
PREFACE

Telecommunications technology is developing very quickly today, and within it network technology plays an essential role in moving data. Looking only at the business side, the communication needs of companies and organizations are enormous. A company typically has a private network that lets its internal computers share resources, but it also wants its branches, offices, mobile employees and remote partners to reach that network. Several services exist for this: dial-up modems, ISDN servers, or expensive dedicated leased WAN lines. With the wide spread of the Internet, a company can instead connect employees and partners anywhere, even worldwide, without paying for those services.

The problem is that the company's internal network holds important resources and data that only authorized, authenticated users may access, while the Internet is a public and unprotected network. The Internet can therefore be a danger to the company's network and critical databases: information that crosses it can be altered or stolen. This is exactly where the Virtual Private Network (VPN) proves its worth. A VPN provides private, secure data communication over the public Internet at low cost, efficiently, and with strong security.

After our time at the university, with the teaching and guidance of the lecturers in the faculty, we chose the topic "VPN virtual network system" for our graduation project, both to learn more and to apply that knowledge later in our work. Because our time and knowledge are limited, this project report will still contain many shortcomings. We sincerely hope for further guidance and comments from our lecturers and friends. Thank you very much!

Student group: Tran Ngoc Ha, Dao Duy Dam, Nguyen Thi Thu Trang

ACKNOWLEDGMENTS
First, we would like to thank our supervisor, Mr. Nguyen Tien Loi of the Faculty of Information Technology, Hanoi University of Industry, who guided us attentively and gave us the best conditions to complete this graduation project. We also thank the lecturers of the Faculty of Information Technology, Hanoi University of Industry, for their help throughout our course of study, and for their valuable contributions to this project. Finally, we thank all our friends and colleagues working in information technology who shared their valuable and useful experience with us.


TABLE OF CONTENTS

PREFACE
ACKNOWLEDGMENTS
TABLE OF CONTENTS
LIST OF FIGURES
ABBREVIATIONS
INTRODUCTION

CHAPTER 1: OVERVIEW OF THE TOPIC
  1.1 Urgency of the topic
  1.2 State of research in practice
  1.3 Problem addressed by the topic
  1.4 Purpose and significance
    1.4.1 Purpose
    1.4.2 Significance
  1.5 Approach, scope and results
    1.5.1 Approach
    1.5.2 Scope
    1.5.3 Results
  1.6 Advantages, disadvantages and shortcomings compared with other theses

CHAPTER 2: THEORETICAL BASIS
  2.1 Overview of basic networking, network administration, Windows Server 2008, Domain, AD, VPN and some network services [1][2]
    2.1.1 Basic networking
    2.1.2 Network administration
    2.1.3 Windows Server 2008
    2.1.4 Domains
    2.1.5 Active Directory (AD)
    2.1.6 VPN [3],[7],[8],[9],[10]
    2.1.7 Other network services
  2.2 Developing the topic

CHAPTER 3: VPN TUNNELING PROTOCOLS
  3.1 Layer 2 Forwarding protocol (L2F) [4],[6],[12]
    3.1.1 L2F packet structure
    3.1.2 Advantages and disadvantages of L2F
    3.1.3 Implementing L2F
  3.2 Point-to-Point Tunneling Protocol (PPTP) [4],[6],[12],[8]
    3.2.1 PPTP architecture
    3.2.2 Using PPTP
    3.2.3 Practical applicability of PPTP
  3.3 Layer 2 Tunneling Protocol (L2TP) [4],[6],[12]
    3.3.1 L2TP format
    3.3.2 Using L2TP
    3.3.3 Practical applicability of L2TP
  3.4 IP Security protocol (IPSec) [4],[6],[12]
    3.4.1 IPSec protocol framework
    3.4.2 Operation of IPSec
    3.4.3 Example of IPSec operation

CHAPTER 4: SECURITY IN VPN
  4.1 The authentication process [2],[4],[8]
    4.1.1 Data origin authentication
    4.1.2 Data integrity authentication
  4.2 Encryption [2],[4],[6],[8]
    4.2.1 Secret-key (symmetric) encryption algorithms
    4.2.2 Public-key encryption algorithms

CHAPTER 5: APPLICATION AND INSTALLATION OF THE VIRTUAL NETWORK SYSTEM
  5.1 Installing and deploying a virtual lab with VMware [1]
    5.1.1 VPN client-to-site
    5.1.2 VPN site-to-site
  5.2 Evaluation of results

CONCLUSION AND FUTURE WORK
REFERENCES

LIST OF FIGURES

Figure 2.1: VPN = tunneling + encryption
Figure 2.2: Model of the virtual network system
Figure 2.3: Remote-access VPN
Figure 2.4: Site-to-site VPN
Figure 3.1: L2F packet format
Figure 3.2: Typical L2F model
Figure 3.3: PPTP architecture
Figure 3.4: Protocols used in a PPTP connection
Figure 3.5: PPTP/GRE packet encapsulation
Figure 3.6: Data packet structure inside a PPTP tunnel
Figure 3.7: PPTP encapsulation diagram
Figure 3.8: Compulsory and voluntary tunnels
Figure 3.9: Packet encryption in PPTP
Figure 3.10: LAN-to-LAN tunnel
Figure 3.11: Basic components of a PPTP VPN
Figure 3.12: L2TP architecture
Figure 3.13: Protocols used in an L2TP connection
Figure 3.14: L2TP packet encapsulation
Figure 3.15: Data packet structure inside an L2TP tunnel
Figure 3.16: L2TP encapsulation diagram
Figure 3.17: Voluntary and compulsory tunnels
Figure 3.18: LAN-to-LAN tunnel
Figure 3.19: Basic components of L2TP
Figure 3.20: Protocol framework used in IPSec
Figure 3.21: AH packet format
Figure 3.22: ESP packet format
Figure 3.23: IPv4 packet format before and after AH processing
Figure 3.24: IPv6 packet format before and after AH processing
Figure 3.25: IPv4 packet format before and after ESP processing
Figure 3.26: IPv6 packet format before and after ESP processing
Figure 3.27: The five steps of IPSec operation
Figure 3.28: IKE Phase 1
Figure 3.29: IKE policy set
Figure 3.30: Peer authentication
Figure 3.31: Negotiating IPSec security parameters
Figure 3.32: IPSec transform set
Figure 3.33: Security associations
Figure 3.34: IPSec tunnel established
Figure 3.35: Tunnel termination
Figure 3.36: Information exchange process
Figure 4.1: User challenge-response system
Figure 4.2: Common hash functions MD5 and SHA-1
Figure 4.4: Data integrity authentication based on a message authentication code (MAC)
Figure 4.5: Digital signature
Figure 4.6: Secret-key (symmetric) encryption
Figure 4.7: Diagram of the DES algorithm
Figure 4.8: Feistel network
Figure 4.9: Public-key encryption algorithm

ABBREVIATIONS

3DES: Triple Data Encryption Standard
AD: Active Directory
ADSL: Asymmetric Digital Subscriber Line
AES: Advanced Encryption Standard
AH: Authentication Header
API: Application Programming Interface
ATM: Asynchronous Transfer Mode
ARIN: American Registry for Internet Numbers
BGP: Border Gateway Protocol (inter-domain routing protocol)
BICC: Bearer Independent Call Control Protocol
B-ISDN: Broadband Integrated Services Digital Network
CA: Certificate Authority
CIR: Committed Information Rate
CHAP: Challenge Handshake Authentication Protocol
CR: Cell Relay
CSU: Channel Service Unit
DCE: Data Communication Equipment
DES: Data Encryption Standard
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
DSL: Digital Subscriber Line
DSP: Digital Signal Processor
DSU: Data Service Unit
EAP: Extensible Authentication Protocol
ESP: Encapsulating Security Payload
FCS: Frame Check Sequence
FR: Frame Relay
GVPNS: Global VPN Service
ICMP: Internet Control Message Protocol
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IGP: Interior Gateway Protocol (intra-domain routing protocol)
IN: Intelligent Network
IP: Internet Protocol
IPSec: Internet Protocol Security
ISAKMP: Internet Security Association and Key Management Protocol
ISDN: Integrated Services Digital Network
ISO: International Organization for Standardization
ISP: Internet Service Provider
L2F: Layer 2 Forwarding
L2TP: Layer 2 Tunneling Protocol
LAC: L2TP Access Concentrator
LAN: Local Area Network
LCP: Link Control Protocol
LNS: L2TP Network Server
MAC: Message Authentication Code
MD5: Message Digest 5
MG: Media Gateway
MGC: Media Gateway Controller
MGCP: Media Gateway Control Protocol
MIB: Management Information Base
MPLS: Multiprotocol Label Switching
MPPE: Microsoft Point-to-Point Encryption
MTU: Maximum Transmission Unit
NAS: Network Access Server
NCP: Network Control Protocol
NDIS: Network Driver Interface Specification
NGN: Next Generation Network
NSA: National Security Agency (United States)
PAP: Password Authentication Protocol
PDU: Protocol Data Unit
PKI: Public Key Infrastructure
POP: Point of Presence
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
PVC: Permanent Virtual Circuit
QoS: Quality of Service
RAS: Remote Access Service
RADIUS: Remote Authentication Dial-In User Service
RRAS: Routing and Remote Access Service
SA: Security Association
SDH: Synchronous Digital Hierarchy
SG: Signaling Gateway
SIP: Session Initiation Protocol
SONET: Synchronous Optical Network
SPI: Security Parameter Index
RTP: Real-time Transport Protocol
SVC: Switched Virtual Circuit
TCP: Transmission Control Protocol
TE: Terminal Equipment
UNI: User Network Interface
UDP: User Datagram Protocol
VC: Virtual Circuit
VCI: Virtual Circuit Identifier
VNS: Virtual Network Service
VPI: Virtual Path Identifier
VPN: Virtual Private Network
WAN: Wide Area Network

INTRODUCTION
The rapid advance of science and technology, and of information technology and telecommunications in particular, has contributed greatly to the growth of the world economy. Organizations and enterprises with many branches, and multinational companies, must constantly exchange information with their customers, partners and employees. They therefore need the latest and most accurate information, and at the same time a highly reliable link between their branches around the world and with their partners and customers. In the past, two kinds of telecommunications service were available to meet these needs:

- First, leasing lines (leased lines) from service providers to connect all of the company's subnetworks. This is very expensive to build initially and to operate, maintain or expand later.
- Second, communicating over the Internet, which does not provide a high level of security.

The Virtual Private Network (VPN) reconciles these two services: it is built on the existing infrastructure of the Internet yet behaves like a private network, as a leased line would. A VPN can therefore be called the optimal choice for businesses. At reasonable cost it lets an enterprise reach the world faster and more efficiently than traditional WAN solutions: construction costs fall because existing public infrastructure is reused, recurring costs fall, and the design is flexible. In Vietnam, with the economy growing and integrating internationally, VPNs meet both the demand for information exchange and the constraints of cost.

With the topic "VPN virtual network system" for our graduation project, we hope to contribute to the understanding of VPN technology and to its wider adoption. The project consists of five chapters, which present the most basic aspects of VPN networks in turn.

Chapter 1 presents general concepts, the urgency of the topic, our approach, and the practical significance of a VPN system. It forms the basis for developing the topic and states the advantages and difficulties of each VPN type.

Chapter 2 introduces network services, defines the applications used in network administration, presents the VPN concept and the types of VPN, and classifies VPN networks.

Chapter 3 is the core chapter: it describes the tunneling protocols used in VPNs (L2F, PPTP, L2TP and IPSec), their characteristics and their operation.

Chapter 4 covers security in VPNs, an important part of the subject. VPN security consists of encryption and authentication; this chapter presents the solutions and the encryption and authentication algorithms used in VPNs.

Chapter 5 uses the knowledge from the earlier chapters to build VPN topologies in a virtual lab that can be put into practical use at enterprises and companies.

Because of our limitations in many respects, the content of this project inevitably contains errors. We welcome comments from our lecturers and readers.


CHAPTER 1: OVERVIEW OF THE TOPIC


Information technology is now deployed, applied and developed vigorously in everyday life, with remarkable progress; the state of a country's IT industry is one indicator of how developed that country is. As computer networks have grown and entered production use, a whole series of application services has grown with them to serve people's work and make it more convenient and faster. Among the technologies that followed is the VPN virtual network system. A VPN lets companies, enterprises and partners that are geographically far apart connect to one another across the Internet while still guaranteeing the security and safety of their data.

1.1 Urgency of the topic

With the arrival of computer networks, network technology has developed by leaps and bounds. Not long ago the computer network was a distant concept; today it is reality and one of the major needs of companies and enterprises. Building and developing a network is vital for every organization, and applying it to daily work brings great benefits that no one can deny: support for work, and fast, convenient transfer of information and data. However, the Internet also brought consequences, among them the sabotage of systems by malicious actors. Communication and data transfer over the network can be intercepted or stolen by attackers who exploit the Internet. To secure their connections and data transfers, organizations could choose one of two telecommunications services:

- Lease a dedicated line (leased line) from a provider to connect the company's subnetworks. Leased lines, however, are very expensive. Does that make connecting a parent company with its subsidiaries infeasible?
- Use the Internet to communicate. This method is not very secure: traffic is easy to eavesdrop on and information is easy to steal.

This gap led to the Virtual Private Network (VPN), which Microsoft popularized on Windows through its PPTP implementation. Building a VPN system has been of great significance in the networking revolution. A VPN reconciles the two options above: it is built on the existing foundation of the Internet yet has the properties of a private network, as when using leased lines. A VPN establishes a connection channel, a private tunnel, between the parent company's systems and those of its subsidiaries, so that data transfer and information exchange are safe and efficient. At reasonable cost it lets an enterprise reach the world faster and more efficiently than traditional WAN solutions, with lower construction costs thanks to the reuse of public infrastructure, lower recurring costs, and a flexible design.

1.2 State of research in practice

With the great support in knowledge from the lecturers of the Faculty of Computer Science, Hanoi University of Industry, and the unlimited source of knowledge on the Internet, the research and development of this topic was well supported and effective in every respect. By studying other theses on VPN systems that had already been researched and built, we drew out their strengths and reduced their weaknesses in the course of our own practical research. Alongside these advantages there were significant difficulties. Although virtual private networks were developed and built long ago, our limited knowledge still made researching the topic a major challenge. Building a project that makes full use of the accumulated knowledge of the field and realizes the full potential of VPN systems in practical work depends on many other factors as well.

1.3 Problem addressed by the topic

The problem is to build a VPN system that can be put into practice today. Building a VPN is vital for large enterprises, as it saves cost and secures data. In Vietnam, with the economy growing and integrating internationally, the need for VPNs meets both the demand for information exchange and the constraints of cost.

1.4 Purpose and significance

1.4.1 Purpose

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users to a LAN at a central headquarters. Instead of a complicated physical connection such as a digital leased line, a VPN creates virtual links carried over the Internet between an organization's private network and its remote sites or users. The VPN solution is designed for organizations that need more remote communication because of a wide area of operation (nationwide or global). Central resources can be reached from many places, saving cost and time.

The purpose of a VPN is to exploit the Internet and its ubiquity. But because the Internet is a public medium, it can be accessed by anyone, at any time, from anywhere, and information exchanged over it can be eavesdropped on or stolen, or accessed illegally by attackers. The purpose of a VPN is therefore to provide data confidentiality, efficiency and reliability on the network while keeping the cost of building the network balanced. A VPN can be understood as the extension of an intranet across a public network so as to secure, and make cost-effective, the connection between two endpoints. Sophisticated security mechanisms and controls are used so that data that could easily be stolen is exchanged safely over an untrusted medium. These security mechanisms rest on the following concepts:

* Encryption: transforming data according to a defined algorithm so that it can be read only by the intended user. To read the data, the recipient must hold the exact key that decrypts it. In the traditional (symmetric) method, sender and recipient share the same key for both encryption and decryption. A public-key scheme uses two keys: a public key that anyone may use to encrypt data, and a private key, held only by its owner, that is required to decrypt it.

* Authentication: the process of verifying the identity of the communicating party, so that data really comes from the claimed sender and arrives unaltered. In its basic form authentication requires at least a username and password before a resource can be accessed. In more complex situations a secret key or a public key is added, and the data is also encrypted.

* Authorization: the process of granting or denying access to network resources after authentication has succeeded.

1.4.2 Significance

Building a VPN system on top of the Internet brings real significance and results: a private network is established on existing public infrastructure by means of encryption, creating virtual tunnels that are transparent to the applications and secure. The virtual private network arose to meet the needs of enterprises that want to maintain a private network linking their branch offices and their staff working outside the company, at low cost, with stable operation and high security. Because a dedicated channel is set up, the result is both secure and convenient to deploy and extend.

- A VPN reduces recurring costs. It saves the cost of leased lines and reduces the costs incurred by remote staff, who reach the internal network through a local point of presence (POP) of the service provider. Less provider access capacity needs to be leased, so the cost of a LAN-to-LAN connection is far lower than with a leased line.

- It reduces management and support costs. Using a provider's service, the company manages only the endpoint connections at its branches, not the switching equipment in the network. It also reuses the Internet infrastructure and the provider's technical staff, so the company can concentrate on its business.

- A VPN provides confidentiality, integrity and authentication. Data sent across the network is encrypted and carried inside tunnels, so the information is well protected. Note that the tunnel by itself adds no protection; confidentiality and integrity come from the encryption and the message authentication applied to the tunneled packets.

- A VPN easily joins branches into one local network. With globalization a company may have branches in many countries, and central management of the information at all of them is necessary. A VPN can join the networks of the branches and the head office into one LAN at low cost.

- A VPN supports today's most common network protocols, such as TCP/IP.

- IP address hiding: because the information sent over the VPN is encrypted, the addresses of the private network are concealed, and only the public Internet addresses of the VPN endpoints appear on the outside.

1.5 Approach, scope and results

1.5.1 Approach

We took an inductive approach, starting from broad and deep basic knowledge and working toward the general. We combined self-study with learning from our lecturers in supervision meetings, and from there built a complete virtual-machine system that can be applied in practice. We also gathered information on the topic from the Internet and from books and papers related to the VPN virtual network system.

1.5.2 Scope

This project is built on research into the application of VPN technology on the Windows Server 2008 operating system, applied to the network of the Social Insurance office of Lai Chau province. It concentrates on how to build a VPN system on VMware virtual machines in a way that can be applied to real work.

1.5.3 Results

A complete virtual-machine system was built, with sites and servers running Windows Server 2008 and workstations running Windows 7 and Windows XP. After the defense, the project can be applied immediately to real work at the organization.

1.6 Advantages, disadvantages and shortcomings compared with other theses

While researching and writing this report we consulted websites, books and papers, our lecturers, and two other theses on virtual private networks: the thesis of Doan Thanh Binh, a university graduation project on VPN technology, tunneling protocols and security, and the thesis "Virtual Private Network" by Phan Ba Tue, Nguyen Minh Tam and Nguyen Thanh Hung, students of Vietnam National University, Ho Chi Minh City. From studying these theses we observed the following.

* Advantages:

- Both theses are very detailed and concrete, and give the reader the most general concepts of the VPN virtual private network.
- Both define the concepts and the security methods used when building a VPN.

* Disadvantages: the thesis of Doan Thanh Binh goes too deeply into theory and does not cover practice, that is, how to build a simple VPN system for real use on the basis of the existing theory. The thesis of the group from Vietnam National University, Ho Chi Minh City, does include instructions, but they are not specific enough.

From these observations we tried to absorb the achievements of both theses in order to improve this report on the VPN virtual network system. We then assessed the advantages and disadvantages of our own project.

* Advantages:
- The report summarizes a number of concepts related to the topic and some application services used in network administration.
- It is concise and easy to understand, and is presented for users and researchers.
- It contains images and concrete, detailed instructions, so a reader can learn about VPN systems on their own and build a number of application models from it.
- It applies knowledge from other reports to our own.

* Remaining shortcomings:
- The research is not yet truly deep.
- There are still many gaps in our knowledge.
- Because of that limited knowledge, this graduation project cannot yet present all the strengths and weaknesses of VPN systems. We hope our lecturers and friends will add to it and comment.

Conclusion of Chapter 1: Chapter 1 shows the importance and urgency of VPN systems for the survival of today's companies and enterprises. A VPN meets most of their needs for administrative communication and for data transfer between company branches.

However, alongside its practical application, deploying a VPN system in practice still faces difficulties because of the shortage of highly qualified network administration staff at companies and enterprises.


Chapter 2 - THEORETICAL BACKGROUND
The term Virtual Private Network, usually abbreviated VPN, denotes a technique that appeared long ago, but it only really took off and became competitive with the emergence of intelligent network technology and the strong growth of the Internet. It is on top of the network infrastructure that a VPN system is built and developed to serve the organization's work. This chapter covers the theoretical background on networks, network infrastructure, the operating system and the accompanying network services: the definitions and foundations needed to build a complete VPN system that meets the organization's needs.
2.1 - Overview of basic networking, network administration, Windows Server 2008, Domain, AD, VPN and some network services [1][2]
2.1.1 Overview of basic networking
* Definition of a computer network: A computer network is a set of computers connected to each other by transmission links in some structure, through which the computers exchange information with one another. A transmission link is a system of wired or wireless transmission equipment used to carry electronic signals from one computer to another. These electronic signals represent data values as binary pulses (on - off). All signals transmitted between computers are a form of electromagnetic wave. Depending on the frequency of the electromagnetic wave, different physical media can be used to carry the signals. The connecting medium may be coaxial cable, twisted-pair cable, optical fiber, telephone wire, radio waves, and so on. The data links form the structure of the network. The two concepts of transmission link and structure are the basic characteristics of a computer network.
* Classification of computer networks: Because computer networks have now spread everywhere with increasingly diverse applications, classifying them is a very complex matter. Networks can be divided by geographical distance into two kinds: wide area networks and local area networks. A local area network (LAN) is a network set up to connect the computers in one area, such as a building or a campus.

A wide area network (WAN) is a network set up to connect computers in two or more different areas, such as different cities or provinces. This distinction is only conventional, and it is becoming harder to draw as science and technology and transmission media advance. Nevertheless, the geographical distinction leads to differences in many characteristics of the two kinds of network, and studying those differences gives a clearer understanding of them.
2.1.2 Overview of network administration
Today the computer network is a concept familiar to almost everyone, and it occupies a particularly important place in enterprises. With the strong growth of networked systems (the Internet, e-commerce systems, the information systems of agencies and enterprises, and so on), network administration and security have become essential. How does one design an optimal computer network for each organization or enterprise, and how does one make that network operate well with a high level of security? To move toward a safe and highly reliable information society, in which services and utilities can be delivered over the network to serve social, political and military life, network administration and security must be considered and valued at their true importance.
* Network administration is defined as the work of managing the network: providing support services, ensuring the network operates efficiently, and ensuring that the network delivers the quality set out in its targets.
* System administration is defined as the work of providing support services, ensuring reliability, improving the operating efficiency of the system, and ensuring that the quality of the services provided on the system meets its targets.
A general definition of network administration is hard to give because of its broad scope. Network administration in the sense of computer networks can be understood broadly as the union of network administration and system administration. In outline, network administration consists of the following tasks:
* Configuration and network resource management: managing and controlling configuration, and managing the resources allocated to different users.


* User and network service management: managing users on the system and on the network, and ensuring that the services provided are highly reliable and meet the quality targets set.
* Performance and operations management: managing and monitoring network operation, ensuring that the devices, systems and services on the network operate efficiently and stably. Managing and monitoring the network lets the administrator summarize and forecast the growth of the network and its services, identify the weak and strong points of the whole network, its systems and services, and at the same time run the whole network at the highest performance.
* Security management: managing and monitoring the network and its systems to prevent unauthorized access, deliberate sabotage of systems and services, theft of important organizational or company information, or malicious alteration of content published on the network. Preventing and containing the spread of computer viruses and DoS attacks that paralyse the network or its services is also an extremely important part of security management. Especially now that Internet connectivity has become essential, security is placed first, in particular for organizations that need high confidentiality (banks, archives, electronic reporting, key economic groups, and so on).
2.1.3 Overview of Windows Server 2008
Microsoft Windows Server 2008 is the next generation of the Windows Server operating system. It helps IT professionals control the infrastructure as effectively as possible while providing manageability, availability and a server environment that is far more powerful, stable and secure than before. Windows Server 2008 brings new value to the organization, and everyone, wherever they are, receives the full set of network services. It also gives deeper insight into the operating system and better troubleshooting, so that network administrators have more time to concentrate on adding business value. Windows Server 2008 builds on the success and strength of the acclaimed Windows Server 2003 operating system and on the improvements in Service Pack 1 and Windows Server 2003 R2.
However, Windows Server 2008 does not merely improve on earlier operating systems: it is designed to give the organization the most productive platform for applications, networking and Web services, from the workgroup to the data center, with new, valuable and attractive features together with major improvements to the base operating system.
* Improvements in the Windows Server operating system

Besides new features, Windows Server 2008 contains many major improvements to the base operating system compared with Windows Server 2003. Notable improvements include networking improvements, advanced security features, remote application access, centralized server role management, reliability and performance monitoring tools, server failover and failover clustering, deployment, and the file system. These and many other improvements help the organization optimize the flexibility, availability and control of its servers.
* Benefits of Windows Server 2008
Windows Server 2008 brings benefits in four main areas:
Benefit: Web
Description: Windows Server 2008 delivers rich web experiences efficiently and effectively, thanks to better administration and troubleshooting on the network, better programming and application-development tools, and lower infrastructure costs. Web server management is simplified by Internet Information Services 7.0, a powerful Web platform for applications and services. This modular platform has a simple, task-based management interface, stronger cross-checking, improved security and unified operations management for every Web service. Task-based interfaces simplify the general management of Web server tasks. Cross-site replication lets you copy a site's settings to many Web servers without extra configuration. Delegated application and site administration lets you hand control of different parts of the Web server to whoever needs it. Comprehensive, flexible application delivery connects users and data, letting them visualize, share and act on information.

Benefit: Virtualization
Description: With built-in server virtualization technology, Windows Server 2008 helps reduce costs, increase hardware utilization, optimize the infrastructure and improve server availability. Thanks to the virtualization built into the operating system and more flexible, simpler licensing policies, its benefits and cost savings can be fully exploited. Built-in virtualization can virtualize many operating systems (Windows, Linux and others) on one server. Centralized application access and seamless integration of remotely deployed applications. The improvements also allow remote application connections through firewalls without a VPN, so you can respond to users' requests quickly wherever they are. New deployment options offer the deployment methods best suited to your environment. Interoperability with the existing environment. A skilled and strong technical community supports a wealth of experience throughout the product life cycle.

Benefit: Security
Description: Windows Server 2008 is the most secure Windows server ever. Security improvements and a hardened operating system, including Network Access Protection, Federated Rights Management and the Read-Only Domain Controller, provide unprecedented levels of protection for the network, data and the company. The server is protected by security improvements that reduce the attack surface of the operating system core, so the server environment is more secure and more robust. Network access is protected by Network Access Protection, which can isolate computers that do not comply with the defined security policy; the ability to enforce security requirements is a powerful tool for protecting the network. New intelligent policy and rule creation solutions increase control and protection when networking, giving a policy-driven network. Data protection ensures that only users with the correct credentials can gain access, and that data remains available when hardware fails. Malware is countered by User Account Control with a new way of authenticating users. Control over user settings is strengthened by Expanded Group Policy.

Benefit: Solid Foundation for Business Workloads
Description: Windows Server 2008 is the most powerful and flexible Windows Server operating system ever. With new technologies and features such as Server Core, PowerShell, Windows Deployment Services, and improved networking and server clustering technology, Windows Server 2008 provides the most reliable and versatile Windows platform for every application and workload. Reliability is increased by improvements that minimize loss of access, work, time, data and control. IT infrastructure management is simplified by new tools that share a single, centralized interface for configuring and monitoring servers and automating daily tasks. Installing and managing Windows Server 2008 is more rational because only the features and roles that are needed are installed. Tailoring the server configuration to the need simplifies maintenance, reduces the attack surface and requires fewer software updates. Problems are pinpointed and resolved effectively with powerful diagnostic tools that show everything happening on the server, virtual or physical. Control over remote servers, such as branch offices, is strengthened. With optimized server management and data replication, users get better service while the network administrator has fewer management headaches.

2.1.4 Overview of the Domain
One of the most important concepts of a Windows network is the domain. A domain is a collection of user accounts and computer accounts grouped together so that they can be managed centrally. That management is the job of the domain controllers, which make resources easier to use. The domain controller is truly important. On a network, any workstation running Windows XP has some set of user accounts created in advance, and Windows XP even lets you create additional accounts if needed. If the workstation functions as a standalone system or as part of a peer-to-peer network, the workstation-level user accounts (called local user accounts) cannot control access to resources on the network. They are used only to regulate access to the local machine, and they act as a guarantee that the administrator can carry out maintenance on the workstation while the end user is not allowed to interfere with its settings. That a local user account on a given work­station is not allowed to control access to resources outside that workstation adds a very large management burden. Local user accounts live only on individual workstations. If such an account is the main security principal in the network, the administrator has to walk physically to the computer that holds the account whenever the account's permissions have to be changed. This causes no great trouble on a small network, but it becomes extremely onerous on a large network or when a broad change has to be applied to every account. Another reason is that nobody wants to move user accounts from one machine to another. For example, if a user's computer is damaged, that user cannot log on to another computer to work, because their account only works on the old machine; to get anything done they would have to create a new account on the other machine. That is just one of many reasons why using local user accounts for secure access to network resources is impractical. Even if you wanted to deploy security this way, Windows would not allow it: a local user account can only use local resources on a given workstation. Domains solve the problems just described, and others besides. They centralize user accounts (and other configuration and security-related objects). This makes administration easier and lets users log on from any computer on the network (unless you restrict the user's access rights). In principle, when a user wants to access a resource on a server, a server-level user account is used to control that access. Yet domains provide users with much more than that. Each domain is unique and operates independently, never repeating the same operating principles. Integrated into the domain is the Active Directory (AD) component, a directory tree for managing and authenticating users in the domain. AD acts as a store of directory objects, among them user accounts. One of the main jobs of a domain controller is to provide the authentication service (this is studied in more depth later in this report). The domain controller provides authentication, not authorization. That is, when a user logs on to the network, a domain controller checks whether the username and password entered are correct and match the data stored on the server. But the domain controller does not tell the user which resources they may access. Resources on a Windows network are protected by access control lists (ACL - Access Control List). An ACL is a list specifying who is allowed to do what. When a user tries to access a resource, they present their identity to the server holding that resource. The server checks that this user identity has been authenticated, then consults the ACL to see what the user may do. The domain controller plays an extremely important role in Windows Server.
2.1.5 Overview of AD
Active Directory is a directory service proprietary to Microsoft and an indispensable part of the Windows architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a standardized, centralized system for automating the management of user data, security and distributed resources, and it allows interoperation with other directories. In addition, Active Directory is designed specifically for distributed networked environments.
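The split described above (the domain controller answers only "is this really user X?", while the server holding the resource verifies that the identity was authenticated and then consults the resource's ACL) can be modelled in code. This is an added example, not the thesis authors' code or the Windows protocol: the HMAC-signed logon token, PBKDF2 password storage, the rule that a deny entry overrides an allow entry, and the names alice, bob and fs01 are assumptions made for the model.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class Ace:
    """One access control entry: who may (or may not) exercise one right."""
    principal: str   # user name or group name
    right: str       # e.g. "read", "write"
    allow: bool      # False makes this a deny entry


class DomainController:
    """Holds the centralised account database and answers only 'who is this?'."""

    def __init__(self, token_secret: bytes):
        self._secret = token_secret
        self._accounts = {}          # user -> (salt, password hash, groups)

    def add_user(self, user: str, password: str, groups=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[user] = (salt, digest, frozenset(groups))

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Return a signed logon token, or None when the credentials do not match."""
        record = self._accounts.get(user)
        if record is None:
            return None
        salt, digest, groups = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        claim = user + ";" + ",".join(sorted(groups))
        # The token names the user and groups; it says nothing about resources.
        return claim + "|" + hmac.new(self._secret, claim.encode(), "sha256").hexdigest()


class ResourceServer:
    """Holds resources and their ACLs; decides 'what may this identity do?'."""

    def __init__(self, token_secret: bytes):
        self._secret = token_secret   # shared with the DC so tokens can be verified
        self._acls = {}               # resource -> list of Ace

    def set_acl(self, resource: str, aces):
        self._acls[resource] = list(aces)

    def _identity(self, token: str) -> Optional[Tuple[str, Set[str]]]:
        """Accept the identity only if the DC's signature on the token verifies."""
        claim, _, signature = token.rpartition("|")
        expected = hmac.new(self._secret, claim.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None
        user, _, groups = claim.partition(";")
        return user, {g for g in groups.split(",") if g}

    def is_allowed(self, token: str, resource: str, right: str) -> bool:
        ident = self._identity(token)
        if ident is None:
            return False                      # not authenticated: no ACL lookup at all
        user, groups = ident
        names = groups | {user}
        matching = [a for a in self._acls.get(resource, [])
                    if a.principal in names and a.right == right]
        if any(not a.allow for a in matching):
            return False                      # a deny entry wins (assumed rule)
        return any(a.allow for a in matching)


def build_lab():
    """Constructed sample lab: two users, one file share, one ACL (not real data)."""
    secret = os.urandom(32)
    dc = DomainController(secret)
    dc.add_user("alice", "correct horse", groups=["Staff"])
    dc.add_user("bob", "bob-pass", groups=["Staff"])
    fs = ResourceServer(secret)
    fs.set_acl(r"\\fs01\reports", [
        Ace("Staff", "read", True),     # everyone in Staff may read
        Ace("bob", "read", False),      # ... except bob, who is explicitly denied
        Ace("Admins", "write", True),   # only Admins may write
    ])
    return dc, fs
```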

Active Directory can be regarded as a new development relative to Windows 2000 Server; it was enhanced and refined in Windows Server 2003 and became an important part of the operating system. Windows Server 2003 Active Directory provides a reference, called the directory service, to all objects in a network, including users, groups, computers, printers, policies and permissions. For users and administrators, Active Directory provides a structured view from which all resources in the network can easily be accessed and managed.
2.1.6 Overview of VPN [3],[7],[8],[9],[10]
a) What is a VPN? The virtual private network, also known by its abbreviation VPN, is not a new concept in networking technology. A VPN can be defined as a virtual network service deployed on the infrastructure of a public network in order to save the cost of point-to-point connections. A telephone call between two individuals is the simplest example of a virtual private connection over the public telephone network. The two important characteristics of VPN technology are "private" and "virtual", corresponding to the two English terms (Virtual and Private). A VPN can appear at any layer of the OSI model; it is an improvement of the WAN infrastructure that changes the WAN and gives it the properties of a local network.

Figure 2.1: VPN = Tunnel + Encryption


Figure 2.2: Model of a virtual network system
b) Benefits of a VPN:
* A VPN reduces recurring costs: a VPN saves line-rental costs and reduces the costs incurred for remote staff, because they reach the internal network through local points of presence (POP - Point of Presence), limiting the access lines rented from the provider, so that the cost of LAN-to-LAN connection drops considerably compared with renting a leased line. Lower management and support costs: by using the provider's service, we only have to manage the end connections at the branches, not the switching equipment in the network. At the same time the Internet infrastructure and the technical staff of the service provider are used, so the company can concentrate on its business.
* A VPN ensures confidentiality, integrity and authentication: data on the network is encrypted with cryptographic algorithms and carried inside tunnels, so the information is highly secure.
* A VPN easily connects branches into one local network: with globalization, a company may have many branches in many countries, and centralized management of information at all branches is necessary. A VPN can easily connect the networks of the branches and the head office into one LAN at low cost.
* A VPN supports today's most common network protocols, such as TCP/IP.
IP address security: information sent over the VPN is encrypted, so the addresses on the private network are hidden and only the external Internet addresses are used.
c) Components needed to form a VPN connection:
User authentication: provides a user authentication mechanism so that only legitimate users may connect to the VPN system.
Address management: provides a valid IP address to the user after joining the VPN so that resources on the internal network can be reached.
Data encryption: provides encryption of data in transit to ensure privacy and data integrity.
Key management: provides management of the keys used to encrypt and decrypt data.
d) Types of VPN:
* VPNs are divided into 2 types:
* VPN Remote Access
* VPN Site to Site
+ VPN Intranet
+ VPN Extranet


Figure 2.3: VPN Remote Access
* VPN Remote Access: provides remote access connections to an Intranet or Extranet over a shared infrastructure. Remote Access VPN uses analog, dial-up, ISDN, DSL, Mobile IP and cable links to establish connections to mobile users. An important characteristic of Remote Access VPN is that it lets mobile users access the company's internal network remotely to work. Implementing a Remote Access VPN requires: one VPN gateway (with one public IP). This is the central point of processing when a VPN client dials in to the internal VPN system. The VPN clients connect to the Internet.


Figure 2.4: VPN Site to Site
* VPN Site-to-Site: Site-to-Site VPN is divided into two subtypes, Intranet VPN and Extranet VPN.
+ Intranet VPN: connects the head office, branches and remote offices to the company's internal network over a shared network infrastructure. Intranet VPN differs from Extranet VPN in that it only allows the company's internal staff to access the company's internal network.
+ Extranet VPN: connects the company's customers, consultants or partners into one network over a shared infrastructure. Extranet VPN differs from Intranet VPN in that it allows users outside the company to access the system.
Implementing a Site-to-Site VPN requires two VPN gateways (each with one public IP). This is the central point of processing when the VPN gateway on the other side dials in. The clients connect to the internal network.
2.1.7 Some other network services
Like other operating systems, Windows NT has its advantages and shortcomings, but it has won over many users with undeniable advantages. It is a network operating system that allows an organization to manage actively under different models: peer-to-peer and client/server. It suits all current network architectures: star, bus, ring and hybrid. It has a number of superior features that guarantee running many programs at once without error. Windows NT itself supports most of the common network protocols and also supports many traditional network services. It serves both local area networks (LAN) and wide area networks (WAN). Windows NT allows the Windows NT TCP/IP protocol, which is very widely used on most wide area networks and on the Internet. TCP/IP works well for many network services in the Windows NT environment.
a) Internet Information Server (IIS): Internet Information Server is an application that runs on Windows NT and is tightly integrated with it; when IIS is installed it adds entries to the Performance Monitor utility, such as statistics on the number of accesses and pages accessed. Checking of accessing users is also based on the Windows NT user management mechanism. After installing IIS, the InetSrv directory contains the root directories for each service chosen at installation. IIS includes 3 services: World Wide Web (WWW), file transfer (FTP - File Transfer Protocol) and Gopher. All 3 services use TCP/IP connections.
* Services in IIS
+) WWW (World Wide Web): one of the main services on the Internet, letting users view information easily and vividly. Data moves between Web server and Web client through the HTTP protocol (Hypertext Transfer Protocol). The administrator can view information such as which users accessed, which pages were accessed, which requests were accepted and which were refused, through files that can be stored as a database.
+) FTP (File Transfer Protocol): uses TCP to transfer files between 2 machines and also works in the client/server model. On receiving a request from a client, the FTP server first checks the validity of the user by name and password. If valid, the FTP server checks the user's rights on the file or directory specified on the FTP server. If valid and the file system is NTFS, there is an additional NTFS-level check on the directory and file. When everything is valid, the user gets the corresponding rights on that file or directory.
+) Gopher: a service with a menu interface for a Gopher client to find and transfer any information the Gopher server has been configured for. Gopher also uses TCP/IP connections.
b) Dynamic Host Configuration Protocol (DHCP): in a computer network, assigning fixed static IP addresses to hosts wastes IP addresses, because not all hosts are active at the same moment, so some addresses are left over. To remedy this, the DHCP service was introduced to assign dynamic IP addresses in the network. In an NT network, a machine that issues a request for TCP/IP information is called a DHCP client, and the machines that provide TCP/IP information are called DHCP servers. DHCP servers must be Windows NT servers. IP address assignment in DHCP: when a user logs on to the network it needs to be granted an IP address, in the following 4 steps:
- Send a message to all DHCP servers requesting an address.
- All DHCP servers reply with the address they would grant to that user.
- The user chooses one of the offered addresses and sends a message to the server whose address was chosen.
- The chosen server sends an acknowledgement to the user to which it grants the address.
c) Domain Name Service (DNS): the Internet now has millions of nodes (hosts), so we cannot remember every IP address. Besides its IP address each host has a distinguishing name, and DNS is a distributed database that maps host names to IP addresses. Given a host name, the DNS server returns the IP address or some information about that host. This lets the network manager choose names for hosts easily. A DNS server is used in the following cases: we want our own domain name on the Internet so that subdomains can be created and separated within it.


We need a DNS service for local control to increase the flexibility of our local domain. We need a firewall to stop outsiders penetrating our internal network. It can be managed directly with text editors to create and modify the files, or with DNS Manager to create and manage DNS objects such as servers, zones, records, domains, integration with Windows, and so on.
d) Remote Access Service (RAS): besides local links to the local area network (LAN), remote connections into the LAN are now a necessary requirement of users. Such a link lets a remote machine, such as a user's home computer, enter a LAN over a telephone line and use its resources. The most common method today is to use a modem to transmit over the telephone line. Windows NT provides the Remote Access Service, which lets workstations connect to the resources of a Windows NT server over a telephone line. RAS allows connections to servers, administration of users and servers, running data-processing programs, and establishing security on the network. With its great capabilities in network services, Windows NT is one of the best network operating systems today. It allows communication between machines in the network, remote access and file transfer, and serves both local area networks (LAN) and wide area networks (WAN) such as intranets and the Internet. With such capabilities, Windows NT holds a firm position in providing network solutions worldwide.
2.2 - Project development
Through the study of and internship on virtual private networks, we see that applying them to the development of the information technology infrastructure fully fits the trend and is vital. The system saves costs and cuts unnecessary, cumbersome administrative procedures. The project in this internship has only been applied on a virtual-machine system, so many issues remain and it will differ from reality if deployed. Nevertheless, this project is a basis for practical application at state administrative agencies and offices, which today are moving toward computerization of their systems. With the help of the lecturers and the body of knowledge from the community applying information technology in everyday life, this project will continue to be studied and deployed at the headquarters of the Lai Châu provincial Social Insurance office (BHXH) and at the district and town Social Insurance offices in Lai Châu province.
Conclusion of Chapter 2: Chapter 2 has given the definitions and general concepts of network administration and their applications in deploying and administering a network system. It has also given an overview of the concept of a VPN virtual network system and its classification, as a basis for practical application.


Chapter 3 - VPN TUNNELING PROTOCOLS


There are now many solutions to the two problems of data encapsulation and data security in a VPN, all based on tunneling protocols. A tunneling protocol encapsulates data with the corresponding header (and possibly trailer) for transmission across the Internet. The tunneling protocol is the core of a VPN solution. Four tunneling protocols are used in VPNs:
- Layer 2 Forwarding - L2F
- Point to Point Tunneling Protocol - PPTP
- Layer 2 Tunneling Protocol - L2TP
- Internet Protocol Security - IPSec
3.1 Layer 2 Forwarding protocol L2F [4],[6],[12]
The Layer 2 Forwarding protocol L2F was developed independently by Cisco and is based on the PPP (Point-to-Point Protocol). L2F provides a solution for virtual dial-up service by establishing a secure tunnel across public infrastructure such as the Internet. L2F is the earliest of these protocols, the traditional method for remote users to reach a corporate network through a remote access device. L2F encapsulates PPP packets in L2F, tunneling at the data link layer.
3.1.1 L2F packet structure
Field layout of the L2F packet. First header word (16 bits): F (1 bit), K (1 bit), P (1 bit), S (1 bit), Reserved (8 bits), C (1 bit), Version (3 bits). Following fields: Protocol (8 bits), Sequence (8 bits), Multiplex ID, Client ID, Length, Offset, Key, Data, Checksum.
Figure 3.1: L2F packet format
Where: F: the Offset field is present if this bit is set.

K: the Key field is present if this bit is set. P (priority): this packet is a priority packet if this bit is set. S: the Sequence field is present if this bit is set. Reserved: always set to 00000000. Version: the major version of L2F used to create the packet; these 3 bits are always 111. Protocol: identifies the protocol encapsulated in L2F. Sequence: the sequence number, given if bit S=1 in the L2F header. Multiplex ID: identifies an individual connection within a tunnel. Client ID: helps demultiplex tunnels at the endpoints. Length: the length of the packet in bytes, not including the checksum. Offset: the number of bytes after the L2F header at which the payload data begins; this field is present when bit F=1. Key: this field is present if bit K is set; it is part of the authentication process. Checksum: the checksum of the packet; the checksum field is present if bit C=1.
3.1.2 Advantages and disadvantages of L2F
* Advantages:
- Allows multiprotocol tunnels to be established.
- Offered by many vendors.
* Disadvantages:
- No encryption.
- Weak user authentication.
- No flow control for the tunnel.
3.1.3 Implementing L2F
L2F encapsulates layer-2 packets, in this case PPP, for transport across a network. L2F uses the following devices:
NAS: directs traffic to and from the remote client and the home gateway. The ERX system acts as the NAS.

Tunnel: defines the path between the NAS and the home gateway. One tunnel consists of a number of connections. Home gateway: the peer of the NAS. Connection: a PPP connection inside the tunnel; in the CLI, an L2F connection is treated as a session. Destination: the far endpoint of the tunnel; in this case the home gateway is the destination.
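A parser and builder for the L2F packet layout of Section 3.1.1 (Figure 3.1), written to enforce the stated invariants: Reserved must be zero, Version must be 111, Sequence, Offset, Key and Checksum exist only when S, F, K and C are set, and Length excludes the checksum. This is an added example, not code from the thesis or from Cisco; the widths of Multiplex ID, Client ID, Length and Offset (16 bits), Key (32 bits) and Checksum (16 bits) and the PPP protocol value 0x02 follow RFC 2341, and the ones'-complement checksum is an assumption made for illustration, since the text only says the field is "the checksum of the packet".

```python
import struct
from dataclasses import dataclass
from typing import Optional

L2F_VERSION = 0b111        # Section 3.1.1: "these 3 bits are always 111"
L2F_PROTO_PPP = 0x02       # Protocol value for PPP in RFC 2341


@dataclass
class L2FPacket:
    priority: bool                # P bit
    version: int                  # 3-bit Version
    protocol: int                 # protocol encapsulated in L2F
    sequence: Optional[int]       # present only when S = 1
    multiplex_id: int             # one connection inside a tunnel
    client_id: int                # demultiplexes tunnels at the endpoints
    length: int                   # bytes, excluding the checksum
    offset: Optional[int]         # present only when F = 1
    key: Optional[int]            # present only when K = 1
    payload: bytes
    checksum: Optional[int]       # present only when C = 1
    checksum_ok: Optional[bool]   # None when no checksum is carried


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement checksum (assumed algorithm, see lead-in)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_l2f(packet: bytes) -> L2FPacket:
    """Decode one L2F packet, enforcing the invariants stated in Section 3.1.1."""
    if len(packet) < 9:
        raise ValueError("packet shorter than the minimum L2F header")
    flags = struct.unpack("!H", packet[:2])[0]
    f_bit, k_bit = bool(flags & 0x8000), bool(flags & 0x4000)
    p_bit, s_bit = bool(flags & 0x2000), bool(flags & 0x1000)
    reserved, c_bit, version = (flags >> 4) & 0xFF, bool(flags & 0x0008), flags & 0x0007
    if reserved != 0:
        raise ValueError("Reserved bits must be 00000000")
    if version != L2F_VERSION:
        raise ValueError("unsupported L2F version %d" % version)

    pos = 2
    protocol = packet[pos]
    pos += 1
    sequence = None
    if s_bit:                      # Sequence byte exists only when S = 1
        sequence = packet[pos]
        pos += 1
    multiplex_id, client_id, length = struct.unpack("!HHH", packet[pos:pos + 6])
    pos += 6
    offset = None
    if f_bit:                      # Offset exists only when F = 1
        offset = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
    key = None
    if k_bit:                      # Key exists only when K = 1
        key = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4

    # Length counts every byte except the trailing checksum.
    body_end = len(packet) - (2 if c_bit else 0)
    if length != body_end:
        raise ValueError("Length %d does not match packet size %d" % (length, body_end))
    # Offset: bytes between the end of the header and the start of the payload.
    payload = packet[pos + (offset or 0):body_end]

    checksum = checksum_ok = None
    if c_bit:
        checksum = struct.unpack("!H", packet[body_end:])[0]
        checksum_ok = ones_complement_sum(packet[:body_end]) == checksum
    return L2FPacket(p_bit, version, protocol, sequence, multiplex_id, client_id,
                     length, offset, key, payload, checksum, checksum_ok)


def build_l2f(protocol: int, multiplex_id: int, client_id: int, payload: bytes,
              sequence: Optional[int] = None, key: Optional[int] = None,
              priority: bool = False, with_checksum: bool = True) -> bytes:
    """Inverse of parse_l2f (without Offset padding), used to build the sample below."""
    flags = L2F_VERSION
    flags |= 0x4000 if key is not None else 0
    flags |= 0x2000 if priority else 0
    flags |= 0x1000 if sequence is not None else 0
    flags |= 0x0008 if with_checksum else 0
    body = struct.pack("!HB", flags, protocol)
    if sequence is not None:
        body += bytes([sequence])
    len_pos = len(body) + 4        # Length follows Multiplex ID and Client ID
    body += struct.pack("!HHH", multiplex_id, client_id, 0)
    if key is not None:
        body += struct.pack("!I", key)
    body += payload
    body = body[:len_pos] + struct.pack("!H", len(body)) + body[len_pos + 2:]
    if with_checksum:
        body += struct.pack("!H", ones_complement_sum(body))
    return body


# Constructed sample (not a real capture): a PPP LCP fragment carried with S, K and C set.
SAMPLE_PAYLOAD = b"\xc0\x21\x01\x01\x00\x04"
SAMPLE_PACKET = build_l2f(L2F_PROTO_PPP, multiplex_id=1, client_id=0x2A,
                          payload=SAMPLE_PAYLOAD, sequence=7, key=0xDEADBEEF)
```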

Figure 3.2: Typical L2F model (Remote User, NAS, ISP network, RADIUS Server, Tunnel, Home gateway, private network)
3.1.4 L2F operation
L2F operation comprises connection setup, the tunnel, and the session. Consider an example illustrating L2F operation:
* A remote user dials in to the NAS and initiates a PPP connection to the ISP.
* The NAS and the client exchange LCP (Link Control Protocol) packets.
* The NAS uses a local database keyed on the domain name, or RADIUS authentication, to decide whether the user is requesting the L2F service.
* If the user requests L2F, the process continues: the NAS obtains the address of the home gateway.


* A tunnel is established from the NAS to the home gateway if none exists between them yet. Tunnel establishment includes an authentication phase from the ISP to the home gateway to protect against attacks by third parties.
* A new PPP connection is created inside the tunnel; this in effect extends the PPP session from the remote user to the home gateway. The connection is set up as follows: the home gateway receives the options and all PAP/CHAP authentication information as negotiated by the user's terminal and the NAS. The home gateway either accepts the connection or renegotiates LCP and re-authenticates the user.
* When the NAS receives data traffic from the user, it takes the packet, encapsulates the traffic in an L2F frame and directs it into the tunnel.
* At the home gateway the L2F frame is stripped off and the encapsulated data is forwarded to the corporate network.
3.1.5 L2F management
Once the system has set up destinations, tunnels and sessions, L2F traffic must be controlled and managed as follows:
* Prevent the creation of new destinations, tunnels and sessions.
* Close and reopen all, or selected, destinations, tunnels and sessions.
* Be able to verify the UDP checksum.
* Set the idle timeout for the system and keep the database of incoming tunnels and connections. Changing a destination affects all tunnels and sessions to that destination; changing a tunnel affects all sessions in that tunnel.
3.2 Point-to-Point Tunneling Protocol PPTP [4],[6],[12],[8]
The Point-to-Point Tunneling Protocol PPTP was first put forward by a group of companies called the PPTP Forum. This group consisted of 3 companies: Ascend, Microsoft, ECI Telematics and US Robotics. The basic idea of the protocol is to separate the common and the specific functions of remote access and exploit the existing Internet infrastructure to create a secure connection between the remote user (client) and the private network. The remote user only has to dial the local Internet service provider to create a secure tunnel to their private network.


PPTP is built on the functions of PPP, providing dial-up access that creates a secure tunnel across the Internet to the destination site. PPTP uses the Generic Routing Encapsulation protocol (GRE), redefined to encapsulate and decapsulate PPP packets; this lets PPTP flexibly handle non-IP protocols such as IPX and NetBEUI. Because PPTP is based on PPP, it also uses PAP and CHAP for authentication. PPTP can use PPP to encrypt data, but Microsoft introduced a stronger encryption method, Microsoft Point-to-Point Encryption (MPPE), for use with PPTP. One advantage of PPTP is that it is designed to operate at layer 2 (the data link layer), while IPSec runs at layer 3 of the OSI model. By supporting transmission at layer 2, PPTP can tunnel protocols other than IP, while IPSec can only tunnel IP packets.
3.2.1 PPTP architecture

Figure 3.3: PPTP architecture
a) PPP and PPTP
PPP has become the very widely used dial-up protocol for access to the Internet and TCP/IP networks. Working at the data link layer of the OSI model, PPP includes methods for encapsulating and decapsulating different kinds of data packets for serial transmission. In particular, PPP defines two protocol suites: the Link Control Protocol (LCP) for establishing, configuring and testing the connection, and the Network Control Protocol (NCP) for establishing and configuring the various network-layer protocols.


PPP can encapsulate IP, IPX and NetBEUI packets and carry them over a point-to-point connection from sender to receiver. Before data can be transferred, each PPP peer must send LCP packets to check the configuration and test the data link. When a PPP connection is established, the user is usually authenticated. This is an optional phase in PPP, but ISPs always provide it. Authentication is performed with PAP or CHAP. With PAP the password is sent over the connection in plain text, with no protection against trial-and-error attacks. CHAP is a stronger authentication method that uses a three-way handshake. CHAP guards against replay attacks by using unique and unpredictable challenge values. CHAP issues challenge values during and after connection setup; repeating the challenges limits the time during which an attack can take place. PPTP is designed on top of PPP to create a dial-up connection between the client and the network access server. PPTP uses PPP to perform the following functions:
- Establish and terminate the physical connection.
- Authenticate the user.
- Create PPP data packets.
Once PPP has established the connection, PPTP uses PPP's encapsulation rules to encapsulate the packets carried in the tunnel. To exploit the advantages of the connection created by PPP, PPTP defines two kinds of packet, control packets and data packets, and assigns them to two separate channels, the control channel and the data channel. PPTP then separates the control channel and the data channel into a control stream over TCP and a data stream over IP. A TCP connection created between the PPTP client and the PPTP server is used to carry control messages. The data packets are the user's ordinary data. Control packets are sent periodically to obtain connection state information and to manage signalling between the PPTP client and the PPTP server. Control packets are also used to send device management and configuration information between the two ends of the tunnel. The control channel is required for establishing a tunnel between the PPTP client and the PPTP server. The client software may reside on the remote user's machine or at the ISP's server.

Figure 3.4: Protocols used in a PPTP connection (diagram labels: VPN virtual private network, protected private network, client, computer, Internet, ISP remote access, server; packet layout: media delivery header, IP header, GRE header, PPP payload, data packet (IP, IPX, NetBEUI), media frame header, Ethernet frame)

Once the tunnel is established, user data is transmitted between the client and the PPTP server. PPTP packets contain IP datagrams. The datagrams are encapsulated with a GRE header, which uses a host ID for access control and an ACK field for monitoring the rate at which data is transmitted in the tunnel. Because PPTP operates at the data link layer, the packet must also carry a media header so the receiver knows over which kind of link the tunneled packet travels: Ethernet, Frame Relay or a PPP connection.

Figure 3.5: PPTP/GRE packet encapsulation (layers: media, IP, GRE, PPP, PPP payload)

PPTP also has a rate control mechanism that limits the amount of data sent. This mechanism minimises the data that has to be retransmitted because of packet loss.

b) PPTP packet structure

* Encapsulating PPTP tunnel data

PPTP tunnel data is encapsulated at several levels: encapsulation of the PPP frame, encapsulation of the GRE packets, and encapsulation at the data link layer. The structure of the encapsulated packet is shown below.


Figure 3.6: Packet structure in a PPTP tunnel (layout: data link header | IP header | GRE header | PPP header | encrypted PPP payload (IP, IPX, NetBEUI) | data link trailer)

+ PPP frame encapsulation

The original PPP payload is encrypted and encapsulated with a PPP header to form the PPP frame. The PPP frame is then encapsulated with the header of a modified version of the GRE protocol. For PPTP, the GRE header is modified in the following ways:
- An acknowledgement bit is used to indicate the presence of the 32-bit acknowledgement field.
- The Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID field is set by the PPTP client when the PPTP tunnel is created.
- A 32-bit acknowledgement field is added.

GRE is a protocol that provides a general mechanism for encapsulating data to be sent over an IP network.

+ GRE packet encapsulation

Next, the encrypted PPP payload and the GRE header are encapsulated with an IP header containing the source and destination addresses of the PPTP client and the PPTP server.

+ Data link layer encapsulation

Because the PPTP tunnel operates at layer 2 of the OSI model, the data link layer, the IP datagram is then encapsulated with a data link layer header and trailer. For example, if the IP datagram is sent over an Ethernet interface it is encapsulated with an Ethernet header and trailer; if it is sent over a point-to-point WAN link it is encapsulated with a PPP header and trailer.

* Processing PPTP tunnel data

On receiving PPTP tunnel data, the PPTP client or PPTP server performs the following steps:
- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Process and remove the GRE header and the PPP header.
- Decrypt and/or decompress the PPP payload if necessary.
- Process the payload for delivery or forwarding.
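The modified GRE header that the encapsulation and processing steps above describe, as an added Python example (not code from the thesis): it builds and parses the PPTP variant of GRE, with Payload Length and Call ID in place of the Key field and the optional sequence and acknowledgement numbers, and rejects packets whose Payload Length does not match the bytes present. The Call ID, payload bytes and sequence numbers used are constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Protocol type carried in the GRE header for PPTP-tunnelled PPP frames.
PPTP_GRE_PROTOCOL = 0x880B

# Bit masks for the first two header bytes:
#   byte 0: C R K S s Recur(3)     byte 1: A Flags(4) Ver(3)
FLAG_C, FLAG_R, FLAG_K, FLAG_S, FLAG_s = 0x80, 0x40, 0x20, 0x10, 0x08
RECUR_MASK = 0x07
FLAG_A = 0x80
FLAGS_MASK = 0x78
VER_MASK = 0x07


@dataclass
class PptpGreHeader:
    call_id: int
    payload_length: int
    sequence: Optional[int]   # present only when the S bit is set
    ack: Optional[int]        # present only when the A bit is set
    header_len: int           # 8, 12 or 16 bytes


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Encapsulate a PPP frame in the PPTP-modified GRE header."""
    if not 0 <= call_id <= 0xFFFF or len(payload) > 0xFFFF:
        raise ValueError("call_id and payload length must fit in 16 bits")
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)   # Key present, sequence optional
    b1 = 1 | (FLAG_A if ack is not None else 0)         # version 1, acknowledgement optional
    # The Key field is split into Payload Length (high word) and Call ID (low word).
    hdr = struct.pack("!BBHHH", b0, b1, PPTP_GRE_PROTOCOL, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(data: bytes) -> Tuple[PptpGreHeader, bytes]:
    """Validate a PPTP GRE packet and return (header, PPP payload)."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", data[:8])
    # PPTP fixes C=R=s=0, Recur=0, K=1, Flags=0, Ver=1 and protocol 0x880B.
    if b0 & (FLAG_C | FLAG_R | FLAG_s | RECUR_MASK):
        raise ValueError("reserved GRE flag set")
    if not (b0 & FLAG_K):
        raise ValueError("Key (Payload Length / Call ID) field must be present")
    if (b1 & VER_MASK) != 1 or (b1 & FLAGS_MASK):
        raise ValueError("not enhanced GRE version 1")
    if proto != PPTP_GRE_PROTOCOL:
        raise ValueError(f"unexpected protocol type 0x{proto:04x}")
    offset = 8
    seq = ack = None
    if b0 & FLAG_S:
        if len(data) < offset + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    if b1 & FLAG_A:
        if len(data) < offset + 4:
            raise ValueError("truncated acknowledgement number")
        (ack,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    payload = data[offset:]
    # Payload Length must describe exactly the bytes after the header; a mismatch
    # means truncation or trailing garbage rather than a valid PPP frame.
    if len(payload) != plen:
        raise ValueError(f"payload length field {plen} != {len(payload)} bytes present")
    return PptpGreHeader(call_id, plen, seq, ack, offset), payload


if __name__ == "__main__":
    # Constructed PPP frame: protocol 0x0021 (IP) followed by the start of an IPv4 header.
    ppp = b"\x00\x21\x45\x00"
    pkt = build_pptp_gre(0x1234, ppp, seq=7, ack=6)
    print(pkt.hex())
    print(parse_pptp_gre(pkt))
```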

* PPTP encapsulation diagram

Figure 3.7: PPTP encapsulation diagram (protocol stack labels: IP, IPX, NetBEUI; NDIS, NDISWAN; PPTP, L2TP; Async, X.25, ISDN; packet layout: data link header | IP header | GRE header | PPP header | encrypted PPP payload (IP, IPX, NetBEUI) | data link trailer)

c) Tunnels

PPTP lets the user and the ISP create several kinds of tunnel. The user can place the tunnel endpoint on their own computer if PPTP is installed there, or at the ISP's server (the ISP's machine must support PPTP). There are two classes of tunnel: voluntary tunnels and compulsory tunnels.

A voluntary tunnel is created at the user's request. With a voluntary tunnel the user can open a secure tunnel across the Internet and at the same time reach a host on the Internet with ordinary TCP/IP. Voluntary tunnels are usually used to provide privacy and data integrity for intranet traffic sent across the Internet.

A compulsory tunnel is created without the user's involvement, so it is transparent to the user. The endpoint of a compulsory tunnel is at the remote access server; all data sent by the user through the PPTP tunnel passes through the RAS. Because a compulsory tunnel has a predetermined endpoint and the user cannot reach the rest of the Internet, it gives better access control than a voluntary tunnel. If for security reasons users must be kept off the public Internet, a compulsory tunnel denies them public Internet access while still letting them reach the VPN across the Internet (that is, only the sites inside the VPN are reachable). A further advantage of compulsory tunnels is that one tunnel can carry several connections, which lowers the bandwidth requirement for multi-session applications. A drawback of compulsory tunnels is that the connection from the RAS to the user lies outside the tunnel and is therefore easier to attack.
Figure 3.8: Compulsory tunnel and voluntary tunnel (diagram labels: private network, client, computer, Internet, server, voluntary tunnel, compulsory tunnel server, protected private network)

Using RADIUS to provide compulsory tunnels has some advantages: tunnels can be defined and checked on the basis of user authentication and of accounting by telephone number, or of other authentication methods such as tokens or smart cards.

d) Remote Authentication Dial-In User Service (RADIUS)

RADIUS (Remote Authentication Dial-In User Service) uses a client/server model to securely authenticate and administer users' remote network connections during their sessions. RADIUS client/server operation uses a network access server (NAS) to manage user connections. Besides its network access function, the NAS also performs some RADIUS client functions. The NAS collects the user's identity and password information and forwards it to the RADIUS server. The RADIUS server replies with an authentication status of accept or reject, together with the configuration data the NAS needs to provide service to the user. RADIUS creates a centralised database of users, the available service types and a pool of modems of various kinds. In RADIUS, user information is stored on the RADIUS server. RADIUS supports proxy servers, which hold user information for authentication, authorisation and accounting purposes but do not allow user data to be modified. The proxy server periodically refreshes its user database from the RADIUS server.

For RADIUS to control the establishment of a tunnel it must store the tunnel attributes. These attributes include the tunnel protocol in use (PPTP or L2TP), the server address and the transmission medium used inside the tunnel. When tunnels are combined with RADIUS there are at least three options for authentication and authorisation:
- Authenticate and obtain authorisation once, at the RAS located at the end of the tunnel.
- Authenticate and obtain authorisation once at the RAS at the end of the tunnel, and attempt to forward the RADIUS response to the far end of the tunnel.
- Authenticate at both ends of the tunnel.

The first option is the least trustworthy, because it leaves the ISP alone in control of the network access process. The second option is moderately trustworthy; it depends on how RADIUS answers the authentication request. The third option is highly trustworthy and works well when a RADIUS proxy server is used.

e) Authentication and encryption

PPTP clients are authenticated much as RAS clients are authenticated by a PPP server. Microsoft supports CHAP, PAP and MS-CHAP authentication. MS-CHAP uses the MD4 hash function to create the challenge token from the user's password. PAP and CHAP share the weakness that both rely on a password stored at the remote machine and at the local machine. If the computer is taken over by an attacker from the network, the password will be changed. With PAP and CHAP it is not possible to assign different network access privileges to different users of the same remote computer, because once authorisation is granted to a computer, every user of that computer has the same network access privileges.

With PPTP, data is encrypted with Microsoft Point-to-Point Encryption (MPPE). This method is based on the RSA RC4 standard; the Compression Control Protocol (CCP) used by PPP is used to negotiate the encryption. MS-CHAP is used to validate the end user against a Windows NT domain.
Figure 3.9: Packet encryption in PPTP (diagram labels: protected private network, computer, Internet, server, network access server, client, LAN; packet layers PPP / GRE / PPP / IP, IPX, NetBEUI / data)

f) LAN-to-LAN tunnels

The original PPTP protocol concentrated on dial-up access to a private network across the Internet; LAN-to-LAN tunnels were not supported. Only when Microsoft introduced the Routing and Remote Access Server for NT Server 4.0 were LAN-to-LAN tunnels supported. Since then other vendors have also shipped PPTP-compatible servers that support LAN-to-LAN tunnels. A LAN-to-LAN tunnel runs between two PPTP servers, much as IPSec uses two security gateways to connect two LANs. However, because the PPTP architecture has no key management system, authorisation and authentication are controlled by CHAP or through MS-CHAP. To create a tunnel between two sites, the PPTP server at each site is authenticated by the PPTP server at the other site. Each PPTP server thereby becomes a PPTP client of the server at the far end, and vice versa, so a voluntary tunnel is created between the two sites.

Figure 3.10: LAN-to-LAN tunnel (diagram labels: protected private network, computer, Internet, PPTP server, LAN)

Because a PPTP tunnel can encapsulate any supported network protocol (IP, IPX, NetBEUI), users at one site can reach resources at the other site according to their access rights. This means the sites must be administered so that users at one site have the rights needed to access the other. In Windows NT each site has its own security domain, and the sites must establish a trust relationship between the domains to let users access the resources of both sites.

3.2.2 Using PPTP

In general a PPTP VPN requires: a network access server for secure dial-up access to the VPN, a PPTP server, and PPTP clients.
Figure 3.11: Basic components of a VPN using PPTP (diagram labels: PPTP client, client-to-LAN connection, NAS, computer, Internet, PPTP network server, LAN-to-LAN connection, PPTP network access concentrator, protected private network)

The PPTP servers can sit in the company's network and be managed by the company's own staff, but the NAS must be provided by the ISP.

a) The PPTP server

The PPTP server performs two main functions: it acts as the endpoint of the PPTP tunnel, and it forwards packets arriving from the tunnel to the private LAN. The PPTP server forwards packets to the destination host by processing the PPTP packet to obtain the destination computer's network address. The PPTP server can also filter packets using PPTP packet filtering. PPTP filtering can let the server block traffic, or permit access only to the Internet, only to the private network, or to both.

Placing a PPTP server at a network site introduces a constraint if the server sits behind a firewall. PPTP is designed so that only one TCP/IP port (1723) is used to carry data. A flaw in the configuration of this port can make the firewall more vulnerable to attack. If the firewall is configured for packet filtering, it must be set to let GRE pass through.

Another device, introduced in 1998 by 3Com, performs a function similar to a PPTP server and is called a tunnel switch. The purpose of a tunnel switch is to extend a tunnel from one network to another, stretching the tunnel from the ISP's network to the private network. A tunnel switch can be used at the firewall to improve management of remote access to internal network resources; it can inspect incoming and outgoing packets, the protocol of the PPP frames or the name of the remote user.

b) PPTP client software

If the ISP's equipment supports PPTP, no extra hardware or software is needed on the clients; a standard PPP connection is enough. If the ISP's equipment does not support PPTP, a Windows NT client (or similar software) can still create a secure connection as follows: first dial the ISP with PPP, then dial a second time through the virtual PPTP port configured on the client. A PPTP client is included in Windows NT, Windows 9x and later operating systems. When choosing a PPTP client its features must be compared with those of the existing PPTP server. Not all PPTP client software supports MS-CHAP, and without it the encryption available in RRAS cannot be used.

c) The network access server (NAS)

The network access server (NAS) is also known as the remote access server (Remote Access Services) or access concentrator. The NAS provides software-based line access and supports accounting and fault tolerance at the ISP's POP. An ISP's NAS is designed to let a large number of users dial in at the same time.

If an ISP offers a PPTP service it must install a PPTP-capable NAS that supports clients running on different platforms such as Unix, Windows and Macintosh. In this case the ISP's server acts as a PPTP client connecting to the PPTP server on the private network, so the ISP's server becomes one end of the tunnel and the server at the edge of the private network is the other.

3.2.3 Practical applicability of PPTP

PPTP is an interim solution, since most vendors plan to replace it with L2TP once that protocol is standardised. PPTP suits dial-up access for a limited number of users better than LAN-to-LAN VPNs. One problem with PPTP is that user authorisation is handled through Windows NT or through RADIUS. A PPTP server is also overloaded by a large number of dial-up users or by a large volume of traffic, which is exactly what a LAN-to-LAN connection requires. When a PPTP VPN relies on the ISP's equipment, some administrative control has to be shared with the ISP. PPTP's security is not as strong as IPSec's; on the other hand, security management in PPTP is simpler.

3.3 Layer 2 Tunneling Protocol, L2TP [4],[6],[12]

The Layer 2 Tunneling Protocol (L2TP) combines two protocols, PPTP and L2F (Layer 2 Forwarding). PPTP was put forward by Microsoft and L2F was initiated by Cisco. The two companies cooperated to merge the two protocols and submitted the result for standardisation at the IETF. Like PPTP, L2TP is a tunnelling protocol; it uses its own encapsulation header for carrying layer 2 packets. A key difference between L2F and PPTP is that L2F does not depend on IP and GRE, which lets it work over other physical media. Because GRE is not used as the encapsulation protocol, L2F defines its own way of handling packets in other environments. It also supports TACACS+ and RADIUS for authentication. There are two levels of user authentication: first at the ISP, before the tunnel is set up, and then at the private network's gateway, after the connection is established.

L2TP carries the characteristics of both PPTP and L2F. However, L2TP defines its own tunnelling protocol based on the operation of L2F. This lets L2TP communicate over many packet media such as X.25, Frame Relay and ATM. Although much of the L2TP tooling concentrates on UDP over IP networks, an L2TP system can be set up without using IP as the tunnel protocol; an ATM or Frame Relay network can also be used for L2TP tunnels.

Because L2TP is a layer 2 protocol it gives users flexibility in the network protocols they use: not only IP but also IPX or NetBEUI. Like PPTP, L2TP also supports PAP, CHAP and RADIUS authentication. Although Microsoft made PPTP the popular choice for building VPNs by shipping it with the Windows operating system, the company also planned to add L2TP support to Windows NT 4.0 and Windows 98.

3.3.1 Format of L2TP

The functional components of L2TP are: the point-to-point protocol, the tunnel, and the authentication and encryption system. L2TP can use key management to add security. The L2TP architecture is shown in the figure.

Figure 3.12: Architecture of L2TP (diagram labels: PPP, L2TP, ESP protocol, AH protocol, encryption algorithm, authentication algorithm, DOI, key management)

a) PPP and L2TP

L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS). L2TP uses PPP to create the physical connection, carry out the initial authentication phase, create the PPP data packets and close the connection at the end of the session. After PPP has set up the connection, L2TP determines whether the NAS at the main site accepts the user and is ready to act as the tunnel endpoint for that user. Once the tunnel is established, L2TP encapsulates the PPP packets and transmits them over the medium that the ISP has assigned to the tunnel. L2TP can create several tunnels between the ISP's NAS and the network server and assign several sessions to each tunnel. L2TP creates a call identifier (Call ID) for each session and inserts it in the L2TP header of every packet to indicate which session the packet belongs to.

One user session can be chosen and assigned to a tunnel of its own instead of multiplexing several sessions into one tunnel; this allows different users to be assigned to different tunnel media according to the quality of service required.

Figure 3.13: Protocols used in an L2TP connection (diagram labels: VPN virtual private network, protected private network, client, computer, Internet, ISP remote access, server; packet layout: media delivery header (IP, ATM, X.25), media frame header, IP header, PPP payload, Ethernet frame, data packet (IP, IPX, NetBEUI))

Like PPTP, L2TP defines two kinds of message: control messages and data messages. Control messages establish, manage and release sessions in the tunnel. Control messages also convey the transmission rate and the buffer parameters used for flow control of the PPP packets in a session. Unlike PPTP, however, L2TP carries both kinds of message in the same UDP datagrams and on the same stream. Because L2TP works at layer 2 of the OSI model, the data link layer, the L2TP data message includes a media header that indicates over which medium the tunnel operates. Depending on the ISP, the medium can be Ethernet, X.25, Frame Relay, ATM or a PPP link.

Figure 3.14: L2TP packet encapsulation (layers: media, L2TP, PPP, PPP payload)

L2TP provides flow control between the NAS (or L2TP Access Concentrator, LAC) and the private network's server (or L2TP Network Server, LNS).

b) L2TP data packet structure

* Encapsulating L2TP tunnel data

L2TP tunnel data passes through several levels of encapsulation. The figure shows the final structure of L2TP tunnel data carried over IPSec.

Figure 3.15: Packet structure in an L2TP tunnel (layout: data link header | IP header | IPSec ESP header | UDP header | L2TP header | PPP header | PPP payload (IP, IPX, NetBEUI) | IPSec ESP trailer | IPSec ESP authentication trailer | data link trailer; the ESP header through the ESP trailer is encrypted, and the ESP header through the ESP trailer is authenticated)

Because the L2TP tunnel operates at layer 2 of the OSI model, the data link layer, the final IP datagram is encapsulated with the header and trailer of the data link technology of the outgoing physical interface. For example, when the IP datagram is sent over an Ethernet interface it is encapsulated with an Ethernet header and trailer. When the IP datagram is sent over a point-to-point WAN link (for example a telephone line or ISDN), it is encapsulated with a PPP header and trailer.

* Processing L2TP tunnel data over IPSec

On receiving L2TP tunnel data carried over IPSec, the L2TP client or L2TP server performs the following steps:
- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Use the IPSec ESP authentication trailer to authenticate the IP payload and the IPSec ESP header.
- Use the IPSec ESP header to decrypt the encrypted part of the packet.
- Process the UDP header and pass the L2TP packet to the L2TP layer.
- L2TP processes the Tunnel ID and Call ID in the L2TP header to identify the specific L2TP tunnel.
- Use the PPP header to identify the PPP payload and forward it to the right protocol for processing.

* L2TP over IPSec encapsulation diagram

The encapsulation of L2TP through the network architecture, from a VPN client over a remote access VPN connection using an analogue modem, is shown in the figure.

Figure 3.16: L2TP encapsulation diagram (protocol stack labels: IPSec; IP, IPX, NetBEUI; NDIS, NDISWAN; PPTP, L2TP; Async, X.25, ISDN; packet layout: data link header | IP header | IPSec ESP header | UDP header | L2TP header | PPP header | PPP payload (IP, IPX, NetBEUI) | IPSec ESP trailer | IPSec ESP authentication trailer | data link trailer; encrypted and authenticated spans as in Figure 3.15)
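The L2TP header steps described above (identify the tunnel and session from the header, then hand the PPP payload to the right protocol), as an added Python example that is not code from the thesis: it builds and parses L2TP version 2 headers, enforcing that control messages carry the Length and Ns/Nr fields, and reads the PPP protocol number from the payload. The field the thesis calls the Call ID is the Session ID of RFC 2661; the tunnel, session and payload values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

L2TP_VERSION = 2
# Flag bits of the first 16-bit word of the L2TP header (RFC 2661 section 3.1).
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
RESERVED_BITS = 0x30F0        # the "x" bits, which must be zero
VER_MASK = 0x000F

# PPP protocol numbers for the payload types the thesis mentions; 0x003F is the
# NetBIOS Frames (NetBEUI) protocol number from RFC 2097.
PPP_PROTOCOL_NAMES = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBIOS Frames"}


@dataclass
class L2tpHeader:
    is_control: bool
    tunnel_id: int
    session_id: int           # the thesis calls this the Call ID
    length: Optional[int]     # present when the L bit is set
    ns: Optional[int]         # Ns/Nr present when the S bit is set
    nr: Optional[int]


def build_l2tp(tunnel_id: int, session_id: int, payload: bytes,
               control: bool = False,
               ns: Optional[int] = None, nr: Optional[int] = None) -> bytes:
    """Prefix payload with an L2TP v2 header for the given tunnel and session."""
    flags = L2TP_VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages must carry Ns and Nr")
        flags |= T_BIT | L_BIT        # control messages always carry Length
    if ns is not None:
        if nr is None:
            raise ValueError("Ns and Nr are present together")
        flags |= S_BIT
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        body += struct.pack("!HH", ns, nr)
    length_field = b""
    if flags & L_BIT:
        # Length covers the whole message: flags, Length, body and payload.
        length_field = struct.pack("!H", 2 + 2 + len(body) + len(payload))
    return struct.pack("!H", flags) + length_field + body + payload


def _field(data: bytes, off: int, fmt: str) -> tuple:
    """Unpack fmt at offset off, refusing to read past the end of the message."""
    size = struct.calcsize(fmt)
    if len(data) < off + size:
        raise ValueError("truncated L2TP header")
    return struct.unpack(fmt, data[off:off + size])


def parse_l2tp(data: bytes) -> Tuple[L2tpHeader, bytes]:
    """Validate an L2TP message and return (header, payload after the header)."""
    (flags,) = _field(data, 0, "!H")
    if (flags & VER_MASK) != L2TP_VERSION:
        raise ValueError("not an L2TP version 2 header")
    if flags & RESERVED_BITS:
        raise ValueError("reserved header bit set")
    is_control = bool(flags & T_BIT)
    if is_control and (not (flags & L_BIT) or not (flags & S_BIT) or flags & (O_BIT | P_BIT)):
        raise ValueError("control messages require L and S and forbid O and P")
    off = 2
    length = ns = nr = None
    if flags & L_BIT:
        (length,) = _field(data, off, "!H")
        off += 2
        if length != len(data):
            raise ValueError(f"Length field {length} != {len(data)} bytes received")
    tunnel_id, session_id = _field(data, off, "!HH")
    off += 4
    if flags & S_BIT:
        ns, nr = _field(data, off, "!HH")
        off += 4
    if flags & O_BIT:
        (offset_size,) = _field(data, off, "!H")
        off += 2 + offset_size        # skip the offset pad
    if off > len(data):
        raise ValueError("offset pad runs past the end of the message")
    return L2tpHeader(is_control, tunnel_id, session_id, length, ns, nr), data[off:]


def ppp_protocol(frame: bytes) -> int:
    """Read the PPP protocol number so the payload can be handed to IP, IPX or NetBEUI."""
    (proto,) = _field(frame, 0, "!H")
    return proto


if __name__ == "__main__":
    ppp = b"\x00\x21\x45\x00"                    # constructed PPP frame carrying IP
    hdr, payload = parse_l2tp(build_l2tp(5, 3, ppp))
    print(hdr, PPP_PROTOCOL_NAMES[ppp_protocol(payload)])
```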

c) L2TP tunnels

L2TP uses the same classes of tunnel as PPTP; whether the tunnel is voluntary or compulsory depends on whether the user is a PPP client or an L2TP client. A voluntary tunnel is created at the user's request for a specific purpose. With a voluntary tunnel the user can open a secure tunnel across the Internet and at the same time reach any host on the Internet with ordinary TCP/IP. The endpoint of a voluntary tunnel is on the user's computer. Voluntary tunnels are usually used to provide privacy and data integrity for intranet traffic sent across the Internet.


Figure 3.17: Voluntary and compulsory tunnels (diagram labels: private network, L2TP client, computer, Internet, L2TP network server, voluntary tunnel (L2TP), compulsory tunnel (L2TP), protected private network)

A compulsory tunnel is created automatically, without any action on the user's part, and gives the user no choice. Because it is created without the user's involvement it is transparent to the end user. A compulsory tunnel has a predetermined endpoint, located at the ISP's LAC, so this type of tunnel gives better access control than a voluntary tunnel. If for security reasons users are not allowed to access the public Internet, a compulsory tunnel still lets them use the Internet to reach the VPN. An advantage of compulsory tunnels is that one tunnel can carry several connections, which reduces the network bandwidth needed by multi-session applications. A drawback of compulsory tunnels is that the connection from the LAC to the user lies outside the tunnel and is therefore easier to attack.

Although the ISP can choose to define tunnels for users statically, this wastes network resources. A more efficient alternative is to set up tunnels dynamically. In L2TP these dynamic tunnels are set up by connecting to a RADIUS server.


For RADIUS to control the establishment of a tunnel it must store the tunnel attributes. These attributes include the tunnel protocol in use (PPTP or L2TP), the server address and the transmission medium used inside the tunnel. Using a RADIUS server to set up compulsory tunnels has several advantages:
- Tunnels can be defined and checked on the basis of user authentication.
- Accounting can be based on the telephone number or on other authentication methods.

d) Authentication and encryption in L2TP

User authentication in L2TP takes place in three phases: phase 1 at the ISP, and phases 2 and 3 (the latter optional) at the private network's server. In the first phase the ISP uses the user's telephone number or user name to determine the L2TP service requested and initiates the tunnel connection to the private network server. Once the tunnel is established, the ISP's LAC assigns a new call identifier (Call ID) to identify the connection within the tunnel and starts the session by forwarding the authentication information to the private network's server, which then carries out the second phase.

In phase 2 the private network's server decides whether to accept or reject the call. The call forwarded from the ISP may carry CHAP, PAP or any other authentication information, and the server uses this information to accept or reject it. If the call is accepted, the server can start the third, optional phase of authentication (at the PPP layer). In this phase the server treats the user as if they had dialled directly into the server. Together the three phases let the user, the ISP and the private network's server confirm the legitimacy of the call, but they do not yet protect the data. For L2TP authentication to be effective, keys must be distributed. Although manual distribution may be workable in some cases, a key management protocol is fundamentally required.

e) LAN-to-LAN tunnels

L2TP was originally intended for dial-up VPN access using PPP clients, but it is also suitable for LAN-to-LAN connections in a VPN.

A LAN-to-LAN tunnel is set up between two L2TP servers, but at least one of the two must have a connection to an ISP to initiate the PPP session. The two servers act as both LAC and LNS and can initiate or tear down the tunnel when needed.

Figure 3.18: LAN-to-LAN tunnel (diagram labels: protected private network, computer, Internet, L2TP server, LAN)

f) Key management

When two parties want to exchange data securely and practically, they must be sure that both sides process the data in the same way. Both must use the same encryption algorithm, the same key length and the same data key. This is handled through the security association (SA).

3.3.2 Using L2TP

Because the main function of L2TP is dial-up VPN access across the Internet, its components are: the network access concentrator, the L2TP server and the L2TP clients. The most important elements of L2TP are those that define the tunnel endpoints, the LAC and the LNS. The LNS can be installed at the company and run by the company's own team, while the LAC is usually provided by the ISP. The basic components of L2TP are shown in the figure.


Figure 3.19: Basic components of L2TP (diagram labels: L2TP client, client-to-LAN connection, computer, Internet, L2TP network server, LAN-to-LAN connection, L2TP network access concentrator, protected private network)

a) The L2TP network server

The L2TP server has two main functions: it acts as the tunnel endpoint, and it forwards packets arriving from the tunnel to the private LAN and back. The server forwards packets to the destination computer by processing the L2TP packet to obtain the destination computer's network address. Unlike a PPTP server, an L2TP server cannot filter packets; in L2TP, packet filtering is done by the firewall. In practice the network server and the firewall are integrated. This integration has some advantages over PPTP: L2TP does not require a single fixed port on the firewall as PPTP does, and the administrator can choose the port assigned on the firewall, which makes it harder for an attacker to target a known port when the port can change. Data and control information travel over the same UDP stream, so the firewall configuration is simpler. And because some firewalls do not support GRE, they are more compatible with L2TP than with PPTP.

b) L2TP client software

If the ISP's equipment supports L2TP, no extra hardware or software is needed on the clients; a standard PPP connection is enough. With that arrangement, however, IPSec encryption cannot be used, so L2TP-compatible clients should be used for an L2TP VPN.

Some characteristics of L2TP client software:
- Compatibility with the other IPSec components: encryption server, key exchange protocol, encryption algorithm, and a clear indication when IPSec is active.
- Support for downloading SAs.
- Hashing that can handle dynamic IP addresses.
- A key protection mechanism (encrypting the key with a password).
- Automatic, periodic change of encryption keys.
- Complete blocking of non-IPSec traffic.

c) Network access concentrators

An ISP offering an L2TP service must install an L2TP-capable NAS to support L2TP clients running on different platforms such as Unix, Windows and Macintosh. ISPs can also offer L2TP services without adding L2TP-capable equipment to their access servers, which requires every user to have an L2TP client on their own machine. This lets users use the services of several ISPs when their network is geographically widespread.

3.3.3 Practical applicability of L2TP

The choice of an L2TP service provider varies with the requirements of the network design. If the VPN design requires end-to-end encryption, L2TP-compatible clients must be installed on the remote hosts and the ISP must agree to handle encryption from the remote machine all the way to the VPN server. If the network is built with a lower security level, higher fault tolerance, and data only needs protection while it travels in the tunnel across the Internet, then the ISP can be asked to provide the LAC and to encrypt data only on the segment from the LAC to the private network's LNS.

L2TP is a new generation of dial-up access protocol for VPNs. It combines the best features of PPTP and L2F. Most vendors of PPTP products have released L2TP-compatible products or will introduce them later. Although L2TP runs mainly over IP networks, its ability to run over other networks such as Frame Relay and ATM makes it popular. L2TP supports a large number of remote clients connecting to the VPN, or high-capacity LAN-to-LAN connections. L2TP has a flow control mechanism that reduces congestion in the L2TP tunnel.

L2TP allows several tunnels to be set up between the same LAC and LNS. Each tunnel can be assigned to a particular user or group of users, and assigned to different media according to the user's quality of service (QoS) attributes.

3.4 The IP security protocol, IPSec [4],[6],[12]

The original TCP/IP protocols include no inherent security features. In the early days of the Internet, when its users belonged to universities and research institutes, data security was not as important as it is now that the Internet has become widespread, commercial applications are everywhere on it, and its user population is far broader and includes hackers. To provide security in IP at the packet level, the IETF introduced the IPSec protocol family. The first IPSec protocols, used for authenticating and encrypting IP packets, were standardised as RFCs 1825 to 1829 in 1995. They describe the basic IPSec architecture, including two kinds of header used in the IP packet, the IP packet being the basic data unit of an IP network. IPSec defines two headers for IP packets to control authentication and encryption: the IP Authentication Header (AH), which controls authentication, and the Encapsulating Security Payload (ESP), used for encryption.

IPSec is not a single protocol. It is a framework of open standard protocol suites that lets network administrators choose the algorithms, keys and authentication methods used to provide data authentication, data integrity and data confidentiality. IPSec is the choice for overall VPN security and the best option for corporate networks. It gives applications reliable communication over public IP networks. IPSec creates secure tunnels across the Internet for carrying data flows; each secure tunnel is a pair of security associations protecting the data flow between two hosts. IPSec was developed for the next IP protocol family, IPv6, but because IPv6 deployment was slow and IP packets needed protection, IPSec was adapted to IPv4. IPSec support is optional in IPv4 but built into IPv6.

3.4.1 The IPSec protocol framework

IPSec is a framework of open standards developed by the IETF.


Figure 3.20: Protocol framework used in IPSec

Some of the main protocols recommended when working with IPSec:
- IP security protocol (IPSec)
  + AH (Authentication Header)
  + ESP (Encapsulating Security Payload)
- Message encryption
  + DES (Data Encryption Standard)
  + 3DES (Triple DES)
- Message integrity functions
  + HMAC (Hash-based Message Authentication Code)
  + MD5 (Message Digest 5)
  + SHA-1 (Secure Hash Algorithm 1)
- Peer authentication
  + Rivest, Shamir and Adleman (RSA) digital signatures
  + RSA encrypted nonces
- Key management
  + DH (Diffie-Hellman)
  + CA (Certificate Authority)
- Security association
  + IKE (Internet Key Exchange)
  + ISAKMP (Internet Security Association and Key Management Protocol)

IPSec is a set of open standards that work together to provide confidentiality, data integrity and authentication between peers. The peers can be pairs of hosts, pairs of security gateways (routers, firewalls, VPN concentrators and so on), or a host and a security gateway, as in a remote access VPN. The two main IPSec protocols are AH (Authentication Header) and ESP (Encapsulating Security Payload).
- AH provides authentication and data integrity checking for IP packets transmitted between two systems. It is a means of verifying that the data was not altered in transit. Because AH provides no data encryption, all data is transmitted in clear text.
- ESP is a security protocol that provides data encryption, data origin authentication and data integrity checking. ESP ensures the confidentiality of information through encryption at the IP layer. All ESP traffic is encrypted between the two systems.

a) The AH protocol

AH format

Figure 3.21: AH packet format (32-bit rows)

    8 bits          8 bits             16 bits
    Next Header  |  Payload Length  |  Reserved
    Security Parameters Index (SPI)                (32 bits)
    Sequence Number                                (32 bits)
    Authentication Data                            (variable)

+ Next header (8 bits): identifies the type of the payload that follows the AH. Its value is taken from the set of IP protocol numbers defined by IANA (TCP = 6; UDP = 17).
+ Payload length (8 bits): specifies the length of the AH in 32-bit (4-byte) units.

+ Reserved (16 bits): reserved for future use. Its value is set to 0 and it is included in the computation of the Authentication Data.
+ Security Parameter Index (SPI): the SPI is an arbitrary 32-bit number which, together with the destination IP address and the security protocol, uniquely identifies the SA for this packet. SPI values 1 to 255 are reserved for future use. The SPI is usually chosen by the receiver when the SA is set up. The SPI is a mandatory field. The SPI value 0 is for local use only; it can be used to indicate that no SA exists yet.
+ Sequence number (SN): an unsigned 32-bit field containing a monotonically increasing counter value. The SN is mandatory even if the receiver does not perform the anti-replay service for a given SA. Handling of the SN is up to the receiver: the sender must always transmit the field, but the receiver need not process it.

The sender's and receiver's counters are both initialised to 0 when an SA is established (the first packet sent using the SA has SN = 1). If the anti-replay service is selected, the transmitted number must not be allowed to cycle: a new SA (and therefore a new key) must be established before the 2^32nd packet of an SA is sent.

+ Authentication Data: a variable-length field containing the Integrity Check Value (ICV) for the packet. The field's length is an integral multiple of 32 bits (4 bytes). It may contain explicit padding to make the AH header an integral multiple of 32 bits (for IPv4) or 64 bits (for IPv6).

b) The ESP protocol

ESP format


Figure 3.22: ESP packet format

Where:
+ Security Parameter Index (SPI): the SPI is an arbitrary 32-bit number which, together with the destination IP address and the ESP security protocol, uniquely identifies the SA for this packet. SPI values 1 to 255 are reserved for future use. The SPI is usually chosen by the receiver when the SA is set up. The SPI is a mandatory field. The SPI value 0 is for local use only; it can be used to indicate that no SA exists yet.
+ Sequence number (SN): an unsigned 32-bit field containing a monotonically increasing counter value. The SN is mandatory even if the receiver does not perform the anti-replay service for a given SA. Handling of the SN is up to the receiver: the sender must always transmit the field, but the receiver need not process it.

The sender's and receiver's counters are both initialised to 0 when an SA is established (the first packet sent using the SA has SN = 1). If the anti-replay service is selected, the transmitted number must not be allowed to cycle: a new SA (and therefore a new key) must be established before the 2^32nd packet of an SA is sent.
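The Sequence Number handling described for both AH and ESP above, as an added Python example that is not code from the thesis: the sender counter starts at 0, hands out SN 1 first and refuses to wrap, and the receiver keeps a sliding window in the style of RFC 4303 Appendix A that rejects SN 0, replays and packets older than the window. The window size and the sequence of packets fed in are constructed; a real receiver updates the window only after the packet's ICV has verified.

```python
SN_MAX = 2**32 - 1      # the 32-bit Sequence Number field of AH and ESP


class SenderCounter:
    """Sender side: the counter is initialised to 0 and the first packet sent
    on the SA carries SN 1. The SA (and its key) must be replaced before the
    counter would cycle, so the last usable value is 2^32 - 1."""

    def __init__(self) -> None:
        self.counter = 0

    def next_sn(self) -> int:
        if self.counter >= SN_MAX:
            raise RuntimeError("sequence number space exhausted: negotiate a new SA")
        self.counter += 1
        return self.counter


class AntiReplayWindow:
    """Receiver side anti-replay window (RFC 4303 Appendix A style).

    highest is the largest SN accepted so far; bit i of bitmap is set when
    SN (highest - i) has already been received. A packet is accepted only if
    it is new and not older than the window. This check assumes the packet has
    already passed integrity verification (constructed demo assumption)."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("the window must hold at least 32 packets")
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, sn: int) -> bool:
        if sn == 0 or sn > SN_MAX:
            return False                  # SN 0 is never transmitted on an SA
        if sn > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = sn - self.highest
            if shift >= self.size:
                self.bitmap = 1           # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = sn
            return True
        diff = self.highest - sn
        if diff >= self.size:
            return False                  # older than the window: cannot vouch for it
        if (self.bitmap >> diff) & 1:
            return False                  # already received: replay
        self.bitmap |= 1 << diff
        return True


def replay_filter(window: AntiReplayWindow, sns) -> list:
    """Run a sequence of received SNs through the window and report each verdict."""
    return [(sn, window.accept(sn)) for sn in sns]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a replay, a jump, late arrivals.
    print(replay_filter(AntiReplayWindow(64), [1, 2, 3, 2, 100, 3, 50, 50]))
```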

+ Payload Data

Nhm SV: Trn Ngc H o Duy m Nguyn Th Thu Trang

Trng ny c di bin i cha d liu m t trong Next header. Payload Data l trng bt buc v c di bng s nguyn ln Byte. + Padding Nu thut ton mt m c s dng yu cu bn r (cleartext hay plaintext) phi l s nguyn ln khi cc Byte (trong mt m khi) th Padding field c s dng dng vo Plaintext c kch thc yu cu. Padding cn thit m bo phn d liu mt m s kt thc bin gii 4 Byte phn bit r dng vi trng Authentication Data. Ngoi ra padding cn c th c s dng che du di thc ca Payload, tuy nhin mc dch ny phi c cn nhc v n nh hng ti bng tn truyn dn. Bn gi c th dng 0255 Padding Byte. + Pad length Trng ny xc nh s padding Byte dng vo. Cc gi tr hp l l 0255. Pad length l trng bt buc. + Next header (8bit) L mt trng bt buc. Next header xc nh kiu d liu cha trong Payload Data. Gi tr ca trng ny c la chn t tp ccgi tr IP Protocol Numbers nh ngha bi IANA.. + Authentication Data Trng c di bin i cha mt gi tr kim tra tnh ton vn ICV (Integrity Check Value) tnh trn d liu ca ton b gi ESP tr trng Authentication Data. di ca trng ph thuc vo hm xc thc c la chn. trng ny l tu chn v ch c dng vo nu dch v Authentication c la chn cho SA ang xt. Thut ton xc thc phi ch ra di ca ICV v cc bc x l cng nh cc lut so snh cn thc hin kim tra tnh ton vn ca gi tin. c) Hot ng ca AH v ESP trong cc ch (mode) AH v ESP u c th c s dng cho cc gi tin IP theo hai cch khc nhau tng ng vi hai mode: Transport mode v Tunnel mode. + Transport mode: c s dng ph bin cho nhng kt ni gia cc host hay gia cc thit b c chc nng nh nhng host. V d, mt cng ni IPSec ( c th l b nh tuyn phn mm IOS, FIX Firewall, hay b tp trung VPN 3000 ca Cisco) c th
Nhm SV: Trn Ngc H o Duy m Nguyn Th Thu Trang

xem nh l mt host khi c truy nhp bi mt nh qun l cu hnh hay nhng hot ng iu khin khc. Transport mode cho php bo v phn ti tin ca gi d liu, cung cp c ch bo mt cho cc giao thc lp trn, nhng khng bo v IP header v phn IP header lun dng clear. Trong Transport mode, AH c chn vo sau tiu IP v trc cc giao thc lp trn (TCP, UDP) hoc bt k tiu IPSec c chn vo trc . + Tunnel mode: c s dng gia cc cng ni nh cc b nh tuyn, nhng FIX Firewwall, nhng b tp trung. Tunnel mode cng c s dng ph bin khi mt host kt ni ti mt trong nhng cng ni gia tng truy nhp ti cc mng c iu khin bi cng ni , nh trong trng hp nhng ngi dng t xa quay s truy cp ti mt b nh tuyn hay b tp trung.
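The ESP framing just described, as an added example that is not part of the thesis: it builds a packet with the SPI, SN, payload, padding to a block and 4-byte boundary, Pad Length, Next Header and a 96-bit ICV, parses it back, and applies the receiver-side anti-replay window. Encryption is left out so the layout stays visible; the key and payload are constructed values.

```python
"""Added example: ESP packet framing, ICV check and anti-replay window."""
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96: 160-bit hash truncated to 96 bits
BLOCK = 8      # block size of the (assumed) block cipher the SA would use


def build_esp(spi, seq, payload, next_header, auth_key):
    """Encode SPI | SN | payload | padding | pad length | next header | ICV.

    The ICV is computed over everything before the Authentication Data
    field, as the text specifies. Real ESP would encrypt the span from
    payload to next header; that step is omitted here on purpose."""
    if not 0 < seq < 2 ** 32:
        raise ValueError("sequence number exhausted; a new SA is required")
    # payload + padding + 2 trailer bytes must fill whole cipher blocks,
    # which also satisfies the 4-byte alignment rule.
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))     # monotonic padding bytes
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet, auth_key):
    """Verify the ICV first, then strip the trailer using Pad Length."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    end = len(body) - 2 - pad_len
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[8:end]}


class ReplayWindow:
    """Receiver-side anti-replay check with a 64-packet sliding window.

    bit i of the bitmap is set when sequence number (highest - i) was seen."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:                       # SN 0 is never valid
            return False
        if seq > self.highest:             # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:              # older than the window
            return False
        if self.bitmap & (1 << diff):      # already received: replay
            return False
        self.bitmap |= 1 << diff
        return True


def demo():
    key = b"constructed-auth-key-0123456789"   # constructed, not a real key
    pkt = build_esp(0x1234, 1, b"hello TCP", 6, key)
    fields = parse_esp(pkt, key)
    win = ReplayWindow()
    first = win.check_and_update(fields["seq"])
    replay = win.check_and_update(fields["seq"])
    return fields, first, replay


if __name__ == "__main__":
    print(demo())
```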
Figure 3.23: IPv4 packet format before and after AH processing
  Before AH:                 [Original IP header | TCP | Data]
  After AH (Transport mode): [Original IP header | AH | TCP | Data]  authenticated except mutable fields
  After AH (Tunnel mode):    [New IP header | AH | Original IP header | TCP | Data]  authenticated except mutable fields of the new header

Figure 3.24: IPv6 packet format before and after AH processing
  Before AH:                 [Original IPv6 header | extension headers (if any) | TCP | Data]
  After AH (Transport mode): [Original IPv6 header | hop-by-hop, routing, fragment | AH | destination options | TCP | Data]  authenticated except mutable fields
  After AH (Tunnel mode):    [New IPv6 header | extension headers (if any) | AH | Original IPv6 header | extension headers (if any) | TCP | Data]  authenticated except mutable fields of the new header

Figure 3.25: IPv4 packet format before and after ESP processing
  Before ESP:                 [Original IP header | TCP | Data]
  After ESP (Transport mode): [Original IP header | ESP header | TCP | Data | ESP trailer | ESP authentication]  encrypted: TCP..trailer; authenticated: ESP header..trailer
  After ESP (Tunnel mode):    [New IP header | ESP header | Original IP header | TCP | Data | ESP trailer | ESP authentication]  encrypted: original header..trailer; authenticated: ESP header..trailer
Figure 3.26: IPv6 packet format before and after ESP processing
  Before ESP:                 [Original IPv6 header | extension headers (if any) | TCP | Data]
  After ESP (Transport mode): [Original IPv6 header | hop-by-hop, routing, fragment | ESP header | destination options | TCP | Data | ESP trailer | ESP authentication]  encrypted: destination options..trailer; authenticated: ESP header..trailer
  After ESP (Tunnel mode):    [New IPv6 header | new extension headers | ESP header | Original IPv6 header | extension headers (if any) | TCP | Data | ESP trailer | ESP authentication]  encrypted: original header..trailer; authenticated: ESP header..trailer

Because AH and ESP can each run in Transport mode and in Tunnel mode, IPSec also has to support the combination of the two modes. This is done by using Tunnel mode to encrypt and authenticate the packet together with its header, then applying AH or ESP (or both) in Transport mode to protect the newly created outer header. AH and ESP are not combined inside Tunnel mode, because ESP carries its own optional authentication, and that option should be used in Tunnel mode whenever packets need both encryption and authentication.

3.4.2 Operation of IPSec

The main purpose of IPSec is to protect the chosen traffic with the required security services, and its operation can be divided into five main steps:

Figure 3.27: The five steps of IPSec operation
  (1) Host A sends traffic that needs protection to Host B.
  (2) Routers A and B negotiate an IKE Phase 1 exchange, producing the IKE SA.
  (3) Routers A and B negotiate an IKE Phase 2 exchange, producing the IPSec SA.
  (4) Data is transmitted through the IPSec tunnel.
  (5) The IPSec tunnel is terminated.

Step 1: Traffic that needs protection initiates the IPSec process. The IPSec devices recognise which traffic must be protected, for example from its address fields.
Step 2: IKE Phase 1. IKE authenticates the IPSec peers and a set of security services is negotiated and agreed (the IKE security associations, IKE SAs). This phase sets up a secure channel over which the IPSec SAs are negotiated in Phase 2.
Step 3: IKE Phase 2. IKE negotiates the IPSec SA parameters and establishes matching IPSec SAs on both sides. These security parameters are used to protect the data and messages exchanged between the endpoints. The final result of the two IKE steps is a secure communication channel between the two sides.
Step 4: Data transfer. Data is transferred between the IPSec peers according to the security parameters and keys stored in the SA database.
Step 5: Tunnel termination. IPSec SAs end because they are deleted or because they expire (time out).
The five steps are now described in more detail.

Step 1 - Triggering traffic that needs protection

Deciding which traffic needs protection is part of the security policy of a VPN. The policy determines which traffic is to be protected and which is not (clear-text traffic does not need protection). The policy is then enforced at the interface of each IPSec peer.

For every inbound and outbound packet there are three options: apply IPSec, bypass IPSec, or discard the packet. For every packet protected by IPSec, the administrator must specify which security services apply to it. The security policy databases specify the IPSec protocols, modes and algorithms to be used for each traffic flow. For example, router access control lists (ACLs) are used to decide which traffic must be encrypted. ACLs are defined by command lines, for instance:
- Permit: identifies traffic that must be encrypted.
- Deny: identifies traffic that must be sent unencrypted.
When traffic that needs protection is detected, an IPSec peer triggers the next step: negotiating an IKE Phase 1 exchange.

Step 2 - IKE Phase 1

The basic purpose of IKE Phase 1 is to negotiate the IKE policy sets, authenticate the peers, and establish a secure channel between them. IKE Phase 1 has two modes: main mode and aggressive mode.

Figure 3.28: IKE Phase 1

Main mode consists of three two-way exchanges between the initiator and the responder:
- First exchange: the encryption and authentication algorithms (used to protect the IKE exchanges themselves) are negotiated between the peers.


- Second exchange: a Diffie-Hellman (DH) exchange produces the shared secret keys, and random numbers (nonces) are exchanged to confirm each peer's identity. The shared secret is used to derive all other encryption and authentication keys.
- Third exchange: the peers verify each other's identity (peer authentication).
The main result of main mode is a secure channel for the subsequent exchanges between the two peers.

Aggressive mode uses fewer exchanges (and so fewer packets). Almost everything is done in the first exchange: negotiation of the IKE policy set, generation of the DH public value, and an identity packet that can be used to verify identity through a third party. The responder sends back everything needed to complete the exchange, and finally the initiator confirms it.

* IKE policy sets

When a secure connection between Host A and Host B is set up across the Internet, a secure tunnel is established between Router A and Router B. Through that tunnel the encryption, authentication and other protocols are negotiated. Instead of negotiating each protocol separately, the protocols are grouped into sets, the IKE policy sets. The IKE policy sets are exchanged in the first exchange of IKE Phase 1 main mode. If a matching policy is found on both sides, main mode continues; if no matching policy is found, the tunnel is dropped.

Figure 3.29: IKE policy sets


For example, Router A sends its policy sets IKE Policy 10 and IKE Policy 20 to Router B. Router B compares its own policy set, IKE Policy 15, with the sets received from Router A. In this case a match is found: Router A's IKE Policy 10 and Router B's IKE Policy 15 are equivalent. In many point-to-point deployments each side needs only one IKE policy set; a central site, however, may have to define several IKE policies to satisfy all of its remote peers.

* Diffie-Hellman key exchange

The Diffie-Hellman key exchange is a public-key method that lets two parties securely establish a shared secret key over a communication medium. This secret is then used to derive all other authentication and encryption keys. Once the DH group has been agreed, the shared secret SKEYID is computed. SKEYID is used to derive three further keys, SKEYID_a, SKEYID_e and SKEYID_d, each with its own purpose: SKEYID_a is used for authentication, SKEYID_e for encryption, and SKEYID_d to derive the keys of non-ISAKMP security associations. All four keys are computed in IKE Phase 1. When this step completes, the peers share a common secret, but they have not yet been authenticated; that happens in the third exchange, peer authentication.

* Peer authentication

Peer authentication is the last exchange and is used to authenticate the peers, that is, to check who is at the other end of the tunnel. The devices at both ends of the VPN tunnel must be authenticated before the channel is considered secure. The final exchange of IKE Phase 1 serves exactly this purpose.


Figure 3.30: Peer authentication

There are three data-origin authentication methods:
- Pre-shared keys: a secret key value entered manually to identify the peer.
- RSA signatures: digital certificates are exchanged to authenticate the peer.
- RSA-encrypted nonces: random numbers (nonces, one generated by each peer) are encrypted and then exchanged between the peers; the two nonces are used throughout peer authentication.

Step 3 - IKE Phase 2

The purpose of IKE Phase 2 is to negotiate the IPSec security parameters used to protect the IPSec tunnel.

Figure 3.31: Negotiating the IPSec security parameters

IKE Phase 2 performs the following functions: it negotiates the IPSec security parameters, the IPSec transform sets; it establishes the IPSec security associations; and it periodically renegotiates the IPSec SAs to keep the tunnel secure.

It can also perform an additional DH exchange (so that the new SAs get new keys, which increases the tunnel's security). IKE Phase 2 has a single mode, called Quick Mode. It runs once IKE has established the secure tunnel in Phase 1. IKE Phase 2 negotiates a common IPSec transform set, derives the shared secret keys used by the IPSec security algorithms, and establishes the IPSec SAs. Quick Mode exchanges nonces that are used to generate fresh shared key material and to prevent replay attacks from creating bogus SAs. Quick Mode is also used to renegotiate a new IPSec SA when the old one expires.

* IPSec transform sets

The ultimate purpose of IKE Phase 2 is to establish a secure IPSec session between the endpoints. Before that can happen, each pair of endpoints must agree on the required level of security (for example, the authentication and encryption algorithms used in the session). Rather than negotiating each protocol individually, the protocols are grouped into sets, the IPSec transform sets. These transform sets are exchanged between the two sides in Quick Mode. If an equivalent transform set is found on both sides, session establishment continues; otherwise the session is dropped.

Figure 3.32: IPSec transform sets

For example, Router A sends IPSec transform sets 30 and 40 to Router B. Router B compares them with its own transform set 55 and finds it equivalent to Router A's transform set 30; the authentication and encryption algorithms in these transform sets form a security association (SA).

* Security Association (SA)

Once a transform set has been agreed between the two sides, each VPN device stores this information in a database. It includes the authentication and encryption algorithms, the peer's address, the transmission mode, the key lifetime, and so on. This information is known as a security association, SA. An SA is a one-way logical connection that provides security for all traffic passing over it. Because most traffic is two-way, two SAs are needed, one inbound and one outbound. The VPN device then numbers each SA with a Security Parameter Index (SPI). Instead of sending every SA parameter through the tunnel, each side simply inserts the SPI into the ESP header. When the receiver gets the packet, it looks up the destination address and SPI in its Security Association Database (SAD) and then processes the packet with the algorithms that the SPI designates, as specified in the SPD.

Figure 3.33: IPSec security associations

An SA is a combination of the SAD and the SPD. The SAD defines the destination peer's IP address, the IPSec protocol and the SPI number. The SPD defines the security services applied to the SA's peer: the encryption and authentication algorithms, the mode, and the key lifetime. For example, for a company-to-bank connection a highly secure tunnel is set up between the two sides, using 3DES, SHA, tunnel mode and a key lifetime of 28800, with SAD value 192.168.2.1, ESP and SPI 12. For a remote user accessing e-mail, a tunnel with a lower security level is negotiated, using DES, MD5, tunnel mode and a key lifetime of 28800, corresponding to SPI 39.

* Lifetime of a security association

The issue is the same as with the lifetime of a password on a computer: the longer it stays in use, the greater the risk of compromise. Keys and SAs are no different; for high security they must be changed regularly. Two parameters define when keys and SAs are changed: Lifetime type, which selects whether the limit is counted in bytes or in time, and Duration, which gives the amount in kilobytes of data or in seconds. For example, a lifetime of 10000 KB of data transmitted, or 28800 s. Keys and SAs remain valid until the lifetime expires or until an external cause, such as one side tearing down the tunnel, deletes the keys and SAs.

Step 4 - The IPSec encrypted tunnel

After IKE Phase 2 and Quick Mode have established the IPSec SAs, traffic between Host A and Host B flows through a secure tunnel. The traffic is encrypted and decrypted with the algorithms specified in the IPSec SA.
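A toy model of the negotiation and bookkeeping described above (the IKE policy match, the transform-set match of Figure 3.32, the SAD lookup by destination address, protocol and SPI, and lifetime expiry), written as an added example rather than taken from the thesis. The numbers used (transform sets 30/40/55, SPI 12 and 39, 192.168.2.1, 28800 s, 10000 KB) are the ones quoted in the text; the comparison rule and class names are this example's own assumptions.

```python
"""Added example: transform-set negotiation, SAD lookup and SA lifetime."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TransformSet:
    name: int          # local identifier only; never compared between peers
    encryption: str    # e.g. "3des", "des"
    integrity: str     # e.g. "sha", "md5"
    mode: str          # "tunnel" or "transport"

    def equivalent(self, other):
        """Two sets match on their contents, not on their local names."""
        return (self.encryption, self.integrity, self.mode) == \
               (other.encryption, other.integrity, other.mode)


def negotiate(offered, local):
    """Responder picks the first offered set equivalent to its own.

    Returning None models 'no matching set': the session is dropped."""
    for candidate in offered:
        if candidate.equivalent(local):
            return candidate
    return None


@dataclass
class SAEntry:
    """One direction of an SA as stored after Quick Mode."""
    peer: str
    protocol: str            # "esp" or "ah"
    spi: int
    transform: TransformSet
    lifetime_seconds: int    # Lifetime type = time, Duration in seconds
    lifetime_kbytes: int     # Lifetime type = data, Duration in KB
    bytes_sent: int = 0
    age_seconds: int = 0

    def expired(self):
        """Whichever limit is reached first ends the SA (and its keys)."""
        return (self.age_seconds >= self.lifetime_seconds
                or self.bytes_sent >= self.lifetime_kbytes * 1000)


class SAD:
    """Security Association Database keyed by (destination, protocol, SPI).

    A miss means no SA exists yet, which is what triggers IKE."""

    def __init__(self):
        self._entries = {}

    def add(self, destination, entry):
        self._entries[(destination, entry.protocol, entry.spi)] = entry

    def lookup(self, destination, protocol, spi):
        return self._entries.get((destination, protocol, spi))


def bank_tunnel_example():
    """Router A offers sets 30 and 40; Router B holds set 55 (constructed)."""
    a30 = TransformSet(30, "3des", "sha", "tunnel")
    a40 = TransformSet(40, "des", "md5", "tunnel")
    b55 = TransformSet(55, "3des", "sha", "tunnel")
    chosen = negotiate([a30, a40], b55)
    sad = SAD()
    if chosen is not None:
        sad.add("192.168.2.1",
                SAEntry("192.168.2.1", "esp", 12, chosen, 28800, 10000))
    return chosen, sad


if __name__ == "__main__":
    chosen, sad = bank_tunnel_example()
    print("agreed set:", chosen)
    print("SPI 12 ->", sad.lookup("192.168.2.1", "esp", 12))
    print("SPI 39 ->", sad.lookup("192.168.2.1", "esp", 39))
```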

Figure 3.34: The IPSec tunnel is established

Step 5 - Tunnel termination


Figure 3.35: Tunnel termination

IPSec SAs end when they are deleted or when they expire. An SA expires when its allotted time runs out or when a given number of bytes has passed through the tunnel. When the SAs end, their keys are destroyed as well. If new IPSec SAs are then needed, a new IKE Phase 2 is performed and, if necessary, a new IKE Phase 1 is negotiated. A successful negotiation produces new SAs and keys. The new SAs are established before the old ones expire, so that the flow of data is not interrupted.

3.4.3 An example of IPSec operation

To summarise the whole IPSec process, consider the example in the figure.
(Figure 3.36 diagram: a protected private network (Internal Network, LAN) behind each router, the Internet between them, a Certificate Authority issuing digital certificates, an IKE session establishing the SA, an authenticated encryption tunnel between the routers; encrypted data on the Internet, cleartext data on the LANs.)

Figure 3.36: The information exchange

In this example, B wants to communicate securely with A. When data reaches Router B, the router checks its security policy and recognises that the packet must be protected. The preconfigured security policy also states that Router A is the far endpoint of the IPSec tunnel. Router B checks whether an IPSec SA with Router A already exists; if not, it requests an IKE process to establish one. If the two routers have already negotiated an IPSec SA, the IPSec SA can be created immediately. If they have not yet negotiated an IKE SA, they must first negotiate the IKE SA before negotiating the IPSec SAs. During this process the two routers exchange digital certificates, which must have been signed in advance by a CA that both sides trust. Once the IKE session is established, the two routers can negotiate the IPSec SA. Once the IPSec SA is established, the routers have agreed an encryption algorithm (for example DES), an authentication algorithm (for example MD5) and a shared session key. Router B can now encrypt B's packet, place it inside a new IPSec packet, and send it to Router A. When Router A receives the IPSec packet, it looks up the IPSec SA, processes the packet as required, restores the original packet and forwards it to A. This whole process is completely transparent to A and B.

3.4.4 Open issues in IPSec

Although IPSec already offers the features needed to secure a VPN over the Internet, it is still being developed towards completion:
- Every packet processed by IPSec grows in size because the IPSec headers are added, which reduces network throughput. This could be addressed by compressing data before encryption, but that has not been standardised.
- IKE is still an unproven technology, and manual key exchange is unsuitable for networks with a large number of mobile parties.
- IPSec is designed to handle IP traffic only.
- The computation required by many of the IPSec algorithms is still a problem for older workstations and PCs.
- Distribution of cryptographic hardware and software is still restricted by the governments of some countries.
- Using IPSec in tunnel mode allows nodes with invalid IP addresses to communicate with other nodes, but when security is pushed down to the host level the addresses must be managed carefully so that the hosts can identify one another.

Conclusion of chapter 3: in a VPN the most demanding requirement is the communication protocols used on the network; they decide whether the VPN lives or dies. In this chapter we studied the protocols used in VPNs, of which the most frequently used and most secure is L2TP. It is important and secure because the data is handled at layer 2 of the OSI model.


Chapter 4 - SECURITY IN VPN


One of the main concerns of any company is the security of its data. Protecting data against unauthorised access and modification is not only a network problem, but transferring data between computers or between LANs exposes it to attack and intrusion far more than when it stays on a single machine. Security is not a concern specific to VPNs; it is the concern and challenge of every organisation that needs to exchange information over the Internet. Data in a VPN is protected by two processes: authentication and encryption.

4.1 Authentication [2],[4],[8]

Authentication is an indispensable part of the security architecture of a VPN. It is based on three kinds of attribute: something we have (a key or a token card); something we know (a password); or something we are (voice, retina scan, fingerprint, ...). Authentication is a general term covering two concepts: data-origin authentication and data-integrity authentication.

4.1.1 Data-origin authentication

a) Traditional passwords

Experience shows that simple forms of authentication, such as a user ID and password, are not strong enough to secure network access. A password can be captured while it travels across the network. One-time password systems are a better way to use traditional passwords.

* A one-time password system prevents unauthorised use: captured passwords cannot be reused, because a new password is issued for every session. In such a system, however, every time the user logs in a new password must be chosen for the next session. This difficulty is overcome by automatically generating a list of acceptable passwords for the user. The drawback of these systems is that the password lists are hard to administer for a large number of users.

b) Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) was designed as a simple way for one computer to authenticate itself to another when the point-to-point protocol PPP is used as the communication protocol. PAP is a two-way handshake: the computer initiating the connection sends a user-ID and password pair to the host system it is trying to connect to, and the host then verifies that the computer is correctly authenticated and accepted for communication. PAP authentication can be used at the start of a PPP connection, and also during a PPP session to re-authenticate the connection. Once a PPP link is established, PAP authentication can take place on it: the peer keeps sending a user ID and password to the authenticator until the authenticator accepts the connection or the connection is dropped. PAP is not secure, because the authentication information is transmitted in the clear and there is no protection against replay or repeated guessing by attackers trying to find the correct password or user-ID pair.

c) Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP) was designed for the same use as PAP but is a more secure method of authenticating PPP connections.

(Figure 4.1 diagram: user and authenticating computer; (1) access request, (2) challenge, (3) response, then permission granted.)

Figure 4.1: User challenge-response system

CHAP is a three-way handshake: it takes three steps to verify a connection, either right after the connection is first established or at any time afterwards. Instead of a password and an accept step as in PAP, CHAP uses a one-way hash function.
1. The authenticating computer sends a challenge message to the peer.

2. The peer computes a value with a one-way hash function and returns it to the authenticating computer.
3. The authenticating computer accepts the connection if the returned value matches the value it expects.
This process can be repeated at any time during the connection to make sure the connection is still held by the right party and has not been weakened. The server controls the authentication process in CHAP.

PAP and CHAP share the same weaknesses: both depend on a secret password stored on the remote user's computer and on the local computer. If either computer falls under an attacker's control and the secret is changed, authentication fails. Nor can different network access privileges be assigned to different remote users who share the same server. CHAP is a stronger method than PAP for authenticating dial-up users, but it cannot meet the demands of a growing network: even though no secret crosses the network, the method still requires a large number of shared secrets to be run through the hash function, which consumes bandwidth and lowers network performance.

d) Terminal Access Controller Access Control System (TACACS)

TACACS is a system developed not only to provide authentication but also to perform authorization and accounting. It was designed as a more flexible client/server system, particularly for managing network security. At the centre of TACACS is a TACACS authentication server, which receives authentication requests from client software installed on a gateway or network access point. The server maintains a database of user IDs, passwords, PINs and secret keys that is used to accept or reject network access requests. All authentication, authorization and accounting data is directed to the central server when a user accesses the network. An advantage of TACACS is that it can act as a proxy server for other authentication systems. This proxy capability makes it easier to share the VPN's security data with an ISP, which is necessary when the VPN is outsourced.

e) Remote Authentication Dial-In User Service (RADIUS)

RADIUS also uses a client/server model to securely authenticate and manage remote users' network connections and sessions. RADIUS makes access control easier to manage and can support various user authentication methods, including PAP and CHAP. The RADIUS client/server model uses a network access server (NAS) to manage user connections. The NAS accepts users' connection requests, collects the user ID and password, and passes this information securely to the RADIUS server. The RADIUS server performs the authentication, returns an accept or reject, and supplies any configuration data the NAS needs to deliver services to the user. RADIUS clients and the RADIUS server communicate securely using shared secrets for authentication and for encrypting the user's password in transit. RADIUS keeps a single, central database on the RADIUS server for managing user authentication and services, so a remote user of a RADIUS client gets the same access to services from any server that communicates with the RADIUS server.

f) Hardware-based systems

+ Smart cards

A smart card is a credit-card-sized device containing a microprocessor embedded in the card and a memory. A matching reader is needed to communicate with the card. A smart card can hold a user's private key together with some applications that simplify the authentication process. Some current smart cards include a cryptographic coprocessor that makes encryption and decryption easier and faster. Electronic certificate systems used with smart cards require the user to enter a personal identification number (PIN) to start authentication; the PIN is usually stored on the card.

+ Token devices
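The three CHAP steps in code, as an added example that is not part of the thesis; it follows the response computation of RFC 1994 (MD5 over identifier, secret and challenge) and places a PAP check beside it so the difference is visible: PAP transmits the secret itself, CHAP transmits only a hash over a fresh challenge. The shared secret and user name are constructed.

```python
"""Added example: CHAP challenge/response versus PAP."""
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"   # stored at both ends, never sent


def chap_response(ident, secret, challenge):
    """Step 2: the peer returns MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Step 1: issue a challenge; step 3: accept or reject the response."""

    def __init__(self, secrets):
        self.secrets = secrets      # user name -> shared secret
        self.ident = 0
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self):
        self.ident = (self.ident + 1) % 256       # 8-bit CHAP identifier
        chal = os.urandom(16)                     # fresh, unpredictable
        self.pending[self.ident] = chal
        return self.ident, chal

    def verify(self, ident, name, response):
        # Each challenge is consumed on first use, so a captured response
        # cannot be replayed against the same challenge.
        chal = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def pap_authenticate(sent_name, sent_password, secrets):
    """PAP: name and password travel in the clear; the host just compares."""
    return secrets.get(sent_name) == sent_password


def run_chap(name="alice"):
    """Full exchange; returns (first attempt ok, replay of same response ok)."""
    auth = Authenticator({name: SECRET})
    ident, chal = auth.challenge()                  # 1: challenge
    resp = chap_response(ident, SECRET, chal)       # 2: peer hashes
    ok = auth.verify(ident, name, resp)             # 3: success/failure
    replayed = auth.verify(ident, name, resp)       # same response again
    return ok, replayed


if __name__ == "__main__":
    print(run_chap())
```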


Token systems are usually based on a dedicated piece of hardware that displays a changing passcode, which the user then types into the computer to authenticate. A token works as follows: a processor inside the token holds a set of secret encryption keys used to generate one-time passcodes. These passcodes are sent to a security server on the network, which checks their validity and decides whether to grant access. Once the codes have been programmed, neither users nor administrators can access them. Before users are allowed to authenticate, token devices require a PIN, and then use one of three mechanisms to determine who the user is.
- Challenge-response is the most common mechanism. The server generates a random number when the user logs in to the network; the challenge appears on the user's screen and the user keys it into the token. The token encrypts the challenge with its secret key and displays the result, which the user types into the computer. Meanwhile the server encrypts the challenge with the same key, and if the two results match the user is granted access.
- Time synchronisation: the token displays a number encrypted with its secret key that changes every 60 seconds. The user is prompted for the number when logging in to the server. Because the clocks on the server and the token are synchronised, the server can authenticate the user by decrypting the token's number and comparing the results.
- Event synchronisation: a counter records the number of log-ins the user has performed. After each log-in the counter is updated and a different passcode is generated for the next log-in.

g) Biometric systems

Biometric systems use unique personal traits to authenticate the user, such as fingerprints, voice or retina. They are not yet widely used in practice, because they are expensive and because these security systems are usually self-contained, which makes them hard to integrate with other systems. Biometric systems suit only places that need the highest security within a small scope.
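The three token mechanisms above modelled in code, as an added example that is not from the thesis. A keyed hash stands in for the token's internal cipher (an assumption of this example), the secret is constructed, and the server side shows the checks a practitioner needs: a clock-drift window for time synchronisation and a look-ahead window with resynchronisation for event synchronisation, so that a used passcode is never accepted twice.

```python
"""Added example: challenge-response, time-synchronised and
event-synchronised token passcodes."""
import hashlib
import hmac
import struct


def passcode(secret, varying_input):
    """6-digit code from the token secret and a per-use varying input
    (challenge, time slot or event counter)."""
    mac = hmac.new(secret, varying_input, hashlib.sha1).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


class Token:
    """What the hardware token computes and displays."""

    def __init__(self, secret):
        self.secret = secret
        self.events = 0

    def challenge_response(self, challenge):
        return passcode(self.secret, challenge.encode())

    def time_code(self, now, step=60):
        return passcode(self.secret, struct.pack("!Q", now // step))

    def event_code(self):
        self.events += 1
        return passcode(self.secret, struct.pack("!Q", self.events))


class Server:
    """The security server holding the same secret."""

    def __init__(self, secret):
        self.secret = secret
        self.events = 0

    def check_challenge(self, challenge, code):
        return hmac.compare_digest(passcode(self.secret, challenge.encode()), code)

    def check_time(self, code, now, step=60, drift=1):
        # accept the current slot plus/minus `drift` slots for clock skew
        slot = now // step
        return any(hmac.compare_digest(
                       passcode(self.secret, struct.pack("!Q", slot + d)), code)
                   for d in range(-drift, drift + 1))

    def check_event(self, code, lookahead=5):
        # the user may have pressed the token without logging in, so search
        # a few counters ahead; on success move the counter forward so the
        # same code (or any earlier one) can never be accepted again
        for n in range(self.events + 1, self.events + 1 + lookahead):
            if hmac.compare_digest(passcode(self.secret, struct.pack("!Q", n)), code):
                self.events = n
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-token-secret"
    token, server = Token(secret), Server(secret)
    print(server.check_challenge("482913", token.challenge_response("482913")))
```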

4.1.2 Data-integrity authentication

Data-integrity authentication covers two problems:
Detecting corrupted messages: detecting bit errors and determining whether they were caused by the transmission medium or by processing or storage equipment. The solution is to attach a message digest (MD) to each message; the MD acts like a fingerprint that uniquely identifies the message.
Protecting against unauthorised modification: detecting messages that were altered illegitimately in transit. There are two solutions, one based on symmetric-key cryptography and one on public-key cryptography. The symmetric-key solution produces a message authentication code (MAC) from a keyed message-digest function. The public-key solution produces a digital signature by encrypting the message digest MD with the sender's private key.

a) Message digests based on one-way hash functions

The MD is the method used to detect transmission errors; it is computed with one-way hash functions. A hash function is considered good if it satisfies the following requirements:
Computing the MD is simple and efficient, so that the MD of messages several GB in size can be computed.
It is infeasible to recover the original message from its MD value. This is why it is called a one-way hash function.
The MD value depends on every bit of the message: if even one bit of the message is changed, inserted or deleted, about 50% of the bits of the MD change, effectively at random. The hash function performs a pseudo-random message-to-digest mapping, so two nearly identical messages have completely different hashes.
- Because of the random nature of the hash function and the enormous number of possible hash values, it is practically impossible for two distinct messages to have the same hash. For today's practical applications, the output of a hash function over a message can be regarded as that message's unique fingerprint.

(Figure 4.2 diagram: document or message -> MD5 hash function -> 128-bit message digest; document or message -> SHA-1 hash function -> 160-bit message digest.)

Figure 4.2: The common hash functions MD5 and SHA-1

The fixed-length MD acts as a unique fingerprint for a message of arbitrary length. With the usual MD length of 128 to 256 bits, it can represent 10^38 to 10^70 different fingerprint values. The two common hash functions are MD5 (Message Digest #5) and SHA (Secure Hash Algorithm). MD5 was invented by Ron Rivest (RSA Security Inc.) and computes a 128-bit (16-byte) hash from a binary message of arbitrary length. SHA was developed by NIST (the US National Institute of Standards and Technology) with the cooperation of the NSA (National Security Agency). SHA-1 computes a 160-bit (20-byte) hash from a binary message of arbitrary length; the algorithm is similar to MD5 but more secure because of its larger output. SHA-2, with hash sizes of 256, 384 and 512 bits, was published by NIST in October 2000 to match the large key sizes of the AES encryption algorithm.

* Basic structure of the one-way hash functions MD5/SHA

Both MD5 and SHA work on 512-bit input blocks, so the original message is first divided into a whole number of such blocks. This is done by appending a 64-bit Length field to the end of the message and inserting 0-512 padding bits before the Length field so that the final block is exactly 512 bits long.

(Figure 4.3 diagram: document or message | padding | 64-bit Length = N x 512 bits, split into Block 1, Block 2, ..., Block N of 512 bits each; IV feeds the MD5/SHA hash function for Block 1, each block's hash value feeds the next block's hash function, and the last output is the MD of the message.)

Figure 4.3: Basic structure of MD5/SHA

This block-by-block processing allows the hash of a large message to be computed sequentially. Initialisation vector (IV) and hash value: besides the 512-bit input block, the hash function also needs an initialisation vector IV of the same size as the hash (128 bits for MD5, 160 bits for SHA-1). In the first round, the IV takes the value predefined in the MD5 or SHA standard. A hash value is computed from the first 512-bit input block; that hash value then serves as the IV in the second round. The process continues with the hash value of each round acting as the IV of the next. After the last 512-bit block has been processed, the resulting hash value is the MD of the whole message.

b) Message Authentication Code (MAC)

The reason for building a message authentication code is that the MD by itself gives no protection against unauthorised changes to the message content. Someone who alters the message in transit can simply recompute the MD5 or SHA hash over the altered content, and at the receiver the hash will still be perfectly valid. The MAC is the method that protects against unauthorised modification of the message; it is built from a one-way hash function combined with a secret key.

(Figure 4.4 diagram: sending side: document or message + Key -> keyed hash function -> MAC, sent with the message over the transmission channel; receiving side: received document or message + Key -> keyed hash function -> MAC, compared with the received MAC.)

Figure 4.4: Data-integrity authentication with a message authentication code (MAC)

To solve the problem above, the MAC introduces a secret key into the computation of the message's MD; only then is there protection against unauthorised changes. The sending side, which holds the secret key, produces a valid MD, called the message authentication code (MAC). The receiving side uses the same secret key to check the validity of the message by recomputing the MAC and comparing it with the MAC sent by the transmitter. Usually the final MAC is produced by truncating the hash value obtained from MD5 (128 bits) or SHA-1 (160 bits) to 96 bits. Although this truncation considerably reduces the number of combinations a brute-force attack would have to try, it hides the internal state of the hash algorithm and makes it much harder for an attacker to work back from the output of the second hash round to the intermediate result of the first round. Integrity authentication with a MAC has the advantage of being fast and efficient, because computing a MAC from a hash function is relatively simple, so it is commonly used to authenticate high-speed data streams (it is used for IPSec packets). Its disadvantage is that the receiver must know the secret key in order to check the message's integrity, which raises the problem of distributing the key securely.

c) Digital signature
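The block structure and the keyed, truncated MAC described above, as an added example that is not from the thesis: the padding step (0x80, zero bits, then the 64-bit Length field, with MD5 storing that length little-endian and SHA-1 big-endian), the resulting 512-bit block count, the roughly 50% avalanche in the digest, and a 96-bit truncated HMAC with constant-time comparison. The message and key are constructed; the 0x80-then-zeros encoding of the padding bits is what the two standards specify.

```python
"""Added example: MD5/SHA-1 padding, block count, avalanche and MAC-96."""
import hashlib
import hmac
import struct


def md_pad(message, length_byteorder):
    """Append a 1 bit (0x80), zero bits, then the 64-bit message length in
    bits, so the total is a multiple of 64 bytes (512 bits)."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)   # leave 8 bytes for Length
    fmt = "<Q" if length_byteorder == "little" else ">Q"   # MD5 vs SHA-1
    padded += struct.pack(fmt, bit_len)
    assert len(padded) % 64 == 0
    return padded


def block_count(message):
    """Number of 512-bit blocks the hash function will process."""
    return len(md_pad(message, "big")) // 64


def bit_difference(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(message):
    """Flip one bit of the message and return the share of the 160 SHA-1
    digest bits that change (expected to be close to 0.5)."""
    flipped = bytes([message[0] ^ 0x01]) + message[1:]
    d1 = hashlib.sha1(message).digest()
    d2 = hashlib.sha1(flipped).digest()
    return bit_difference(d1, d2) / 160


def mac96(key, message, algo=hashlib.sha1):
    """Keyed hash truncated to 96 bits, as in HMAC-SHA1-96 / HMAC-MD5-96."""
    return hmac.new(key, message, algo).digest()[:12]


def verify_mac96(key, message, tag):
    """Receiver recomputes the MAC with the shared key; constant-time compare."""
    return hmac.compare_digest(mac96(key, message), tag)


if __name__ == "__main__":
    msg = b"constructed test message"
    print("blocks:", block_count(msg))
    print("avalanche:", avalanche_fraction(msg))
    tag = mac96(b"constructed-key", msg)
    print("MAC ok:", verify_mac96(b"constructed-key", msg, tag))
    print("MAC on altered message ok:", verify_mac96(b"constructed-key", msg + b"!", tag))
```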


A digital signature is another method of protecting the message content against unauthorised modification. It is produced by encrypting the hash value obtained from a one-way hash function: the hash (MD5 or SHA) of the message is encrypted with the sender's private key to form the digital signature, which is transmitted together with the message.
(Figure 4.5 diagram: sending side: document or message -> hash function -> hash value -> encrypt with private key -> signature, sent with the message over the transmission channel; receiving side: received document or message -> hash function -> hash value, compared with the hash value obtained by decrypting the signature with the public key.)

Figure 4.5: Digital signature

The receiver recomputes the hash of the received message and at the same time decrypts the signature that came with it. If the decrypted value matches the computed hash, the message's integrity is confirmed, because only the sender holds the private key that encrypted the signature. Since the public key is widely distributed, any user can verify the message's integrity. This method avoids the secure key-distribution problem, but encryption and decryption with the private/public key pair are very slow, so it is used only to authenticate the peers at the start of a communication session.

4.2 Encryption [2],[4],[6],[8]

Encryption is based on two components: an algorithm and a key. An encryption algorithm is a mathematical function that combines plaintext, or intelligible information, with a string of numbers called the key to produce unintelligible ciphertext.

There are many different encryption algorithms; a few special ones use no key at all, but algorithms that use keys are far more widely used. Encryption built on a key system provides two important advantages: by using a key, the same algorithm can be used to communicate with many people, each with a different key; and if an encrypted message is broken, only a new key has to be issued to start encrypting again, without replacing the algorithm itself. A good encryption algorithm must have the following properties:
- Security against cryptographic attacks.
- Scalability, with variable key lengths.
- Any change to the plaintext input produces a large change in the encrypted output.
- No restriction on input or output.

Many kinds of encryption algorithm are in use. The two kinds of keyed algorithm in common use are secret-key algorithms, also called symmetric encryption, and public-key algorithms. The number of keys an algorithm can provide depends on the number of bits in the key. For example, an 8-bit key allows 2^8 = 256 keys, and a 40-bit key allows 2^40 keys. The larger the number of possible keys, the lower the chance that an encrypted message is broken; the difficulty depends on the key length.

4.2.1 Secret-key (symmetric) encryption algorithms
[Figure 4.6 (diagram): Clear message → Encrypt (with the shared secret key) → Encrypted message → Decrypt (with the same shared secret key) → Clear message.]

Figure 4.6: Secret-key (symmetric) encryption



A symmetric algorithm is defined as a shared-key algorithm used to encrypt and decrypt a message. Symmetric encryption algorithms use the same key to encrypt and to decrypt the message, which means that the sender and the receiver have agreed to use the same secret key for encryption and decryption. When we exchange messages with N different people, we must keep and maintain N secret keys, one for each exchange.

Advantages of symmetric-key encryption:
- Encryption and decryption are very fast, suitable for large volumes of information.
- Key lengths range from 40 to 168 bits.
- The mathematical operations are easy to implement in hardware.

The sender and the receiver share one secret. The symmetric mechanism raises a problem of authentication: the identity of the originator of a message cannot be proved. Because both parties hold the same key, either of them can create and encrypt a message and claim that the other party sent it. This creates doubt about the origin of the message. Some symmetric algorithms are DES (Data Encryption Standard) with a 56-bit key, 3DES with a 168-bit key, and AES (Advanced Encryption Standard) with a key of 128, 256 or 512 bits. All of these algorithms use the same key to encrypt and decrypt information.

a) The DES algorithm (Data Encryption Standard)

The Data Encryption Standard was introduced in 1977 in the United States and has been widely used. DES is the basis on which the more advanced algorithm 3DES was built. DES is still used today for applications that do not require a high level of security, and because the AES standard has not yet officially replaced it.


[Figure 4.7 (diagram): Plaintext block (64 bits) and key (64 bits, 56 bits used after parity removal) → initial permutation (IP) → Round 1 → Round 2 → ... → Round 16 → final permutation (RP) → ciphertext block (64 bits).]

Figure 4.7: Block diagram of the DES algorithm

DES combines the two basic techniques of cryptography, confusion and diffusion. Both are carried out in one round, whose inputs are the plaintext data block and the key. DES has 16 rounds, so the two techniques are applied to the plaintext block 16 times. Each DES round has its own 48-bit subkey, obtained by repeatedly shifting and permuting the 56-bit key from round to round. The key length is 56 bits, although the key is actually 64 bits long: 8 of the bits are parity-check bits, and they are discarded when the key is fed into the DES algorithm. Before the DES rounds run, the 64-bit plaintext block passes through the initial permutation IP (Initial Permutation), which does not depend on the key. After the 16 rounds, the data passes through the reverse permutation RP (Reversed Permutation) and forms an encrypted block (ciphertext). These permutation steps do not in fact add to the security of DES. The core of the DES round is the Feistel network (named after the scientist at IBM). The Feistel network is shown in the figure:


[Figure 4.8 (diagram): Input halves L(i-1) and R(i-1), 32 bits each. R(i-1) → expansion permutation (32 → 48 bits) → XOR with the 48-bit round key K(i) → S-boxes (substitution, 48 → 32 bits) → P-box (permutation, 32 bits) → XOR with L(i-1) → R(i). R(i-1) is copied to L(i). Key path: 56-bit key(i-1) → shift, shift → compression permutation (56 → 48 bits) → K(i); the shifted 56-bit key becomes key(i).]

Figure 4.8: The Feistel network

The 64-bit plaintext input block is split into two 32-bit blocks: the right block (Ri-1) and the left block (Li-1). The input right block becomes the output left block (Li). The right block also enters a processing path: first it is expanded to 48 bits by the expansion permutation EP (Expansion Permutation); then it is XORed with a 48-bit round key; the 48 bits resulting from the XOR are fed to 8 substitution boxes (S-Boxes), each with 6 input bits and 4 output bits; the 32 bits leaving the S-boxes are fed to the permutation box (P-Box). The output of this path is XORed with the left block (Li-1) and becomes the right block of the output data (Ri). Each round of DES has its own 48-bit key, obtained by repeatedly shifting and permuting the 56-bit key from round to round.

A variant of DES is 3DES, so called because the algorithm performs three data encryption operations. It performs an encryption, then a decryption, and then another encryption, each with a different 56-bit key. This process yields a combined 168-bit key and provides a strong encryption method. All Cisco VPN products and software support the 3DES algorithm with a 168-bit key and the 56-bit DES algorithm.

b) Introduction to AES

Several reputable organisations proposed algorithms for AES, for example MARS (IBM), RC6 (RSA), Twofish (Bruce Schneier) and Rijndael (Joan Daemen / Vincent Rijmen). In 2000, NIST (the US National Institute of Standards and Technology) selected the Rijndael algorithm, an improved substitution-permutation network with 10 rounds, as the AES standard.

In the future AES will be the standard symmetric block cipher and will be implemented in both hardware and software. AES is designed so that the key length can be increased when necessary. The AES data block length is 128 bits, and the key length is k = 128, 192 or 256 bits.

4.2.2 Public-key encryption algorithms

A public-key encryption algorithm is defined as an algorithm that uses a pair of keys to encrypt and decrypt a message securely. One key is used to encrypt and a different key to decrypt, but the two keys are mathematically related and form a unique key pair: only these two keys can encrypt and decrypt for each other.
[Figure 4.9 (diagram): The sender transfers its public key; the receiver receives the public key. Clear message → Encrypt (with the public key) → Encrypted message → Decrypt (with the private key) → Clear message.]

Figure 4.9: Public-key encryption algorithm
Advantages of public-key encryption algorithms:
- The public key of the pair can be distributed freely without fear that this affects the use of the private key.
- There is no need to send a copy of the public key to every correspondent; it can be obtained from a server maintained by a company or a service provider.
- The origin of a message can be authenticated.

The disadvantage of public-key encryption is that encryption and decryption are very slow, much slower than secret-key encryption. It is therefore usually used to encrypt session keys, a small amount of data. Algorithms that use public-key encryption include RSA and Diffie-Hellman.

a) The RSA public-key cryptosystem

The RSA public-key technique was developed in 1977, and the name RSA comes from the names of its three developers: Ron Rivest, Adi Shamir and Leonard Adleman.


The basis of the algorithm is the difficulty of factoring a large natural number into its prime factors: it is easy to multiply A and B to obtain C, but not easy to recover A and B from C when A and B are relatively large numbers. The one-way function in the RSA algorithm has the form y = f(x) = x^e.

Steps of the RSA algorithm:

Step 1: Key generation
- Generate two large primes p and q
- Compute n = p·q and φ(n) = (p-1)(q-1)
- Choose a random e with 1 < e < φ(n) such that gcd(φ(n), e) = 1
- Compute d = e^-1 mod φ(n)
- Public key Ku = [e, n]
- Private key Kr = [d, n]

Step 2: Encryption
- Message block x < n
- Ciphertext y = x^e mod n

Step 3: Decryption
- Ciphertext block: y
- Plaintext x = y^d mod n

An RSA key consists of three special numeric values that are used in pairs to encrypt and decrypt data. The RSA public key consists of a public exponent (often 3, 17 or 65,537) and a modulus. The modulus is the product of two large primes chosen at random, mathematically linked to the chosen public exponent. The private key is computed from the two primes behind the modulus and the public exponent. In practice, implementing RSA involves a series of complex number-theoretic problems, such as the Euclidean algorithm for finding the GCD of two integers and the Miller-Rabin test for checking the primality of large natural numbers. The technique produces public keys that match specific private keys. This gives RSA the advantage that the holder of a private key can encrypt data with that key, and anyone with a copy of the public key can then decrypt it.

b) The Diffie-Hellman technique

Diffie-Hellman was the first practical public-key algorithm, and in practice it is used extensively for key management. The DH algorithm makes it possible to exchange keys securely and automatically over an insecure network. With DH, each peer generates a public/private key pair. The private key is generated by each peer and kept secret; it is never shared. The public key is computed from the private key by each peer and transmitted over the insecure channel. Each peer combines the other peer's public key with its own private key and computes the same shared secret number. The shared secret number is then transformed into a shared key. The shared secret key is always established over an insecure channel. The DH exchange is a public key exchange method that lets two IPSec peers establish a shared secret known only to them. The DH process can be divided into 5 steps:

1- The DH process begins with each peer generating a large integer, p and q. Each peer sends its integer to the other; for example, A sends p to B. Each peer then uses the values p, q to generate g, where p is prime and g is a primitive root.
2- Each peer generates a private DH key: Xa for A, Xb for B.
3- Each peer generates a public DH key, derived from its private key together with the prime p and the primitive root g. For A it is Ya = g^Xa mod p, for B it is Yb = g^Xb mod p.
4- The public keys Ya and Yb are exchanged in public.
5- Each peer generates a shared secret number ZZ by combining the public key received from the other peer with its own private key. For A, ZZ = Yb^Xa mod p; for B, ZZ = Ya^Xb mod p.

The shared secret number ZZ is used to derive the encryption and authentication keys.

Example illustrating the operation of the DH key exchange algorithm:
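The RSA steps above (Miller-Rabin primality test, extended Euclid for d = e^-1 mod φ(n), y = x^e mod n and x = y^d mod n) together with the digital-signature method of section 4.1 c) (encrypt the hash with the private key, verify with the public key), in an added example that is not part of the thesis. The signature here hashes with SHA-256 and reduces the hash modulo n, with no padding scheme; a real deployment uses a standard padding such as PKCS#1, which is an assumption outside this page.

```python
import hashlib
import random


def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Probabilistic primality test (the Miller-Rabin test the text names for large p, q)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:           # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False        # a is a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    """Step 1: draw odd candidates of the wanted size until one passes the primality test."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand


def egcd(a: int, b: int):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e: int, phi: int) -> int:
    """d = e^-1 mod phi(n), which exists only when gcd(e, phi(n)) = 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return x % phi


def make_keys(p: int, q: int, e: int = 65537):
    """Step 1 from given primes: n = p*q, phi(n) = (p-1)(q-1), Ku = [e, n], Kr = [d, n]."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (e, n), (modinv(e, phi), n)


def generate_keys(bits: int = 512, e: int = 65537):
    """Full key generation with random primes; retries until gcd(e, phi(n)) = 1."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and egcd(e, (p - 1) * (q - 1))[0] == 1:
            return make_keys(p, q, e)


def encrypt(pub, x: int) -> int:
    """Step 2: y = x^e mod n for a message block x < n."""
    e, n = pub
    if not 0 <= x < n:
        raise ValueError("message block must be smaller than n")
    return pow(x, e, n)


def decrypt(priv, y: int) -> int:
    """Step 3: x = y^d mod n."""
    d, n = priv
    return pow(y, d, n)


def _hash_to_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """Digital signature (section 4.1 c): the hash of the message is encrypted with the private key."""
    d, n = priv
    return pow(_hash_to_int(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """The receiver recomputes the hash and compares it with the signature decrypted by the public key."""
    e, n = pub
    return pow(signature, e, n) == _hash_to_int(message, n)


if __name__ == "__main__":
    pub, priv = make_keys(61, 53, e=17)        # small textbook primes: n = 3233, d = 2753
    print(encrypt(pub, 65), decrypt(priv, encrypt(pub, 65)))
```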


[Figure (DH exchange walkthrough): the same six steps, run by peer A on the left and peer B on the right.
1. A generates a very large prime p; B generates a very large prime q. A sends p to B; B sends q to A. Each receives the other's number and generates g.
2. A generates its local key Xa; B generates its local key Xb.
3. A generates its public key Ya = g^Xa mod p; B generates its public key Yb = g^Xb mod p.
4. A sends the public key Ya; B sends the public key Yb.
5. A generates the shared secret number ZZ = Yb^Xa mod p; B generates ZZ = Ya^Xb mod p.
6. Each generates the shared encryption key from ZZ (DES, 3DES, AES, ...).]
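The five DH steps and the six-step walkthrough above, as an added example that is not part of the thesis: both peers are run side by side, the shared number ZZ is checked to be equal on both sides, and step 6 (deriving a cipher key of the wanted length from ZZ) is done with a SHA-256 hash, which is this example's choice rather than anything the text prescribes. The tiny parameters p = 23, g = 5 are for illustration only; the primitive-root check is brute force and only works for such small p.

```python
import hashlib
import secrets


def is_primitive_root(g: int, p: int) -> bool:
    """True if g generates all of Z_p^* (its order is exactly p - 1). Brute force: small p only."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = x * g % p
        seen.add(x)
    return len(seen) == p - 1


class Peer:
    """One DH peer holding the agreed parameters (p, g), its private key X and public key Y."""

    def __init__(self, p: int, g: int, private: int = None):
        self.p, self.g = p, g
        # Step 2: private key X in [1, p - 2], never sent anywhere
        self.private = private if private is not None else secrets.randbelow(p - 2) + 1
        # Step 3: public key Y = g^X mod p, the only value that leaves this peer
        self.public = pow(g, self.private, p)

    def shared_secret(self, other_public: int) -> int:
        """Step 5: ZZ = Y_other^X mod p."""
        if not 1 < other_public < self.p - 1:
            raise ValueError("peer public key outside the valid range")
        return pow(other_public, self.private, self.p)


def derive_key(zz: int, p: int, length: int) -> bytes:
    """Step 6: turn the shared number ZZ into a cipher key of the wanted size
    (16 bytes for AES-128, 24 bytes for 3DES). Hashing ZZ is this example's choice."""
    zz_bytes = zz.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(zz_bytes).digest()[:length]


def run_exchange(p: int, g: int, xa: int = None, xb: int = None):
    """Run both sides (step 4 is the exchange of a.public and b.public over the open channel).
    Returns (Ya, Yb, ZZ computed by A, ZZ computed by B)."""
    a, b = Peer(p, g, xa), Peer(p, g, xb)
    zz_a = a.shared_secret(b.public)
    zz_b = b.shared_secret(a.public)
    return a.public, b.public, zz_a, zz_b


if __name__ == "__main__":
    ya, yb, zz_a, zz_b = run_exchange(23, 5, xa=6, xb=15)
    print(ya, yb, zz_a, zz_b, derive_key(zz_a, 23, 16).hex())
```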

Conclusion of chapter 4: In this chapter we examined the security problem in the VPN virtual network system and the encryption algorithms that encrypt data as it travels over the Internet. These prevent unauthorised intrusions by outside hackers and increase the safety of the whole VPN system.


Chapter 5 - APPLICATION AND INSTALLATION OF THE VIRTUAL NETWORK SYSTEM


Starting from the concepts and definitions of virtual network systems studied in the previous chapters, we now deploy and install the system in a virtual lab, using the supporting software VMware and the Windows Server 2008 operating system. In this chapter we look at 3 forms of VPN virtual network system:
+ VPN client-to-site using RADIUS.
+ VPN client-to-site using a CA.
+ VPN site-to-site.

5.1 - Installing and deploying the virtual lab system with VMware [1]

5.1.1 - VPN client-to-site

a) Client using RADIUS (Remote Authentication Dial In User Service)

Building a VPN virtual network system is easy to do, but running a VPN into a network whose security and authentication mechanisms are not implemented well is very dangerous because of threats from the outside Internet. When a user makes a VPN connection, packets are easily intercepted on the network by a hacker, which is genuinely dangerous. That is why, when building a VPN, we must plan security so that it is as safe as possible. Through authentication and the use of new technologies we can be confident that our VPN network is protected. Here we use VPN technology authenticated with RADIUS. In this model, it is recommended that the VPN server not be a member of the domain, because that would make it very easy to attack from a hacker; the model is very dangerous if security is not handled carefully. So how can we create a VPN connection from the outside into the domain system when, without joining the domain, the VPN server cannot obtain user names and passwords? For this Microsoft built the RADIUS server system. We build a RADIUS server whose function is to link the users in the domain's AD and provide them to the VPN server to establish VPN connections. The VPN server is then the RADIUS client. Through RADIUS we can also deploy many other network services and applications. To build a VPN connection into the domain system using RADIUS we proceed as follows:

System model

In this lab model we use a system of 3 machines: 2 servers and a client, the latter being a user outside the system on the Internet connecting into the domain through VPN. Here the domain server is also the RADIUS server: it issues the RADIUS authentication for the VPN server and retrieves the user name and password information from AD for the VPN clients. The server runs Windows Server 2008 Enterprise edition. It acts as the domain controller representing the company's network, the place the VPN connection points to. The VPN server also runs Windows Server 2008 Enterprise. It has 2 network cards: one connecting to the Internet and one connecting to the internal network. The VPN client runs Windows XP Professional; it is a machine on the outside Internet belonging to a remote user. There are thus 2 network segments. The company LAN is connected to a central hub or switch, and we use the addresses 192.168.1.0/24 for the machines of the company network. Below is the procedure for each machine in the system.

* Installing the DC machine

On the DC machine we use Windows Server 2008 Enterprise and deploy a domain controller, using 1 network card assigned the following IP address:

Next we build the domain controller: run the Active Directory Installation Wizard (execute dcpromo.exe) to create a new domain named bhxh.com. During installation we should set the Domain Functional Level to Windows Server 2003 (because some services are not supported on Windows Server 2000). During installation the system also asks whether to install DNS; we install this service as well. The installation takes a few minutes, after which the machine restarts. Next we install and configure the RADIUS service for VPN authentication. This service is installed on the domain controller itself, which then also takes on the role of RADIUS server. To install RADIUS we proceed as follows: open Server Manager, select Roles and add a role; when the wizard opens a new form, click Next, on the next form choose the role Network Policy and Access Services and click Next, on the following form choose the Network Policy Server service, then Next, and finally choose Install and wait while the service is installed.

The installation is complete, and we now configure RADIUS. Go to Start -> Administrative Tools -> Network Policy Server. A window appears that allows RADIUS to be configured. Choose RADIUS Clients -> New RADIUS Client.

Enter the information as in the figure -> OK. When that is done we must make the domain's user information available to RADIUS (because the VPN server is not joined to the domain it cannot obtain users for authentication; this step retrieves the domain users so that the VPN clients can be authenticated). Store the AD information in NPS as follows:


At this point the RADIUS server configuration is complete.

* Installing and configuring the VPN server

For the VPN server we also use Windows Server 2008 for installation and configuration. The VPN server has 2 network cards (1 Host-only and 1 VMnet2): one card connects to the LAN in the 192.168.1.0/24 range, the other connects to the Internet, in the Internet range of 203.113.150.1. This VPN server is not joined to the domain controller (it could also be a Cisco hardware device). The inside (In) network card has the following address:


The outside (Out) network card has the following address:


Then continue installing services on the VPN server by adding roles. Run Server Manager and choose the roles to add. Choose the role named Network Policy and Access Services -> Next and choose the role service Routing and Remote Access Services -> Next. The installation takes a few minutes. Once it is finished we configure the Routing and Remote Access service as follows: go to Start -> Administrative Tools -> Routing and Remote Access ->


When the configuration window appears, choose as shown above. In the next window choose Custom configuration -> tick VPN access -> click Finish and start the service. Next, click as follows:


In the window that appears next, select the Security tab, choose RADIUS Authentication as the authentication method and click Configure -> here add the server name (the exact server name) and enter the key used to connect to the RADIUS server, then click OK. Next, under Accounting Provider choose RADIUS Accounting and configure it in the same way. Then, on the IPv4 tab, add an IP range to be assigned to VPN clients when they connect into the network ->

Then choose OK -> Apply. This completes the VPN server configuration. Next we create the connection on the VPN client (running Windows XP), the machine that represents the remote user, as follows. The VPN client has 1 network card on VMnet2 with IP address 203.113.150.2 and subnet mask 255.255.255.0. Before creating the connection, a user that is allowed to log on to the domain must be created on the domain controller for the connection and authentication. (To create the user on the DC, open AD, add a new user, and allow this user to connect remotely on the Dial-in tab.) Create the VPN client connection by choosing New Connection Wizard -> tick Connect to the network at my workplace -> choose Virtual Private Network connection -> give the connection a name (VPN Using RADIUS) -> enter the IP address of the VPN server (the address of the network card that connects to the Internet, 203.113.150.1) -> Finish.


Once the connection is created, we connect to the site by entering the user name and password created in the DC's AD. Authentication succeeds, and we can now work with the internal network as if the machine were connected directly to the company LAN.

b) VPN using a CA (certificate authentication)

Ordinary authentication methods are still not highly secure and can be attacked by people with bad intentions. Certificate authentication is the most secure, and the most common form uses the strongest authentication method, EAP-TLS, with a smart card or a certificate. With user name and password authentication, what is sent over the Internet is usually plain text, which is easily captured, stolen and decoded, so its security is low. EAP-TLS stands for Extensible Authentication Protocol - Transport Layer Security. A connection based on this protocol requires a user certificate on both the client and the IAS server of the VPN network. This is the most secure mechanism at the user level. System model:

In this lab model we use a system of 3 machines: 2 servers and a client, the latter being a user outside the system on the Internet connecting into the domain through VPN. Here the domain server is also the CA server: it issues the CA certificates for the VPN server and for the VPN clients. The server runs Windows Server 2008 Enterprise edition. It acts as the domain controller representing the company's network, the place the VPN connection points to. The VPN server also runs Windows Server 2008 Enterprise. It has 2 network cards: one connecting to the Internet and one connecting to the internal network. The VPN client runs Windows XP Professional; it is a machine on the outside Internet belonging to a remote user. There are thus 2 network segments. The company LAN is connected to a central hub or switch, and we use the addresses 192.168.1.0/24 for the machines of the company network. Below is the procedure for each machine in the system.

* Building the domain controller and CA server

As in the model above, we build the domain server and install some additional roles to serve the issuing of user certificates. Under Server Roles choose the role named Active Directory Certificate Services and the role Web Server (IIS), because the CA service issues certificates through the IIS service that users access to submit requests. Click Next -> leave the default settings, click Next and install the services. After installation we configure the CA server as follows. First we must issue the VPN server a certificate through a GPO, but before that the VPN server must be joined to the domain in order to receive the certificate. We proceed as follows: go to Start -> Administrative Tools -> Group Policy Management -> when the window opens, choose Default Domain Policy and Edit the policy of the whole domain so that it applies to computers -> navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies -> under Automatic Certificate Request Settings choose New -> Automatic Certificate Request -> choose to apply it to Computer. When that is created, click Auto-Enrollment Properties ->


Set Auto-Enrollment to Enabled, then click OK. Run a GPO update to apply the policy. After the VPN server logs on again it can receive the certificate. After restarting the VPN server, go to Run -> mmc to check whether the certificate has been issued to the VPN server. When the mmc window opens, add the Certificates snap-in and check -> when adding the Certificates snap-in, choose Computer account -> Finish.


Here we see that the VPN server has been issued a computer certificate. The CA service runs on IIS, so once the CA and IIS are installed the machine is by default already a CA server; nothing more needs to be configured on the CA server. Now we create users in AD and allow them to connect once configuration is finished. On the DC we create 2 users: 1 for an ordinary VPN connection and 1 for a VPN connection using CA authentication. Go to Start -> Administrative Tools -> Active Directory Users and Computers -> in AD, create the user.


Enter the user's name, logon account and password -> choose Finish. Then open the user's properties, select the Dial-in tab and tick Allow access so that the user can access the company's internal network. In the same way, create another user, bnv@bhxh.com, to log on with the CA authentication mechanism. Then we configure the VPN server.

* On the VPN server, configure as follows:

First we need to install the Network Policy and Access Services service, just as we installed it on the VPN server in the RADIUS section. After installation we configure it in the same way as in the RADIUS section, except that on the Security tab -> Authentication Methods -> EAP Methods


Select it and click OK -> then switch to the IPv4 tab and enter the IP range to be assigned when VPN machines connect to the system.

Then click OK. Next, configure the Network Policy Server service (the policy applied to the network). Go to Start -> Administrative Tools -> Network Policy Server.

Under Policies choose Network Policies -> New to create a new policy. Under Policy Name enter the policy name, and under Type of network access server choose Remote Access Server (VPN-Dial up) -> then add the groups allowed to connect remotely to the policy. Next, under Specify Access Permission choose Access granted and Access is determined by User Dial-in properties (which override NPS policy) -> Next

Choose OK, then Next -> leave the defaults and click Finish. This completes the VPN server configuration. Finally we configure the workstation and connect it to the system. On the workstation we first create an ordinary VPN connection and use it to obtain a certificate from the CA server. Choose New Connection Wizard -> Connect to the network at my workplace -> Virtual Private Network Connection -> name the connection (VPN Thường) -> enter the IP address of the VPN server this connection points to, and finally choose Finish. Then connect the VPN to the domain with the user name and password issued earlier to establish a connection to the DC server.


Once the connection succeeds, we obtain a certificate for the user bnv@bhxh.com from the CA server as follows:


Choose the user to be certified -> choose Request a certificate -> choose User Certificate -> choose Submit -> choose Install this certificate.

At this point the certificate for user bnv has been issued, and we begin configuring the connection for this user. Create a connection named VPN Using CA. In the authentication window we do not enter a user name and password; instead choose Properties -> select the Security tab -> Advanced (Custom settings) -> Settings... ->


Here choose the option Use -> and choose Smart card or other certificate -> then choose Properties ->


Here tick the options as shown above -> OK


A notification like this then appears -> the connection is complete. We can now work with the internal LAN.

5.1.2 VPN Site to Site


By using a dedicated device and a wide-area security mechanism, a company can connect many sites over a public network such as the Internet. A site-to-site VPN is simply a VPN connection between two branches. Through this connection, companies can communicate and work together conveniently and securely. The Windows-based site-to-site VPN model is suited to small companies whose workload requirements are modest and whose budget and costs are low. System model:

In this model we build a Windows-based site-to-site VPN connection. The 2 sites are at the two ends of the Internet; the mechanism is much like the client VPN, but here users are used in both directions to connect. We use 3 different IP ranges corresponding to 3 networks: the Hanoi site network, the Internet, and the Ho Chi Minh City site network. 2 servers running Windows Server 2008 represent the 2 sites, and 2 workstations run Windows XP. The concrete procedure for building the system follows.

* Building the Hanoi VPN server

This server uses 2 network cards on 2 networks, host-only and VMnet2, with the following IP addresses respectively:


The server has a domain controller and the AD service to provide user names and passwords on behalf of the Hanoi site. Next, install the Routing and Remote Access service by adding the role Network Policy and Access Services -> the installation proceeds as in the client-to-site model. Once the service is installed we configure it; the configuration is also much like the client-to-site configuration. On the VPN server open the Routing and Remote Access service -> Configure and Enable -> then choose VPN as the connection method (a site-to-site connection is basically the same as a client-to-site connection) -> choose Finish to end. Then we assign the IP address range for the machines of the second site when they connect to the system, as follows:


Then click OK. The difference here lies in setting up the connection.

We create a new connection with New Demand-dial Interface and then set its parameters. In the window that appears next, enter the connection name -> choose the connection type Connect using virtual private network (VPN) -> choose the protocol Point to Point Tunneling Protocol (PPTP) -> enter the address of the Ho Chi Minh City VPN server -> choose the protocol and security method used to authenticate the other site when it connects -> then add a static route to ensure routing (the network for the remote site). This route lets the 2 networks reach each other.


Then click OK -> next configure the password of the user that will connect into the site -> then set the Dial-Out Credentials, the information the user from inside the network uses to connect outward -> Finish.

We have thus created an authenticated connection to the Ho Chi Minh City site.

* Building the Ho Chi Minh City VPN server

This server also uses 2 network cards with the following IP addresses:


On this server we install and configure in the same way as the Hanoi VPN server, but the demand-dial interface is configured the other way round from the connection above. We proceed as follows: assign the IP range for the Hanoi VPN site to connect into.

In the demand-dial interface we configure the parameters in reverse so that the Hanoi site can connect in.



Name the interface hn -> Next -> choose the connection method -> choose the PPTP connection protocol -> enter the IP address of the Hanoi VPN server


Then choose Next ->

Then add the static route range

Then enter the password for the Hanoi site user that connects into the network -> confirm the Dial-Out Credentials used to connect out of the site -> Finish. The connection setup is now complete and we connect the 2 VPN servers of the 2 sites as follows:


Right-click the interface hn and choose Connect -> after a short wait the connection status shows Connected, and if the other site also shows Connected, the connection between the 2 sites has succeeded.

To test the connection we use a VPN client machine. The Hanoi VPN client has 1 network card with the following IP address: IP: 192.168.1.2, subnet mask: 255.255.255.0, default gateway: 192.168.1.1. From the workstation we ping the address 192.168.2.1, an address on the other network, and see replies. The connection is successful.


After the connection is made:

5.2 Evaluation of the results

Building a virtual private network system is an urgent and very necessary task in the current work of companies and large corporations. Depending on the business needs and financial means of each company, enterprise and corporation, different connection technologies are used. They may be hardware- or software-based, but the systems that use VPN virtual private networks are fundamentally alike in how they are built and how they are secured. Having built the virtual network system on VMware as above, applying it in practice is no longer difficult. Applying the models built in this report to real companies and organisations will bring real benefit to their work, especially for small and medium-sized companies with low budgets. Through building this VPN virtual network system, bringing information technology and its great applications into people's lives and work becomes very easy, effective and safe because of the value it provides.

Conclusion of chapter 5: In this chapter we built the 3 kinds of VPN virtual network system in the virtual lab. From this virtual lab the systems can be deployed directly into small networks at enterprises and companies at the lowest cost while yielding high effectiveness, meeting business requirements and the ever higher demands of the information technology society.


CONCLUSION AND FUTURE DIRECTIONS


Virtual private network (VPN) technology makes it possible to use the public network infrastructure to build a private WAN, with advantages in cost, unlimited reach, and flexibility in deployment and expansion. VPNs are very useful today and will remain useful in the future. Standards are being enforced, which will improve interoperability and manageability. Network quality over VPNs will also improve, allowing new applications such as video conferencing, IP telephony and multimedia services. In this thesis we studied a number of technical issues involved in implementing VPNs. The main points are:
- The basic concepts and characteristics of the tunnelling protocols L2F, PPTP, L2TP and IPSec, and the operating principles of VPNs based on these tunnelling protocols.
- Among the available tunnelling protocols, IPSec meets the high requirements for data security well and is the main solution for securing the VPNs of organisations and companies. However, IPSec supports only unicast IP traffic; when unicast IP packets are tunnelled, the single encapsulation type that IPSec provides is simple to configure and to repair.
- To tunnel multicast IP traffic, L2TP can be used; for traffic that uses Microsoft networks and devices, L2TP is the best choice. L2TP is also suited to remote-access VPNs that must support multiple protocols. However, L2TP does not support data encryption or data integrity, so using IPSec in combination with L2TP is the complete solution.
- The basic network components of a VPN, the issues to be aware of, and the requirements on the ISP and on the hardware and software devices used to build a VPN network. A favourable point is that, thanks to today's technology, hardware and software devices integrate many functions into a single device that is very easy to use and manage. Furthermore, the public network infrastructure is improving steadily, so building a VPN network is easier and the quality of VPNs is better, meeting the needs of new services. In this report we also built several VPN models that can be applied in practice.
- A number of security issues in VPNs: securing data against unauthorised access and modification through a number of protocols and through authentication in the system.
- VPN management issues, including security management, address management and quality management.

In the trend towards globalisation and commercialisation, IP networks are being designed to communicate uniformly around the World Wide Web (WWW) and extranets, suited to commercial and business transaction applications. Extranets are usually set up between business partners and are driven by the need for detailed business applications, faster processing and better audit control, whereas VPNs were developed from the need to provide secure communication over the shared Internet for any kind of traffic, regardless of the application. In the future, therefore, VPNs will be extended to extranets. An extranet can be built on the basis of a VPN; the main steps in extending a VPN to an extranet are to grant the extranet partners access rights to specific internal resources and to add the partner database to the authentication systems.

Finally, because VPNs involve many complex protocols and algorithms, and the time and scope of our study were incomplete, this thesis still has many shortcomings. We respectfully ask our teachers and friends to supplement and comment on our report so that it can be improved further.


REFERENCES


Vietnamese
[1] MCITP programme course book, BKACAD Information Technology Network Academy.
[2] Trí Việt, Hà Thành, Tự học bảo mật và quản trị mạng (Self-study network security and administration), Nxb Văn hóa Thông tin.
[3] Vương Phúc, Xây dựng mạng VPN với giao thức PPTP (Building a VPN network with the PPTP protocol), Nxb Giao thông vận tải.
[4] Hùng Phúc, KS. Nguyễn Ngọc Tuấn, Công nghệ bảo mật (Security technology), Nxb Thống kê.

English
[5] Cisco Secure Virtual Private Networks (Volumes 1 and 2), Copyright 2001, Cisco Systems, Inc.
[6] Security Protocols Overview, Copyright 1999, RSA Data Security, Inc.
[7] VPN Technologies: Definitions and Requirements, Copyright 2002, VPN Consortium.

Web
[8] http://quantrimang.com
[9] http://nhatnghe.com
[10] http://thuviendientu.org/
[11] http://www.microsoft.com/
[12] http://tailieudientu.net

