
IPsec: a complete guide

IPsec (IP security) is a suite of protocols for securing communication over the Internet Protocol (IP). It authenticates and/or encrypts each IP packet of a data stream, and it also includes the protocols used to negotiate the keys and algorithms that this encryption and authentication require.

Contents
1. Overview
2. Security architecture
3. Standards status
4. Design requirements
5. Modes
5.1. Transport mode
5.2. Tunnel mode
6. Technical details
6.1. Authentication Header (AH)
6.2. Encapsulating Security Payload (ESP)
7. Implementations

1. Overview

IPsec operates at the network layer (layer 3 of the OSI model). The other widely used Internet security protocols, such as SSL, TLS and SSH, operate at the transport layer and above (layers 4 to 7 of the OSI model). This is what makes IPsec flexible: because it sits below layer 4, it can protect TCP, UDP and nearly every other protocol carried over IP without those protocols being aware of it. That is also its main advantage over SSL and the other mechanisms that work at the upper layers: an application gains IPsec protection without any change to its code, whereas an application that must use SSL or another upper-layer security protocol generally needs substantial code changes.

2. Security architecture

IPsec is implemented through (1) cryptographic protocols that protect packets in transit, (2) authentication mechanisms and (3) a procedure for establishing the cryptographic parameters. The central concept is the security association (SA): the combination of algorithms and parameters (such as keys) that encrypt and authenticate traffic in one direction. Because an SA covers only one direction, two-way communication needs a pair of SAs, one per direction, that are negotiated together. The actual choice of encryption and authentication algorithms is left to the IPsec administrator, because IPsec is a framework of security protocols that can encrypt and authenticate every IP packet, not a single fixed algorithm.
To decide what protection to apply to an outgoing packet, IPsec consults the Security Association Database (SADB). Each entry is identified by a Security Parameter Index (SPI), an index into the database (much like an entry number in a telephone directory) which, together with the destination address in the packet header, uniquely identifies the security association for that packet. The same procedure is followed for incoming packets: IPsec looks up the SPI and destination address in the SADB to obtain the keys needed for decryption and verification.

For multicast, an SA is established for the whole group and is duplicated to every authorized receiver in the group. There may be more than one SA per group, each with a different SPI, which allows several levels of security within one group. Each sender may also hold several SAs, which allows authentication, since the receiver can only know that someone holding the keys sent the data. The standards do not describe how the SA is chosen and duplicated from the group to its individual members; it is assumed that a responsible party has made that choice.

3. Standards status

IPsec is a mandatory part of IPv6 (later relaxed to a recommendation by RFC 6434) and optional in IPv4. Although the standards were designed to be the same for both IP versions, deployment today is mostly on IPv4. The IPsec protocols were originally defined in RFC 1825 through 1829, published in 1995. In 1998 they were superseded by RFC 2401 through 2412, which are not compatible with RFC 1825 through 1829. In December 2005 a third generation of the standards, RFC 4301 through 4309, was published. It differs little from RFC 2401 through 2412, but it adds the second version of the Internet Key Exchange (IKEv2). In this generation the abbreviation for IP security is written "IPsec", and the new ESP specification (RFC 4303) is sometimes called "ESPbis" to distinguish it from the ESP of the earlier generation.

4. Design requirements

IPsec offers a transport mode (end-to-end), which secures traffic between two hosts that communicate directly, and a tunnel mode (portal-to-portal), which secures traffic between two networks and is mainly used to build VPNs. IPsec is therefore widely used for VPN connections, but the two modes are deployed quite differently. End-to-end secured communication over the Internet has been slow to arrive, partly because the Public Key Infrastructure (PKI) on which it relies has not become widespread or practical enough.

IPsec provides the following security services:
1. Encryption (confidentiality) of the transmitted data
2. Data integrity
3. Authentication of the communicating peers
4. Protection against replay of packets within a secured session

5. Modes

There are two modes of IPsec operation: transport mode and tunnel mode.

5.1. Transport mode

In transport mode only the payload of the IP packet is encrypted and/or authenticated. Routing is unaffected, because the IP header is neither modified nor encrypted; however, when the Authentication Header is used the IP addresses cannot be translated (for example by NAT), because the addresses are covered by the hash and any change would invalidate it.
The transport and application layers are always protected by the hash, so they cannot be modified in any way (for example, by translating port numbers). Transport mode is used for host-to-host communication. A way of encapsulating IPsec messages so that they can pass through NAT devices has been defined in the RFCs that describe the NAT-T (NAT traversal) mechanism.
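The inbound processing described in section 2 (find the SA by SPI, destination address and protocol, then verify the packet) and the anti-replay service listed in section 4, as an added example that is not code from this page. It keeps a 64-packet sliding replay window per SA in the style of RFC 4303 Appendix A; the key, SPIs, addresses and packets are constructed for the demo, and the ICV is HMAC-SHA1-96 over the SPI, sequence number and payload, as ESP computes it.

```python
"""SADB lookup plus anti-replay sliding window (added example, constructed data)."""
import hashlib
import hmac
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
WINDOW = 64            # replay window size; RFC 4303 requires at least 32
ICV_LEN = 12           # HMAC-SHA1-96 truncated ICV (RFC 2404)
SEQ_MAX = 0xFFFFFFFF   # 32-bit sequence number: rekey the SA before it wraps


class SecurityAssociation:
    """One direction of protected traffic, identified by (SPI, dst, proto)."""

    def __init__(self, spi, dst, proto, auth_key):
        self.spi, self.dst, self.proto, self.auth_key = spi, dst, proto, auth_key
        self.highest_seq = 0   # right edge of the window (highest verified seq)
        self.bitmap = 0        # bit k set = packet (highest_seq - k) already accepted
        self.send_seq = 0      # outbound counter on the sender's copy of the SA

    def icv(self, seq, body):
        # ESP's ICV covers the SPI, the sequence number and the protected payload
        msg = struct.pack("!II", self.spi, seq) + body
        return hmac.new(self.auth_key, msg, hashlib.sha1).digest()[:ICV_LEN]

    def replay_ok(self, seq):
        """Window check only; no state change until the ICV has been verified."""
        if seq == 0:
            return False                       # the first packet on an SA carries seq 1
        if seq > self.highest_seq:
            return True                        # right of the window: a new packet
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False                       # left of the window: too old
        return not (self.bitmap >> offset) & 1  # inside the window: reject duplicates

    def replay_update(self, seq):
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.bitmap |= 1 << (self.highest_seq - seq)

    def protect(self, body):
        """Sender side: next sequence number plus ICV; refuse to wrap the counter."""
        if self.send_seq >= SEQ_MAX:
            raise RuntimeError("sequence number exhausted: rekey the SA")
        self.send_seq += 1
        return self.send_seq, self.icv(self.send_seq, body)


SADB = {}   # keyed by (SPI, destination address, protocol), as section 2 describes


def add_sa(sa):
    SADB[(sa.spi, sa.dst, sa.proto)] = sa


def process_inbound(dst, proto, spi, seq, body, tag):
    """Receiver side: SA lookup, replay check, ICV check, then window update."""
    sa = SADB.get((spi, dst, proto))
    if sa is None:
        return "drop: no SA"
    if not sa.replay_ok(seq):
        return "drop: replay"
    if not hmac.compare_digest(sa.icv(seq, body), tag):
        return "drop: bad ICV"
    sa.replay_update(seq)                      # only a verified packet moves the window
    return "accept"


def demo():
    """Constructed scenario: 100 packets sent, delivered out of order and replayed."""
    key = b"constructed-demo-key-not-for-real-use"
    sender = SecurityAssociation(0x1000, "10.0.0.2", IPPROTO_ESP, key)
    add_sa(SecurityAssociation(0x1000, "10.0.0.2", IPPROTO_ESP, key))
    sent = {}
    for i in range(1, 101):
        body = b"payload-%d" % i
        seq, tag = sender.protect(body)
        sent[seq] = (body, tag)
    deliver = lambda seq: process_inbound("10.0.0.2", IPPROTO_ESP, 0x1000, seq, *sent[seq])
    return {
        "seq 1 first": deliver(1),
        "seq 100 jump": deliver(100),
        "seq 50 in window": deliver(50),     # out of order, but within 64 of 100
        "seq 50 replayed": deliver(50),      # same packet delivered again
        "seq 1 replayed": deliver(1),        # now left of the window
        "seq 20 too old": deliver(20),       # never seen, but 100 - 20 >= WINDOW
        "wrong SPI": process_inbound("10.0.0.2", IPPROTO_ESP, 0x1001, 99, *sent[99]),
        "forged tag": process_inbound("10.0.0.2", IPPROTO_ESP, 0x1000, 99,
                                      sent[99][0], b"\x00" * ICV_LEN),
        "seq 99 genuine": deliver(99),       # the forged copy did not burn seq 99
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The order of the checks is the point: the replay window is consulted before the ICV (so a flood of old packets costs no HMAC work) but updated only after the ICV verifies, otherwise an attacker could advance the window with forged packets and make the sender's genuine ones "too old".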

5.2. Tunnel mode

In tunnel mode the entire IP packet (data and header) is encrypted and/or authenticated. It is then encapsulated in a new IP packet, whose outer header is what the routers along the path use for routing. Tunnel mode is used for network-to-network communication (secure tunnels between routers or gateways), host-to-network communication (remote user access) and host-to-host communication over the Internet.

6. Technical details

Two protocols have been developed to secure packets of both IPv4 and IPv6:
- IP Authentication Header (AH), which provides integrity and authentication.
- IP Encapsulating Security Payload (ESP), which provides confidentiality and, optionally, authentication and integrity.

The algorithms used with IPsec include HMAC-SHA1 for integrity protection and TripleDES-CBC and AES-CBC for confidentiality. The full list is given in RFC 4305. (RFC 4305 has since been replaced, most recently by RFC 8221, which advises against TripleDES-CBC and recommends AES-based algorithms, so a new deployment should not rely on the 2005 list.)

6.1. Authentication Header (AH)

AH is used for connections that need no confidentiality of the data. It can also protect against replay attacks by means of a sliding window technique, discarding packets that fall before the window or have already been seen. AH protects the IP payload and all fields of the IP header except the mutable fields, that is, those that may legitimately change in transit. In IPv4 the mutable, and therefore unauthenticated, header fields are TOS, Flags, Fragment Offset, TTL and Header Checksum. The AH header is placed directly after the IP header. Its layout is shown below.

 0 - 7 bit      | 8 - 15 bit     | 16 - 23 bit    | 24 - 31 bit
----------------+----------------+----------------+----------------
 Next header    | Payload length |           RESERVED
----------------+----------------+---------------------------------
                  Security parameters index (SPI)
-----------------------------------------------------------------
                  Sequence number
-----------------------------------------------------------------
                  Authentication data (variable)
-----------------------------------------------------------------

Meaning of the fields:
- Next header: identifies the protocol of the data carried after the AH (for example 6 for TCP).
- Payload length: the length of the AH itself, expressed in 32-bit words minus 2 (for an AH with a 96-bit ICV the field is 4).
- RESERVED: reserved for future use (set to zero at present).
- Security parameters index (SPI): identifies the security parameters; combined with the destination IP address it identifies the security association that applies to this packet.
- Sequence number: a number that increases by one for every packet sent, used to defend against replay attacks.
- Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.

6.2. Encapsulating Security Payload (ESP)

The ESP protocol provides authentication, integrity and confidentiality for the packet. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is insecure and should be avoided. Unlike AH, ESP in transport mode does not protect the IP header (including any IP options). ESP operates directly on top of IP and is carried as IP protocol number 50; AH is IP protocol number 51.

 0 - 7 bit      | 8 - 15 bit     | 16 - 23 bit    | 24 - 31 bit
----------------+----------------+----------------+----------------
                  Security parameters index (SPI)
-----------------------------------------------------------------
                  Sequence number
-----------------------------------------------------------------
                  Payload data (variable)
-----------------------------------------------------------------
                  Padding (0-255 bytes)
-----------------------------------------------------------------
                                 | Pad length     | Next header
-----------------------------------------------------------------
                  Authentication data (variable)
-----------------------------------------------------------------

Meaning of the fields:
- Security parameters index (SPI): identifies the security parameters; combined with the destination IP address it identifies the security association.
- Sequence number: increases by one for every packet, to defend against replay attacks.
- Payload data: the data being transmitted (encrypted when confidentiality is in use).
- Padding: used with block ciphers to bring the data up to a multiple of the cipher block size.
- Pad length: the size of the padding in bytes.
- Next header: identifies the protocol of the data carried in the payload.
- Authentication data: contains the authentication data (ICV) for the packet.

7. Implementations

IPsec is normally implemented in the operating system kernel, while key management and the ISAKMP/IKE negotiation are carried out by user-space daemons. Because the interface for key management is standardized (the PF_KEY API, RFC 2367), a user-space key manager can install and update the security associations held by the kernel. IPsec has been deployed in the Linux kernel in this way. The FreeS/WAN project was the first complete open-source implementation of IPsec for Linux; it consisted of a kernel IPsec stack (KLIPS), a key management daemon and many shell scripts. The FreeS/WAN project ended in March 2004; Openswan and strongSwan are continuations of it. The KAME project also implemented complete IPsec support for NetBSD and FreeBSD; its key management daemon is called racoon. OpenBSD wrote its own ISAKMP/IKE daemon, simply named isakmpd, which has also been ported to other systems, including Linux.
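The two header layouts above, built and parsed on constructed packets, as an added example that is not code from this page. It assumes IPv4 without options, HMAC-SHA1-96 (12-byte ICV, RFC 2404) for both AH and ESP, and ESP with the NULL cipher (RFC 2410) so that the trailer stays readable without decryption; the key, addresses and the stand-in TCP segment are made up for the demo. The AH side also shows why AH and NAT do not mix: rewriting the source address leaves the ICV invalid, while the mutable fields (TTL, checksum) are excluded from it.

```python
"""Build, parse and verify AH and ESP-NULL packets (added example, constructed data)."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_IPV6, IPPROTO_ESP, IPPROTO_AH = 4, 6, 41, 50, 51
ICV_LEN = 12                                      # HMAC-SHA1-96
KEY = b"constructed-auth-key"                     # dummy key for the demo
TCP_SEGMENT = b"\x04\xd2\x01\xbb" + b"GET / HTTP/1.0\r\n"   # stand-in TCP payload


def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(hdr):
    """AH excludes TOS, flags/fragment offset, TTL and checksum from the ICV.
    The addresses are not mutable, so a NAT rewrite invalidates the ICV."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah_packet(key, src, dst, payload, spi, seq, next_header=IPPROTO_TCP):
    payload_len = (12 + ICV_LEN) // 4 - 2         # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    tag = icv(key, zero_mutable_ipv4(ip) + ah + bytes(ICV_LEN) + payload)
    return ip + ah + tag + payload


def parse_ah_packet(key, packet):
    ip, rest = packet[:20], packet[20:]
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_total = (payload_len + 2) * 4
    tag, payload = rest[12:ah_total], rest[ah_total:]
    expected = icv(key, zero_mutable_ipv4(ip) + rest[:12] + bytes(len(tag)) + payload)
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload,
            "icv_ok": hmac.compare_digest(tag, expected)}


def rewrite_src(packet, new_src):
    """What a NAT does: replace the source address and fix the header checksum."""
    ip = bytearray(packet[:20])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def build_esp_null_packet(key, spi, seq, payload, next_header):
    pad_len = (-(len(payload) + 2)) % 4           # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # default padding pattern 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + struct.pack("!BB", pad_len, next_header))
    return body + icv(key, body)                  # ICV covers header, payload and trailer


def parse_esp_null_packet(key, esp):
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    payload = body[8:len(body) - 2 - pad_len]
    # Tunnel mode carries a whole IP packet, so Next Header is IP-in-IP (4) or IPv6 (41)
    mode = "tunnel" if next_header in (IPPROTO_IPIP, IPPROTO_IPV6) else "transport"
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload,
            "mode": mode, "icv_ok": hmac.compare_digest(tag, icv(key, body))}


def demo():
    ah = build_ah_packet(KEY, "192.168.1.10", "192.168.1.20", TCP_SEGMENT, 0x1000, 1)
    inner = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_TCP, 20 + len(TCP_SEGMENT)) + TCP_SEGMENT
    return {
        "ah": parse_ah_packet(KEY, ah),
        "ah_after_nat": parse_ah_packet(KEY, rewrite_src(ah, "203.0.113.9")),
        "esp_transport": parse_esp_null_packet(
            KEY, build_esp_null_packet(KEY, 0x2000, 7, TCP_SEGMENT, IPPROTO_TCP)),
        "esp_tunnel": parse_esp_null_packet(
            KEY, build_esp_null_packet(KEY, 0x2001, 8, inner, IPPROTO_IPIP)),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r.get("mode", "ah"), "icv_ok=%s" % r["icv_ok"])
```

With a real cipher the ESP payload and trailer are ciphertext, so the receiver decrypts before reading pad length and next header; the ICV check, however, is done first and on the ciphertext, exactly as here, which is what makes authenticate-then-decrypt safe against padding and oracle attacks.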

Deploying IPsec/VPN on Windows Server 2003

The need to reach the internal network from outside the office, to exchange data or to use applications, is increasingly common. It is a legitimate need, but because of security concerns many companies are reluctant to open their internal networks to remote access by their employees.

This article presents a remote-access VPN solution on Windows Server 2003 whose encryption is based on the IPsec protocol, so that the information exchanged stays protected.

VPN

A VPN (virtual private network) is a technology for building a private network over a shared infrastructure to support information sharing and remote access at low cost. In the past, remote access to a network usually meant dial-up Remote Access over the telephone network, which was both expensive and insecure. A VPN lets computers communicate over a shared medium such as the Internet while preserving the privacy and confidentiality of the data. To connect the computers, each packet is wrapped in a header carrying routing information, so that the data can travel from the sender across the shared network to the receiver as if it were travelling along a private pipe, called a tunnel. To keep the traffic private on the shared medium, the packets are encrypted and can only be decrypted with the right keys, which defeats eavesdropping on the path.

Common VPN scenarios:
- Remote Access: gives users outside the company access to data and applications over the Internet, for example to query a database or file server, or to send and receive mail through the company's internal mail servers.
- Site-to-Site: for organizations with several offices or branches that need to exchange data. A multinational company that needs to share information between its Singapore and Vietnam offices, for instance, can build a site-to-site VPN between the two sites, creating a private channel across the Internet for secure and efficient communication.
- Intranet/Internal VPN: in some organizations the traffic between certain departments must stay private and inaccessible to the other departments; an intranet VPN covers this case.

Deploying a VPN requires the following basic components:
- User Authentication: a mechanism that authenticates users, so that only legitimate users can connect to and use the VPN.
- Address Management: assigns a valid IP address to each user after joining the VPN, so that the user can reach resources on the internal network.
- Data Encryption: encrypts data in transit to preserve its privacy and integrity.
- Key Management: manages the keys used to encrypt and decrypt the data.

IPSEC (IP SECURITY PROTOCOL)

Computers on a LAN, a WAN or the Internet must use a common protocol to communicate (just as people need a common language), and today that protocol is TCP/IP. To transmit packets securely we need to add encryption and authentication. There are several ways to do so, and IPsec, which works at the IP layer of TCP/IP, has proved effective and inexpensive to deploy. For authentication and encryption, IPsec can use one or both of the following protocols:
- AH (Authentication Header): the packet header and payload are authenticated (not encrypted), which protects against IP spoofing and man-in-the-middle tampering; the contents of the packet, however, remain readable on the wire.
- ESP (Encapsulating Security Payload): the packet contents are encrypted, which prevents an attacker running a sniffer from reading data captured in transit. This is the method most often used; if the packet header must also be protected, AH and ESP can be combined.

IPsec/VPN on Windows Server 2003

Consider the practical case of Green Lizard Books, a publisher and distributor of cultural products. To improve sales performance, management wants sales staff working outside the office to be able to read the sales reports shared on the file server and, when necessary, to work on their own office computers remotely. Confidential, sensitive data such as revenue reports must also be strongly encrypted in transit. Green Lizard Books has an ADSL line with a static IP address for connectivity between the company and the outside world. Remote users (VPN clients) connect to the VPN server to join the company's virtual private network and are assigned suitable IP addresses to reach internal resources.

We use one Windows Server 2003 machine as the VPN server (named SRV-1), with one network card connected to the internal network (IP 192.168.1.1) and one ADSL connection to the Internet (static IP; with a dynamic IP you would need a dynamic DNS service such as DynDNS.org or No-IP.com). To manage users and resources we also need a domain controller running Windows Server 2003, named SRV-11 (IP 192.168.0.11).

In this model an external client running Windows XP connects over VPN with authentication and encryption based on IPsec ESP. Only the main steps are listed here; the detailed installation and configuration can be followed in the video files (.avi) downloadable from www.pcworld.com.vn.

Step 1: Create the domain controller (dcpromo-srv-11-greenlizardbooks-domain-controller.avi)

Step 2: Join SRV-1 (VPN Server) to the domain (join_srv-1_server_to_domain.avi)

Step 3: Install the VPN server on SRV-1 (install_vpn_server_on_srv-1.avi)

Step 4: Set up VPN client Client-1 and connect it to the VPN server (create_vpn_client_1_and_connect_to_srv-1_vpn_server.avi)

Step 5: Join VPN client Client-1 to the domain (join-vpn-client-1-to-greenlizardbooks_domain.avi)

Step 6: Request digital certificates for the VPN server and the client, used for authentication and encryption (request_certificate_for_vpn_server_and_client.avi)

Step 7: Establish the VPN connection using the L2TP/IPsec protocol (establish_L2TP_VPN_connection.avi)

CONCLUSION

VPN is widely used today to provide secure, efficient access to internal company resources from outside over the Internet. Although it runs on shared infrastructure, the privacy of the data is preserved as if it were travelling on a private network. The software VPN solution presented here suits a small number of users; for a larger user base a hardware VPN solution may be needed.

Using IPsec Policy in Windows


When your important information travels across the network, can you be sure it will not be stolen by a malicious party? Fortunately there are many ways to protect data in transit, and the most common and effective today is IPsec.

PART 1

In this article I cover what IPsec is, the IPsec policies built into Windows, and how to deploy an IPsec policy to protect data on the network.

IPsec is a complete set of protocols that ensures the traffic between two computers is encrypted and protected even on an insecure network; the most typical insecure network is the Internet. IPsec has two main purposes: to protect IP packets and to defend against network attacks. IPsec involves three operations: Encryption, Decryption and Signing. Encryption ensures that data is encrypted before transmission, Decryption ensures that only the intended recipient can decrypt it, and Signing ensures that data is accepted only from a trusted source. Before data is transmitted, the two computers must negotiate: they agree on the encryption method and on the decryption method.

An old-fashioned analogy: encryption and decryption were used long before computers, whenever an important letter had to be sent. One method was to write the letter as numbers giving the coordinates of words in some book (for example "33 32 10" meaning page 33, line 32, word 10); both parties had to know what "33 32 10" meant when they read it, and that agreement is the negotiation. When the recipient received such a letter he could not yet read it, so he sent back another letter saying "I have received your letter". Only when the sender got that acknowledgement did he send a second letter saying, for instance, which novel to use for decoding. With both letters, the ciphertext and the decoding method, the recipient could decode the message. If the courier lost one of the two letters, whoever found it could do nothing with it; and obtaining both is not possible, because the sender releases the decoding key only after the recipient has confirmed receipt of the right letter. In the same sense, IPsec is most often used in site-to-site VPNs, where all traffic between the two VPN servers is encrypted and kept confidential.

How do we use IPsec for the traffic between two machines? In this article I show how to use the IPsec policies in Windows Group Policy. How to reach Group Policy to set up an IPsec policy:

Figure 1: How to reach the IPsec policies in a GPO.

Windows ships three default IPsec policies: Server (Request Security), Client (Respond Only) and Secure Server (Require Security). Note that within one GPO only one of these three can be assigned. To apply several policies, create several GPOs and link them to the relevant OUs in the domain.

1. Server (Request Security). When a server is given this policy, for every connection to it or from it to another machine the server asks to negotiate a security method (within a Windows domain all computers can negotiate security with each other through Kerberos). If the peer can negotiate, for example because it is in the same domain and can use Kerberos, the two machines encrypt the data they exchange. If the peer is not in the domain and cannot negotiate, the data is still transmitted, but in the clear, which does not meet a high security requirement.

Figure 2: Security rules in Server (Request Security).

With this default policy the server asks every IP peer to negotiate security before data is sent, and automatically answers negotiation requests. If negotiation fails, data is transmitted unencrypted. ICMP packets are always permitted and are never encrypted. The default Server (Request Security) policy contains three security rules: All IP Traffic, All ICMP Traffic and <Dynamic>.

a. All IP Traffic settings

Figure 3: Settings of the security rule All IP Traffic.

This default rule applies to all IP traffic: any port, source IP "My IP Address" (the requesting machine itself), any destination port and destination IP "Any IP Address". With it the system requests security when communicating with every other machine. Filter Action has three levels: Permit, Request Security and Require Security; in this rule the default is Request Security. Authentication Methods uses only Kerberos by default; you can add two other methods, certificates (CA) and a preshared key. The Tunnel Setting tab lets you configure a tunnel for all traffic or only for a particular network or host address. Connection Type selects which kinds of connection the rule applies to; the default is All Connections, but you can restrict it to remote-access connections (such as VPN) or to LAN connections only.

b. All ICMP Traffic

Figure 4: Settings of the security rule All ICMP Traffic.

By default this rule permits all ICMP packets to and from this computer: the filter matches all ICMP, the action is Permit, and no authentication is required.

c. <Dynamic> rule

Figure 5: Dynamic rule.

The Dynamic security rule defines how the system answers security requests from other machines. The table in the figure lists the methods it can respond with: 3DES, DES, SHA1 and MD5; the authentication method is Kerberos. (DES and MD5 are weak by today's standards; remove them from the list wherever the peers support 3DES and SHA1 or better.)

2. Client (Respond Only). Clients in the domain under this policy automatically answer security negotiations (using Kerberos within the domain).

With this setting the system answers every security request through Kerberos authentication. It is the same as the <Dynamic> security rule of Server (Request Security), so if you use Server (Request Security) there is no need for Client (Respond Only). At the end of this section I explain why only one of the three policies, Server (Request Security), Client (Respond Only) or Secure Server (Require Security), is used.

PART 2

3. Secure Server (Require Security). When Require Security is enabled, every communication with the machine must negotiate a security method. If the negotiation succeeds, data is transmitted. Unlike Server (Request Security), if the negotiation fails the communication is dropped.

This default policy also contains three security rules: All IP Traffic, All ICMP Traffic and <Dynamic>. As shipped, the rule requires security from this server to every other machine. (The default All IP Traffic filter is mirrored, so it also matches inbound traffic; the edit described next is harmless and worth checking if domain clients cannot reach the server after the policy is assigned.) To let the other domain clients reach a server with this policy, edit the All IP Traffic rule so that Source Port and Source IP are Any instead of My IP Address. To do so, select the All IP Traffic rule, click Edit, open the IP Filter List tab, select All IP Traffic, click Edit, and click Edit again in the window that opens.

Changing Source IP from My IP Address to Any allows secured communication both from this server to other machines and from other machines to it. With this setting only machines in the domain can talk to the server; machines outside the domain cannot. The difference between the All IP Traffic rule of Server (Request Security) and that of Secure Server (Require Security) is the filter action, Require Security: every communication with the outside must be secured, and unlike Request Security, which falls back to unprotected traffic when negotiation fails, Require Security allows only those communications that meet the security requirement. The other security rules of Secure Server (Require Security) are the same as in Server (Request Security).

4. Custom Policy. If you do not want to use or reconfigure the built-in policies, you can create a new one. In the Group Policy Editor, in the IPsec policy node, right-click and choose Create IP Security Policy.

You can choose the authentication method: Kerberos, CA or preshared key. After creating the new IP Security Policy you must add rules like All IP Traffic or All ICMP Traffic, each with an authentication method, tunnel settings and the connection types it applies to; their meaning is as described for All IP Traffic in Part 1.

5. Applying IPsec policies in practice. Consider this example: "You have a domain named VNE.NET with two file servers, Server1.vne.net and Server2.vne.net. Server1.vne.net holds very important company data; Server2.vne.net holds public data. The manager tells you that, besides protecting the shares with NTFS permissions and Share permissions, the servers must meet the following requirements. All traffic between clients and Server1.vne.net must be encrypted, and only computers in the domain may access that server; computers outside the domain must not be able to reach it, to keep the data safe. All traffic between clients and Server2.vne.net must be encrypted when the client is in the domain, but users outside the domain must still be able to access it normally."

For this example: Server1.vne.net requires all communication to be secured and allows only machines in the same domain. Within a domain there is a central authentication protocol, Kerberos, so domain members can negotiate security with one another, while machines outside the domain have no Kerberos credentials. Applying the Secure Server (Require Security) policy to Server1.vne.net therefore meets all the requirements. Server2.vne.net gets the Server (Request Security) policy: domain computers talking to it must encrypt, while machines outside the domain can still communicate with it.

How to do it: open Active Directory Users and Computers and create two new OUs, Secure and Public; then move Server1.vne.net into OU Secure and Server2.vne.net into OU Public.

Right-click OU Secure, choose Properties, switch to the Group Policy tab, click New to create a new GPO and name it, then click Edit to open the Group Policy Editor.

In the IPsec policy node of the GPO, right-click Secure Server (Require Security) and choose Assign to apply the policy to this OU.

Do the same for OU Public, assigning Server (Request Security) for Server2.vne.net. Here I create new GPOs linked directly to the OUs rather than to the domain, because only one IPsec policy can be in effect on a computer at a time: when several GPOs carrying IPsec assignments apply to it, only the one processed last takes effect, so separate OU-level links keep the two assignments from interfering with each other. Remember to change the source IP in the All IP Traffic rule from My IP Address to Any; if you assign Secure Server (Require Security) without that change, no computer will be able to communicate with any other.

When these steps are done you will see that only computers in the domain can access Server1.vne.net; computers outside the domain can only ping it. With Server2.vne.net, when it requests a security negotiation a domain computer answers and the traffic is protected; if a machine does not answer, communication still proceeds but without protection.

Protecting shared folders with IPsec


VLANs are commonly deployed to isolate groups of networked computers, but in practice many organizations cannot afford switches with VLAN support. In that case IPsec is an effective way to protect network resources such as shared folders.

In the example model there are two groups of computers, group 1 and group 2. We will configure IPsec so that only computers within the same group can reach each other's shared folders. Windows XP/2000/2003 reach shared folders over TCP ports 139 and 445, so we create a policy that filters those ports.

1. Create and configure an IP Security Policy on the first computer

Step 1: Choose Start, Run, type MMC and press Enter to open the Microsoft Management Console.
Step 2: In the Console window choose File, then Add/Remove Snap-in.
Step 3: In the dialog that opens click Add. In the Add Standalone Snap-in dialog select IP Security Policy Management and click Add.
Step 4: In the Select Computer or Domain dialog select Local computer and click Finish.
Step 5: Click Close, then OK to return to the MMC window.
Step 6: Right-click IP Security Policies on Local Computer and choose Create IP Security Policy. Click Next to continue.
Step 7: Type the name of the policy in Name, for example "Filter ports 445 and 139" (the original Vietnamese name, "Loc cong 445 va 139", is also the basis of the export file name used in section 2). Click Next.
Step 8: Select Activate the default response rule and click Next. Under Default Response Rule Authentication Method choose Use this string to protect the key exchange (preshared key) and type "1234". Click Next. (A four-digit key is for illustration only; see the note at Step 18.)
Step 9: Select Edit properties and click Finish.
Step 10: In the "Filter ports 445 and 139" dialog, clear the <Dynamic> check box and click Add. Click Next, choose This rule does not specify a tunnel, click Next, choose All network connections, and click Next.
Step 11: In the IP Filter List dialog click Add. In Name type a name for the list, for example "Ports 445, 139 in/out" (choose a name that is easy to remember). Click Add, then Next.
Step 12: In the IP Filter Wizard type a description in Description, for example "445 out". Click Next.
Step 13: Under IP Traffic Source Address choose My IP Address. Click Next. Under IP Traffic Destination Address choose Any IP Address. Click Next. Under Select a protocol type choose TCP. Click Next. In the IP Protocol Port dialog choose To this port and type 445. Click Next, then Finish.
Step 14: Repeat Steps 12 and 13 three more times with the following parameters:
- 1st: Description: 445 in; Source Address: My IP Address; Destination Address: Any IP Address; Protocol Type: TCP; IP Protocol Port: From this port, value 445
- 2nd: Description: 139 out; Source Address: My IP Address; Destination Address: Any IP Address; Protocol Type: TCP; IP Protocol Port: To this port, value 139
- 3rd: Description: 139 in; Source Address: My IP Address; Destination Address: Any IP Address; Protocol Type: TCP; IP Protocol Port: From this port, value 139
The result should look like the figure. Click OK to continue.
Step 15: In the Security Rule Wizard select "Ports 445, 139 in/out". Click Next.
Step 16: In the Filter Action dialog select Require Security. Click Edit to change the parameters of the filter action.
Step 17: In the Require Security Properties dialog select Use session key perfect forward secrecy (PFS). Click OK, then Next.
Step 18: In the Authentication Method dialog choose Use this string to protect the key exchange (preshared key) and type "1234". You can, and should, use a longer random string: anyone who learns the preshared key can join the group, and the key is stored readable in the local policy store, so treat it as a password shared by the whole group. Remember that all computers in the same group must have the same preshared key. The two other options in this dialog, which we do not select, mean the following:
- Active Directory default (Kerberos V5 protocol): choose this only when your computer is a member of a domain whose domain controller (Windows Server 2000/2003) runs Active Directory (AD). Kerberos V5 is the authentication protocol used among the members of an AD domain.
- Use a certificate from this certification authority (CA): authenticate with certificates issued by a Certificate Authority. To use it you need access to a server running Certificate Services, from which you request and install a certificate for IPsec.
Click Next, then Finish to return.
Step 19: In the Edit Rule Properties dialog select "Ports 445, 139 in/out", click Apply, then OK.
Step 20: Right-click the IP Security Policy you just created (Filter ports 445 and 139) and choose Assign.

2. Copying the IP Security policy to the next computer

We could repeat the 20 steps above on computer 2, then on computer 3, but that takes time and a mistake would leave the machines unable to talk to each other. Instead we use the netsh tool to export the IPsec policy to a file and then import that file on the other computers:

Step 1: Preparation. Choose Start, Run, type cmd and press Enter. At the command prompt create the folder Ipsec on drive C:
md C:\Ipsec
Step 2: Export the IPsec policy to the file Loc445va139.ipsec:
netsh ipsec static exportpolicy file = c:\Ipsec\Loc445va139
(netsh adds the .ipsec extension itself)
Step 3: Import the IPsec policy from Loc445va139.ipsec. Copy Loc445va139.ipsec to C:\Ipsec on computer 2 and run:
netsh ipsec static importpolicy file = c:\Ipsec\Loc445va139.ipsec
On computer 2, repeat Steps 1 to 5 of section 1 to open the IP Security Policy Management console, right-click the policy (Filter ports 445 and 139) and choose Assign. Repeat Step 3 for computer 3. The exported file contains the whole policy, preshared key included, so protect it in transit and delete it after importing.

3. Group 2

For computers 4 and 5 in group 2, proceed exactly as for group 1. The preshared key, however, must be different from the one used by group 1.
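The policy built by the 20 GUI steps above, and the custom-policy idea of Part 2, generated as one netsh script per group, as an added example that is not code from the article. Every member of a group runs the same script, so the policy is identical everywhere, and each group gets its own random preshared key instead of "1234". It assumes the Windows XP / Server 2003 "netsh ipsec static" command set (add filterlist, add filter, add filteraction, add policy, add rule, set policy) with the parameter names shown; check them against "netsh ipsec static add filter /?" on your build before running the output, and note that the filter uses mirrored=yes, so one filter per port covers both the "out" and "in" entries the article creates by hand.

```python
"""Generate 'filter ports 445 and 139' netsh scripts per group (added example)."""
import secrets

SMB_PORTS = (445, 139)      # SMB over TCP, and the NetBIOS session service


def make_psk(nbytes=32):
    """Random URL-safe preshared key; the whole group shares it, so treat it like a password."""
    return secrets.token_urlsafe(nbytes)


def psk_is_weak(psk):
    """Reject keys like the article's "1234": short, or built from a single character class."""
    classes = sum(any(f(c) for c in psk) for f in (str.isdigit, str.islower, str.isupper))
    return len(psk) < 20 or classes < 2


def netsh_script(group, psk, ports=SMB_PORTS):
    """Return the netsh commands that build and assign the policy on one computer."""
    if psk_is_weak(psk):
        raise ValueError("preshared key too weak for group %s" % group)
    policy = "Filter SMB ports - %s" % group
    filters = "SMB ports in-out - %s" % group
    action = "Require security - %s" % group
    lines = [
        'netsh ipsec static add policy name="%s" '
        'description="Shared folders reachable only within %s" activatedefaultrule=no'
        % (policy, group),
        'netsh ipsec static add filterlist name="%s"' % filters,
    ]
    for port in ports:
        # mirrored=yes also matches the reverse direction, so one filter replaces the
        # article's separate "out" (to this port) and "in" (from this port) entries
        lines.append(
            'netsh ipsec static add filter filterlist="%s" srcaddr=me dstaddr=any '
            'protocol=TCP srcport=0 dstport=%d mirrored=yes description="TCP %d in-out"'
            % (filters, port, port))
    lines += [
        # negotiate with PFS, no unsecured inbound (inpass=no), no clear-text fallback (soft=no);
        # 3DES/SHA1 is what this platform offers, weak by today's standards
        'netsh ipsec static add filteraction name="%s" action=negotiate qmpfs=yes '
        'inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"' % action,
        'netsh ipsec static add rule name="SMB %s" policy="%s" filterlist="%s" '
        'filteraction="%s" conntype=all psk="%s"' % (group, policy, filters, action, psk),
        'netsh ipsec static set policy name="%s" assign=yes' % policy,
    ]
    return "\r\n".join(lines) + "\r\n"


def scripts_for_groups(groups):
    """One script and one distinct PSK per group; a group's members all run the same script."""
    out = {}
    for group in groups:
        psk = make_psk()
        while psk in {v[0] for v in out.values()}:   # keys must differ between groups
            psk = make_psk()
        out[group] = (psk, netsh_script(group, psk))
    return out


if __name__ == "__main__":
    for group, (psk, script) in scripts_for_groups(["group1", "group2"]).items():
        with open("ipsec-%s.cmd" % group, "w", newline="") as f:
            f.write(script)
        print("wrote ipsec-%s.cmd (PSK starts with %s)" % (group, psk[:4]))
```

The generated .cmd files carry the preshared key in clear text, exactly as the GUI stores it, so distribute them the way you would a password and delete them after use; in a domain, Kerberos or certificate authentication avoids the shared secret altogether.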