Table of contents
A. Overview of the project ... 2
B. Structure of the project ... 3
I. Overview of network security ... 4
1. Network security objectives ... 4
2. Attack methods ... 5
3. Network security policies ... 9
II. Radius ... 15
1. Overview of Radius ... 15
2. RADIUS architecture ... 20
3. Operation ... 34
4. RFCs ... 38
III. ASA ... 44
1. History ... 44
2. Cisco firewall products ... 45
3. Network access control (NAC) ... 45
4. The AAA protocol and the supporting services of the Cisco ASA ... 50
5. Application inspection ... 60
6. Fault tolerance and redundancy (failover and redundancy) ... 60
7. Quality of service (QoS) ... 62
8. Intrusion detection (IDS) ... 64
IV. Simulation ... 68
1. Objectives of the simulation ... 68
2. Simulation model ... 69
3. Tools needed to carry out the simulation ... 69
4. Simulation steps ... 69
5. Results achieved ... 78
V. GENERAL CONCLUSION ... 79
VI. FUTURE DEVELOPMENT OF THE PROJECT ... 80
List of figures
Supervisor (GVHD): ThS. Nguyễn Đức Quang. Students (SVTH): Nguyễn Đức Nguyên Long (student ID 106102078), Lê Hoàng Long (student ID 106102079)
A. Overview of the project
Objectives of studying the ASA firewall
+ The study improves the ability to self-learn, explore and research independently.
+ Study the ASA firewall system.
+ Deploying a system that detects and blocks traffic entering and leaving the network is a necessity for businesses that need to keep their systems safe from unauthorized intrusion. With the growth of the Internet and people's ever deeper understanding of it, unauthorized access to and sabotage of a business's or company's network has also grown considerably along with the Internet.
+ This study serves the field of system security and safety.
+ The ASA (Adaptive Security Appliance) is a powerful all-in-one firewall appliance and currently Cisco's most popular one. The objective of this project is therefore to study and understand how it works, how it is configured, and how it is applied to secure a network. The result expected from studying this device is to understand how it operates and to be able to deploy it in any network.
+ Study the AAA server.
+ Study how to organize the monitoring of end-user activity, such as a user's start and end times (accounting). Security is a very important issue. With this level of control it is easy to set up security and network administration. Roles can be defined that give users the commands they need to complete their tasks, and changes in the network can be tracked. With the ability to log events, adjustments can be made to suit each requirement. All of these components are necessary to maintain the safety and security of the network. With the information collected, the updates needed over time can be anticipated. Data security requirements, bandwidth growth, and monitoring of problems on the network are handled through the AAA server.
B. Structure of the project.
The project is divided into 6 parts.
I. Overview of network security. This chapter describes network security threats and the security policies that make data protection effective, reducing the risk of attack or detecting it.
II. Radius. This chapter describes the technique of using authentication, authorization and accounting to deliver strong, complete network security and to prevent data loss.
III. ASA
This chapter introduces the Cisco ASA firewall and the techniques applied to the firewall.
IV. Simulation. This chapter describes the process of implementing the Cisco ASA in a concrete network model, to show its practicality and to verify the theory of this project; it details the experimental process.
V. General conclusion. This chapter presents what the project achieved and the limitations and difficulties that the project could not resolve.
VI. Future development of the project.
2.1 Virus
A computer virus is designed to attack a computer and often spreads to other computers and network devices. A virus is often an e-mail attachment, and opening the attachment can cause executable code to run and replicate the virus. A virus must be executed, or run in memory, in order to run and search for other programs or hosts to infect and replicate to. As its name suggests, a virus needs a host, such as a spreadsheet or an e-mail attachment, in order to infect and replicate. Viruses have some common effects. Some viruses are benign and simply notify their victims that they are infected. Malicious viruses create havoc by deleting files or otherwise corrupting infected computers that hold digital assets such as pictures, documents, passwords and financial statements.
2.2 Worm
A worm is a destructive program that scans for weaknesses or security holes on other computers in order to exploit those weaknesses and replicate. Worms can replicate independently and very quickly. Worms differ from viruses in two main ways: a virus needs a host to attach to and execute, while a worm does not require a host; and viruses and worms usually cause different kinds of destruction. Viruses, once resident in memory, typically delete and modify critical files on the infected computer. Worms, however, tend to be network-centric rather than computer-centric. Worms can replicate quickly by initiating network connections to replicate and send large amounts of data. Worms can also carry a passenger, or data payload, which can reduce a target computer to the status of a zombie. A zombie is a computer that has been compromised and is now under the control of network attackers. Zombies are often used to launch other network attacks. A large collection of zombies under an attacker's control is called a "botnet". Botnets can grow quite large; botnets of more than 100,000 zombie computers have been identified.
2.6. Spyware
Spyware is a class of software applications that can take part in a network attack. Spyware is an application that installs itself and remains hidden on the target computer or laptop. Once the spyware application has been secretly installed, it captures information about what the user is doing with their computer. Some of the captured information includes websites visited, e-mails sent, and passwords used. Attackers can use the captured passwords and information to get into a network and launch a network attack. Besides being used directly to participate in a network attack, spyware can also be used to gather information that can be sold covertly. This information, once purchased, can be used by another attacker to "mine" data for use in planning another network attack.
2.7. Phishing
Phishing is a type of network attack that usually begins by sending e-mail to unsuspecting users. The phishing e-mail tries to look like a legitimate e-mail from a known and trusted organization such as a bank or an e-commerce website. The fake e-mail tries to convince the user that something has happened, such as suspicious activity on their account, and that the user must follow the links in the e-mail and log in to the website to view their user information. The links in such e-mails usually lead to a fake copy of the real bank or e-commerce website with the same look and feel as the real site. Phishing attacks are designed to trick users into providing valuable information such as their username and password.
Figure 1-1 (labels): Physical access; Administrative access; Software upgrades; Configuration files; Routing protocols; Access to the network the firewall protects.
Figure 1-1: Firewall security layers. At the center is the physical integrity layer of the firewall, which is mainly concerned with physical access rights to the firewall, that is, securing physical access to the device, for example through a connection to the console port. The next layer is the static firewall configuration, which is mainly concerned with access to the running firewall software and its static configuration (for example, the PIX operating system and the startup configuration). At this layer the security policy should focus on defining the restrictions required to limit administrative access, including performing software updates and configuring the firewall. The third layer is the dynamic firewall configuration, which supplements the static configuration by covering the dynamic configuration of the firewall through technologies such as routing protocols, ARP commands, interface and device status, auditing, logging, and command scheduling. The goal of the security policy at this point is to define the requirements around which kinds of dynamic configuration will be permitted. Finally there is the network traffic through the firewall, which is really what the firewall exists to protect resources from. This layer is concerned with functions such as ACLs and proxy service information. The security policy at this layer is responsible for defining the requirements as they relate to the traffic passing through the firewall.
Security policy format:
To achieve the objectives identified earlier, most security policies follow a specific format or layout and share common elements. In general, most security policies share seven sections:
Overview: the overview section provides a brief explanation of what the policy addresses.
Purpose: the purpose section explains why the policy is needed.
Scope: the scope section defines what the policy applies to and identifies
Policy: the policy section is the actual policy itself.
Enforcement: the enforcement section defines how the policy is to be enforced and the consequences of not following the policy.
Definitions: the definitions section includes definitions of terms or concepts used in the policy.
Review history: the review history section is where policy changes are recorded and tracked.
Every organization has its own distinct security requirements and therefore its own unique security policy. However, most if not all environments require some common security policies, including:
Remote-access/VPN policy
Monitoring/logging policy
Demilitarized zone (DMZ) policy
Commonly applicable policies
… must define both the remote-management protocols that will be allowed and the users who may connect to the firewall and what tasks they are permitted to perform. In addition, the access-management policy should define the requirements for management protocols such as Network Time Protocol (NTP), syslog, TFTP, FTP, Simple Network Management Protocol (SNMP), and any other protocol that may be used to manage and maintain the device.
… protocols may need to be configured (for example, the use of hash algorithms to ensure that only authenticated nodes can pass routing data).
The monitoring/logging policy should also define how the information must be collected, maintained and reported. In many cases this information can be used to determine the requirements for third-party management and monitoring applications such as CiscoWorks, NetIQ Security Manager, or Kiwi Syslog Daemon.
Audit policy: the company's audit policy must be referenced to define the auditing requirements of the firewall. Risk assessment policy: the company's risk assessment policy should be referenced to define the method that will be used to determine the risks associated with all system adds, moves and changes as they relate to the firewall and the network perimeter as a whole. Below are some tasks a network administrator needs to carry out:
Log and review the firewall logs regularly.
Make inbound ACLs very detailed and specific.
Protect the DMZ from multiple sides.
Be careful with ICMP traffic.
Keep all firewall management traffic secured.
Review the firewall rules periodically.
II. Radius
1. Overview of Radius:
1.1. AAA:
1.1.1. Authentication
Authentication is the process of verifying the identity of a person (or of a computer). The most common form of authentication uses some combination of a login ID and a password, where knowledge of the password is the token by which the user is authenticated. Sharing passwords, however, undermines this authentication method, which has prompted the creators of e-commerce websites and other Internet business transactions to demand a stronger, more reliable authenticator. Digital certificates are one such solution, and within the next five to ten years it is possible that the use of digital certificates as part of a public key infrastructure (PKI) will become the preferred authenticator on the Internet.
The important aspect of authentication is that it allows two unique entities to form a trust relationship; both are assumed to be legitimate users. Trust between systems enables important functions such as proxy servers, where one system accepts a request on behalf of another, and allows AAA to operate where heterogeneous networks support different types of clients and services. Trust relationships can become quite complex.
… appropriate. A security analysis can review the denied requests, see whether a pattern emerges, and possibly deter a hacker or a freeloader. Accounting data is a great tool for an AAA server administrator.
Proxying is a very useful feature of the AAA model and benefits enterprises and distributed network deployments, in which some AAA devices can be configured to always forward requests to machines at other locations. The best example of proxying is an ISP reseller agreement. Often a large networking company will invest heavily in network infrastructure and points of presence in many locations. Having built out the distributed network, the company then resells it to smaller ISPs that need to extend their coverage and take advantage of a better network. The reseller is given some form of access control over the physical resources at each location, but the smaller ISPs do not want to share private information about their users with the reseller. In this case, an AAA proxy machine is placed at each of the reseller's points of presence, and those machines then communicate with the appropriate NAS devices at the smaller ISPs. Clients requesting services and resources from an AAA server (and in this case the clients may include AAA proxies) can communicate using either a hop-to-hop transaction or an end-to-end transaction. The distinction is where the trust relationships lie in the transaction chain. Consider the following cases to get a better picture. In a hop-to-hop transaction, a client sends an initial request to an AAA device. At this point there is a trust relationship between the client and the front-line AAA server. That machine determines that the request needs to be forwarded to another server at a different location, so it acts as a proxy and contacts a second AAA server. Now the trust relationship is between the two AAA servers, with the front-line machine acting as the client and the second AAA machine acting as the server. It is important to note that the trust relationship is not implicit, meaning that the original client and the second AAA machine do not have a trust relationship. Figure 2-1 shows that the trust is sequential and independent.
Figure 2-1 (labels): Client; Request; Proxies; Approving AAA server; Final AAA server; TRUST; no trust relationship here between the client and the intermediate AAA server, nor between the client and the final AAA server.
FIGURE 2-1: INDEPENDENT TRUST RELATIONSHIPS IN A HOP-TO-HOP TRANSACTION
Different from the hop-to-hop model is the end-to-end transaction method. The main difference is, once again, where the trust relationship lies: in this model it is between the requesting client and the AAA server that ultimately authorizes the request. In an end-to-end model the proxy chain still functions much as in the hop-to-hop model; what distinguishes end-to-end transactions is the trust relationship. Because passing sensitive information in proxied requests is not considered safe by design, some other means of authenticating a request and validating data integrity is needed as the original request hops through the proxy chain. Most commonly, digital certificates and other PKI validation are used in these situations. RFCs 2903 and 2905 describe the requirements for implementing end-to-end security, shown in Figure 2-2.
Figure 2-2 (labels): Client; Request; Proxies; Approving AAA server; Final AAA server; TRUST; trust relationship.
FIGURE 2-2: CLIENT/SERVER TRUST RELATIONSHIP IN THE END-TO-END MODEL
2. RADIUS architecture:
… of TCP data two minutes later is not useful. Faster use of an alternate server allows the user to get access before giving up." Since RADIUS is stateless, UDP seems natural, as UDP is also stateless. With TCP, client and server must have special code or administrative workarounds to minimize the effects of power loss, reboots, heavy network traffic, and system outages. UDP avoids this thorny problem because it allows a session to be opened and remain open for the whole transaction. To allow heavily used systems and traffic on a back end, which can sometimes delay queries and lookups by 30 seconds or more, it was decided that RADIUS would be multi-threaded. UDP lets RADIUS spawn servers for multiple requests at one time, and within each full session the communication between the network devices and clients is not constrained. So UDP is suitable. The only drawback of using UDP is that developers must create and manage packet retransmission themselves, a capability that is built into TCP. However, the RADIUS group felt that this was a smaller drawback than the convenience and simplicity of using UDP. And so UDP is used.
Figure 2-3 (labels): Code (1); Identifier (1); Length (2); Authenticator (16); Attributes and values (variable).
FIGURE 2-3: A DESCRIPTION OF THE RADIUS PACKET STRUCTURE
The data structure is divided into 5 distinct fields: Code, Identifier, Length, Authenticator, and Attributes.
2.2.1. Code:
The Code field is one octet long and is used to distinguish the type of RADIUS message carried in the packet. Packets with an invalid Code field are silently discarded. The valid codes are:
1 - Access-Request
2 - Access-Accept
3 - Access-Reject
4 - Accounting-Request
5 - Accounting-Response
11 - Access-Challenge
12 - Status-Server
13 - Status-Client
255 - Reserved
2.2.2. Identifier:
The Identifier field is one octet long and is used to thread, or automatically link, the original request and the subsequent reply. RADIUS servers can generally detect duplicate messages by checking elements such as the source IP address, the source UDP port, the time interval between the suspected duplicates, and the Identifier field.
2.2.3. Length:
The Length field is two octets and is used to specify the permitted length of the RADIUS packet. The value of this field is computed by taking the Code, Identifier, Length, Authenticator and Attributes fields and finding their total. The Length field is checked when a RADIUS server receives a packet, to ensure data integrity. Valid length values range from 20 to 4096. The RFC specification requires certain behaviour of RADIUS servers with respect to incorrect data lengths. If the RADIUS server receives a packet with a message longer than the Length field, it ignores all data beyond the end point indicated by the Length field. Conversely, if the server receives a message shorter than the Length field reports, the server discards the message.
2.2.4. Authenticator:
The Authenticator field, usually 16 octets long, is the field in which the integrity of the message payload is checked and verified. In this field the most significant octet is transmitted before any other octet; it is a value used to authenticate the reply from the RADIUS server. This value is also used in the password-hiding mechanism. There are two specific kinds of authenticator values: request and response values. Request Authenticators are used with Access-Request and Accounting-Request packets. In request values, this field is 16 octets long and is generated on a completely random basis to prevent attacks. While RADIUS makes no provision for protecting communications against eavesdropping and packet capture, the random value combined with a strong secret makes attacks and snooping difficult. The Response Authenticator is used in Access-Accept, Access-Reject and Access-Challenge packets. Its value is calculated using a one-way MD5 hash over the Code, Identifier, Length and Request Authenticator fields of the packet header, followed by the packet's attribute payload and the shared secret.
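The header layout of Figure 2-3 and the two authenticator kinds described above can be exercised in code. The following Python is an added example, not code from the original project or from any RADIUS implementation: it builds a request with a random 16-octet Request Authenticator, computes the Response Authenticator as MD5(Code + ID + Length + RequestAuth + Attributes + Secret), applies the Length rules of section 2.2.3, and lets a client verify a reply (Identifier match plus authenticator check) before trusting it. The shared secret and the User-Name attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (section 2.2.1, RFC 2865/2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator (network byte order)
HEADER_LEN = HEADER.size            # 20 octets
MIN_LEN, MAX_LEN = 20, 4096         # valid Length values (section 2.2.3)


def build_request(code, identifier, attributes, request_auth=None):
    """Build an Access-Request/Accounting-Request; the Request Authenticator is 16 random octets."""
    if request_auth is None:
        request_auth = os.urandom(16)   # unpredictable per request, as section 2.2.4 requires
    return HEADER.pack(code, identifier, HEADER_LEN + len(attributes), request_auth) + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    return hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + attributes + secret).digest()


def build_response(code, request_packet, attributes, secret):
    """Server side: the reply carries the request's Identifier and a Response Authenticator."""
    _, identifier, _, request_auth = HEADER.unpack_from(request_packet)
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return HEADER.pack(code, identifier, HEADER_LEN + len(attributes), auth) + attributes


def parse_packet(datagram):
    """Apply the Length rules of section 2.2.3. Returns None when the packet must be discarded."""
    if len(datagram) < HEADER_LEN:
        return None
    code, identifier, length, authenticator = HEADER.unpack_from(datagram)
    if not MIN_LEN <= length <= MAX_LEN or length > len(datagram):
        return None                                  # shorter than Length claims: drop it
    return {
        "code": code,
        "identifier": identifier,
        "length": length,
        "authenticator": authenticator,
        "attributes": datagram[HEADER_LEN:length],  # octets beyond Length are ignored
    }


def verify_response(response, request_packet, secret):
    """Client side: accept a reply only if its Identifier matches and its authenticator verifies."""
    reply, request = parse_packet(response), parse_packet(request_packet)
    if reply is None or request is None or reply["identifier"] != request["identifier"]:
        return False
    expected = response_authenticator(reply["code"], reply["identifier"],
                                      request["authenticator"], reply["attributes"], secret)
    return hmac.compare_digest(expected, reply["authenticator"])


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"     # sample value, not a real deployment secret
    USER_NAME_ALEX = b"\x01\x06alex"           # constructed User-Name (type 1) attribute
    req = build_request(ACCESS_REQUEST, 7, USER_NAME_ALEX)
    ok = build_response(ACCESS_ACCEPT, req, b"", SECRET)
    print("accept verifies:", verify_response(ok, req, SECRET))
    print("wrong secret   :", verify_response(ok, req, b"other-secret"))
```

The client keeps the Request Authenticator it sent, because the server's reply is bound to it: a reply forged without the shared secret, or one replayed against a different request, fails `verify_response`.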
2.3.1. Access-Request:
Access-Request packets are used by the consumer of a service when requesting a particular service from the network. The client sends a request packet to the RADIUS server with a list of the requested services. The key element in this transmission is the Code field in the packet header: it must be set to 1, the only valid value for request packets. The RFC requires that a reply be sent to every valid request packet, whether the reply is an accept or a reject. The payload of the Access-Request packet should include the User-Name attribute to identify who is attempting to access network resources. The payload is required to contain the IP address or canonical name of the network device from which the service is requested. It also contains either a user password, a CHAP-based password, or an identifier, but not both kinds of password. The user password must be hashed using MD5. Essentially, a new packet needs to be generated whenever attributes change, since the identifying information has changed. Attributes hidden with the shared secret need to be reversed by proxy servers (to obtain the original payload information) and then encrypted again with the secret the proxy server shares with the remote server. The structure of the Access-Request packet is shown in Figure 2-4.
Figure 2-4 (labels): Code (1); Identifier (unique); Length (header and payload); Attributes: username, NAS ID or name, MD5 user password or CHAP PWD (variable).
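The "MD5 user password" in Figure 2-4 is not a plain hash: RFC 2865 section 5.2 pads the password to a multiple of 16 octets and XORs each block with MD5(secret + previous block), where the first "previous block" is the Request Authenticator. The Python below is an added example, not the project's code or that of any RADIUS implementation, showing the hiding, its reversal on the server, and the proxy step described above (reverse with the secret shared with the sender, re-hide with the secret shared with the next server). It also shows why the random Request Authenticator matters: the same password hidden under two authenticators gives different bytes. The secret, authenticators and passwords are constructed sample values.

```python
import hashlib
import os

USER_PASSWORD = 2          # attribute type of User-Password (RFC 2865)
BLOCK = 16                 # MD5 output size; the password is processed in 16-octet blocks


def _keystream_block(secret, chaining_value):
    return hashlib.md5(secret + chaining_value).digest()


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1))."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), BLOCK):
        key = _keystream_block(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += block
        prev = block                     # chaining: the next key depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Server (or proxy) side: reverse the hiding with the same secret and Request Authenticator."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), BLOCK):
        key = _keystream_block(secret, prev)
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip the NUL padding (passwords ending in NUL are ambiguous)


def user_password_attribute(password, secret, request_auth):
    """Type (2) + Length + hidden value, ready to place in an Access-Request payload."""
    hidden = hide_password(password, secret, request_auth)
    return bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden


def rehide_for_next_hop(hidden, secret_in, auth_in, secret_out, auth_out):
    """What a RADIUS proxy does (section 2.3.1): reverse with the secret shared with the sender,
    then hide again with the secret and Request Authenticator used toward the next server."""
    return hide_password(reveal_password(hidden, secret_in, auth_in), secret_out, auth_out)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"    # sample value only
    ra1, ra2 = os.urandom(16), os.urandom(16)
    h1 = hide_password(b"hunter2", SECRET, ra1)
    h2 = hide_password(b"hunter2", SECRET, ra2)
    print("same password, different authenticators, different bytes:", h1 != h2)
    print("round trip:", reveal_password(h1, SECRET, ra1))
```

Because the keystream is derived only from the secret and the Request Authenticator, anyone holding the secret (every hop in a proxy chain) can recover the password, which is exactly the trust concern the end-to-end model in section 1 was introduced to address.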
2.3.2. Access-Accept:
The Access-Accept packet is sent by the RADIUS server to the client to confirm that the client's request is accepted. If all the requests in the Access-Request payload are acceptable, then the RADIUS server must set the Code field of the reply packet to 2. The client, on receiving the accept packet, matches it with the request using the Identifier field; packets that do not match are discarded. Of course, to ensure that request and accept packets match as described, that is, that an accept reply is sent in response to the corresponding request packet, the Identifier field in the Access-Accept header must have a value identical to the Identifier field in the Access-Request packet. The Access-Accept packet may contain as much or as little attribute information as it needs to include. Most likely the attribute information in this packet will describe the kinds of services that have been authenticated and authorized, which the client may then provision in order to use those services. However, if no attribute information is included, the client assumes that the services it requested are the ones accepted. The structure of the Access-Accept packet is shown in Figure 2-5.
Figure 2-5 (labels): Code (2); Identifier (unique per transmission); Length (header and payload).
2.3.3. Access-Reject:
The RADIUS server is required to send an Access-Reject packet back to the client if it must deny any of the services requested in the Access-Request packet. The rejection may be based on system policy, insufficient privileges, or any other criteria; much of this is a function of the individual implementation. Access-Reject packets may be sent at any time during a session, making them ideal for enforcing connection time limits. However, not all equipment supports receiving Access-Reject packets during an established connection. The payload for this packet type is limited to two specific attributes: the Reply-Message attribute and the Proxy-State attribute. While these attributes may appear more than once in the packet payload, except for any vendor-specific attributes no other attributes are permitted by the RFC specification to be included in the packet. The structure of the Access-Reject packet is shown in Figure 2-6.
Figure 2-6 (labels): Code (3); Identifier (unique per transmission); Length (header and payload); Authenticator = MD5(Code + ID + Length + request Authenticator + attributes + secret key); Attributes: optional, limited to reply-message.
2.3.4. Access-Challenge:
If a server receives conflicting information from the user, requires more information, or simply wishes to reduce the risk of fraudulent authentication, it may issue an Access-Challenge packet to the client. The client, upon receiving the Access-Challenge packet, must then issue a new Access-Request including the appropriate information. Note that some clients do not support this kind of challenge/response process, in which case the client treats the Access-Challenge packet as an Access-Reject. Some clients, however, do support challenges, and in that case the message can be handed to the user at the client to request additional authentication information; it is not necessary in that situation to issue another round of request/reply packets. As with Access-Reject packets, only two standard attributes may be included in an Access-Challenge packet: the State attribute and the Reply-Message attribute. Any required vendor-specific attributes may be included as well. The Reply-Message attribute may be included in the packet multiple times, but the State attribute is limited to a single instance. The State attribute is copied unchanged into the Access-Request returned to the challenging server. The structure of the Access-Challenge packet is shown in Figure 2-7.
Figure 2-7 (labels): Code (11); Identifier (unique per transmission); Length (header and payload).
2.3.5. Accounting-Request:
Accounting-Request packets are sent from a client (typically a Network Access Server (NAS) or its proxy) to a RADIUS accounting server, and convey usage information used to provide accounting for a service supplied to a user. The client transmits a RADIUS packet with the Code field set to 4 (Accounting-Request). Upon receipt of an Accounting-Request, the server must reply with an Accounting-Response packet if it successfully records the accounting packet, and must not reply at all if it fails to record it. Any attribute valid in a RADIUS Access-Request or Access-Accept packet is valid in a RADIUS Accounting-Request packet, except that the following attributes must not be present in an Accounting-Request: user password, CHAP password, reply message, state. Either the NAS IP address or the NAS identifier must be present in a RADIUS Accounting-Request packet. It should contain a NAS port or NAS port type attribute, or both, unless the service does not involve a port or the NAS does not distinguish among its ports. If the Accounting-Request packet includes a framed IP address, that attribute must contain the IP address of the user. If the Access-Accept used special values for the framed IP address telling the NAS to assign or negotiate an IP address for the user, the framed IP address (if any) in the Accounting-Request must contain the actual IP address assigned or negotiated.
Figure 2-8 (labels): Code (4); Identifier (unique); Length (header and payload).
… of the Attributes field changes, and whenever a valid reply has been received for a previous request. For retransmissions where the contents are identical, the Identifier must remain unchanged. Note that if Acct-Delay-Time is included in the attributes of an Accounting-Request, then the Acct-Delay-Time value will be updated when the packet is retransmitted, changing the content of the Attributes field and requiring a new Identifier and Request Authenticator.
… a 16-octet MD5 hash value calculated according to the method described in "Request Authenticator" above.
Attributes: the Attributes field is variable in length, and contains a list of attributes.
2.3.6. Accounting-Response:
The Accounting-Response packet is sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request has been received and recorded successfully. If the Accounting-Request was recorded successfully, then the RADIUS accounting server must transmit a packet with the Code field set to 5 (Accounting-Response). When the Accounting-Response packet is received by the client, the Identifier field is matched with a pending Accounting-Request. The Response Authenticator field must contain the correct response for the pending Accounting-Request. Invalid packets are silently discarded. A RADIUS Accounting-Response packet is not required to have any attributes in it.
Figure 2-9 (labels): Code (5); Identifier (unique); Length (header and payload); Attributes: with or without a list of attributes (variable).
Code: 5 for Accounting-Response.
Identifier: the Identifier field is a copy of the Identifier field of the Accounting-Request that caused this Accounting-Response.
Response Authenticator: the Response Authenticator of an Accounting-Response packet contains a 16-octet MD5 hash value calculated according to the method described in "Response Authenticator" above.
Attributes: the Attributes field is variable in length, and contains a list
2.4. Shared secret:
To strengthen security and increase transaction integrity, the RADIUS protocol uses the concept of a shared secret. Shared secrets are randomly generated values known to both the client and the server (hence "shared"). Shared secrets are used in all operations that require hiding data and obscuring values. The only technical restriction is that a shared secret must be longer than 0, but the RFC recommends that secrets be at least 16 octets. A secret of that length is practically impossible to break by brute force. A shared secret (often just called "the secret") is unique to a particular pair of RADIUS client and server. For example, if a user subscribes to several dial-up Internet service providers, that user indirectly generates requests to multiple RADIUS servers. The shared secrets between the client NAS devices at ISPs A, B and C, used to communicate with their respective RADIUS servers, do not match. While some larger RADIUS deployments may believe that protecting transaction security through automatic rotation of the shared secret is a prudent step, there is a fairly large potential difficulty: there is no guarantee that the clients and servers can synchronize on the new shared secret at the most appropriate time. And even if it were certain that simultaneous synchronization could occur, if requests are outstanding to RADIUS servers and clients that are busy processing (and therefore miss the moment to synchronize on the new secret), then those outstanding requests will be rejected by the server.
Attribute number: this number indicates the type of attribute presented in the packet. The attribute's name is not passed in the packet, only the number. In general, attribute numbers can range from 1 to 255, with one specific number serving as a "gateway" of sorts for vendors to supply their own vendor-specific attributes.
… must be 3 or more. This field works in the same way as the Length field of the RADIUS packet header.
… required for every attribute presented, even if the value itself is zero. This length varies according to the inherent nature of the attribute. The AVP structure shown in Figure 2-6 consists of a contiguous set of bytes containing at least three octets, with the first octet being the type, the second the length, and the final octet(s) the value of the attribute itself. The RADIUS server knows an attribute fully by its number; its official name does not need to be transmitted in the packet. The code number (attribute number) is enough to infer what kind of information is carried in that particular value.
Attribute types: there are 6 types as set out in the RFC:
Integer (INT): values containing an integer. An attribute such as Idle Timeout could be set to the integer value 15.
Enumerated (ENUM): data of the enumerated type consists of an integer, but the value is based on a user-configured set of many values and meanings. Enumerated values may be encountered under the name "semantic integer values", whereas non-semantic integer values are simply the integer type.
IP address (IPADDR): this data type is a 32-bit number designed to carry an exact IP address. While RADIUS by default will consider an IP address by value, some implementations can be configured to treat it with a preset value, such as a particular subnet mask. In addition, a recent extension to the RADIUS protocol allows IPv6 addresses to be used in this type.
String (STRING): strings are usually defined as printable UTF-8 strings that can be read by value. The data is transmitted as a sequence of characters which may or may not be terminated, whichever is appropriate.
Date (DATE): a 32-bit unsigned number representing the seconds elapsed since January 1, 1970.
Binary (BINARY): usually specific to certain implementations, binary values ("0" or "1") are read by value.
Vendor-specific attributes: as with most of the RADIUS protocol, there is a lot of flexibility regarding the vendor-specific attribute types that occur across different implementations. Most of these attributes are created to directly support special features, non-standard or value-added characteristics that particular RADIUS client devices are able to offer. Of course, perhaps because it is in fact a standard, some vendors, notably U.S. Robotics/3Com, do not follow the RFC specification. The RADIUS protocol defines a specific AVP as a "gateway" AVP in which vendor-specific attributes, or VSAs, can be encapsulated. VSAs are carried in the value payload of standard AVP 26, called Vendor-Specific. Figure 2-11 shows the standard AVP and how information is carried in the VSA.
[Figure 2-11: Transmission of a VSA inside a standard AVP. Outer AVP: number 26, length X, value; inside the value: vendor ID, vendor number 47, length X, value; RADIUS packet payload.]
Vendor ID: this part of the VSA consists of four octets that identify the developer / designer / owner of the VSA. The standard codes are defined in RFC 1700, "Assigned Numbers". More specifically, individual vendors are encoded with unique numbers called Network Management Private Enterprise Codes, or NMPECs. The ordering of the contents of the Vendor-ID field follows a strict standard: the high-order byte of the 4-octet value is set to 0, and the remaining three bytes hold the NMPEC.
Vendor type: the vendor-type field, one octet long, functions in the same way as the attribute number in a standard AVP. Vendor types are values in the range 1 to 255, and the significance and meaning of each value is known inside the RADIUS servers.
Length: this field is a one-octet number giving the length of the entire VSA, with the minimum length of the whole VSA being 7. Again, this field operates like the length field in a standard, RFC-defined AVP.
Value: the value field is required to be at least one octet long and contains data specific to the VSA itself. Most of these values are read, understood and parsed by RADIUS clients and servers that are both aware of the special features and non-standard capabilities that their particular implementation supports.
2.5.2. Values:
All attributes must have a value, even if that value is a null value. The value represents the information each individual attribute is designed to convey; it carries the "core" of the information. Values must conform to the rules of the attribute type. Table 2-8 shows examples of each attribute type and the value-field payload expected for each type.

Table 2-8: Attribute types and their value fields
Attribute type        | Length (octets) | Size / Range
Integer (INT)         | 4               | 32-bit unsigned
Enumerated (ENUM)     | 4               | 32-bit unsigned
String (STRING)       | 1-253           | arbitrary
IP address (IPADDR)   | 4               | 32-bit
Date (DATE)           | 4               | 32-bit unsigned
Binary (BINARY)       |                 | 1 bit
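The AVP chain, the Vendor-Specific (26) gateway attribute and the data types above, worked through as an added example (not code from the thesis): a small RADIUS packet parser that checks the header Length, walks the Type/Length/Value list, decodes each value by its dictionary type, and unpacks the Vendor-Id / vendor type / vendor length / value layout of a VSA. The dictionary, the vendor table (NMPEC 9 = Cisco) and the sample Access-Request are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# Constructed dictionary for this example (numbers and types follow RFC 2865/2869).
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    6: ("Service-Type", "enum"),
    26: ("Vendor-Specific", "vsa"),
    28: ("Idle-Timeout", "integer"),
    55: ("Event-Timestamp", "date"),
}
SERVICE_TYPE = {1: "Login-User", 2: "Framed-User"}   # enum: integer with configured meanings
VENDORS = {9: "Cisco"}                                 # NMPEC 9 is Cisco Systems (only vendor known here)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}


def decode_value(dtype, raw):
    """Decode an AVP value according to the data types described in the text."""
    if dtype in ("integer", "enum", "date"):          # all three are 32-bit unsigned
        if len(raw) != 4:
            raise ValueError("%s value must be 4 octets, got %d" % (dtype, len(raw)))
        return struct.unpack("!I", raw)[0]
    if dtype == "ipaddr":
        if len(raw) != 4:
            raise ValueError("IPADDR value must be 4 octets")
        return str(IPv4Address(raw))
    if dtype == "string":
        if not 1 <= len(raw) <= 253:
            raise ValueError("STRING value must be 1-253 octets")
        return raw.decode("utf-8", errors="replace")
    raise ValueError("unknown data type %r" % dtype)


def parse_vsa(raw):
    """Value of AVP 26: 4-octet Vendor-Id (high octet 0) followed by vendor TLVs."""
    if len(raw) < 5:                                   # whole VSA is at least 7 octets
        raise ValueError("Vendor-Specific shorter than the 7-octet minimum")
    if raw[0] != 0:
        raise ValueError("high octet of Vendor-Id must be zero")
    vendor_id = struct.unpack("!I", raw[:4])[0]
    subs, pos = [], 4
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = raw[pos], raw[pos + 1]
        if vlen < 3 or pos + vlen > len(raw):          # type + length + at least one value octet
            raise ValueError("bad vendor length %d" % vlen)
        subs.append((vtype, raw[pos + 2:pos + vlen].decode("utf-8", errors="replace")))
        pos += vlen
    return {"vendor": VENDORS.get(vendor_id, vendor_id), "vendor_id": vendor_id,
            "attributes": subs}


def parse_avps(blob):
    """Walk the Type/Length/Value chain; returns a list of (name, decoded value)."""
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated AVP header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad AVP length %d at offset %d" % (alen, pos))
        raw = blob[pos + 2:pos + alen]
        pos += alen
        if atype not in DICTIONARY:                    # unknown number: keep octets, do not guess
            out.append(("Attr-%d" % atype, raw.hex()))
            continue
        name, dtype = DICTIONARY[atype]
        if dtype == "vsa":
            out.append((name, parse_vsa(raw)))
        else:
            value = decode_value(dtype, raw)
            out.append((name, SERVICE_TYPE.get(value, value) if dtype == "enum" else value))
    return out


def parse_packet(packet):
    """Parse the 20-octet header, then only the attributes covered by the Length field."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096 or length > len(packet):
        raise ValueError("invalid Length %d" % length)  # RFC 2865: such packets are discarded
    return {"code": CODES.get(code, code), "identifier": ident, "length": length,
            "authenticator": packet[4:20].hex(),
            "attributes": parse_avps(packet[20:length])}  # octets past Length are padding


def is_well_formed(packet):
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False


def avp(atype, value):
    """Encode one AVP; integers are packed as 32-bit unsigned, bytes are used as-is."""
    body = value if isinstance(value, bytes) else struct.pack("!I", value)
    return bytes([atype, 2 + len(body)]) + body


def sample_access_request():
    """Constructed Access-Request (not a capture); Request Authenticator left as zeros."""
    vsa_body = struct.pack("!I", 9) + avp(1, b"shell:priv-lvl=15")  # Cisco-AVPair, vendor type 1
    attrs = (avp(1, b"alice") + avp(4, IPv4Address("10.0.0.5").packed) + avp(5, 3)
             + avp(6, 2) + avp(28, 15) + avp(26, vsa_body))
    header = struct.pack("!BBH", 1, 0x7A, 20 + len(attrs)) + bytes(16)
    return header + attrs + b"\x00\x00"                 # two trailing padding octets
```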
access. When a password is present, it is hidden using an MD5-based method. The Access-Request is sent to the RADIUS server over the network. If no response is returned within a period of time, the request is re-sent a number of times. The client can also forward the request to an alternate server or servers in case the primary server is down or unreachable. An alternate server can be used either after a number of attempts to reach the primary server fail, or in a round-robin fashion. Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret must be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements that must be met to allow the user access. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access. The RADIUS server may make requests of other servers in order to satisfy the request, in which case it acts as a client. If any Proxy-State attributes were present in the Access-Request, they must be copied unmodified into the response packet. Other attributes can be placed before, after, or even between the Proxy-State attributes. If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid. If desired, the server may include a text message in the Access-Reject which may be displayed by the client to the user. No other attributes (except Proxy-State) are permitted in an Access-Reject. If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It may include a text message to be displayed by the client
to the user, prompting for a response to the challenge, and may include a State attribute. If the client receives an Access-Challenge and supports challenge/response, it may display the text message, if any, to the user and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password attribute replaced by the (encrypted) response, and including the State attribute from the Access-Challenge, if any. Only 0 or 1 instances of the State attribute are present in a request. The server can respond to this new Access-Request with an Access-Accept, an Access-Reject, or another Access-Challenge. If all conditions are met, the list of configuration values for the user is placed into an "Access-Accept" response. These values include the type of service (for example SLIP, PPP, Login User) and all the values needed to deliver the desired service. For SLIP and PPP, this may include values such as IP address, subnet mask, MTU, desired compression, and desired packet filter identifiers. For character-mode users, this may include values such as the desired protocol and host. In challenge/response authentication, the user is given an unpredictable number and challenged to encrypt it and return the result. Authorized users are equipped with special devices such as smart cards, or with software, that make it easy to calculate the correct response. Unauthorized users, lacking the appropriate device or software and not knowing the secret key needed to emulate such a device or software, can only guess the response. The Access-Challenge packet typically contains a Reply-Message with a challenge to be displayed to the user, such as a numeric value that is never repeated. The user then enters the challenge into his device (or software), which calculates a response; the user types the response into the client, and the client forwards it to the RADIUS server in a second Access-Request. If the response matches the expected response, the RADIUS server replies with an Access-Accept; otherwise an Access-Reject is returned to the client.
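The exchange just described, as an added example that is not part of the thesis: the NAS side hides the User-Password with the MD5-based method of RFC 2865 and sends an Access-Request; the server side silently discards requests from clients it has no shared secret for, reveals the password, answers with Access-Accept or Access-Reject (the reject carrying only a text message), and signs the reply with the Response Authenticator, which the NAS verifies before trusting the code. The client table, user table, secret and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def avp(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def parse_attrs(blob):
    """Minimal Type/Length/Value walk returning {type: value octets}."""
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            break
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator. The hiding is only as strong as the secret and the
    unpredictability of the Request Authenticator."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server applies it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side: Access-Request with User-Name and a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)      # must be unpredictable in real use
    attrs = avp(USER_NAME, username.encode()) + avp(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(src_ip, packet, clients, users):
    """Server side. clients: NAS address -> shared secret; users: name -> password.
    Returns the reply packet, or None where the text says the request is silently discarded."""
    secret = clients.get(src_ip)
    if secret is None:                                 # no shared secret for this client
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode("utf-8", errors="replace")
    expected = users.get(username)
    if USER_PASSWORD in attrs and expected is not None and hmac.compare_digest(
            reveal_password(attrs[USER_PASSWORD], secret, request_auth), expected.encode()):
        code, reply = ACCESS_ACCEPT, b""
    else:
        code, reply = ACCESS_REJECT, avp(REPLY_MESSAGE, b"Login incorrect")  # text only
    auth = response_authenticator(code, ident, request_auth, reply, secret)
    return struct.pack("!BBH", code, ident, 20 + len(reply)) + auth + reply


def nas_verify_response(request, response, secret):
    """Return the reply Code only if the Response Authenticator proves the reply was built
    by a server holding the shared secret, for this exact request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code
```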
[Figure: RADIUS authentication exchange between the user, the Cisco ASA and the RADIUS (ACS) server, steps 1 to 6.]
RADIUS, the RADIUS server sends an Access-Accept packet back to the Cisco ASA; if the parameters the user entered are incorrect, the RADIUS server sends an Access-Reject packet back to the Cisco ASA.
6) The Cisco ASA replies to the client, stating whether access to a particular service is permitted or not.
Accounting-Request until it receives an acknowledgement, using some form of retransmission. If no response is returned within a period of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in case the primary server is down or unreachable. An alternate server can be used either after a number of attempts to reach the primary server fail, or in a round-robin fashion. The RADIUS accounting server may make requests of other servers in order to satisfy the request, in which case it acts as a client. If the RADIUS accounting server is unable to successfully record the accounting packet, it must not send an Accounting-Response acknowledgement to the client.
RFC      | Title                                                       | Date
RFC 2548 | Microsoft Vendor-specific RADIUS Attributes                 | 3/1999
RFC 2865 | Remote Authentication Dial In User Service (RADIUS)         | 6/2000
RFC 2866 | RADIUS Accounting                                           | 6/2000
RFC 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support | 6/2000
RFC 2868 | RADIUS Attributes for Tunnel Protocol Support               | 6/2000
RFC 2869 | RADIUS Extensions                                           | 6/2000
RFC 3162 | RADIUS and IPv6                                             | 8/2001
RFC 3579 | RADIUS Support for EAP                                      | 9/2003
RFC 5080 | Common RADIUS Implementation Issues and Suggested Fixes     | 12/2007
RFC 5997 | Use of Status-Server Packets in the RADIUS Protocol         | 8/2010
8-bit.
Integers and dates are now defined as 32-bit unsigned values. Updated the list of attributes that can be included in an Access-Challenge
and remote login.
Added values for Service-Type, Login-Service, Framed-Protocol, Framed-Compression, and NAS-Port-Type.
NAS-Port can now use all 32 bits. Examples now include hexadecimal displays of the packets. The UDP source port must be used in conjunction with the request identifier when
identifying duplicates.
Multiple sub-attributes may be allowed in the Vendor-Specific attribute. An Access-Request is now required to contain a NAS-IP-Address or NAS-Identifier
to maintain the connection.
If multiple attributes of the same type are present at the same time, the order of the attributes
using UTF-8.
Replaced US-ASCII with UTF-8. Added a note on proxies. Framed-IP-Address should contain the actual IP address of the user. If Acct-Session-ID was sent in an Access-Request, it must be used. New values were added to Acct-Status-Type. Added an IANA Considerations section. Updated the references. Text strings are identified as a subset of string, clarifying the use of UTF-8.
collecting usage data in dial-up networks is RADIUS Accounting. Using RADIUS Accounting allows dial-up usage data to be collected at a central location rather than being stored at each NAS. To collect usage data about tunnels, new RADIUS attributes are needed; this document defines those attributes. In addition, several new values for the Acct-Status-Type attribute are proposed. Specific recommendations and examples of applying these attributes to the L2TP protocol are described in RFC 2809. The new Acct-Status-Type values:
- Tunnel-Start: value 9, marks the creation of a new tunnel with another node.
- Tunnel-Stop: value 10, marks the destruction of a tunnel to or from
- Tunnel-Reject: value 11, marks the rejection of the establishment of a tunnel
- Tunnel-Link-Start: value 12, marks the creation of a link
- Tunnel-Link-Stop: value 13, marks the destruction of a tunnel link
- Tunnel-Link-Reject: value 14, marks the rejection of the creation of a link
The new attributes:
- Acct-Tunnel-Connection: this attribute may be used to provide a
- Acct-Tunnel-Packets-Lost: this attribute indicates the number of packets lost on a
New RADIUS attributes are needed to carry tunneling information from the RADIUS server to the tunnel endpoint. The new attributes are:
- Tunnel-Type: this attribute indicates the tunneling protocol(s) to be used, or in use.
- Tunnel-Medium-Type: this attribute indicates the transport medium to use when creating a tunnel for protocols (such as L2TP) that can operate over multiple transports.
- Tunnel-Client-Endpoint: this attribute contains the address of the initiator end of the tunnel.
- Tunnel-Server-Endpoint: this attribute contains the address of the server end of the tunnel.
- Tunnel-Password: this attribute contains a password used to authenticate to the server.
- Tunnel-Private-Group-ID: this attribute indicates the group ID for a particular tunneled session.
- Tunnel-Assignment-ID: this attribute is used to indicate to the tunnel initiator which tunnel a session may be assigned to.
- Tunnel-Preference: when the RADIUS server returns more than one set of tunnel attributes to the tunnel initiator, this attribute is included in each set to indicate the preference for establishing each tunnel.
- Tunnel-Client-Auth-ID: this attribute specifies the name of the tunnel initiator used during the authentication phase of tunnel establishment.
- Tunnel-Server-Auth-ID: this attribute specifies the name of the tunnel terminator used during the authentication phase of tunnel establishment.
attributes that have not been through the extension process described earlier and are therefore considered experimental. The Extensible Authentication Protocol (EAP) is a PPP extension that provides support for additional authentication methods within PPP. This RFC describes how the EAP-Message and Message-Authenticator attributes are used to provide EAP support within RADIUS. All attributes are variable-length Type-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.
III. ASA
1. History.
Hardware devices take on the role of protecting the internal network infrastructure; in the past, the PIX Firewall brand from Cisco Systems held one of the leading positions in this field. However, following the development of technology and the trend toward integrating multiple functions on current hardware architectures (called appliances), Cisco Systems quickly released the multi-function security product line Cisco ASA (Adaptive Security Appliance). Besides inheriting the strengths of the technologies used in the Cisco PIX Firewall, Cisco IPS 4200 and Cisco VPN 3000 Concentrator, this product line integrates the three main groups of functions of a protective infrastructure at once: Firewall, IPS and VPN. By integrating these features, Cisco ASA delivers an effective solution for securing network connections, one that can proactively respond on a broad front to the forms of network attack and threats that organizations and businesses commonly face. The notable characteristics of the ASA are:
+ The full feature set of Firewall, IPS, anti-X and IPsec/SSL VPN technology.
+ An extensible, adaptive identification and Mitigation Services architecture.
+ Reduced operating and development costs.
source and destination.
Checks layer 4 protocol information: source and destination TCP/UDP ports.
Once an ACL has been configured, it can be applied to an interface to filter traffic. The security appliance can filter packets in the inbound direction (into the interface) and the outbound direction (out of the interface). When an ACL is applied to an interface, the security appliance checks packets against the ACEs after receiving them or before transmitting them. If a packet is permitted, the security appliance continues processing it by passing it through the other configured features. If a packet is denied by the ACL, the security appliance drops the packet and generates a syslog message indicating that such an event occurred. In Figure 3-1, the security appliance administrator has applied an inbound ACL to the outside interface that permits only HTTP traffic to 20.0.0.1. All other traffic is dropped at the security appliance's interface.
[Figure 3-1: Packet filtering by the firewall. Outside interface 209.165.201.1 toward the Internet (209.165.200.224/27); inside network 20.0.0.0/8; Host A.]
If an outbound ACL is applied to an interface, the security appliance processes the packets by sending them through the other processes (NAT, QoS and VPN) and then applies the configured ACEs before transmitting them. The security appliance transmits packets only if they are permitted to go out. If a packet is denied by one of the ACEs, the security appliance drops the packet and generates a syslog message indicating that such an event occurred. In Figure 3-1, the security appliance administrator has applied an outbound ACL to the inside interface that permits only HTTP traffic to 20.0.0.1. All other traffic is dropped at the security appliance's interface.
Types of Access Control List: there are five different types of ACL, which provide flexibility and extensibility in filtering unauthorized packets:
+ Standard ACL
+ Extended ACL
+ IPv6 ACL
+ EtherType ACL
+ WebVPN ACL
Standard ACL: a standard ACL is used to identify packets based on their destination IP address. These ACLs can be used to split traffic flows in remote-access VPNs and to redistribute those flows in routing. A standard ACL can be used to filter packets only when the security appliance operates in routed mode, preventing access from one subnet to another.
Extended ACL: the extended type is the most common; it can classify packets based on the following characteristics:
- Source and destination address.
- Layer 3 protocol.
- Source or destination TCP and UDP port.
- ICMP destination for ICMP packets.
An extended ACL can be used for packet filtering, QoS packet classification, identifying packets for NAT, and VPN encryption.
IPv6 ACL: an IPv6 ACL functions similarly to an extended ACL, but it only recognizes IPv6 traffic passing through a security appliance in routed mode.
EtherType ACL: an EtherType ACL can be used to filter IP or other packets by inspecting the code in the EtherType field of the layer 2 Ethernet header. An EtherType ACL
can only be configured when the security appliance is running in transparent mode. Note that with this type the security appliance does not allow IPv6 traffic to pass, even when it is permitted by the IPv6 EtherType ACL.
WebVPN ACL: a WebVPN ACL allows the system administrator to restrict traffic coming from WebVPN flows. If a WebVPN ACL is defined but no entry matches a packet, the packet is dropped by default. On the other hand, if no ACL is defined, the security appliance allows the traffic through. An ACL identifies traffic by permitting or dropping packets as they attempt to pass through the security appliance. A simple ACE permits all IP addresses from one network to reach another; a more complex one permits traffic from a specific IP address on a specific port to a different port at the destination address. An ACE is built using the access control commands set for the security appliance.
applets when packets attempt to pass through from untrusted hosts. Cisco ASA can distinguish between trusted and untrusted applets. If a trusted website sends a Java or ActiveX applet, the security appliance can forward it to the host that requested the connection. If the applet is sent from an untrusted web server, the security appliance can modify the content and strip the attachment from the packet. In this way the end user is not the one deciding whether an applet is accepted or rejected; they can download any applet without having to worry.
The flexibility and ease of managing NAT help home users and small businesses connect to the Internet easily and efficiently, while also saving on investment.
use, where the user database can be located on the ASA or stored on a RADIUS or TACACS+ server.
Accounting: the process of collecting and sending user information to an AAA server, which records it in order to track logins (when users log in and out) and the services users access. This information can be used for billing, auditing and reporting purposes. Cisco ASA can be configured to maintain an internal user database or to use an external server for authentication.
[Figure 3-2: Basic NAS/RADIUS/TACACS+/AAA architecture.]
The AAA authentication protocols and servers that hold the database externally are:
- Remote Authentication Dial-In User Service (RADIUS).
- Terminal Access Controller Access-Control System (TACACS+).
- RSA SecurID (SDI).
- Windows NT.
- Kerberos.
RADIUS is a widely used authentication protocol defined in RFC 2865, "Remote Authentication Dial-In User Service (RADIUS)". RADIUS operates in a client/server model. A RADIUS client is usually called a network access server (NAS); a NAS is responsible for passing user information to the RADIUS server. Cisco ASA acts as a NAS and authenticates users based on the RADIUS server's response. Cisco ASA supports the following RADIUS servers:
- CiscoSecure ACS.
- Cisco Access Registrar.
- Livingston.
- Merit.
- Funk Steel Belted.
- Microsoft Internet Authentication Server.
For authentication, a secret key is exchanged between the AAA/RADIUS server and the AAA client. The shared secret is never sent over the link, which ensures integrity. When RADIUS authenticates a user, many authentication methods can be used; RADIUS supports authentication over Point-to-Point Protocol Challenge Handshake Authentication Protocol (PPP CHAP) and PPP Password Authentication Protocol (PAP). RADIUS is an extensible protocol that lets vendors add new attribute values without creating a problem for existing attribute values. A major difference between TACACS and RADIUS is that RADIUS does not separate authentication from authorization. RADIUS also provides better accounting. RADIUS runs over UDP. RADIUS uses ports 1645 and 1812 for authentication and 1646 and 1813 for accounting. Ports 1812 and 1813 were introduced in newer RADIUS implementations; the use of port 1645 in early RADIUS deployments conflicted with the "datametrics" service, so the official port is 1812. The RADIUS protocol is considered a connectionless service: issues related to server availability, retransmission and timeouts are handled on the device rather than by the transport protocol.
This differs from TACACS+, which relies on the connection-oriented TCP protocol.
RADIUS operation. The following is how RADIUS handles a login:
Step 1. A user's login information generates a query (Access-Request) from the AAA client to the RADIUS server.
Step 2. An accept or reject response (Access-Accept or Access-Reject) is returned from the server.
The Access-Request packet contains the user name, the encrypted password, the IP address of the AAA client, and the port. RADIUS packet format:
[Figure 3-3: RADIUS packet format: Code | Identifier | Length | Request Authenticator | Attributes.]
Each RADIUS packet contains the following:
+ Code: 1 octet, defines the packet type.
+ Identifier: 1 octet, matches requests with replies and detects duplicate requests at the RADIUS server.
+ Length: 2 octets, gives the length of the entire packet.
+ Request Authenticator: 16 octets, most significant octet transmitted first; it authenticates the reply from the RADIUS server. There are two kinds of authenticator:
- Request-Authenticator, present in Access-Request and Accounting-Request packets.
- Response-Authenticator, present in Access-Accept, Access-Reject, Access-Challenge and Accounting-Response packets.
+ Attributes: additional attributes in RADIUS, with support for vendor-specific ones.
The RADIUS server receives the user's authentication request and then returns the configuration information the client needs to deliver specific services to the
user. The RADIUS server does this by sending Internet Engineering Task Force (IETF) or vendor-specific attributes. (The RADIUS authentication attributes are defined in RFC 2865.) Cisco ASA acts as a NAS and the RADIUS server is a Cisco Secure Access Control Server (ACS). The user attempts to connect to the Cisco ASA (for administration, VPN, or the cut-through proxy feature). The Cisco ASA prompts the user for a user name and password. The user sends their credentials to the Cisco ASA. The Cisco ASA sends an authentication request (Access-Request) to the RADIUS server. The RADIUS server sends an Access-Accept message if the user authenticates successfully, or an Access-Reject if authentication fails. The Cisco ASA responds to the user and permits access to the specific service.
Note: the RADIUS server may also send vendor-specific attributes to the Cisco ASA, depending on the implementation and the services in use. These attributes can carry information such as the IP address to assign to the client and authorization information. A RADIUS server combines the authentication and authorization phases into a single request-and-response cycle.
[Figure 3-4: TACACS+ packet header format (bit positions 1-8 per octet): Major_version, Minor_version, Seq_no, Flags.]
Major_version: the major version number of TACACS+. The value appears in the header as TAC_PLUS_MAJOR_VER = 0xc.
Minor_version: provides the revision number of the TACACS+ protocol and also gives the protocol backward compatibility. A default value, as well as version one, are defined for some commands; these values appear in the TACACS+ header as TAC_PLUS_MINOR_VER_DEFAULT = 0x0 and TAC_PLUS_MINOR_VER_ONE = 0x1. If an AAA server running TACACS+ receives a TACACS+ packet specifying a minor version other than the current one, it sends an error status in reply and requests a minor_version of the latest version it supports.
Type: distinguishes the packet types. Only a few types are legal. The legal packet types are:
- TAC_PLUS_AUTHEN = 0x01: the authentication packet type.
- TAC_PLUS_AUTHOR = 0x02: the authorization packet type.
- TAC_PLUS_ACCT = 0x03: the accounting packet type.
Seq_no: the sequence number for the session. TACACS+ can start one or more TACACS+ sessions for each AAA client.
Flags: there are two flags:
+ TAC_PLUS_UNENCRYPTED_FLAG: indicates whether the TACACS+ packet is encrypted. A value of 1 means unencrypted; a value of 0 means the packet is encrypted.
+ TAC_PLUS_SINGLE_CONNECT_FLAG: indicates whether multiple TACACS+ sessions are multiplexed over a single TCP connection.
Session_id: a random value that designates the current session between the AAA client and the AAA server running TACACS+. This value stays the same for the duration of the session.
Length: the total length of the TACACS+ packet, not including the 12-byte header.
The TACACS+ authentication concept is similar to RADIUS. The NAS sends an authentication request to the TACACS+ server. The server eventually sends one of the following messages back to the NAS:
ACCEPT: the user is authenticated successfully and the requested service is permitted. If authorization is required, the authorization process begins.
REJECT: the user's authentication is denied. The user may be prompted to retry authentication, depending on the TACACS+ server and the NAS.
ERROR: an error occurred during authentication. The cause may be a connection problem or a violation of the security mechanism.
CONTINUE: the user is prompted to provide more authentication information.
After authentication completes, if authorization is required, the TACACS+ server proceeds to the next phase provided authentication succeeded.
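The 12-byte header walked through above, as an added example (not code from the thesis): a parser that splits the version octet into major and minor version, rejects illegal types, reads the two flags, and a server-side receive step that, as the text describes, answers an unsupported minor_version with an error naming the latest supported version. For depth it also applies the MD5 body obfuscation of RFC 8907 section 4.5 when TAC_PLUS_UNENCRYPTED_FLAG is clear; the key, session id and the authentication START body are constructed for the example.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT, TAC_PLUS_MINOR_VER_ONE = 0x0, 0x1
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG, TAC_PLUS_SINGLE_CONNECT_FLAG = 0x01, 0x04
TYPE_NAMES = {TAC_PLUS_AUTHEN: "AUTHEN", TAC_PLUS_AUTHOR: "AUTHOR", TAC_PLUS_ACCT: "ACCT"}
SUPPORTED_MINOR = {TAC_PLUS_MINOR_VER_DEFAULT, TAC_PLUS_MINOR_VER_ONE}
# version octet (major:4 | minor:4), type, seq_no, flags, session_id, length = 12 bytes
HEADER = struct.Struct("!BBBBII")


def parse_header(data):
    """Decode the fixed header; raises ValueError on anything that is not TACACS+."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(data[:HEADER.size])
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER:
        raise ValueError("major version 0x%x is not TACACS+" % major)
    if ptype not in TYPE_NAMES:
        raise ValueError("illegal packet type 0x%02x" % ptype)
    return {"major": major, "minor": minor, "type": TYPE_NAMES[ptype], "seq_no": seq_no,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "session_id": session_id, "length": length}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, minor=TAC_PLUS_MINOR_VER_DEFAULT):
    """Client side. An empty key sets TAC_PLUS_UNENCRYPTED_FLAG and ships the body in clear."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    payload = body if not key else obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def server_receive(data, key):
    """Server side, as the text describes: an unsupported minor_version gets an error reply
    naming the latest supported version; otherwise returns (type name, plaintext body)."""
    hdr = parse_header(data)
    if hdr["minor"] not in SUPPORTED_MINOR:
        return "ERROR", max(SUPPORTED_MINOR)
    if len(data) != HEADER.size + hdr["length"]:
        raise ValueError("length field does not match the data received")
    body = data[HEADER.size:]
    if not hdr["unencrypted"]:
        version = (hdr["major"] << 4) | hdr["minor"]
        body = obfuscate(body, hdr["session_id"], key, version, hdr["seq_no"])
    return hdr["type"], body


def sample_authen_start(user=b"alice", port=b"tty0", rem_addr=b"10.0.0.7"):
    """Constructed authentication START body (RFC 8907 5.1 layout, not a capture):
    action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), then lengths and fields."""
    lengths = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    return lengths + user + port + rem_addr
```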
[Figure 3-5: SDI authentication mechanism, steps 1 to 8.]
1. The user connects to the Cisco ASA security appliance.
2. Cisco ASA starts the authentication mechanism.
3. The user supplies a Username and Password.
4. Cisco ASA forwards the authentication request to the SDI server.
5. If the new token code is accepted, the SDI server authenticates the user and requests a new PIN to be used when the next user authentication session starts.
6. Cisco ASA asks the user to supply a new PIN.
7. The user enters the new PIN.
8. Cisco ASA sends the new PIN to the SDI server.
4.4. Windows NT
Cisco ASA supports Windows NT authentication for remote-access VPN connections. It communicates with the Windows NT server using TCP port 139. As with SDI, a RADIUS/TACACS+ server can be used, and likewise CiscoSecure ACS can delegate authentication to Windows NT for the services supported by Cisco ASA.
4.5. Kerberos
Kerberos is a protocol built to raise the security of authentication in distributed network environments. Cisco ASA can authenticate VPN users through external Windows directories that use Kerberos for authentication. A Unix or Linux operating system can also run a Kerberos authentication server that supports authentication of VPN clients. Cisco ASA communicates with Active Directory, or with a Kerberos server, using UDP port 88.
Cisco ASA supports the LDAP protocol for authorizing remote-access VPN connections. The LDAP authentication protocol is specified in RFC 3377 and RFC 3771. LDAP provides authorization services when accessing a user database with directory tree information. Cisco ASA communicates with the LDAP server over TCP port 389. LDAP provides only authorization services, so a separate protocol is needed for the authentication service. LDAP is a simple standard directory access protocol, or a language that clients and servers use to communicate with each other. LDAP is a lightweight protocol, meaning it is efficient, simple and easy to implement, while using high-level functions. This contrasts with heavyweight protocols such as the X.500 Directory Access Protocol (DAP), which uses overly complex encoding methods. LDAP uses a simple set of methods and is an application-layer protocol.
How LDAP works
The LDAP client/server model: first, consider LDAP as a client/server communication protocol. A client/server protocol is a model in which a client program running on one computer sends a request over the network to another computer running a server program; that program receives the request, carries it out, and then returns the result to the client program. The basic idea of client/server is that work is assigned to the computers optimized to perform that work. A typical LDAP server machine, for example, has a lot of RAM for holding the directory contents so that operations execute quickly, and it also needs hard disk and fast processors.
LDAP is a message-oriented protocol. Because client and server communicate through messages, the client creates a message (an LDAP message) containing a request and sends it to the server. The server receives the message, processes the client's request, and then replies to the client, also with an LDAP message. For example, when an LDAP client wants to search the directory, it creates an LDAP search message and sends it to the server. The server searches its database and sends the result to the client in an LDAP message.
The connection process between an LDAP server and client:
The LDAP client and server proceed as follows: the client opens a TCP connection to the LDAP server and performs a bind operation. The bind operation includes the name of a directory entry and the credentials to be used in authentication; the credentials are normally a password but can also be a digital certificate used to authenticate the client. After the directory has established the identity given in the bind operation, the result of the bind is returned to the client.
[Figure 3-6: Connection process between Client and Server (6. End of session; 7. Unbind operation; 8. Close connection).]
Client/server connection model:
1. Open the connection and bind to the server.
2. The client receives the bind result.
3. The client issues search requests.
4. The server processes them and returns result 1 to the client.
5. The server returns result 2 to the client.
6. The server sends a message ending the search.
7. The client issues an unbind request, by which the server knows the client wants to close the connection.
8. The server closes the connection.
6. Fault tolerance and redundancy (failover and redundancy)
6.1. Failover architecture
When two ASAs are set up in failover mode, one Cisco ASA, called the active unit, is responsible for creating state and address translations, forwarding packets, and monitoring other activities; the other ASA, called the standby unit, is responsible for monitoring the state of the active unit. The active and standby units exchange failover information with each other over a dedicated link known as the failover link. When a failure occurs on the active unit, the standby unit takes over the role of the active unit until the active unit recovers. The failover link between the two ASAs exchanges the following information:
- Active or standby state
- Network link state
- Hello messages
- MAC address exchange
- Configuration synchronization
Failover link
The system's operation is checked by sending a test broadcast ping; if no reply is received after five seconds, the port is considered failed and the failover process is carried out.
Figure 3-8: Illustrates how a packet is processed inside the security appliance when it passes through the QoS tools. After leaving the QoS mechanism, the packet is forwarded to the interface for transmission. The security appliance performs QoS on each packet at different levels to ensure transmission of packets that are not on the priority list. Packet processing depends on the depth of the low-priority queue and the conditions of the transmit ring. The transmit ring is buffer space the security appliance uses to hold packets before passing them to the control levels. If congestion occurs, packets in the queue are moved down to the low-priority queue until the high-priority queue empties; if the high-priority queue has traffic, it is served first. Through traffic limiting, the security appliance implements a drop mechanism when packets do not conform to the configured QoS information. Cisco ASA records this event through a syslog server or locally on the device.
A network-based IDS uses probes and sensors installed across the network. These probes watch the network looking for traffic that matches defined profiles or signatures. The sensors capture and analyze traffic in real time. When a traffic pattern or signature is recognized, the sensor sends an alert to the management station and can be configured to find measures to block further intrusion. A NIDS is a set of sensors placed throughout the network to watch packets and compare them with defined patterns in order to detect whether an attack is under way. It is placed between the internal network and the external network to monitor all inbound and outbound traffic. It can be a dedicated hardware device or software installed on a computer. It is mainly used to measure the network traffic in use; however, a bottleneck can occur when network traffic is high.
- Independent of the OS.
NIDS reports that an intrusion has occurred. It cannot analyze encrypted traffic (e.g. SSL, SSH, IPsec). NIDS requires the latest signature updates to be truly secure.
- There is a delay between the time of the attack and the time the alert is raised; by the time the alert goes out, the system may already be damaged. It does not indicate whether the attack succeeded. One limitation is bandwidth: network probes must receive all network traffic, reassemble it and analyze it. As network speed increases, so must the capability of the probe. One solution is to ensure the network is designed to allow the placement of multiple probes; as the network grows, more probes are added to ensure the best communication and security. One way intruders try to hide their activity from a network-based IDS is to fragment their packets. Every protocol has a maximum packet size; data sent over the network that is larger than this size is fragmented. Fragmentation is simply the process of breaking data into small pieces. The order of reassembly does not matter as long as no overlap occurs. If overlapping fragments occur, the sensor must know how to reassemble them correctly. Many hackers try to avoid detection by sending many overlapping fragmented packets. A sensor will not detect intrusion activity if it cannot reassemble the packets correctly.
lower. Host-based systems also monitor the OS, system calls, audit logs and error messages on the host. While network probes can detect an attack, only host-based systems can determine whether the attack succeeded. Moreover, host-based systems can record what the attacker did on the compromised host. Not all attacks are carried out over the network. By gaining physical access to a computer system, an intruder can attack a system or its data without generating any network traffic at all. Host-based systems can detect attacks that do not pass through a public port or a monitored network, or that are carried out from the console, but a knowledgeable intruder who understands the IDS can quickly shut down all the detection software once they have physical access. Another advantage of a host-based IDS is that it can block attacks that use fragmentation or TTL tricks. Because a host must receive and reassemble fragments when processing traffic, a host-based IDS can monitor this. A HIDS is usually installed on a specific computer. Instead of monitoring the activity of a network segment, a HIDS monitors only the activity on one computer. A HIDS is usually placed on an organization's critical hosts and on the servers in the DMZ, which are usually the first targets of attack. The main task of a HIDS is to monitor changes on the system, including (not all):
- Processes.
- Registry entries.
- CPU usage.
- Integrity checks and access on the file system.
- A few other parameters.
When these parameters exceed a predefined threshold, or suspicious changes occur on the file system, an alert is raised.
8.2.1. Advantages of HIDS
- Can identify the user associated with an event.
- HIDS can detect attacks that take place on a single machine; NIDS cannot.
- Can analyze encrypted data.
- Provides information about the host while the attack on it is taking place.
8.2.2. Limitations of HIDS
- Information from the HIDS is no longer trustworthy as soon as the attack on the ASA succeeds.
- When the ASA firewall is breached by an attack, the HIDS is breached along with it.
- HIDS must be set up on every host that is to be monitored.
- HIDS cannot detect network scans (Nmap, Netcat).
- HIDS consumes resources on the host in order to operate.
- HIDS may be ineffective under a DoS attack.
IV. Simulation
1. Objectives of the simulation
The simulation demonstrates the features and clearly shows the operating principle of the AAA server as well as the steps to configure it. It implements remote access over VPN on the ASA, with authentication against the RADIUS protocol.
2. Simulation model
4. Simulation steps
1. Run the ACS 4.2 software. Select Network Configuration on the left and click Add Entry in the AAA Clients section.
Tick both items.
Configuring the ASA to let the VPN authenticate against the AAA (RADIUS) server.
Step 1: Define the IP range handed out to remote users connecting to the system
    ip local pool mypool 172.16.1.100-172.16.1.200 mask 255.255.255.0
    !
Step 2: Create the ACLs for the remote users: the internal network they may reach through the tunnel, and the NAT exemption for traffic between that network and the pool
    access-list vpnclientgroup standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
Step 3: Set up authentication of the user group against the internal server
    aaa-server vpnclientgroup protocol radius
    aaa-server vpnclientgroup host 192.168.1.2 key 123456
Step 4: Set up the policy for remote users
    group-policy vpnclientgroup internal
    group-policy vpnclientgroup attributes
     dns-server value 192.168.1.2
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpnclientgroup
     default-domain value da.com
Step 5: Create a tunnel group that ties together the user policy, the authentication method and the shared key
    tunnel-group vpnclientgroup type ipsec-ra
    tunnel-group vpnclientgroup general-attributes
     address-pool mypool
     authentication-server-group vpnclientgroup
     default-group-policy vpnclientgroup
    tunnel-group vpnclientgroup ipsec-attributes
     pre-shared-key 123456
Step 6: Define the encryption and authentication methods used to protect the data that is encrypted and authenticated over the link
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
Client configuration
Next, configure the remote-access client so that it connects to the ASA and reaches the internal web and FTP servers. Open the Cisco VPN client software and enter the group information and the pre-shared key to connect.
Open Wireshark to capture the RADIUS packets.
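What the captured RADIUS exchange between the ASA (the NAS) and the ACS server contains, as an added Python example that is not part of the original report: it hides the User-Password with the shared secret and the Request Authenticator as RFC 2865 specifies, and checks the Response Authenticator on the Access-Accept, which is how the ASA knows the accept came from a server holding the key set in Step 3. The user name, password and the fixed Request Authenticator are constructed values.

```python
import hashlib, struct

# RFC 2865 packet codes (1, 2) and attribute types (1, 2)
ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, USER_PASSWORD = 1, 2, 1, 2

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length includes the two header bytes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    # Server side of 5.2: the chain input is the received cipher block, not the plaintext
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, ident, request_auth, attrs, secret):
    # RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body

def verify_response(response, request_auth, secret):
    # What the NAS (the ASA here) must check before trusting an Access-Accept
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return response[4:20] == expected

def demo(secret=b"123456", password=b"vpn-user-pass-longer-than-16"):
    # Constructed exchange; a fixed Request Authenticator keeps the example deterministic
    request_auth, ident = bytes(range(16)), 7
    attrs = [(USER_NAME, b"vpnuser"), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    req = build_request(ident, request_auth, attrs)
    accept = build_response(ACCESS_ACCEPT, ident, request_auth, [], secret)
    return req, accept
```

Running `verify_response` with a different secret fails, which is the check that lets the ASA reject a forged Access-Accept; the same check is what makes the strength of the key in Step 3 matter.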
5. Results achieved
Through the simulation we gained a clearer understanding of the RADIUS authentication process, matching its description in the theory, and a firm grasp of the operation and features of the Cisco ASA firewall. The ASA firewall was emulated on GNS3. Users accessing the system through the VPN could be managed and monitored. Information security was provided under the firewall's protection by its encryption, authentication and access-authorization mechanisms.
o Shared secret key.
The Cisco ASA firewall is a device that safeguards information and system security; nevertheless it still has some weaknesses, and nothing is absolutely secure. To remedy and limit the risk, patches and new versions should be applied regularly from Cisco's website. Because time and manpower were limited, the project inevitably has shortcomings, which we hope to address in the near future so that it becomes more complete.