this configuration the server accepts at most 10 VPN connections: 5 VPN clients using PPTP tunnels and 5 VPN clients using L2TP tunnels.

Note: If the number of VPN connections allowed is larger than the number of IP addresses granted in Figure 78, then when the VPN connections run out of IP addresses the VPN Server takes an IP address from a DHCP server on the network to assign to that VPN connection. If there is no DHCP server on the network, an error is reported and the connection is refused.

3.3. Remote Access Policies

The final step is to allow access through the Remote Access Policy.

Figure 81: Remote Access Policies

In Figure 81 select Remote Access Policies. Remote Access Policies has two options: Connections to Microsoft Routing and Remote Access Server and Connections to other access servers. Right-click Connections to Microsoft Routing and Remote Access Server and choose Properties from the context menu.

Figure 82: Connections to Microsoft Routing and Remote Access Server Properties

In Figure 82 select Grant remote access permission, then click OK to confirm. Do the same for Connections to other access servers. The next step is to create an account on Windows that is allowed to use the VPN connection.

4. Creating a Windows user allowed to use the VPN

As you know, users on Windows are created with Computer Management. To run Computer Management, click Start->Programs->Administrative Tools->Computer Management. The main interface of Computer Management is shown in Figure 83.

Figure 83: Computer Management, Local Users and Groups

In Figure 83 choose System Tools->Local Users and Groups->Users. Then right-click the user you want to allow to use the VPN, for example user centos4, and click Properties in the context menu.

Figure 84: User Properties

In Figure 84 choose the Dial-in tab. In this tab choose Allow access. If you want to specify the exact IP address assigned to the VPN client for this user, choose Assign a Static IP Address and enter the corresponding IP address. This address may lie outside the IP range chosen in Figure 78, but it should be in the same subnet as that range. After this step, user centos4 can connect to the VPN Server.

5. VPN Client on Windows XP

On Windows 2000 and Windows XP you can create a VPN connection to the VPN Server installed and configured in the steps above. The following shows how to create a VPN connection to a VPN Server on Windows XP. Right-click the My Network Places icon on the desktop and click Properties in the context menu. The Network Connections dialog appears (see Figure 85).

Figure 85: Network Connections (VPN Client)

In Figure 85 click Create a new connection. The New Connection Wizard appears, with 6 configuration steps.

Figure 86: New Connection Wizard, Step 1 (VPN Client)

In Figure 86, click Next to continue.

Figure 87: New Connection Wizard, Step 2 (VPN Client)

Figure 87 lets you choose the connection type. In this step choose Connect to the network at my workplace, then click Next to continue.

Figure 88: New Connection Wizard, Step 3 (VPN Client)

In Figure 88, choose Virtual Private Network connection, then click Next to continue.

Figure 89: New Connection Wizard, Step 4 (VPN Client)

Figure 89 lets you name the VPN connection; in this example type free4vn.org, then click Next to continue.
Figure 90: New Connection Wizard, Step 5 (VPN Client)

Figure 90 lets you enter the IP address of the server on which the VPN Server service is installed. You can use the static IP address assigned to the ADSL modem or the corresponding domain name.

Figure 91: New Connection Wizard, Finish (VPN Client)

Figure 91 ends the New Connection Wizard; click Finish to complete it. After this step, Network Connections (Figure 85) contains a new connection named free4vn.org. To connect to the VPN Server, double-click that connection. The Connect dialog is shown in Figure 92.

Figure 92: Connect to free4vn.org (VPN Client)

In Figure 92, to connect to the VPN Server, enter the User name and Password declared in section 4, "Creating a Windows user allowed to use the VPN". Then click Connect to connect to the VPN Server. You can click Properties to add further options for the connection.

Figure 93: free4vn.org Properties, Options tab (VPN Client)

In Figure 93, the Options tab, you can use the Redial if line dropped feature so that the VPN client automatically reconnects to the VPN Server after the VPN connection is interrupted (possibly because of an Internet connection fault). This option also lets the VPN Server administrator reset the connection between the VPN client and the VPN Server.

When connected to the VPN Server, by default the client machine uses the VPN Server as its gateway. As a result, the client machine may no longer be able to use the Internet. To change this, select the Networking tab.

Figure 94: free4vn.org Properties, Networking tab (VPN Client)

In Figure 94, click Internet Protocol (TCP/IP), then click the Properties button.

Figure 95: Internet Protocol (TCP/IP) Properties (VPN Client)

In Figure 95, click Advanced.

Figure 96: Advanced TCP/IP Settings, General tab (VPN Client)

In Figure 96, untick Use default gateway on remote network. After connecting to the VPN Server, a message confirming a successful connection appears on the VPN client.

Figure 97: Successful VPN connection (VPN Client)

A VPN connection is like an ordinary network connection. To view its status, right-click the connection and choose Status from the context menu (see Figure 98).

Figure 98: Context menu of the VPN connection (VPN Client)

Figure 99: Status of the VPN connection (VPN Client)

In the Status dialog of the VPN connection, choose the Details tab and note the IP address assigned to the client for this VPN connection. This address can also be assigned statically for each user, and it can also be monitored on the VPN Server.

6. Managing connections on the VPN Server

VPN connections can also be monitored on the VPN Server. When the VPN client is given an address, it is taken from the range set in Figure 18 or from the per-user address set in Figure 24. To monitor VPN connections on the server, run Manage Your Server and click Manage this remote access/VPN server (or click Start->Programs->Administrative Tools->Routing and Remote Access).

Figure 100: Remote Access Clients

In Figure 100, click Remote Access Clients; the right-hand pane shows the users currently connected to the VPN Server. Right-click a user and click Status in the context menu.

Figure 101: Status of the VPN connection on the server

Figure 101 shows the status of the VPN connection of user centos4. Note the IP address assigned to the connection, and note the Disconnect button, which terminates that VPN connection.

Conclusion

VPN is a technology widely used today to provide a secure and efficient connection for accessing a company's internal resources from outside over the Internet. Although a shared network infrastructure is used, the privacy of the data is still guaranteed, just as if it were transmitted over a private network. The "software" VPN solution presented in this thesis suits a small number of users; to serve a larger number of users, a hardware VPN solution may be needed. In this thesis I have introduced the technology solutions for building a virtual private network, carried from theory to practice on the problems of virtual private networks in general, the access models, the authentication methods and their deployment on network systems. I then introduced the main VPN protocols supported in Windows Server and clients, and some security issues of those VPN protocols. Although I have tried my best, shortcomings are certainly unavoidable. I very much hope for the understanding and guidance of the teachers, colleagues and friends.


LIST OF ABBREVIATIONS

ACK: Acknowledgment
AD: Active Directory
ADSL: Asymmetrical Digital Subscriber Line
AES: Advanced Encryption Standard
AH: Authentication Header
ANSI: American National Standards Institute
ATM: Asynchronous Transfer Mode
CA: Certificate Authority
CBC: Cipher Block Chaining
DC: Domain Controller
DES: Data Encryption Standard
DNS: Domain Name System
DSS: Department of Social Security
DSU: Digital Service Unit
ESP: Encapsulating Security Payload
FTP: File Transfer Protocol
GRE: Generic Routing Encapsulation
ICMP: Internet Control Message Protocol
ID: Identifier
IKE: Internet Key Exchange
IP: Internet Protocol
IPX: Internet Packet Exchange
ISA: Microsoft Internet Security and Acceleration Server
ISAKMP: Internet Security Association and Key Management Protocol
ISDN: Integrated Services Digital Network
ISO: International Standards Organization
IV: Initialization Vector
L2F: Layer 2 Forwarding
L2TP: Layer 2 Tunneling Protocol
LAN: Local Area Network
LDAP: Lightweight Directory Access Protocol
MAC: Medium Access Control
MPPE: Microsoft Point to Point Encryption
NAS: Network Access Server
NetBEUI: NetBIOS Enhanced User Interface
NFS: Network File System
OSI: Open Systems Interconnection
PC: Personal Computer
POP: Point of Presence
POP: Post Office Protocol
PPP: Point to Point Protocol
PPTP: Point to Point Transfer Protocol
PSTN: Public Switched Telephone Network
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
RSA: Rivest, Shamir, Adleman
SA: Security Association
SDL: Synchronous Data Link
SHA: Secure Hash Algorithm
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
SPD: Security Policy Database
SPI: Security Parameters Index
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
UTP: Unshielded Twisted Pair
VPN: Virtual Private Network
WAN: Wide Area Network
