
MINISTRY OF EDUCATION AND TRAINING
HOA SEN UNIVERSITY
FACULTY OF SCIENCE AND TECHNOLOGY

BUILDING AN ASA FIREWALL AND IPS TO PROTECT THE NETWORK

Supervisor: Mr. Dinh Ngoc Luyen
Student group: Tran Kim Phuong, Le Trung Tan (class VT071)

December 2010

THESIS ABSTRACT

During the graduation thesis we studied the following security technologies: the common firewall technologies at the Network, Transport and Application layers; the types, modes of operation, protocols and algorithms used in VPNs; the operating principles of IDS/IPS and the ways in which they detect attacks; and the construction of a firewall for the Hoa Sen University network together with the deployment of VPN and IDS/IPS.

Using software that simulates network devices, our group was able to build the Hoa Sen University network ourselves, from requirements analysis, definition of user accounts, design and sketching of the network model through to configuration in the simulator. Along the way we obtained the following encouraging results:
- a better understanding of firewalls, their architecture and their functions, together with an in-depth analysis of the common firewall technologies at the Network, Transport and Application layers of the OSI model;
- a study of VPNs, the protocols they use and the way they operate;
- an understanding of how IDS/IPS work, with an analysis of each attack-detection method and its benefits and limitations;
- an understanding of the steps for building an enterprise network, from requirements analysis and network design through to configuration, while applying a VPN solution and an IDS/IPS system;
- an in-depth look at additional technologies that raise security and data safety so that the network keeps operating even when a fault occurs, makes the most of system resources and spreads the load across the row of inspecting firewalls: Load Balancing, Failover and HSRP; user authentication with IEEE 802.1x; and VOIP to provide voice service to users.

TABLE OF CONTENTS

Thesis abstract
Table of contents
List of figures
List of tables
Acknowledgements
Supervisor's comments
Preface

Part 1: Report overview
1.1 Research objectives
1.2 Research method
1.3 Scope of the topic
1.4 Thesis structure

Part 2: Common firewall technologies at the Network, Transport and Application layers
2.1 The importance of information security
2.2 Firewall overview
2.2.1 Introduction
2.2.2 Functions
2.3 Common firewall technologies at the various layers
2.3.1 Network and Transport layers
2.3.1.1 Packet Filtering
2.3.1.2 NAT Firewall
2.3.1.3 Stateful Packet Filtering
2.3.2 Application layer
2.3.2.1 Proxy Firewall
2.3.2.2 Stateful Inspection Firewall (SIF)
2.4 Deploying firewalls in an enterprise network
2.4.1 Bastion Host
2.4.2 Screened Subnet
2.4.3 Dual Firewall

Part 3: Building a VPN between the two campuses of Hoa Sen University
3.1 The need for VPN in the enterprise
3.1.1 Why VPN came about
3.1.2 Is VPN really necessary?
3.2 VPN overview
3.2.1 The VPN concept
3.2.2 Benefits of VPN
3.2.3 Technical infrastructure for building a VPN
3.2.3.1 Cryptographic techniques
3.2.3.2 Public Key Infrastructure
3.2.4 VPN protocols
3.2.4.1 PPTP (Point to Point Tunneling Protocol)
3.2.4.2 L2TP (Layer 2 Tunneling Protocol)
3.2.4.3 GRE
3.2.4.4 IPSec (Internet Protocol Security)
3.2.5 Types of VPN
3.2.5.1 Easy VPN
3.2.5.2 Site to Site VPN
3.2.5.3 SSL VPN

Part 4: Building IPS & IDS
4.1 IPS and IDS overview
4.1.1 Introduction
4.1.2 History
4.1.3 Why IPS emerged and replaced IDS
4.2 Classification
4.2.1 Host-based Intrusion Prevention System (HIPS)
4.2.2 Network-based Intrusion Prevention System (NIPS)
4.3 Operating principles of the system
4.3.1 Traffic analysis
4.3.2 Attack detection
4.3.2.1 Signature-based Detection
4.3.2.2 Statistical Anomaly-based Detection
4.3.2.3 Protocol-based detection
4.3.2.4 Policy-based detection
4.3.3 Response
4.4 Terminology

Part 5: Building a firewall for the Hoa Sen University network
5.1 Introduction
5.2 Requirements
5.3 Deployment
5.3.1 Network diagram of the main campus
5.3.1.1 Network model
5.3.1.2 Identifying user groups
5.3.1.3 Packet inspection rules on the firewall
5.3.2 Building the policies
5.3.2.1 Layer 2 switch
5.3.2.2 Layer 3 switch
5.3.2.3 Inside firewall
5.3.2.4 Outside firewall
5.3.2.5 Edge router
5.3.3 Technologies used
5.4 Additional technologies deployed
5.4.1 Failover
5.4.2 HSRP (Hot Standby Router Protocol)
5.4.3 Firewall Load Balancing
5.4.4 802.1x authentication
5.4.5 VOIP system
Conclusion
References

LIST OF FIGURES

Figure 1 - Chart showing the rise in malware
Figure 2 - Chart showing the most common types of attack today
Figure 3 - Firewall system
Figure 4 - Firewall in a network (Network Firewall)
Figure 5 - Personal Firewall (also called Desktop Firewall)
Figure 6 - Firewall functions
Figure 7 - Operation of Packet Filtering
Figure 8 - How Packet Filtering inspects packets
Figure 9 - Operation of Stateful Packet Filtering
Figure 10 - Operation of a Proxy Firewall
Figure 11 - Circuit Level Gateway
Figure 12 - Operation of the Application Level Gateway technique
Figure 13 - Deep Packet Inspection
Figure 14 - Bastion Host
Figure 15 - Screened subnet
Figure 16 - Dual Firewall
Figure 17 - VPN network
Figure 18 - Public Key Confidentiality Scenario diagram
Figure 19 - Public Key Authentication Scenario diagram
Figure 20 - Public Key Infrastructure (PKI) diagram
Figure 21 - Operation diagram
Figure 22 - VPN connection over the PPTP protocol
Figure 23 - L2TP VPN
Figure 24 - IPSec in the OSI model
Figure 25 - IPSec components
Figure 26 - Transport mode
Figure 27 - Tunnel mode
Figure 28 - ESP transport mode packet
Figure 29 - ESP tunnel mode packet
Figure 30 - ESP fields
Figure 31 - AH transport mode
Figure 32 - AH tunnel mode
Figure 33 - AH header
Figure 34 - Packet with NAT-Traversal support
Figure 35 - Operation of DH
Figure 36 - Comparison of encryption standards, hash algorithms and authentication methods
Figure 37 - Steps of phase 1 negotiation
Figure 38 - Matching of security parameters
Figure 39 - IKE phase 1 with pre-shared key in main mode
Figure 40 - IKE phase 1 with pre-shared key in aggressive mode
Figure 41 - IKE phase 1 with digital signatures in main mode
Figure 42 - IKE phase 2
Figure 43 - Easy VPN
Figure 44 - Connecting enterprises over a public network
Figure 45 - IPS (Intrusion Prevention System)
Figure 46 - HIPS system
Figure 47 - HIDS installed on a computer
Figure 48 - NIPS system
Figure 49 - Operation of NIPS
Figure 50 - Network diagram of Hoa Sen University
Figure 51 - Failover fault-detection time
Figure 52 - The HSRP protocol
Figure 53 - Operation of HSRP
Figure 54 - ARP table of a member router in the group
Figure 55 - Transition when the active router fails
Figure 56 - HSRP states
Figure 57 - Multiple HSRP
Figure 58 - Firewall Load Balancing (FWLB)
Figure 59 - 802.1x architecture
Figure 60 - User authentication under the 802.1x standard
Figure 61 - Exchange among Supplicant, Authenticator and Authentication Server
Figure 62 - Simple VOIP model

LIST OF TABLES

Table 1 - Comparison of SSL VPN types
Table 2 - Comparison of HIPS and NIPS functions
Table 3 - Requirements of the departments
Table 4 - Network zones in the Hoa Sen University system
Table 5 - IP address ranges for the links between devices
Table 6 - Department VLANs
Table 7 - Campuses deploying VOIP
Table 8 - Departments deploying VOIP
Table 9 - User account numbering
Table 10 - Rules for the departments in the internal network
Table 11 - Application-layer rules from inside to outside
Table 12 - Application-layer rules from outside to the DMZ
Table 13 - Rules for VPN connections
Table 14 - ACLs from inside to outside
Table 15 - HTTP Inspection policy on the Inside firewall
Table 16 - FTP Inspection policy on the Inside firewall
Table 17 - Blocking Yahoo Messenger and MSN Messenger
Table 18 - ACLs from outside to Inside
Table 19 - Web VPN policies on the Inside firewall
Table 20 - ACLs from outside to the DMZ
Table 21 - Connection-limiting policies from outside to the DMZ
Table 22 - HTTP Inspection policy on the Outside firewall
Table 23 - Site-to-Site VPN policies on the Outside firewall
Table 24 - Easy VPN policies on the Outside firewall
Table 25 - Web VPN policies on the Outside firewall
Table 26 - Comparison of firewall features across different systems

ACKNOWLEDGEMENTS

First of all, we sincerely thank the Board of Rectors of Hoa Sen University, Ho Chi Minh City, for giving us the conditions to complete this graduation thesis report.

We also extend our deep and sincere thanks to the lecturers of the Faculty of Science and Technology of Hoa Sen University, who devotedly guided and helped us throughout the thesis. In particular we thank Mr. Dinh Ngoc Luyen, lecturer in the Faculty of Science and Technology, who directly supervised this project to completion.

However, as our time was limited and our knowledge and experience are still modest, this report inevitably has shortcomings. Sincere comments from our lecturers will help us improve this report and accumulate further knowledge and experience. This will be the provision that helps us face new challenges in society with confidence.

SUPERVISOR'S COMMENTS


Supervisor's signature

PREFACE

In this era of integration, as the need to exchange data over computer networks keeps rising, the Internet has become enormously important, touching every area of a country's economy, society, security and defence. In Vietnam the Internet is widely used and developed (reaching roughly 25% of the population), and with it high-tech crime keeps growing: many network attacks have caused extremely serious consequences, paralysing security monitoring systems, damaging national databases and stealing State secrets. For businesses, securing information on the network is the top concern of almost every company, organisation and service provider. Along with the explosion in science and technology, attack methods are becoming ever more sophisticated, rendering network security systems ineffective. Bill Archer, president of AT&T in Europe, said: "We have seen a much higher density of attacks in the past six months than two years ago." In Vietnam in particular, this issue deserves more investment and consideration than ever. According to a survey by the Vietnam Computer Emergency Response Team (VNCERT) based on information security standards, 40% of Vietnamese businesses have no firewall, 70% have no process for handling information security incidents and 85% have no network security policy. Furthermore, according to Kaspersky's analysis for 2010, Vietnam ranks fifth in the world among the countries suffering the most damage from network attacks (after India and the United States, with China and Russia at the top). Building a network security system that both keeps information safe and secure and makes good use of network performance is becoming a headache for organisations and businesses not only in Vietnam but all over the world. Aware of these risks, and driven by a passion for studying network security techniques, our group decided on the topic "Building an ASA Firewall and IPS to Protect the Network", hoping to give businesses a model that meets security requirements while still ensuring network performance. Along the way we also equip ourselves with more knowledge in preparation for new challenges in society.

PART 1: REPORT OVERVIEW

1.1 Research objectives

As mentioned, our group focuses on the common firewall technologies at the Network, Transport and Application layers, and on analysing the techniques behind VPNs and designing and building a VPN system. To strengthen network security further we also study IDS/IPS, how they operate and the kinds of IDS/IPS commonly used today. Finally, the group implements all of these techniques on the Hoa Sen University network.

1.2 Scope of the topic

Because time and investment are limited, our group builds and deploys the network on software that simulates real devices (firewalls, switches, routers and so on), centred on the Cisco ASA firewall, one of the most widely used firewalls today, which supports:
- a harmonious, complementary combination of Stateful Packet Filtering and Proxy inspection;
- a complete view of network traffic, since packets are inspected and analysed from layer 3 to layer 7;
- Authentication and Authorization;
- deployment of VPN and IPS/IDS;
- redundancy and load balancing in the event of a fault.

1.3 Research method

By combining desk research, experimental work (building practice labs to study the features of the firewall) and synthesis and analysis grounded in security theory and in results drawn from practice, we gained a deeper understanding of the many firewall technologies and of the other security techniques used in networks.

1.4 Structure of the thesis

Part 1: Overview of the graduation thesis report: the reason for choosing the topic, its scope and the research methods.
Part 2: Common firewall technologies at the Network, Transport and Application layers.
Part 3: Building a VPN between the two campuses of Hoa Sen University.
Part 4: Building IDS/IPS.
Part 5: Building a firewall for the Hoa Sen University network.

PART 2: COMMON FIREWALL TECHNOLOGIES AT THE NETWORK, TRANSPORT AND APPLICATION LAYERS

2.1 The importance of information security

Information plays an extremely important role for almost every organisation and business, especially in today's competitive business environment. Rapid progress in science and technology has led to ever more sophisticated attack techniques. On 10 March 2010 Symantec officially published the results of its 2010 global State of Enterprise Security study, based on a survey carried out in January 2010 of 2,100 CIOs, CISOs and IT managers in 27 countries. The study reports that enterprises are being attacked more and more frequently: in the preceding 12 months, 75% of the organisations surveyed had suffered at least one network attack, with an average loss of 2 million USD per year.

Figure 1 - Chart showing the rise in malware

Figure 2 - Chart showing the most common types of attack today

Consequently, protecting information is becoming harder, because information is under threat from many different sources: inside the organisation, outside it, disasters, and malicious code on the network. Together with the growing use of new technologies for storing, transmitting and collecting information comes a corresponding growth in the number and variety of threats. Information security is not only a matter of technology; it directly affects an organisation's reputation, its operations and its survival. It is easy to agree that building an information security system is a process that demands a large investment of time and money.

2.2 Firewall overview

2.2.1 Introduction

A firewall is a device used to limit attacks and protect important information resources according to security policies set by an individual, a business or a government organisation.

Figure 3 - Firewall system

Placed behind the edge router, between two network zones, the firewall filters the traffic entering and leaving the network so that harmful flows are blocked while necessary data is allowed through. Firewalls are vital and necessary for almost every organisation and business today, especially as intrusions that damage networks keep increasing. Whatever the architecture, from a personal firewall that protects a single computer to the row of firewalls in the network of a large company or government organisation (a network firewall), the final goal is the same: a resilient network that resists unauthorised intrusion while keeping data safe.

Figure 4 - Firewall in a network (Network Firewall)

Figure 5 - Personal Firewall (also called Desktop Firewall)

2.2.2 Functions

A firewall controls and establishes a mechanism for governing the flow of data between the local network and the Internet. Specifically, it can:
- permit or forbid services that reach out from inside, or that reach in from outside;
- monitor the data flows that pass through it;
- control which addresses may access the network and block others;
- verify that a user is legitimate and which rights that user has been granted;
- control the content of the information passing over the network.

The firewall examines every traffic flow entering and leaving the network to see whether it conforms to the policy that has been set.

Figure 6 - Firewall functions

If it conforms, the flow is routed between the networks; otherwise it is dropped. The firewall also manages access from outside to the network resources inside, logs every attempt to break into the private network and raises an alert promptly when it detects an attack. It filters packets by source address, destination address and port number and, at a higher level, can also filter the content of the information moving through the system.

2.3 Common firewall technologies at the various layers

To counter ever more sophisticated attack methods, people keep researching and inventing new technologies to raise the security of firewalls. Today, whether hardware or software, firewalls are built on the following technologies:
- Packet filtering
- NAT Firewall
- Stateful packet filtering
- Proxy firewalls (also called Application Layer Gateways)
- Stateful Inspection Firewall (SIF)

In general these technologies are built on the OSI model (Open Systems Interconnection Reference Model), since most network protocols operate according to that model. To control traffic entering and leaving tightly, a firewall therefore applies different technologies at different layers, mainly the three layers described below.

2.3.1 Network and Transport layers

2.3.1.1 Packet Filtering

At first, firewalls only identified the source and destination of a packet at the Network layer and the port number or TCP/UDP protocol type at the Transport layer, without determining the state or contents of the packet. Network access control is performed with an access control list (ACL), which filters in a basic way against unauthorised intrusion and so limits the harmful traffic that enters. This is the packet filtering technique, one of the simplest, widely used on both software and hardware firewalls and providing a function that almost every firewall cannot do without: before the contents or state of a packet can be examined, it must first be established that the packet is carried over a trusted connection.

Figure 7 - Operation of Packet Filtering

With this technique the firewall permits or denies access based on the type of packet and on the other fields defined by the access list (ACL); it decides whether a datagram satisfies the filtering conditions from the information at the head of each packet (the packet header), namely:
- source IP address (IP Source Address)
- destination IP address (IP Destination Address)
- transport protocol (TCP, UDP, ICMP, IP Tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- incoming interface of the packet
- outgoing interface of the packet

When a packet arrives, the firewall compares it in turn with the policy entries to check whether it is legitimate. If it is, the packet passes through the firewall; otherwise it is discarded. In this way the firewall blocks connections to servers or to the trusted zone and locks out access to the internal network from disallowed addresses. In addition, the firewall compares the current header with the header of the preceding packet, which allows more information to be analysed, and takes into account the interfaces on which packets arrive and leave.

Figure 8 - How Packet Filtering inspects packets

Advantages:
- Fast processing, so it is used by most firewalls today.
- Easy to deploy, install and maintain, with a low deployment cost, because packet filtering is built into routers.
- Independent of the applications and has little impact on network performance.
- Transparent to users and applications.
- Does not require a highly skilled administrator.

Disadvantages. Some problems with packet filtering:
- Any packet that fits the configured policy gets through the firewall. An attacker can exploit this by splitting data up and embedding it in legitimate-looking packets.
- Each policy is expressed as an ACL, so a complete system requires many policies to be configured; consolidating, unifying and optimising these policies is then the main concern of most enterprises.
- The technique is not feasible for services whose port numbers are not fixed; these require inspection at higher layers (from the Transport layer upwards).
- No support for user authentication.
- Does not stop address-spoofing attacks.
- Low security level: because the filtering criteria rest on the header fields of each packet, neither the content nor the state of packets can be controlled.
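The following Python program is an added example written for this section; it is not code from the thesis and not a Cisco ACL implementation. It models an ordered ACL over exactly the header fields listed above, with first-match semantics and the implicit deny a router applies at the end of every list, and it reproduces the spoofing weakness from the list of disadvantages: a packet arriving on the outside interface with a forged inside source address passes the naive list and is caught only when an anti-spoofing rule ties inside addresses to the inside interface. The addresses, interface names and rules are made up for the demonstration.

```python
"""Stateless packet filter: an ordered ACL evaluated against header fields only.

Added example (not the thesis's code, not a Cisco implementation).  Addresses,
interfaces and rules are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at; nothing else is consulted."""
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    in_iface: str
    out_iface: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One ACL entry; a None field matches any value."""
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        for want, have in ((self.proto, p.proto), (self.sport, p.sport),
                           (self.dport, p.dport), (self.icmp_type, p.icmp_type),
                           (self.in_iface, p.in_iface), (self.out_iface, p.out_iface)):
            if want is not None and want != have:
                return False
        return True


def filter_packet(acl: List[Rule], p: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule decides; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule
    return "deny", None


INSIDE = "10.0.0.0/8"               # constructed inside address range
WEB_SERVER = "10.1.1.10/32"         # constructed DMZ web server

# An ACL written without thinking about where packets arrive from.
NAIVE_ACL = [
    Rule("permit", proto="tcp", dst=WEB_SERVER, dport=80),
    Rule("permit", proto="tcp", src=INSIDE, dport=443, in_iface="inside"),
    Rule("permit", proto="icmp", icmp_type=0, dst=INSIDE),   # echo replies coming back
]

# The same policy preceded by an anti-spoofing rule: an inside source address
# must never show up on the outside interface.
HARDENED_ACL = [Rule("deny", src=INSIDE, in_iface="outside")] + NAIVE_ACL
```

Run against a packet whose source is forged to 10.0.0.5 but which arrives on the outside interface, `NAIVE_ACL` returns `permit` because the first rule only looks at protocol, destination and port, while `HARDENED_ACL` returns `deny`; that is the whole difference between the two lists, and it is invisible to a filter that does not tie addresses to interfaces.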

2.3.1.2 NAT Firewall

A NAT firewall operates at the Network and Transport layers. NAT (Network Address Translation) changes the IP address of a packet when necessary, so that users inside can use a public address to reach the Internet while their real inside addresses stay hidden. NAT can also govern Internet access by deciding which users are allowed to use it. More precisely, when an inside user opens a connection to the outside, NAT rewrites the source IP of the packet and sends it on, recording the state of the translation in a translation table. When a packet comes back from outside, NAT looks up the table and rewrites the packet's destination IP to the original address so that the packet returns to where it started. The variant that also rewrites the source and destination port numbers is called PAT (Port Address Translation). As noted, NAT keeps the state of each translated connection in the translation table, so an outside user cannot initiate a connection into the inside network.

Advantages:
- Shields the inside network from "prying" from outside.
- Lets the administrator specify exactly which services use NAT, as for the hosts inside the system.
- With a single public IP address, all the internal computers can reach the Internet.

Disadvantages:
- With TCP it is very easy to determine when to stop translating an address, because TCP is a three-way-handshake protocol. With UDP it is a problem, because UDP sets up no connection; NAT must guess when the exchange has ended, and a wrong guess loses the connection.
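As an added example for this section (not the thesis's code and not Cisco's implementation), the Python program below keeps a translation table for PAT: outbound packets from the inside network are rewritten to one public address and a fresh source port, inbound packets are delivered only when they match a recorded entry and come from the peer that entry was opened towards, and entries are removed when a TCP connection is seen closing or, for UDP, when an idle timer expires. The idle timer is the guess the text describes: a UDP reply that arrives after the timer has fired is dropped. Addresses, ports and timeouts are made up.

```python
"""NAT/PAT with a translation table and the UDP idle-timeout problem.

Added example (not the thesis's code, not Cisco's implementation).  Addresses,
ports and timeouts are constructed for the demonstration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"FIN", "ACK"}, {"RST"}


@dataclass
class Mapping:
    """One translation-table entry, keyed by (proto, public port)."""
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int
    last_seen: float
    fin_from_inside: bool = False
    fin_from_outside: bool = False


class Pat:
    def __init__(self, public_ip: str, inside_net: str,
                 udp_timeout: float = 30.0, tcp_timeout: float = 3600.0):
        self.public_ip = public_ip
        self.inside = ip_network(inside_net)
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.table: Dict[Tuple[str, int], Mapping] = {}
        # reverse index: (proto, inside ip, inside port, remote ip, remote port) -> public port
        self.by_flow: Dict[Tuple[str, str, int, str, int], int] = {}
        self._ports = count(1024)

    def _remove(self, proto: str, port: int, m: Mapping) -> None:
        del self.table[(proto, port)]
        self.by_flow.pop((proto, m.inside_ip, m.inside_port, m.remote_ip, m.remote_port), None)

    def _live(self, proto: str, port: int, now: float) -> Optional[Mapping]:
        """Return the entry if it exists and its idle timer has not expired."""
        m = self.table.get((proto, port))
        if m is None:
            return None
        if now - m.last_seen > self.timeouts[proto]:
            self._remove(proto, port, m)     # the guess: idle this long means finished
            return None
        return m

    def _track_close(self, p: Packet, m: Mapping, port: int, from_inside: bool) -> None:
        """TCP tells us when it is done: a RST, or a FIN from each side."""
        if p.proto != "tcp":
            return
        if "FIN" in p.flags:
            if from_inside:
                m.fin_from_inside = True
            else:
                m.fin_from_outside = True
        if "RST" in p.flags or (m.fin_from_inside and m.fin_from_outside):
            self._remove(p.proto, port, m)

    def outbound(self, p: Packet, now: float) -> Optional[Packet]:
        """Inside -> outside: rewrite source, create or refresh the mapping."""
        if ip_address(p.src) not in self.inside:
            return None                      # only inside hosts may open translations
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.by_flow.get(flow)
        m = self._live(p.proto, port, now) if port is not None else None
        if m is None:
            port = next(self._ports)
            m = Mapping(p.src, p.sport, p.dst, p.dport, now)
            self.table[(p.proto, port)] = m
            self.by_flow[flow] = port
        m.last_seen = now
        self._track_close(p, m, port, from_inside=True)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet, now: float) -> Optional[Packet]:
        """Outside -> inside: deliver only if a live mapping for this peer exists."""
        m = self._live(p.proto, p.dport, now)
        if m is None:
            return None                      # unsolicited, or the idle timer already fired
        if (p.src, p.sport) != (m.remote_ip, m.remote_port):
            return None                      # mapping is bound to the peer inside talked to
        m.last_seen = now
        self._track_close(p, m, p.dport, from_inside=False)
        return replace(p, dst=m.inside_ip, dport=m.inside_port)
```

With a 30-second UDP timer, a DNS reply that arrives 99 seconds after the last packet of the exchange is dropped even though the inside host may still be waiting for it; with TCP, the entry survives as long as the connection is open and is released as soon as both FINs (or a RST) have been seen.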

2.3.1.3 Stateful Packet Filtering

Stateful packet filtering operates at the Network, Transport and Session layers; it follows and records the state of connections (TCP/UDP traffic) entering and leaving the system so as to tell which packets legitimately belong to which connection. Inspection proceeds as in packet filtering, but this technique also maintains connection state. Each time a TCP/UDP connection is opened from the inside or the outside network, its state is stored in the state table (Stateful Session Flow Table). For every session that is opened, the session's parameters must match the information in the state table before the session is allowed to be established, so the technique works mostly at the level of connections rather than on isolated packets. The state table holds the source IP, destination IP, port numbers, the state flags of each connection and the random sequence number assigned before the packet is forwarded and the connection completed. Every packet, outbound (inside to outside) or inbound (outside to inside), is therefore checked carefully against the table before being forwarded, ensuring that connections are made in one direction, from inside to outside, and not the other way round; this keeps harmful packets out of the system and prevents outside machines from sending data to machines inside.

Figure 9 - Operation of Stateful Packet Filtering

This method is more advanced than the previous generation, for the following reasons:
- It controls connections as well as packets and performs better.
- It stores the state of TCP/UDP connections in the state table and consults it to decide whether a packet belongs to a connection established earlier or is an unauthorised access.
- It can analyse the ports used by the FTP protocol and update the state table itself so that FTP traffic can pass through the firewall.
- It also randomises the TCP initial sequence number and the DNS query identifier, which reduces the danger of TCP RST flood and DNS cache poisoning attacks.

Advantages:
- The main means of protection in every case, filtering traffic into and out of the network.
- Protects the outer perimeter, where the router meets the untrusted network.
- A means of strengthening packet-filtering capability.
- The best method against spoofing and Denial of Service (DoS) attacks, because the state of every connection is recorded in the state table and only packets that match it are allowed through; everything else is discarded.

Disadvantages. Stateful packet filtering cannot:
- block Application-layer attacks, because it does not analyse the data content;
- support user authentication.
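The Python program below is an added example for this section; it is not the thesis's code and not Cisco's implementation. It keeps a connection table for TCP that follows the three-way handshake: a flow is created only by a SYN leaving the inside network, inbound packets are accepted only when they belong to a recorded flow and their sequence numbers fall in the expected window, and the inside host's initial sequence number is replaced by a random one (the sequence-number randomisation mentioned above, so that an attacker who knows the client's real ISN cannot guess the number on the wire). An unsolicited SYN from outside and a forged RST with a random sequence number are both dropped. Hosts, ports and sequence numbers are made up.

```python
"""Stateful packet filter: a TCP connection table that follows the handshake.

Added example (not the thesis's code, not Cisco's implementation).  Addresses,
ports and sequence numbers are constructed for the demonstration.
"""
import random
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

MASK = 0xFFFFFFFF       # sequence numbers are 32-bit and wrap
WINDOW = 65535          # how far ahead of the expected number a packet may be


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: frozenset
    payload: int = 0            # number of data bytes carried


@dataclass
class Flow:
    delta: int                  # random offset added to the inside host's sequence numbers
    state: str = "SYN_SENT"     # becomes "ESTABLISHED" after the third handshake packet
    inside_next: int = 0        # next sequence number expected from inside (translated)
    outside_next: int = 0       # next sequence number expected from outside


def in_window(seq: int, expected: int) -> bool:
    return (seq - expected) & MASK < WINDOW


def advance(seq: int, p: Tcp) -> int:
    """SYN and FIN each consume one sequence number, data consumes its length."""
    return (seq + p.payload + ("SYN" in p.flags) + ("FIN" in p.flags)) & MASK


class StatefulFilter:
    def __init__(self, inside_net: str, rng: Optional[random.Random] = None):
        self.inside = ip_network(inside_net)
        self.rng = rng or random.Random()
        self.flows: Dict[Tuple[str, int, str, int], Flow] = {}

    def key(self, p: Tcp) -> Tuple[str, int, str, int]: 
        """Both directions share one entry: (inside ip, inside port, outside ip, outside port)."""
        if ip_address(p.src) in self.inside:
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def forward(self, p: Tcp) -> Optional[Tcp]:
        """Return the packet to forward (numbers translated) or None if it is dropped."""
        key = self.key(p)
        flow = self.flows.get(key)
        if ip_address(p.src) in self.inside:
            return self._outbound(key, flow, p)
        return self._inbound(key, flow, p)

    def _outbound(self, key, flow: Optional[Flow], p: Tcp) -> Optional[Tcp]:
        if flow is None:
            if p.flags != frozenset({"SYN"}):
                return None                         # only a fresh SYN may open a flow
            flow = Flow(delta=self.rng.getrandbits(32))
            seq = (p.seq + flow.delta) & MASK       # randomised ISN goes on the wire
            flow.inside_next = advance(seq, p)
            self.flows[key] = flow
            return replace(p, seq=seq)
        seq = (p.seq + flow.delta) & MASK
        if not in_window(seq, flow.inside_next):
            return None
        if flow.state == "SYN_SENT" and "ACK" in p.flags and p.ack == flow.outside_next:
            flow.state = "ESTABLISHED"              # third packet of the handshake
        flow.inside_next = advance(seq, p)
        if "RST" in p.flags:
            del self.flows[key]
        return replace(p, seq=seq)

    def _inbound(self, key, flow: Optional[Flow], p: Tcp) -> Optional[Tcp]:
        if flow is None:
            return None                             # unsolicited: nothing inside opened this
        if flow.state == "SYN_SENT":
            # Only the server's SYN-ACK answering our translated ISN is acceptable here
            # (for simplicity a RST refusing the connection is dropped too).
            if p.flags != frozenset({"SYN", "ACK"}) or p.ack != flow.inside_next:
                return None
        elif not in_window(p.seq, flow.outside_next):
            return None                             # out-of-window data or a forged RST
        flow.outside_next = advance(p.seq, p)
        if "RST" in p.flags:
            del self.flows[key]
        return replace(p, ack=(p.ack - flow.delta) & MASK)   # undo the ISN offset for the inside host
```

A forged RST aimed at an established flow succeeds only if its sequence number lands inside the window relative to the number the firewall expects next; a blind attacker has to hit a 64 KiB window in a 4 GiB space per attempt, which is the reason the text gives for the method blunting RST floods.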

2.3.2 L p Application 2.3.2.1 Proxy Firewall

Khi cng ngh cng pht trin, nhu cu qu n l truy cp mng c ng c ch tr ng. Tn cng vo cc h n ch ca k thut l c gi tin, ngi dng d dng trnh cc bin php canh phng bo mt ca tng la m xm nhp h th ng tri php. Do , gia tng mc bo mt ca tng la, k thut Proxy Firewall th h tng la th hai - hot ng lp Network, Transport, Session v Application, thay mt m ng bn trong (Inside Network) giao tip b n ngo i (Outside Network), nh , che du m i d liu quan tr ng. Khi tng l a nh n c yu cu t pha ng i dng, n ti n h nh xc th c thng qua c c quy nh c cu hnh. Nu ti kho n ngi d ng hp l, tng la thay mt ng i dng

b n trong giao tip v i cc m y ngoi Internet. Proxy Firewall ch chuy n tip gi tin c lp Network v Transport ph hp v tr v gi tin c l p Session v Application thch hp.

Figure 10 - Operation of a Proxy Firewall

A Proxy Firewall prevents direct packet exchange between two devices. All communication between the devices must pass through the proxy, which inspects packets faster and more deeply than traditional techniques. There are two kinds:

Circuit Level Gateway

Its operation is somewhat more complex than Packet Filtering: besides filtering traffic by IP address and port number, it also checks the TCP protocol handshake at the Session layer.

Figure 11 - Circuit Level Gateway

Operation:
Step 1: The source computer starts a connection; the firewall checks the connection information against the configured rules and, if the connection is permitted, lets it through.
Step 2: On behalf of the inside host, the firewall connects to the outside host and closely monitors the TCP handshake, which involves the exchange of packets carrying flags (SYN or ACK).
Step 3: The firewall confirms that the inside host and the outside host are the two parties of one session, then copies and relays data between the two connections.

The server, however, sees the connection as coming from the firewall, which hides all inside information. No data is relayed until the firewall has confirmed that the connection is valid. The firewall considers a session valid when the SYN and ACK flags and the sequence numbers exchanged during the handshake are correct.

Application Level Gateway (ALG)

As its name indicates, an Application Level Proxy Firewall operates mainly at the Application layer and inspects designated applications or services such as HTTP, FTP, DNS, telnet and so on. An ALG can also detect unwanted protocols running on ports outside the standard port numbers (non-standard ports). It relies on a proxy service, a special program installed on the application-layer gateway. A connection to a service through the firewall proceeds in the following five steps:

Figure 12 - Operation of the Application Level Gateway technique

Step 1: The workstation sends a request to the remote server through the firewall.
Step 2: The firewall authenticates the user. If authentication succeeds it continues with step 3; otherwise the process ends.
Step 3: The firewall forwards the workstation's request to the remote server.
Step 4: The remote server's reply is delivered to the firewall.
Step 5: The firewall relays the remote server's reply to the workstation.

To recognise the application it has to inspect, the ALG keeps state for the services designated in advance. When a user connects directly to the Application-Level Proxy and requests the required services, such as web (HTTP/HTTPS) or mail (SMTP), the proxy connects to the inside servers on the user's behalf in turn. Because the proxy must hold information about every service in the system, its ability to protect all applications is limited. It provides more security and reliability than Packet Filtering because it can manage, monitor, inspect and enforce policies on the content deep inside the data stream passing through it, using DPI (Deep Packet Inspection). Deploying an ALG therefore needs careful consideration, since it affects network performance to some degree: a proxy should only be deployed where information security matters more than network performance.

Figure 13 - Deep Packet Inspection

With DPI, the firewall can inspect the packets passing through it. In figure 10a, the user sends a HELO packet to the mail server to establish an SMTP connection. After checking that the packet is valid, the firewall accesses the inside mail server on the user's behalf and returns the reply to the user. On receiving the reply from the firewall, the user continues sending further commands. In figure 10b, by contrast, the user enters the VRFY command to obtain account information from the server. The firewall inspects the packet, finds that it violates the policy and immediately refuses the connection.

Advantages:
- Controls each service on the network (deciding which server may access which service).
- Authenticates the user rather than the device; the firewall relays data only after authentication and authorization succeed.
- Hard to attack with spoofing and denial of service (DoS).
- Allows data to be monitored and filtered. Every user request is clearly logged, so the content accessed by any user at any time can easily be reported. The proxy also lets the administrator define who may do what through authentication and authorization.
- Tracks and monitors every data flow in detail, even identifying the type of attack and its target. It also records user access information such as the resources accessed, the bandwidth used and the time of access.
- Each request reaching the proxy is cached; when another request asks for the same information the proxy serves it straight from the cache without sending a request outside, improving network performance.
- Queries the outside on the user's behalf, hiding the user's IP address and other sensitive information.

Disadvantages:
- Slow, with low throughput, because processing spans several layers.
- Limited scalability.
- If the proxy is attacked, the inside network is affected too.
- Supported services are limited: only a few familiar services such as web (HTTP/HTTPS) and FTP can be controlled, making it hard to add other services.
- Inspecting deep inside packets reduces network performance to some extent.
- Installation and maintenance are complex because packets are processed by an application program.
- Supports only a small number of users.
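The HELO/VRFY decision that the DPI discussion describes is the kind of check an application-level proxy performs on every SMTP command line before relaying it. The Python program below is an added example for this section, not code from the thesis or from any firewall product: it classifies each client command against an assumed policy (account-enumeration commands VRFY and EXPN are refused, the RFC 5321 line-length limit is enforced, control characters are rejected) and, in its stateful variant, also insists on HELO/EHLO before MAIL, RCPT or DATA. The reply texts and the sample transcript are constructed for the example.

```python
# Verbs the proxy forwards to the inside mail server (assumed policy for this example).
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
# Verbs the policy refuses because they enumerate accounts on the server.
DENIED = {"VRFY", "EXPN"}
LINE_LIMIT = 512   # RFC 5321 section 4.5.3.1.4: a command line is at most 512 octets


def _verb(line: str) -> str:
    """The SMTP verb is the first word of the line, case-insensitive."""
    return line.rstrip("\r\n").split(" ", 1)[0].upper()


def inspect_smtp_command(line: str):
    """Classify one client command line (stateless check).

    Returns (verdict, reply): "FORWARD" passes the line to the server;
    "REJECT" means the proxy answers the client itself with `reply`.
    The reply strings are this example's choice, not a vendor's.
    """
    raw = line.rstrip("\r\n")
    if len(raw.encode("utf-8", "surrogateescape")) > LINE_LIMIT:
        return "REJECT", "500 5.5.2 Line too long"
    if not raw.isprintable():                  # control bytes never belong in a command
        return "REJECT", "500 5.5.2 Illegal characters in command"
    verb = _verb(raw)
    if verb in DENIED:
        return "REJECT", "502 5.5.1 Command not allowed by policy"
    if verb not in ALLOWED:
        return "REJECT", "500 5.5.1 Command unrecognized"
    return "FORWARD", None


class SmtpInspector:
    """Stateful variant: the proxy also enforces command order (greeting first),
    mirroring the per-service state an ALG keeps for designated protocols."""

    def __init__(self):
        self.greeted = False

    def inspect(self, line: str):
        verdict, reply = inspect_smtp_command(line)
        if verdict == "REJECT":
            return verdict, reply
        verb = _verb(line)
        if verb in ("HELO", "EHLO"):
            self.greeted = True
        elif verb in ("MAIL", "RCPT", "DATA") and not self.greeted:
            return "REJECT", "503 5.5.1 Bad sequence of commands"
        return "FORWARD", None


def inspect_session(lines):
    """Run a whole client-side transcript through the stateful check; returns verdicts."""
    inspector = SmtpInspector()
    return [inspector.inspect(line)[0] for line in lines]


# Constructed client transcript: only the VRFY probe is stopped by the proxy.
SAMPLE_SESSION = [
    "HELO mail.example.com\r\n",
    "MAIL FROM:<alice@example.com>\r\n",
    "VRFY root\r\n",
    "RCPT TO:<bob@example.com>\r\n",
    "DATA\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, inspect_session(SAMPLE_SESSION)):
        print(f"{verdict:8} {line.rstrip()}")
```

Running the sample session forwards every line except `VRFY root`, which the proxy answers with a 502 reply; the same transcript started with MAIL instead of HELO would be stopped at the first line with a 503.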

2.3.2.2 Stateful Inspection Firewall (SIF)

Mainly uses SPI (Stateful Packet Inspection), the improved generation of the packet-filtering technique, developed by Checkpoint in 1993. SPI combines the strengths of the earlier techniques:
- Packet Filtering: operates at the Network layer, filtering incoming and outgoing packets on connection parameters such as source address, destination address, source port and destination port.
- Circuit Level Gateway: determines whether a packet belongs to a valid session from the ACK and SYN flags and the sequence number.
- Application Level Gateway: SIF passes packets up to the Application layer and checks that the data content conforms to the system's security policies. SIF can be configured to discard packets containing specified commands (such as FTP PUT, FTP GET, ...). In addition, improving on the Application Level Gateway technique, SIF lets users connect directly to the server.

2.4 Deploying firewalls in an enterprise network

The administrator chooses a suitable model according to the purpose and architecture of the network, and according to his or her own knowledge and experience. Firewall architectures are extremely varied, but broadly they fall into the following three types:

2.4.1 Bastion Host

Bastion Host is a general term for a system that the firewall administrator designates as an extremely hardened security point in the network. This is the simplest firewall architecture: the firewall sits between the internal network (Inside Network) and the external network (Outside Network) and filters incoming and outgoing packets through two interfaces, one connected directly to the Internet (untrusted) and one connected to the intranet (trusted), so there are two zones with different security levels. It mainly uses Application Level Gateway technology, Circuit Level Gateway technology or a combination of both. A dual-homed host is the typical example of a Bastion Host.

Figure 14 - Bastion Host

The Bastion Host model suits a simple network with no need to publish services to the Internet; consequently, if the server is compromised, the whole inside system is affected. Moreover, this model draws a fragile boundary between the trusted and untrusted networks: if that boundary is broken, the entire network and all inside resources are exposed.

Advantages:
- Low deployment cost.
- Easy to manage and configure.

Disadvantages:
- Low security: if the firewall is attacked, all resources of the inside network are exposed.

2.4.2 Screened subnet (or triple-homed host firewall)

A basic firewall model which, compared with the Bastion Host, additionally supports publishing services to the Internet by defining a demilitarized zone (DMZ), an isolated subnet between the Internet and the internal network. This model suits small and medium-sized companies: it meets the need to secure the inside system while letting outside users reach the necessary services, and above all it is affordable, which makes it the most widely deployed model. Like the Bastion Host, the screened subnet uses a single firewall, but with three network interfaces that clearly separate Outside, Inside and DMZ. As noted, this model lets outside users access the services published in the DMZ. Security is higher than with the Bastion Host: the chance of the inside network being attacked is relatively low because from the outside users can only reach services in the DMZ and cannot initiate connections to the inside.

Figure 15 - Screened subnet

Advantages:
- If the DMZ is attacked, the inside network is not affected.
- Relatively high security compared with the Bastion Host, because outside users can only reach services published in the DMZ and cannot connect directly to the internal network.

Disadvantages:
- As with the Bastion Host model, if this single protective layer is broken the whole inside network is in danger.

2.4.3 Dual firewall

The system consists of two firewalls and achieves the highest security of the three models. Although deployment is expensive, demands more attention from the administrator and is relatively complex to configure, the system is highly reliable and hard to bring down.

Figure 16 - Dual Firewall

As in the three-legged model, the DMZ is separated into its own zone, so even if it is compromised the inside is not affected. Using two firewalls is costly, but weighed against the importance of the data it is well worth deploying. The model is safest when the two firewalls come from different vendors: if the outer firewall is breached, the attacker still cannot breach the inner one, or at least loses time assessing and getting past it, during which the outer firewall can be rebuilt and the attacker dealt with. Using several firewalls also means more interfaces, so there can be more zones with different security levels of our choosing, which simplifies management and configuration. Overall, each of the designs above has its own advantages and drawbacks. The choice of firewall model depends mainly on the organisation's needs and on the budget set aside for security investment, from which a model is chosen that both meets business needs and fits the investment available.

Advantages:
- Higher security than the two previous models. To break into the internal network an attacker must get past two layers of protection: the outside firewall and the inside firewall.
- Lets outside users access the services published in the DMZ.
- Compared with the screened subnet, the inside network remains protected even if the DMZ is attacked.

Disadvantages:
- High deployment cost.
- Managing the firewall system requires an administrator with a certain level of experience and knowledge.

PART 3: BUILDING A VPN BETWEEN THE TWO CAMPUSES OF HOA SEN UNIVERSITY


3.1 The need for VPN in the enterprise

3.1.1 Why VPN came about

With the rapid development of information technology and telecommunications, the world keeps shrinking and growing closer. Many companies are reaching beyond local and regional boundaries into the world market. Many enterprises span the whole country or even the globe, and all face the same practical need: a way to maintain timely, secure and efficient communication links wherever their offices are located. The growth of the Internet, in both model and technology, partly meets this need. The Internet connects many different networks and lets information reach users freely and quickly, but without regard to information security. Today the market keeps expanding, bringing a stream of new technologies, techniques and applications; services such as distance education, online shopping and medical consultation are becoming familiar to almost everyone. However, the very vastness of the Internet is both its strength and its single weakness, causing no small amount of risk and loss to businesses. Managing and securing data on the Internet is extremely difficult because the Internet is global and under the control of no single organisation. To satisfy this requirement while still using the existing Internet infrastructure, the Virtual Private Network (VPN) model came about.

3.1.2 VPN is truly necessary for the enterprise

With this new model, reliability is assured without much additional infrastructure investment, and the network's operation can still be managed. A VPN gives users a secure connection when working from home, on the road or at branch offices, over the Internet. A VPN secures information between agents, suppliers and business partners across a wide communications environment. In many respects a VPN resembles a WAN (Wide Area Network), but its defining characteristic is that it can use a public network such as the Internet while preserving privacy and at far lower cost. In today's competitive market, building a VPN so that remote employees can reach data on the inside hosts over the public Internet is increasingly necessary for organisations, raising the productivity of staff in the company and while travelling. A typical VPN consists of the main LAN at headquarters (the main office), other LANs at remote offices, and connection points or users (mobile employees) accessing from outside.

Figure 17 - VPN network

3.2 VPN overview

3.2.1 Concept

A VPN is the extension of a private network across a public network. Essentially, a VPN is a private network that uses a shared network (the Internet) to connect sites (separate private networks) or many remote users. Instead of a real, dedicated connection such as a leased line, each VPN uses a virtual connection over the Internet from the company's private network to its branches or remote employees. It provides mechanisms to encrypt data in transit, creating a secure pipe between sender and receiver (the VPN tunnel) that behaves like a point-to-point link on a private network. To keep data safe in transit, the data must be encrypted or hidden so that only the routing information needed to reach the server over the Internet is exposed. If packets are captured along the way, the attacker cannot read their contents because he has no decryption key.

3.2.2 Benefits of VPN

Compared with deploying traditional networks, a VPN offers:
- Lower cost.
- A simpler network architecture.
- Global connectivity opportunities.
- Easy management: compared with protocols such as Frame Relay and ATM for connecting sites, a VPN is a simpler and more flexible way to manage the number of users (connection channels can be added and removed continuously and quickly).
- Stronger network security.
- Compatibility with broadband networks.
- Support for today's most common network protocols, such as TCP/IP.
- IP address confidentiality: information sent over the VPN is encrypted, so the addresses inside the private network are hidden and only the external Internet addresses are used.

3.2.3 Technical foundations for building a VPN

3.2.3.1 Cryptographic techniques

a. The role of cryptography in protecting information

Hiding secret information. Eavesdropping on, or stealing information from, transmission links is common today, and the number of attacks on enterprise networks grows every year. Cryptography is therefore increasingly important and necessary for almost every organisation, and has become a prerequisite for protecting data transmitted over public communication channels.

b. Branches of cryptology

Cryptology has two main branches: cryptography and cryptanalysis. Cryptography studies algorithms and cryptographic solutions and is itself divided into two sub-branches, encryption (whose goal is confidentiality) and hashing (for authentication and verification); cryptanalysis studies how to break (crack) ciphers. The science is far from new: it arose long ago, in the 18th century, and over time progressed from the simple to the complex. It began with simple substitution of one character by another character or a number, then transposition of characters, or the use of a coordinate matrix. Today there are encryption algorithms so complex that even a supercomputer would need billions of years to break them. Fundamentally they fall into two kinds:

Symmetric: a single key is used for both encryption and decryption, so sender and receiver must hold the same key in order to decrypt. These algorithms are faster and simpler, use shorter keys than asymmetric algorithms, and typically use key lengths of 40 to 256 bits. Examples: DES, 3DES, AES, IDEA, RCx, Blowfish.

Asymmetric: also called public-key algorithms, about 1000 times slower than symmetric algorithms because they perform difficult computations on numbers with tens of digits. For this reason they are typically used for digital signatures. On the other hand, key management is much simpler than with symmetric algorithms, because one of the two keys is normally made public (the public key) while the other is kept private (the private key). An exact key length cannot be computed; it is estimated at 512 to 4096 bits, and the key lengths of symmetric and asymmetric algorithms cannot be compared directly. What the two have in common is that both need a key to encrypt or decrypt. A symmetric algorithm uses one key for both encryption and decryption, whereas an asymmetric algorithm uses one key to encrypt and another to decrypt; which of the two is called the public key and which the private key depends on the application, mainly in the following two scenarios:

Public key Confidentiality Scenario: the public key encrypts and the private key decrypts. Since every system has a different private key, data encrypted with a system's public key is guaranteed to be undecryptable by any other system; this is commonly used for key exchange. Public key (Encrypt) + Private key (Decrypt) = Confidentiality

Figure 18 - Public key Confidentiality Scenario

Public key Authentication Scenario: the private key encrypts and the public key decrypts. Since every system's private key is different, data encrypted with a system's private key can only be decrypted with that system's public key; this is commonly used for authentication. Private key (Encrypt) + Public key (Decrypt) = Authentication

Figure 19 - Public key Authentication Scenario

c. Encryption methods

- Block cipher: data is divided into blocks of fixed length and each block is encrypted; if the plaintext is shorter than a block, filler data is appended to complete the block, so the ciphertext is usually longer than the plaintext. Algorithms using this method include AES and IDEA.
- Stream cipher: operates bit by bit, leaves the ciphertext the same size as the original plaintext, and is faster than the method above. Algorithms using this method include RC4 and SEAL.

3.2.3.2 Public Key Infrastructure (PKI)

a. Introduction

A standards-based system of technology and applications for creating, storing and managing digital certificates as well as public and private keys. PKI appeared in 1995, when industry and government organisations built common standards based on cryptographic methods to support a security infrastructure on the Internet. The goal at the time was a comprehensive set of security standards, tools and theory that would allow users and organisations to create, store and exchange information securely, both privately and publicly.

Figure 20 - Public Key Infrastructure (PKI)

In cryptography, a PKI is an arrangement that binds public keys to their respective users, certified by a Certificate Authority (CA); each user's identity must be unique across the whole CA. These processes are normally established through registration and certificate issuance and, depending on the level of assurance, may be carried out by software at the centre or under human supervision.

Public Key Certificates (Digital Certificate or Identity Certificate)

An electronic document that uses a digital signature to authenticate the parties to an exchange. It is issued by a CA and serves to deliver the public key securely from the sender (who encrypts) to the receiver (who decrypts). Before a CA can issue a public key certificate, the user must register with the CA. The registration, activation and certification process with the PKI (CAs and RAs) runs as follows:
- The user registers with the CA or RA. During registration the user presents identifying information to the CA; the CA authenticates the end entity and sends it the CA's own public key.
- The user generates a public/private key pair and sends the public key together with a certificate request to the Registration Authority (RA).
- The RA is responsible for accepting or rejecting the user's request. It then forwards the request to the CA to confirm the policies and obtain the CA's signature.
- The CA signs the public key certificate with its private key, producing the user's public key certificate.
- The end user can now request other users' public key certificates and use the CA's public key to verify them, ensuring the certificates are valid.

b. Components of PKI

To ensure that public keys are managed securely, the CA must handle the following tasks:
- Authenticating and registering end entities for cryptography.
- Checking the integrity of public keys.
- Authenticating requests during the custody of public keys.
- Issuing public keys confidentially.
- Revoking public keys when they are no longer valid.
- Maintaining revocation information about public keys (the CRL) and distributing it (by publishing the CRL or by answering Online Certificate Status Protocol [OCSP] messages).
- Ensuring the keys are kept safely.

To simplify these functions and reduce the key-management burden on the CA, they are divided among the following three components:

Registration Authorities

In many cases the CA provides all the PKI services needed to manage the public keys within the network, but in many others the CA delegates work to the RA. Functions the CA may delegate to the RA include:
- Verifying that an end user registering a public key with the CA holds the private key corresponding to that public key.
- Issuing public/private key pairs used when starting the registration process.
- Confirming the parameters of the public key.
- Indirectly distributing Certificate Revocation Lists (CRLs).

Certificate Authorities

Issues certificates, authenticates PKI clients and, when necessary, revokes certificates; it is the main trusted source of the PKI. The CA is the only component that issues Public Key Certificates to end users, maintains the CRL and acts as the CRL issuer. A PKI may have several CAs, which helps communicating entities identify each other correctly. A CA certifies not only PKI clients but also other CAs, by issuing digital certificates to them; the certified CAs can in turn certify further CAs, until every entity can trust the other entities involved in a transaction.

Validation Authorities: ensure safe and reliable validation of digital certificates.

Purpose: to let participants authenticate each other and use the information in certificates to encrypt and decrypt information during exchanges. Electronic transactions are then confidential, intact and mutually authenticated without any prior exchange of secret information. PKI supplies public keys and establishes the link between a key and the user's identity, so users can apply it in applications such as:
o Encrypting e-mail or authenticating the sender of e-mail.
o Encrypting or authenticating documents.
o Authenticating application users.
o Secure communication protocols: key exchange with asymmetric keys, encryption with symmetric keys.
To provide encryption and authentication, PKI uses:

Hash algorithms

Ensure data integrity: even a small change is detected immediately. A hash works one way and, whatever the input, produces an output of fixed length. Hashing does not encrypt data, however; typical algorithms are MD5 and SHA-1. HMAC was introduced to improve security: with a plain hash, a change to the data is detected, but if the hash value is changed along with it the change cannot be noticed, whereas HMAC uses a secret key in the hashing process, strengthening authentication and resisting man-in-the-middle attacks.

Digital Signature

During communication it is not enough that data is unchanged in transit; it must also come from a trusted source. Digital signatures solve this by providing unique evidence of the original data, detecting any change, and authenticating it with the private key used to sign the data, thereby proving the authenticity and integrity of the certificate. Basically a digital signature works as follows: when A sends a message to B, the message is signed with A's private key (the signature key), producing a digital signature that only A's private key could have produced. The signature is attached to the original message and sent to B. On receipt, B uses A's public key (the verification key) to decrypt A's signature; if the result differs from the message, the message content has been changed, and otherwise it is intact. At the same time A cannot repudiate having sent the message, because only A could have produced that signature.

RSA Digital Signature: the most popular asymmetric algorithm, devised by Ron Rivest, Adi Shamir and Len Adleman in 1977. It relies on complex computations on numbers of tens or hundreds of digits. RSA uses a widely published public key and a private key that is kept strictly secret. Operation: first the message is hashed to produce a hash value; this value is signed (encrypted) with A's private key to produce the signature, which is attached to the message and sent to B. On receipt, B does two things: decrypts the signature with A's public key to obtain the value H1, and hashes the message to produce H2. If H1 = H2 the message was not altered in transit and came from A; otherwise it was not.
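The hash, HMAC and RSA-signature passages above describe three integrity mechanisms that differ in what an attacker who alters the message can and cannot recompute. The Python program below is an added example covering both passages; it is not code from the thesis. It uses the standard library's SHA-256 and HMAC, and a textbook RSA (hash signed directly as an integer, no PKCS#1 padding, small 320-bit modulus generated from a seeded random source so the run is reproducible) to show the H1 = H2 check. The Miller-Rabin primality test, the key size and the sample messages are this example's own choices; production code uses a vetted library and 2048-bit or larger keys.

```python
import hashlib
import hmac
import math
import random


# ---- Hash and HMAC: integrity with and without a shared secret -------------

def digest(msg: bytes) -> bytes:
    """Plain SHA-256: fixed length and one-way, but anyone can recompute it,
    so an attacker who changes the message can also replace the hash."""
    return hashlib.sha256(msg).digest()


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)   # constant-time comparison


# ---- Textbook RSA signature over a hash (illustration only) ----------------

def _is_probable_prime(n: int, rng, rounds: int = 32) -> bool:
    """Miller-Rabin test written for this example; not a vetted implementation."""
    if n < 4:
        return n in (2, 3)
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keypair(bits: int = 320, seed: int = 2010):
    """Return ((e, n), (d, n)). A 320-bit n keeps the example fast and is larger
    than the 256-bit SHA-256 digest, so the digest can be signed as one integer."""
    rng = random.Random(seed)          # seeded so the example is reproducible
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_sign(private_key, msg: bytes) -> int:
    """A's side: hash the message, then 'encrypt' the hash with the private key."""
    d, n = private_key
    h = int.from_bytes(digest(msg), "big")
    return pow(h, d, n)


def rsa_verify(public_key, msg: bytes, signature: int) -> bool:
    """B's side: H1 = signature decrypted with A's public key, H2 = hash of the
    received message; the message is authentic and intact iff H1 == H2."""
    e, n = public_key
    h1 = pow(signature, e, n)
    h2 = int.from_bytes(digest(msg), "big")
    return h1 == h2


if __name__ == "__main__":
    msg, forged = b"transfer 100 to account 42", b"transfer 900 to account 42"   # constructed
    key = b"shared-secret-constructed-for-the-example"
    print("plain hash accepts attacker-recomputed hash:", digest(forged) == digest(forged))
    print("HMAC accepts forged tag without the key:",
          hmac_check(key, forged, hmac_tag(b"attacker guess", forged)))
    pub, priv = rsa_keypair()
    sig = rsa_sign(priv, msg)
    print("RSA verify original:", rsa_verify(pub, msg, sig), " altered:", rsa_verify(pub, forged, sig))
```

The three checks line up with the text: a plain hash only detects a change the attacker did not bother to re-hash, the HMAC rejects any tag produced without the shared key, and the RSA signature is rejected as soon as the message (and hence H2) differs from what A signed.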

Figure 21 - Operation diagram

3.2.4 VPN protocols

3.2.4.1 PPTP (Point-to-Point Tunneling Protocol)

Like the L2F (Layer 2 Forwarding) protocol, the Point-to-Point Tunneling Protocol (PPTP) was originally designed and developed to create and maintain VPN tunnels across public TCP/IP networks using PPP; it was the joint effort of Microsoft and a number of vendors including Ascend Communications, 3Com/Primary Access and ECI Telematics. Used on client machines running Microsoft NT 4.0 and Windows 95 and later, it encrypts data travelling on the LAN. PPTP was built on the RSA RC4 standard and supports 40-bit or 128-bit encryption. PPTP encapsulates PPP frames in IP packets transmitted over the Internet or any other publicly accessible TCP/IP network. If the remote system supports PPTP, it can connect directly to the VPN server; otherwise it can use PPP to connect to the Internet service provider's VPN connection initiator (L2TP Access Concentrator, LAC) and then use PPTP to connect to the VPN server.

Figure 22 - VPN connection over PPTP

PPTP was not developed for LAN-to-LAN use; it is limited to 255 connections per server and allows only one VPN tunnel per connection. PPTP does not provide encryption strong enough for large workloads, but it is easy to install and deploy, and it is a remote-access solution that only works on Microsoft networks. This protocol works well on Windows 2000 and later.

3.2.4.2 L2TP (Layer 2 Tunneling Protocol)

Introduced in 1999 and defined in RFC 2661, it inherits the strengths of its predecessors, Cisco's L2F (Layer 2 Forwarding) and Microsoft's PPTP. A newer version of the protocol, L2TPv3, was released in 2005; it provides further security features such as encryption and can carry data links other than PPP over IP networks, such as Frame Relay, Ethernet and ATM.

Figure 23 - L2TP VPN

It creates independent, multi-protocol connections for virtual private dial-up networks (VPDN), allowing users to connect under security policies to form a VPN or VPDN. The protocol itself, however, provides no encryption. It is effective for dial-up, ADSL and other remote-access connections. This extended protocol uses PPP to give remote users VPN access. An L2TP tunnel can be set up in three forms:
- Voluntary tunnel.
- Compulsory tunnel (for incoming connections and for remote dial-up).
- L2TP multi-hop connection.

3.2.4.3 GRE

A multi-protocol carrier that encapsulates IP, CLNP and other packets inside an IP tunnel. With a GRE tunnel, the Cisco router encapsulates each site's specific protocol inside an IP header, creating a virtual point-to-point link to the destination Cisco router; when the data reaches its destination the IP header is removed. It joins several subnets running different protocols over the main protocol. GRE tunnelling lets other protocols be carried conveniently by routing them as IP packets.

3.2.4.4 IPSec (Internet Protocol Security)

a. Introduction

Developed by the IETF and defined in RFC 2401 to 2412, IPSec specifies how to set up a VPN using the IP protocol to provide a security framework at the Network layer. IPSec therefore supports all applications, protecting and authenticating IP packets between the parties. IPSec does not tie itself to any particular encryption or authentication algorithm; it is a combination of many open standards.

Figure 24 - IPSec in the OSI model

As a result, IPSec allows newer and better algorithms to be adopted without changing the existing standard. IPSec provides confidentiality (Encryption Algorithm), data integrity (Data Integrity) and authentication of the parties at the Network layer, creating a secure path between a pair of gateways, a pair of hosts, or even a gateway and a host.

Figure 25 - Components of IPSec

Encryption: the achievable level of confidentiality depends on the length of the encryption key and the algorithm's processing time. The question is therefore which algorithm and key length to choose so that the system is secure without consuming too much processing capacity. Some recommended algorithms and key sizes: DES (56 bit), 3DES (112 bit, 168 bit), AES (128 bit, 192 bit, 256 bit), RSA (512 bit, 768 bit, 1024 bit), SEAL (160 bit).

Data Integrity: data transmitted on the Internet can be altered, so IPSec uses the HMAC-MD5 or HMAC-SHA-1 algorithm to preserve it.

Authentication: authenticating the communicating peer is essential before a connection between the two parties is established. IPSec provides three authentication methods:
- Pre-shared Key: a value entered manually on each side and used for mutual authentication.
- RSA signature: the peers exchange certificates; each then generates a hash of the message, encrypts it with its private key, attaches it to the message and sends it to the other. On receipt each peer decrypts the encrypted hash with the other's public key; if it matches the hash of the received message, authentication succeeds.
- RSA encrypted nonce: similar to RSA signature, but without certificates; instead the public keys are entered manually on each side.

IPSec operates in two modes:

Transport mode: protects only the payload of the packet; the IP header stays unchanged. If AH is used, however, the IP header must not change: modifying it causes the packet to be dropped. Transport mode therefore works well only host to host. This problem is solved with NAT Traversal, discussed below.

Figure 26 - Transport mode

Tunnel mode: protects the entire routable IP packet on the Internet. Tunnel mode works better than Transport mode and also supports gateway-to-gateway use. In terms of network performance, however, Tunnel mode falls short of Transport mode because it adds a new IP header while Transport mode does not.

Figure 27 - Tunnel mode

b. Summary of the protocols and algorithms used

Protocols used

ESP (Encapsulating Security Payload)

One of the two main protocols that make up IPSec. ESP offers strong confidentiality and supports many symmetric encryption algorithms such as DES and 3DES. ESP also supports data integrity and authentication.

It operates in two modes, transport mode and tunnel mode. In transport mode, ESP encrypts and authenticates only the data content and a few other components, as shown in figure 28.

Figure 28 - ESP transport mode packet

In tunnel mode, ESP encrypts the entire original packet and authenticates this encrypted data together with the ESP header, which is added along with a new IP header.

Figure 29 - ESP tunnel mode packet

Fields of the ESP packet

Figure 30 - ESP fields

ESP adds a header and a trailer around the content of each packet. The ESP header consists of two fields:
- SPI (32 bits): each endpoint of an IPSec connection chooses its own SPI value. The receiver uses the SPI together with the destination IP address and the IPSec protocol to identify the single SA policy that applies to the packet.
- Sequence Number: provides the anti-replay service. When the SA is established this counter starts at 0; before each packet is sent it is incremented by 1 and placed in the ESP header.
The next part of the packet is the Payload, made up of the Payload Data (encrypted) and the Initialization Vector (IV), which is not encrypted. The IV value differs for every packet encrypted. The third part is the ESP Trailer, which holds at least two fields:
- Padding (0-255 bytes): may be added to adjust the size of each packet.
- Pad Length: the length of the padding.
- Next Header: identifies the protocol carried in the payload field: 4 for IP, 6 for TCP, 17 for UDP. Each ESP trailer holds one Next Header value.
Finally, the Authentication Data carries the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the whole ESP packet and placed in its authentication data field. The ICV starts on a 4-byte boundary and must be a multiple of 32 bits (one word).
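The field layout just listed, the 4-byte alignment of the trailer and the anti-replay use of the Sequence Number can be exercised in code. The Python program below is an added example written for this section, not code from the thesis or from any IPSec implementation. It assembles and parses ESP packets using the NULL encryption algorithm (RFC 2410, so the payload stays readable) with HMAC-SHA-1-96 as the ICV (RFC 2404: HMAC-SHA-1 truncated to 96 bits), the default padding bytes 1, 2, 3, ... of RFC 4303, and a 64-entry sliding anti-replay window. The SPI, key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12                    # HMAC-SHA-1-96: the HMAC-SHA-1 tag truncated to 96 bits
HEADER = struct.Struct("!II")   # ESP header: SPI (32 bits), Sequence Number (32 bits)


class ReplayWindow:
    """Sliding anti-replay window over the ESP Sequence Number."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set  <=>  sequence (highest - i) already received

    def check(self, seq: int) -> bool:
        """Preliminary check: may this sequence number still be accepted?"""
        if seq == 0:
            return False                         # the first packet of an SA carries 1
        if seq > self.highest:
            return True                          # new high-water mark
        diff = self.highest - seq
        if diff >= self.size:
            return False                         # older than the window: reject
        return not (self.bitmap >> diff) & 1     # reject if already seen

    def update(self, seq: int) -> None:
        """Record `seq` as received (call only after the ICV verified)."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def build_esp(spi: int, seq: int, next_header: int, data: bytes, auth_key: bytes, iv: bytes = b"") -> bytes:
    """Header + [IV | data | padding | pad length | next header] + ICV, NULL encryption."""
    body = iv + data
    pad_len = (-(len(body) + 2)) % 4             # align Pad Length + Next Header to 4 bytes
    padding = bytes(range(1, pad_len + 1))       # default padding values 1, 2, 3, ...
    authenticated = HEADER.pack(spi, seq) + body + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp(packet: bytes, auth_key: bytes, window: ReplayWindow, iv_len: int = 0):
    """Verify and decapsulate one ESP packet.

    Returns (fields, None) on success or (None, reason) when the packet must be
    dropped. Order: preliminary sequence check, ICV check, then window update,
    so a forged packet cannot poison the window."""
    if len(packet) < HEADER.size + 2 + ICV_LEN:
        return None, "truncated"
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = HEADER.unpack_from(authenticated)
    if not window.check(seq):
        return None, f"replayed or stale sequence number {seq}"
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None, "ICV mismatch"
    window.update(seq)
    pad_len, next_header = authenticated[-2], authenticated[-1]
    body = authenticated[HEADER.size:-2]
    if pad_len > len(body) - iv_len:
        return None, "bad pad length"
    data = body[iv_len:len(body) - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "data": data}, None


if __name__ == "__main__":
    key = b"constructed-auth-key"                      # sample SA authentication key
    window = ReplayWindow()
    pkt = build_esp(0x1000, 1, 6, b"GET / HTTP/1.0\r\n\r\n", key, iv=b"\x00" * 8)
    print("first delivery :", parse_esp(pkt, key, window, iv_len=8))
    print("replayed copy  :", parse_esp(pkt, key, window, iv_len=8))
    altered = pkt[:12] + bytes([pkt[12] ^ 1]) + pkt[13:]
    print("altered payload:", parse_esp(altered, key, window, iv_len=8))
```

Replaying a captured packet is refused by the window before any cryptography runs, while a packet whose payload was altered in transit fails the ICV and leaves the window untouched, so the genuine packet with that sequence number is still accepted afterwards.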

AH (Authentication Header)

Together with ESP, AH is one of the two main protocols making up IPSec; it provides data integrity and authentication. AH hashes the fields of the packet including the IP header, except for fields that change in transit such as TTL (Time To Live), and the AH header produced by the hash function is added to the packet. Because the IP header is hashed, AH cannot work if there is NAT (Network Address Translation) along the path. AH acts like a digital signature that guarantees the packet is not forged, but provides no encryption or decryption. Like ESP, AH has two modes: transport mode and tunnel mode.

Figure 31 - AH transport mode

Figure 32 - AH tunnel mode

In both modes AH authenticates the whole packet (from the data up to the IP header), so any change to the IP address in transit stops AH from working. The AH header consists of the following fields:

Figure 33 - AH header

- Next Header: 8 bits, identifies the protocol carried in the payload field.
- Payload Length: the length of the AH header.
- Reserved: reserved for future use (currently all zeros).

- Security Parameter Index (SPI): each endpoint of an IPSec connection chooses its own SPI value to identify the connection. The receiver uses the SPI together with the destination IP address and the IPSec protocol type (here AH) to determine the SA policy applied to the packet (that is, which IPSec protocol and algorithms were applied to it).

- Sequence Number: increased by 1 for each AH datagram a host sends under a given SA. The counter starts at 1 and is never allowed to wrap around to 0: the sending host checks that it does not wrap and negotiates a new SA if this one has been set up for that. The receiving host uses the sequence number to detect replayed datagrams. The receiver may tell the sender that it is not checking sequence numbers, but the sender is still required to increment the counter and send it.

- Authentication Data: holds the resulting Integrity Check Value (ICV); it is always a multiple of 32 bits (one word) and must be padded if the ICV length in bytes does not fill it.

In operation, IPSec authentication brings great benefits, but it also brings its share of trouble. AH authenticates the packet using information from the IP header, so it is incompatible with the changes made by NAT: because AH's ICV is computed before NAT, the integrity check fails when the packet reaches its destination. In transport mode, ESP and NAT are also incompatible, because NAT alters the packet header. When NAT rewrites the IP information it also recomputes the checksum in the TCP header, and since the TCP checksum covers not only the TCP header but also information from the IP header, such as the packet's source and destination addresses, NAT breaks the packet's integrity. In ESP transport mode the whole TCP header is encrypted, so the NAT box cannot recompute the TCP checksum (the same applies to UDP packets when the UDP checksum is used). As a result the packet is discarded before decryption because its integrity cannot be guaranteed. To solve these problems, NAT Traversal appeared in 2001 as the merger of two competing approaches proposed to the IETF by SSH Communications and by the co-authors F-Secure, Microsoft, Cisco and Nortel. The solution is to encapsulate the encrypted and authenticated packet in UDP, adding two fields: a UDP header and a Zeropad.

Figure 34 Packet format with NAT-Traversal

At present AH is not compatible with NAT Traversal and is not widely deployed, so NAT-T support for it has not been a priority, although SSH Communications has also proposed adding it. Naturally, to use NAT Traversal both endpoints (gateway to gateway, client to gateway or client to client) must support it.
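The NAT problem described above can be reproduced directly. The following is an added example, not code from the thesis: it builds an IPv4 packet carrying an AH header, computes the HMAC-SHA-1-96 ICV over the packet with the mutable IP fields (TOS, flags/fragment offset, TTL, header checksum) zeroed as RFC 4302 requires, and then shows that a normal router hop (TTL decrement, new header checksum) leaves the ICV valid while a NAT rewriting the source address does not. The key, addresses and payload are constructed values; the IP header checksum is left at zero because it is not needed for the demonstration.

```python
"""Added example (not from the original thesis): AH ICV computation and
verification, and why a NAT on the path breaks it. Everything below is
constructed for the demonstration."""
import hashlib
import hmac
import struct

AH_PROTO = 51      # IP protocol number of AH
ICV_LEN = 12       # HMAC-SHA-1-96: the 20-byte HMAC-SHA-1 truncated to 96 bits
AH_FIXED_LEN = 12  # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (identification fixed, DF set, checksum 0)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src_b, dst_b)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH covers the IP header with the mutable fields set to zero."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Length is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_icv(key: bytes, ip_hdr: bytes, next_hdr: int, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV = HMAC over zeroed IP header || AH header with ICV field zeroed || payload."""
    ah_zero = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    data = zero_mutable(ip_hdr) + ah_zero + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    payload: bytes, next_hdr: int = 17) -> bytes:
    total = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total)
    icv = ah_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV at the receiver and compare it in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, next_hdr, spi, seq, payload))


def forward_hop(packet: bytes) -> bytes:
    """What an ordinary router does: decrement TTL and rewrite the IP checksum."""
    h = bytearray(packet)
    h[8] -= 1
    h[10:12] = b"\xab\xcd"    # any new checksum value; AH ignores it
    return bytes(h)


def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """What a NAT does in addition: rewrite the (immutable, AH-protected) source address."""
    h = bytearray(forward_hop(packet))
    h[12:16] = bytes(int(x) for x in new_src.split("."))
    return bytes(h)


if __name__ == "__main__":
    key = b"k" * 20
    pkt = build_ah_packet(key, "10.0.0.5", "192.0.2.9", spi=0x1000, seq=1, payload=b"hello")
    print("direct     :", verify_ah_packet(key, pkt))
    print("after hop  :", verify_ah_packet(key, forward_hop(pkt)))
    print("after NAT  :", verify_ah_packet(key, nat_rewrite_src(pkt, "203.0.113.7")))
```

The same verification logic is what makes ESP survive NAT in tunnel mode: there the outer IP header is not covered by the ICV at all, so a rewritten outer address is harmless, and NAT-T only has to solve the UDP/TCP checksum problem of transport mode.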

IKE (Internet Key Exchange)

IKE authenticates the two peers, negotiates the IKE (phase 1) and IPSec (phase 2) security associations and generates the keys that protect IPSec data. It runs inside the ISAKMP (Internet Security Association and Key Management Protocol) framework: ISAKMP defines the message formats and exchange types, and IKE (RFC 2409) fills them with the Oakley/Diffie-Hellman key agreement and the authentication methods.

DH (Diffie-Hellman)

Creates a shared secret key between two parties over an insecure channel; inside IKE it is used to derive the session keys. It works as follows: the two parties agree, possibly in public, on a prime p and a generator q (an integer smaller than p, usually written g); each party keeps a private exponent, a and b respectively. A sends X = q^a mod p to B, and B sends Y = q^b mod p to A. Each side then computes, with its own private exponent, K = Y^a mod p = X^b mod p = q^(ab) mod p, which is the shared secret. An eavesdropper who sees p, q, X and Y cannot feasibly recover K without solving the discrete logarithm problem, which is why p must be a large (safe) prime and the public values must be validated before use.

Figure 35 How DH works
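The exchange described above, as an added example that is not part of the original thesis. It uses IKE DH group 2 (the 1024-bit MODP group of RFC 2409 section 6.2, generator 2); the prime is transcribed from the RFC and checked at run time with Miller-Rabin, so a transcription error would be caught rather than silently producing a weak group. It also performs the check a practitioner should always add: a peer's public value is rejected if it is 0, 1 or p-1 or is not in the order-q subgroup generated by 2, which is what prevents small-subgroup attacks. Private exponents are random; group 2 itself is shown only because it is the one the thesis-era equipment supported, and today group 14 or larger should be used.

```python
"""Added example (not from the original thesis): Diffie-Hellman over IKE group 2,
with group self-check and public-value validation."""
import secrets

# RFC 2409 section 6.2, Second Oakley Group (1024-bit MODP), generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
Q = (P - 1) // 2          # p is a safe prime, so 2 generates the subgroup of order q
G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; enough to detect a mis-transcribed modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe_prime() -> bool:
    """p and (p-1)/2 prime, and the generator really has order q."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1


def keypair():
    """Private exponent a in [1, p-2] and public value X = g^a mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def valid_public(y: int) -> bool:
    """Reject 0, 1 and p-1 (tiny subgroups) and any value outside the order-q subgroup."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def shared_secret(private: int, peer_public: int) -> int:
    if not valid_public(peer_public):
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, private, P)


if __name__ == "__main__":
    assert group_is_safe_prime()
    a, X = keypair()          # side A keeps a, sends X
    b, Y = keypair()          # side B keeps b, sends Y
    print("shared secrets agree:", shared_secret(a, Y) == shared_secret(b, X))
```

In IKE the value K = g^(ab) mod p produced here is the g^xy fed into the SKEYID derivation of phase 1; the validation in valid_public is the part most often missing from hand-written implementations.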

Algorithms used

Encryption algorithms

- DES (Data Encryption Standard): derived from IBM's Lucifer cipher, published in 1975 and adopted as a US federal standard in 1977. It is a symmetric block cipher operating on 64-bit blocks, built from an ordered sequence of permutations and substitutions of the data bits combined with the key. The key is 64 bits long, of which 56 bits are used for encryption and the remaining 8 are parity bits; if a shorter key is used, for example 40 bits, the real strength of the key is only 40 bits. Because DES consists of simple bit operations it is easy to implement in hardware and encrypts and decrypts quickly. Two modes of operation are distinguished:
  - ECB (Electronic Code Book): every 64-bit plaintext block is encrypted independently under the same 56-bit key, so two identical plaintext blocks produce identical ciphertext blocks. An attacker can exploit this without knowing the content: repeated blocks reveal structure, for example which parts of an administrator's login message are the same each time. Note that capturing the packets and resending them is a replay attack; no mode of operation prevents that, which is why AH and ESP carry sequence numbers. To hide repeated blocks CBC was introduced.
  - CBC (Cipher Block Chaining): every 64-bit plaintext block is XORed with the previous ciphertext block (the first block with an initialisation vector, IV) before it is encrypted. Identical plaintext blocks therefore no longer produce identical ciphertext blocks, provided the IV is unpredictable.
- 3DES (Triple DES): applies DES three times with different keys. The nominal key length is 168 bits (three 56-bit keys K1, K2, K3); because of the meet-in-the-middle attack its effective strength is 112 bits, which is still far beyond the brute-force search that breaks the 56-bit DES key. Encryption: encrypt with K1, decrypt with K2, encrypt with K3 (EDE). Decryption: decrypt with K3, encrypt with K2, decrypt with K1.
- AES (Advanced Encryption Standard): selected by NIST (the National Institute of Standards and Technology) to replace DES in encryption devices. AES is far more secure than DES and more efficient than 3DES; it works on 128-bit blocks with keys of 128, 192 or 256 bits.
- RSA (Rivest, Shamir and Adleman) signature: an asymmetric algorithm; depending on the purpose, one key of the pair is used to encrypt and the matching key to decrypt. In IPSec its main use is digital signatures for peer authentication.

Hash algorithms

- MD5 (Message Digest 5): used to authenticate packet data so that any modification in transit is detected. HMAC-MD5 (Hashed Message Authentication Code) is the keyed variant, which is stronger than a bare MD5 digest because a secret key is mixed into the computation and an attacker cannot recompute it. A hash algorithm is one-way: recovering the original data from the digest is infeasible. Whatever the length of the input, the output length is fixed (128 bits for MD5). IKE and ESP use HMAC-MD5 for authentication.
- SHA-1 (Secure Hash Algorithm 1): like MD5, a hash algorithm used to authenticate packet data, with a 160-bit digest; its keyed variant HMAC-SHA-1 is used to authenticate IKE and ESP.

MD5 is no longer collision-resistant and SHA-1 is deprecated; where the equipment supports it, HMAC-SHA-256 or stronger should be preferred for new deployments.

c. IPSec operation: five main steps

Step 1 - Identify interesting traffic: a flow is "interesting traffic" when it is recognised as data that must be protected, according to the policy configured on the VPN device. Every packet passing through the device (inbound or outbound) is handled in one of these ways:

- bypass IPSec and forward the data in clear text;
- apply the IPSec policy defined beforehand (protect); or, for traffic the policy forbids, drop it.

Step 2 - IKE Phase 1: the basic purpose is to negotiate policy, authenticate the peers and establish a secure channel between them. It takes place in one of two modes. Aggressive mode: faster (three messages instead of six), but it does not protect the identities of the peers as main mode does, because the DH values and identity information have to be exchanged before a secure channel exists. It consists of two steps: step 1, the initiator sends its policy proposal, its DH public value and its identity; the responder replies with the chosen policy, its own DH value, its identity and its authentication data. Step 2, the initiator completes the exchange by sending its authentication data.

Main mode: consists of three exchanges. Exchange 1: the peers agree on the encryption algorithm and hash function that will protect the IKE negotiation. Exchange 2: DH is used to create the shared secret from which all keys for encryption and authentication in phase 1, and later phase 2 (if required), are derived. Exchange 3: each side verifies the identity of the remote peer. Without this authentication step a secure channel might be established with an attacker.

Policy set: when trying to establish the secure channel, each side proposes its policies to the other. The policies are compared in priority order from highest to lowest (priority 1 is the highest) until the two sides find a policy they both support (the same encryption algorithm, authentication method, DH group and hash). Then the negotiation proceeds to the next step; if no match is found the connection is dropped.

DH key exchange: the key agreement method that lets the two sides create a shared secret over an insecure channel while keeping it confidential. DH has several groups (1 to 7); group 5 was the recommended choice in the thesis's reference material, and group 7 is meant for handheld devices with weak processors (today groups 1, 2 and 5 are considered too weak, and group 14 or larger, or the elliptic-curve groups 19 and 20, should be used where supported). Once the group has been negotiated the shared secret is computed. From it the shared key SKEYID is derived, which in turn produces three further keys: SKEYID_a, SKEYID_d and SKEYID_e, each with its own purpose. SKEYID_a is used for authentication (integrity of the ISAKMP messages), SKEYID_e for encrypting the phase 1 messages and SKEYID_d for deriving the phase 2 keys. All of these keys exist by the end of phase 1.

Authenticate peer identity: on a network device, as in life in general, confirming who you are talking to is essential and never superfluous. Before entering phase 2 (setting up the secure channel for data) both peers must therefore be authenticated. There are two methods: pre-shared key or RSA signature.

Figure 36 Comparison of encryption standards, hash algorithms and authentication methods

Figure 37 Phase 1 negotiation steps

Step 3 - IKE Phase 2: negotiates the IPSec security parameters that protect the IPSec tunnel, establishes the IPSec SAs, periodically renegotiates them to keep the tunnel secure and, optionally, generates fresh keys for the data transfer (Perfect Forward Secrecy).

Figure 38 Matching the security parameters

Step 4 - Data transfer: data is exchanged between the two peers. Step 5 - IPSec tunnel termination: the IPSec SA is deleted or times out.

Detailed operation of IKE phase 1 with pre-shared keys, main mode:

Figure 39 IKE phase 1 with pre-shared key in main mode

Step (1): the initiator sends an ISAKMP packet whose header carries its cookie Ci and its predefined policy proposals SAi (authentication method, encryption algorithm, hash algorithm, DH group, lifetime). Step (2): the responder replies with an ISAKMP packet containing the received cookie Ci together with its own cookie Cr and SAr. SAr is chosen from the responder's configured policies as the one matching SAi; if none matches, the responder sends a rejection. Steps (3) and (4): the DH public values (and nonces Ni, Nr) are exchanged and the shared secret K = g^xy is built. After this four keys are derived. SKEYID and K are used to produce the other three:

SKEYID = prf(pre-shared key, Ni | Nr)
SKEYID_d = prf(SKEYID, K | Ci | Cr | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | K | Ci | Cr | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | K | Ci | Cr | 2)

Here prf(key, data) is the negotiated keyed hash (for example HMAC-SHA-1), so the four keys are all different. SKEYID_d is used to derive further keys for phase 2 (if needed). SKEYID_a is used for the integrity of ISAKMP messages. SKEYID_e is used to encrypt IKE messages.

Steps (5) and (6): the packets are encrypted with SKEYID_e and each side authenticates itself by proving it can compute the keyed hash (here SAi is the initiator's full SA payload, used in both hashes):

HASH_I = prf(SKEYID, X | Y | Ci | Cr | SAi | IDi)
HASH_R = prf(SKEYID, Y | X | Cr | Ci | SAi | IDr)

With aggressive mode

Figure 40 IKE phase 1 with pre-shared key in aggressive mode

Step (1): the initiator sends an ISAKMP packet containing Ci, its SA proposals, its DH public value X, a nonce and its identity to the responder. Step (2): having received X, the responder can immediately compute the four keys (K, SKEYID_a, SKEYID_e, SKEYID_d) and returns its cookie Cr, the chosen SA, Y, its nonce, its identity and its hash HASH_R to the initiator. Step (3): the initiator sends its hash HASH_I together with the cookies to the responder, completing the authentication. Because the identities travel before any key exists, they are sent in the clear.

Digital signature, with main mode

Figure 41 IKE phase 1 with digital signature in main mode

This works like the pre-shared key case except in steps (5) and (6). Each side hashes the exchanged values and signs the hash with its own private key, then sends the signature together with its certificate. The signatures are:

SIG_I = sign(private key of I, HASH_I)
SIG_R = sign(private key of R, HASH_R)

The derivation of SKEYID also differs: SKEYID = prf(Ni | Nr, K), that is, the nonces are the prf key and the DH secret K is the data. On receipt each side uses the peer's public key (taken from the certificate, after validating it against a trusted CA) to verify the signature over the hash, and recomputes the hash from the values it holds; if the two hashes agree, authentication succeeds.

IKE phase 2

Once the secure channel has been established, IKE phase 2 (quick mode) follows. It consists of three steps:

Figure 42 IKE phase 2

Step (1): the initiator sends an ISAKMP packet containing the proposed IPSec SA together with a new nonce Ni2. The nonce is used to compute fresh keys and to defeat replay attacks. Normally all IPSec keys are derived from SKEYID_d of phase 1. An attacker who understands how DH works and how SKEYID_d is derived, and who obtains it, could therefore compute the current keys and all future keys until IKE terminates. To strengthen security, PFS (Perfect Forward Secrecy) breaks the link between old and new keys: when it is enabled a new DH exchange (X, Y) is performed in quick mode and a new secret K is derived from it, so compromise of SKEYID_d no longer exposes the data keys. The first hash (Mid is the message ID of the quick-mode exchange) is:

HASH(1) = prf(SKEYID_a, Mid | SAi | Ni2) without PFS
HASH(1) = prf(SKEYID_a, Mid | SAi | Ni2 | X | IDi | IDr) with PFS

Step (2): the responder sends an ISAKMP packet with the corresponding content:

HASH(2) = prf(SKEYID_a, Mid | Ni2 | SAr | Nr2) without PFS
HASH(2) = prf(SKEYID_a, Mid | Ni2 | SAr | Nr2 | Y | IDi | IDr) with PFS

Step (3): HASH(3) is computed to confirm the channel before IPSec traffic starts:

HASH(3) = prf(SKEYID_a, 0 | Mid | Ni2 | Nr2)

The IPSec keying material is then KEYMAT = prf(SKEYID_d, protocol | SPI | Ni2 | Nr2), or, with PFS, prf(SKEYID_d, K | protocol | SPI | Ni2 | Nr2), with K the new quick-mode DH secret.

Once the third packet has been sent, IPSec transmission begins. If the responder has not received the third packet, every IPSec packet it receives is dropped. To avoid this the responder sets the commit bit in the second exchange; the initiator's third packet then requests confirmation, and once the responder has verified the third packet it sends the initiator a notification that it is ready for the IPSec connection.
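The phase 1 key derivation and authentication hashes above, and the phase 2 hashes and KEYMAT derivation, as one added example that is not part of the original thesis. It follows RFC 2409 sections 5.4 and 5.5 with HMAC-SHA-1 as the negotiated prf. The cookies, nonces, identity payloads, SA payloads and DH values are constructed byte strings (real DH values would come from the exchange shown earlier), and the pre-shared keys are made up. The demonstration shows two things a practitioner cares about: a responder holding a different pre-shared key derives a different SKEYID and therefore fails to reproduce HASH_I, and enabling PFS changes the IPSec keying material even when SKEYID_d is unchanged.

```python
"""Added example (not from the original thesis): IKEv1 phase 1 (PSK) and phase 2
(quick mode) key and hash derivation, RFC 2409 5.4 and 5.5, prf = HMAC-SHA-1."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and the three derived keys; gxy is the phase 1 DH shared secret."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase1_hashes(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
                  sai_b: bytes, idii_b: bytes, idir_b: bytes):
    """HASH_I and HASH_R; note that both use the initiator's SA payload sai_b."""
    hash_i = prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)
    hash_r = prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)
    return hash_i, hash_r


def quick_mode_hashes(skeyid_a: bytes, mid: bytes, sa: bytes, ni2: bytes, nr2: bytes,
                      ke: bytes = b"", idci: bytes = b"", idcr: bytes = b""):
    """HASH(1), HASH(2), HASH(3) of quick mode; ke/idci/idcr are present only with PFS."""
    h1 = prf(skeyid_a, mid + sa + ni2 + ke + idci + idcr)
    h2 = prf(skeyid_a, mid + ni2 + sa + nr2 + ke + idci + idcr)
    h3 = prf(skeyid_a, b"\x00" + mid + ni2 + nr2)
    return h1, h2, h3


def keymat(skeyid_d: bytes, protocol: bytes, spi: bytes, ni2: bytes, nr2: bytes,
           gqm_xy: bytes = b"") -> bytes:
    """IPSec keying material; gqm_xy is the quick-mode DH secret when PFS is on."""
    return prf(skeyid_d, gqm_xy + protocol + spi + ni2 + nr2)


def demo():
    """Initiator vs. a responder with the right PSK and one with the wrong PSK."""
    psk_good, psk_bad = b"hoasen-lab-psk", b"not-the-same-psk"       # made up
    ni, nr = b"\x11" * 16, b"\x22" * 16                              # constructed nonces
    cky_i, cky_r = b"\xa1" * 8, b"\xb2" * 8                          # constructed cookies
    gxi, gxr, gxy = b"\x01" * 128, b"\x02" * 128, b"\x03" * 128      # stand-ins for DH values
    sai_b = b"\x00\x00\x00\x01"                                      # constructed SA payload
    idii_b, idir_b = b"\x01gw-a", b"\x01gw-b"                        # constructed IDs

    init = phase1_psk_keys(psk_good, ni, nr, gxy, cky_i, cky_r)
    resp_ok = phase1_psk_keys(psk_good, ni, nr, gxy, cky_i, cky_r)
    resp_bad = phase1_psk_keys(psk_bad, ni, nr, gxy, cky_i, cky_r)
    args = (gxi, gxr, cky_i, cky_r, sai_b, idii_b, idir_b)
    hash_i_sent, _ = phase1_hashes(init["SKEYID"], *args)
    hash_i_ok, _ = phase1_hashes(resp_ok["SKEYID"], *args)
    hash_i_bad, _ = phase1_hashes(resp_bad["SKEYID"], *args)
    return (hmac.compare_digest(hash_i_sent, hash_i_ok),
            hmac.compare_digest(hash_i_sent, hash_i_bad))


if __name__ == "__main__":
    print("right PSK authenticates, wrong PSK does not:", demo())
```

The keys produced by phase1_psk_keys are 20 bytes because the prf is HMAC-SHA-1; when a cipher needs more key material than one prf output, RFC 2409 extends it by chaining prf calls, which this example does not show.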

3.2.5 Types of VPN

3.2.5.1 Easy VPN

Easy VPN is built on IPSec and differs little from a plain IPSec VPN; the difference lies in the sequence of steps the client and server perform.

Figure 43 Easy VPN

Outline of what the VPN client does when it connects to the server (IKE phase 1): the client proposes an ISAKMP security association (SA); the server accepts the SA proposed by the client; the server requests a username and password; the configuration push (mode configuration) begins; RRI (Reverse Route Injection, a feature that simplifies VPN design when advanced features such as redundancy or load balancing are required) begins, automatically adding static routes for the remote clients to the server. Each route is built from the basic attributes network and netmask, with the tunnel endpoint as next hop.

The connection is completed with IPSec quick mode.

Main mode (phase 1) negotiates IKE to establish a secure channel, the ISAKMP Security Association (SA), between the two machines. The ISAKMP SA protects the negotiation of the security parameters. Main mode therefore determines the set of cryptographic algorithms, performs the key exchange that establishes the shared secret key and authenticates both sides. Quick mode (phase 2, which runs only after phase 1 has completed) establishes the security parameters (SAs) called the IPSec SAs. During quick mode the keying material is always recomputed and, if required, fresh keys can be generated (PFS); a suitable protection suite (transform set) is also chosen. Quick mode is not considered a complete exchange on its own because it depends on main mode.

Step 1: the user sends a connection request to the server. If pre-shared keys are used for authentication, IKE phase 1 runs in aggressive mode and group names distinguish the groups of VPN users; if digital certificates are used, IKE phase 1 runs in main mode and the organizational unit (OU) field of the certificate identifies the group.
Step 2: the user sends its SA proposals to the server: encryption algorithm, hash, authentication method and DH group.
Step 3: after receiving the client's proposals, the server checks them in order of priority, highest first, and returns to the client the selected SA (one supported by both client and server).
Step 4: once the three steps above are complete, the server asks the client for a username and password (extended authentication, XAUTH). When it receives the credentials the server verifies them with AAA.
Step 5: if authentication succeeds, the client requests its configuration parameters, such as IP address (mandatory), DNS servers and split-tunnel information.
Step 6: RRI is performed and the client's IP address is recorded in the server's routing table. This feature is recommended when there is more than one VPN server in the system and client addresses are assigned individually instead of from an IP pool.
Step 7: the IPSec SA is established and the VPN connection is complete.

3.2.5.2 Site-to-site VPN

A site-to-site VPN uses dedicated cryptography so that many users at several fixed locations can be connected over the Internet. Two forms exist:

- Intranet: if a company has several remote sites that should join a single private network, it can build an intranet VPN (internal VPN) connecting LAN to LAN.
- Extranet: when a company has close relationships with other companies, such as suppliers, partners or customers, it can build an extranet VPN connecting the LANs of the different organisations so that they can work in a shared environment.

Figure 44 Connecting enterprises over the public network

The two private networks are connected through a secure tunnel using L2TP or IPSec (L2TP provides the tunnel, IPSec the protection; IPSec can also be used on its own). The main purpose is to join two networks into one, creating a direct and efficient network connection regardless of the distance between the sites.

3.2.5.3 SSL VPN (Web VPN)

SSL is a general-purpose protocol for secure communication between two applications over a network, on a well-known port (TCP port 443 for HTTPS). It encrypts all information that travels over the network and is today widely used for electronic transactions such as transmitting credit card numbers, passwords and personal identification numbers (PINs) over the Internet. It was first developed in 1994 by a Netscape team led by Taher Elgamal and became the de facto security standard on the Internet. SSL 3.0 (1996) is the last version named SSL; its successors are TLS 1.0 to 1.3, and SSL 3.0 itself is now considered insecure (POODLE) and should be disabled. SSL combines the following elements to establish a secure transaction:

- Authentication: the identity of the party at the other end of the connection is verified.
- Encryption: the information cannot be read by a third party. To rule out eavesdropping on sensitive information crossing the Internet, the data is encrypted so that nobody but the sender and the receiver can read it.
- Data integrity: the information is not altered and exactly reflects what the sender transmitted.

Like IPSec, SSL is not a single protocol but a set of standardised procedures that perform the following tasks:

- Server authentication: lets the user verify the server it connects to. The browser uses public-key cryptography to make sure that the server's certificate and public ID are valid and were issued by a CA (certificate authority) in the user's list of trusted CAs. This matters to the user: when sending a credit card number over the network, the user wants to check that the server receiving it really is the server it intended to reach.
- Client authentication: lets the server verify the user who wants to connect. The server uses the same public-key techniques to check that the user's certificate and public ID are valid and were issued by a CA in the server's list of trusted CAs. This matters to the provider: when a bank sends confidential financial information to a customer, it wants to verify the identity of the recipient.
- Encrypted connection: all information exchanged between client and server is encrypted in transit, which is important to both parties in private transactions. In addition, all data sent over an encrypted SSL connection is protected by a mechanism that automatically detects tampering or modification (a keyed hash, the MAC).

SSL consists of two sub-protocols: the SSL record protocol, which defines the format used to transmit data, and the SSL handshake protocol, which uses the record protocol to exchange information between server and client when an SSL connection is first established. Algorithms used include DES, 3DES, KEA, MD5, RSA and SHA-1.

The SSL handshake consists of the following steps:

1. The client sends the server the SSL version it uses, its cipher suite proposals, a random value (the client random, which is a nonce, not a digital signature) and other information the server needs to establish the connection.
2. The server replies with the corresponding information, adds its certificate and, if required, requests the client's certificate.
3. The client uses the information received to authenticate the server. If the server cannot be authenticated the user is warned and no connection is established; otherwise the handshake continues.
4. Using the data produced so far (and, depending on the cipher suite, the server's cooperation), the client creates the premaster secret for the session, encrypts it with the server's public key taken from the certificate received in step 2 and sends it to the server. If the server requested client authentication, the client also signs a piece of data derived from the handshake that both sides know. 
   In that case the client sends both the signed data and its certificate along with the encrypted premaster secret to the server.

5. The server authenticates the client. If the client cannot be authenticated the session is terminated. Otherwise the server uses its private key to decrypt the premaster secret and then performs the steps that turn it into the master secret.

6. Client and server both derive the session keys from the master secret: symmetric keys used to encrypt and decrypt the information exchanged in the session and to check its integrity. The client tells the server that subsequent messages will be encrypted with the session key, then sends an encrypted message announcing that its part of the handshake is finished.

7. The server tells the client that subsequent messages will be encrypted with the session key, then sends an encrypted message announcing that its part of the handshake is finished.

At this point the handshake is complete and the SSL session begins. Both client and server use the session keys to encrypt and decrypt the information they exchange.
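The last part of the handshake, turning the premaster secret into the master secret and then into the session keys, can be written out. The following is an added example, not code from the thesis, implementing the SSL 3.0 derivation (RFC 6101 sections 6.1 and 6.2.2, the version the thesis refers to) for a 3DES-EDE-CBC with SHA-1 cipher suite: 20-byte MAC secrets, 24-byte keys and 8-byte IVs for each direction. The premaster secret and the two handshake randoms are constructed constants; in a real handshake the client chooses the premaster secret and sends it encrypted under the server's certificate, so only the two endpoints can compute what follows. TLS replaced this MD5/SHA construction with its own PRF, and this example is about understanding the flow, not something to deploy.

```python
"""Added example (not from the original thesis): SSL 3.0 master secret and key
block derivation for a 3DES-EDE-CBC / SHA-1 suite."""
import hashlib


def _ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """MD5(secret || SHA1(label_i || secret || seed)) with labels A, BB, CCC, ..."""
    out = b""
    i = 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:length]


def ssl3_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; seed order is ClientHello.random || ServerHello.random."""
    return _ssl3_expand(premaster, client_random + server_random, 48)


def ssl3_key_block(master: bytes, server_random: bytes, client_random: bytes, length: int) -> bytes:
    """Key block; note the reversed seed order ServerHello.random || ClientHello.random."""
    return _ssl3_expand(master, server_random + client_random, length)


def derive_session_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int = 20, key_len: int = 24, iv_len: int = 8) -> dict:
    """Split the key block into the six per-direction secrets, in RFC order."""
    master = ssl3_master_secret(premaster, client_random, server_random)
    block = ssl3_key_block(master, server_random, client_random, 2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac_secret", "server_write_mac_secret",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {"master_secret": master}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    premaster = bytes(range(48))             # constructed; byte 0-1 would be the version
    client_random = b"\x11" * 32             # constructed ClientHello.random
    server_random = b"\x22" * 32             # constructed ServerHello.random
    for name, value in derive_session_keys(premaster, client_random, server_random).items():
        print(f"{name:26s} {value.hex()}")
```

Because both the client and the server randoms enter the derivation, an attacker who records one session cannot reuse its keys for another even if the same premaster were chosen, and because the premaster is only ever sent encrypted under the server's public key, whoever holds the server's private key can decrypt any recorded session; that lack of forward secrecy is the reason modern TLS uses (EC)DHE key exchange instead of RSA key transport.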

SSL VPN has three modes:

- Clientless: provides secure access to resources and web content and is useful for reaching internal resources and web sites through a browser; the user's machine must run Windows 2000, Windows XP or Linux. The browser uses HTTP or HTTPS to present links through which the user reaches the internal network or internal web sites. With file sharing, the browser lists links that let the user read, create, edit or delete documents as permitted.
- Thin client (also called port forwarding): extends the browser's encryption capability to TCP applications such as POP3, SMTP, SSH and IMAP.
- Tunnel mode: uses the SSL tunnel to carry traffic at the network layer, so tunnel mode supports almost every application.

Comparison:

| Clientless mode | Thin client mode | Tunnel mode |
|---|---|---|
| Depends on the web browser only (no client). | Requires TCP port forwarding. | Tunnel client runs as a Java or ActiveX component. |
| Microsoft Windows or Linux operating system. | Works like clientless mode with port forwarding added. | Supports every application that works at the network layer. |
| Supports web-enabled applications, file sharing and Outlook Web Access. | Uses a Java applet. | Scalable. |
| Translates IP addresses and protocols, parses and rewrites content for display. | Extends application support; examples of supported applications are Telnet, e-mail and SSH. | Requires local administrator rights to install. |

Table 1 Comparison of the SSL VPN modes

In addition, to ensure that users' computers meet the minimum requirements set before a VPN connection is established, we also need to mention the following feature: Endpoint Security, a set of functions that protect, check and assess the user's computer before it is allowed to join the network. These functions are mostly supported on, or bundled with, firewall appliances such as Check Point and ASA. Installed on the user's computer, Cisco Secure Desktop (CSD) checks the operating system (OS), antivirus, antispyware, processes and registry, protects the data of the working session and finally erases all traces such as cookies, URL history, page cache and downloaded files. CSD is a good solution for keeping the system well defended: if a user's machine is found to be non-compliant it is isolated immediately so that it cannot affect the network. When a user connects to the Web VPN, CSD checks the whole machine before the connection is established to make sure it meets the stated requirements:

- Host scan: by reading the registry CSD learns the operating system and service pack. It checks the antivirus and antispyware products and their versions as well as any firewall software. All of this information is stored on the ASA.
- Secure session: ensures that the data of the Web VPN session is encrypted and cannot be analysed, exploited or stolen if the user's machine is taken over or spied on.
- Cache cleaner: removes all traces of the user's Web VPN activity.
- CSD Onscreen Keyboard (OSK): counters hardware and software keyloggers when the user logs in or during the Web VPN session. CSD detects many current keyloggers, but the development of this threat cannot be predicted and newer versions may escape detection, so the OSK is the safest answer to this problem.

PART 4: BUILDING IPS AND IDS

4.1 Overview of IDS and IPS

4.1.1 Introduction

The global Internet is growing at an astonishing speed around the world; it has profoundly changed the way most organisations, agencies and individuals work, exchange information, communicate and live. Along with the advantages it brings, the dangers grow in severity, in their ability to spread and in the sophistication of the methods used. These threats affect, damage, corrupt or steal information and data in parts of the network or in the whole of it. Intrusion detection and prevention is performed by dedicated software or appliances that monitor the traffic entering and leaving the network, analyse it for signs of security-policy violations, detect and counter latent risks, sabotage and reconnaissance such as information gathering and port scanning, and provide the information needed to recognise abnormal activity and raise alerts for the administrator. This is a newer security technique that combines the strengths of a firewall with an intrusion detection system (IDS) and is called IDPS (Intrusion Detection and Prevention System). IDS and IPS have much in common, but IPS goes further: it does not merely watch, it blocks attacks. It lets an organisation prioritise and take steps to prevent intrusions, usually at the network perimeter, and so protects the devices inside the network.

Figure 45 IPS (Intrusion Prevention System)

An IDPS mainly focuses on identifying intrusion attempts, logging information about them, trying to stop the attempts from causing harm and reporting to the network administrator. Today an IDPS has become an indispensable part of the security infrastructure of most organisations and enterprises.

4.1.2 History

The concept of intrusion detection appeared about 30 years before this thesis, in James Anderson's 1980 report. IDS was then developed to monitor and study abnormal user behaviour and attitudes in order to protect the assets of the network; formal research ran from 1983 to 1988 before IDS was used in the networks of the US Air Force. Until 1996 IDS concepts were still not widespread and appeared mostly in laboratories and research institutes, although some IDS technologies began to develop with the explosion of information technology. Only in 1997 did IDS become widely known and truly profitable, with the success of the company ISS. A year later Cisco recognised the importance of IDS and acquired WheelGroup, a company specialising in IDS solutions. In 2003 IPS, the next generation of IDS, was born and soon became widespread. Today IDS/IPS remains one of the most widely used security technologies in the world.

4.1.3 Why IPS emerged

Administering and operating an IDS was becoming ever more difficult and expensive without delivering results: that was the judgement of most enterprises at the time. In 2003 Gartner, the leading company in research and analysis of the global information technology market, made a prediction that shocked the security field: intrusion detection systems (IDS) would be gone by 2005. The statement was based on analyses showing that IDS faced the following problems:

- Frequent false alarms (false positives).
- A burden on security administrators, because an IDS must be watched continuously; every attack alert comes with a laborious security handling procedure.
- Inability to keep up with traffic flowing faster than 600 Mbit/s.

In general Gartner based this view on many complaints from customers using IDS that managing and operating an IDS was difficult and costly and did not give a return proportionate to the investment. Some dissenting opinions held, however, that IDS failed to deliver the expected results because of problems in management and operation, not because of the nature of its packet inspection and analysis technology. Specifically, for an IDS to work effectively the roles of the tool and of the people administering it are both important, and the following criteria have to be met:

- Collect and correlate all security events detected by the IDS and the firewall, to avoid false alarms.
- The management components must operate and analyse automatically.
- Combine detection with automatic blocking measures.

Given the limitations of IDS, especially after large-scale automated attacks such as Code Red, NIMDA and SQL Slammer, the question became how to block attacks automatically rather than merely raise alerts, in order to reduce the administrator's workload. From this need IPS was born in 2003 and was adopted widely soon afterwards. Combined with upgraded management components, IPS gradually replaced IDS because it reduced the need for human intervention and the burden of operation. Moreover, in some special cases an IPS can act as an IDS by switching off its blocking function. By 2005 the successor of IDS, the system that automatically detects and prevents intrusions (IPS), had largely overcome the limitations of IDS and worked far more effectively than the previous generation. Today network systems tend towards IPS solutions.

4.2 Classification

The main function of an IPS is to monitor the traffic carried on the network to identify intrusion threats, record the necessary information and report on the state of the system. Depending on the type of network being monitored, a corresponding type of IPS is chosen. There are four main types:

4.2.1 Host-based Intrusion Prevention System (HIPS)

A HIPS monitors and records everything happening on a host, including the operating system, the applications and all its services. It is a security component that detects attacks aimed directly at the host.

Figure 46 HIPS

HIPS is built on HIDS (Host-based Intrusion Detection), developed from the early 1980s. Today HIPS is one of the most powerful tools for resisting attacks and protecting hosts effectively. HIPS analyses audit logs to monitor the system, the events and the security logs on Windows NT and syslog on Unix. In addition HIPS intercepts calls to the operating system and applications, protects the operating system and application configuration, validates incoming service requests and analyses local logs for suspicious activity. When it detects a change, HIPS compares the new log entries with preconfigured attack signatures; if they match it automatically notifies the administrator and takes the corresponding action. HIPS uses rules combining attack characteristics with detailed knowledge of the operating system and of the applications on the host, which lets it identify abnormal activity and take appropriate blocking action. HIPS further hardens the host with rules that control the behaviour of the operating system and the processor, such as buffer overflows, registry updates and installation of applications. Rules controlling network traffic limit the number of connections in order to resist Denial of Service (DoS) attacks. HIPS does not care where the computer sits in the network. The figure below shows computers in a network using HIDS:

Figure 47 HIDS installed on the computers

Today's HIPS require an agent to be installed on every host to inspect what executes on it, resist attacks and carry out the analysis and protection that detect intrusions into the machine.

Advantages

- Confirms whether an attack succeeded or failed: because HIPS mainly analyses logs of events that actually happened on the system, its probability of detecting an attack is higher than that of a NIPS (Network-based Intrusion Prevention System) and it produces fewer false alarms.
- Monitors system activity: it tracks users and file-access activity such as changes of file permissions and access to privileged system services.
- Suits encrypted and switched environments: a switch divides a large network into smaller segments, which makes it hard to find the best place to deploy an IPS that covers the whole network. HIPS gives better visibility in a switched network because it is installed on many different hosts. It also remedies the weakness of NIPS with encrypted packets: as soon as the operating system receives the connection, the data has already been decrypted.
- Needs no additional hardware: it is built on the existing infrastructure.
- Lower deployment cost than NIPS.

Disadvantages

- Limited view of the network: it is hard to build an overall picture of the network.
- Must support many operating systems: HIPS has to run on the hosts in the network, so it must be validated for each of the operating systems in use.

4.2.2 Network-based Intrusion Prevention System (NIPS)

A NIPS inspects the network interfaces in real time, scanning packet headers and inspecting packet contents to detect dangerous code or the various forms of attack. NIPS is reliable at detecting attacks on the network.

Figure 48 NIPS

A NIPS uses monitoring devices, sensors, placed across the network to capture and analyse the traffic entering and leaving the system, detect dangerous activity and unauthorised intrusion and take the appropriate action. The sensors are deployed at network points chosen to let the administrator monitor network activity regardless of where the attack target is, and usually tune the analysis of intrusion prevention. The base operating systems on which the IPS software is installed must have unnecessary network services disabled and the essential ones secured. The hardware consists of the following:

- Network interface card (NIC): the NIPS must be able to connect to any network (Ethernet, Fast Ethernet, Gigabit Ethernet).
- Processor: intrusion prevention demands CPU power for the detection analysis and for matching the preconfigured attack signatures.
- Memory: directly affects the NIPS's ability to detect attacks.

Figure 49 NIPS operation

When the network grows, hosts can be added to it without installing any further sensor. More sensors are needed only when the performance of the existing sensors no longer meets demand, or when a change in security policy or network design requires additional sensors.

Advantages

- Attacks taking place across the whole network are easy to see.
- No need to deploy an IDS on every host in the network, and no dependence on the hosts' operating systems.

Disadvantages

- Cannot recognise encrypted traffic.
- Hard to position the NIPS so that it captures all network traffic, especially as the network grows. Solving this requires additional sensors, which raises deployment costs.

In general both HIPS and NIPS have their own advantages and disadvantages, and the choice depends on the deployment model. HIDS offers a complete solution for hosts, while NIDS protects the LAN effectively. Managing HIDS requires less specialist knowledge, while NIDS requires more attention from the administrator. The following table compares the functions of the two systems:

| Function | HIDS | NIDS | Assessment |
|---|---|---|---|
| Protection inside the LAN | **** | **** | Both protect inside the LAN |
| Protection outside the LAN | **** | - | Only HIDS |
| Ease of administration | **** | **** | Equivalent in the overall administration context |
| Flexibility | **** | ** | HIDS is the more flexible system |
| Cost | *** | * | HIDS is cheaper |
| Ease of adding nodes | **** | **** | Both equivalent |
| Training required | **** | ** | HIDS requires less training than NIDS |
| Total cost of ownership | *** | ** | HIDS costs less |
| LAN bandwidth required | 0 | 2 | NIDS uses a large amount of LAN bandwidth, HIDS does not |
| Network overhead | | | NIDS has two bandwidth requirements for any LAN |
| Internet bandwidth required | ** | ** | Both need Internet bandwidth to update signature files promptly |
| Port mirroring (SPAN) requirements | - | **** | NIDS requires port mirroring so that LAN traffic can be scanned |
| Upgrade cycle for users | **** | | HIDS upgrades all users from a central signature file |
| Adaptability to application platforms | ** | **** | NIDS adapts better to application platforms |
| Local registry scanning | **** | - | Only HIDS performs this kind of scan |
| Logging | *** | *** | Both log |
| Alerting | *** | *** | Both alert individuals and administrators |
| PAN scanning | **** | - | Only HIDS scans the personal network area |
| Packet dropping | - | **** | Only NIDS has this capability |
| Specialist knowledge | *** | **** | More specialist knowledge is needed to install and use NIDS for whole-network security |
| Centralised management | ** | *** | NIDS has the advantage |
| Neutralising risk factors | * | **** | NIDS has more risk factors than HIDS |
| Ease of updating | *** | *** | Software upgrades are easier than hardware, via a central script |
| Detection nodes in many LAN segments | **** | ** | Detection across many segments is more comprehensive |

(Cells left empty carry no rating in the source.)

Table 2 Comparison of the functions of HIPS and NIPS

IPS is also deployed in the following environments:

- Wireless Intrusion Prevention System (WIPS): analyses the activity of wireless network protocols to detect suspicious traffic entering or leaving the wireless network.
- Network Behavior Analysis (NBA): monitors network traffic to identify latent risks that produce abnormal traffic, such as DDoS, forms of malware and policy violations.
- Perimeter Intrusion Detection System (PIDS): detects and locates attempts to breach the physical perimeter fence around critical infrastructure. Using optical fibre, PIDS detects disturbances on the fence; the signal is monitored and an alarm is triggered when an intrusion is detected.
- VM-based Intrusion Detection System (VMIDS): detects intrusions by monitoring virtual machines, deploying the intrusion detection system with a virtual machine monitor. This is one of the recent inventions still under research. Without building a separate IDS, the whole system can still be monitored.

4.3 Operating principle of the system

An IPS succeeds when it is fast, accurate, gives sensible alerts, analyses all traffic, makes the most of its sensors, blocks successfully and has a flexible management policy. It consists of three main modules:

4.3.1 Traffic analysis

This module captures the packets travelling on the network for analysis. Normally a network card discards packets not addressed to it, but the IPS network card runs in promiscuous mode and accepts everything. Every packet passing through it is copied, processed and parsed down to the individual fields. The analyser reads the fields of each packet and determines which flow it belongs to, which service it carries and so on. This information is passed to the attack detection module.

4.3.2 Attack detection
The most important module, it detects attacks using the following approaches:

4.3.2.1 Attack signatures (Signature-based Detection, also called Misuse Detection)
A set of rules is used to identify known intrusive activity: the system's activity is analysed, events are tracked and compared with attack patterns configured in advance:
- Exploit-based signatures: detect vulnerability-probing tools such as password guessing, automated attack shell scripts, simple routines that search the system for weaknesses, or known exploit code.
- Vulnerability-based signatures: describe the weakness itself in an application's behaviour, a risk to security or system function such as weak passwords, unexpected input handling or unprotected transmission.
Writing signatures requires an administrator who understands the kind of attack, its danger and how to develop a detection pattern. As new attack and exploitation techniques are discovered, the IPS vendor has to ship updated signature files. When traffic matches any signature, the IPS takes the pre-configured action without involving the user. Detection is therefore fast and accurate, produces few false alarms that would degrade the network, and helps administrators identify security holes in the system. The weakness is that attacks absent from the database, i.e. new attack types, are not detected, so the signature set must be updated continuously.

Benefits
- Few false alarms: signatures are built from knowledge of the intrusion, so the probability of correctly detecting an attack is high.
- Easy to understand: the action for any alert can be adjusted readily; a signature can also be captured and used to check the whole network.
- New attacks are updated regularly: the signature set keeps changing after installation.

Limitations
- Cannot detect new or unknown attacks (false negatives): because detection relies on predefined patterns, previously unseen attacks are hard to recognise.
- Cannot detect variants of known attacks: signature files are static and do not adapt; an attacker who changes the attack can get in undetected (false negative).
- Maintaining the signature database: keeping it current costs time and money.
- Limited sensor memory: the sensor keeps state in memory so that it can search quickly, and that memory is finite.

4.3.2.2 Anomaly signatures (Statistical Anomaly-based Detection)

A more intelligent technique that recognises abnormal behaviour. The IPS first stores baseline profiles of its users or of the system's normal activity (for example, the permissions of user groups by activity and resource; a web server must have a profile built from its web traffic, and likewise a mail server). The more distinct profiles there are for each kind of service, the more accurate the alerts the IPS can raise. Incoming and outgoing traffic is then compared with those profiles to identify activity that is unusual and potentially harmful. Several techniques are used:
- Threshold detection: normal activity has thresholds, and when one is exceeded, such as more login attempts than allowed, too many processes running on the CPU, or more packets of one type than expected, the system treats the activity as hostile.
- Self-learning detection: two phases. When first set up, the detector runs in learning mode and builds a profile of the network's normal behaviour. After the initialisation period it switches to working mode, monitoring and detecting abnormal activity by comparing it with the profile. Learning mode can run alongside working mode to keep the profile current, but if an attack is detected, learning must stop until the attack ends, otherwise the attack traffic would be learned as normal.
- Protocol anomaly detection: uses the behaviour of the protocols and services in the system to find invalid packets and unusual activity that are signs of intrusion. This technique is effective at blocking the network and port scans attackers use to gather information.

This method is effective at detecting denial-of-service attacks and new attack types, and supplies useful information that complements the signature approach. It can, however, raise false alarms that reduce network performance.

Benefits
- Detects external attackers and account thieves readily.
- Overcomes limitations of signature detection: an attacker who can inspect the signatures loaded on an IPS can choose a technique and tools that avoid them; with the anomaly approach this is much harder, because there is no fixed signature database, so the intruder cannot know exactly what will trigger an alert.
- Suited to new attacks: it does not rely on predefined signatures or known attacks; profiles are dynamic and the system uses heuristics (artificial intelligence) to define normal activity.

Limitations
- Long initial preparation, with no protection during the initialisation period.
- Difficulty building user-group profiles: ensuring profile quality is fairly complex.
- Profiles must be updated regularly as user habits change.
- Difficulty defining normal behaviour: the IPS is only as good as its definition of normal, which is a challenge in environments where users and their responsibilities change often.
- False alarms: anomaly-based systems tend to produce many false positives because they look for anything unusual.
- Building user and system profiles is complex: statistical sampling, rule-based methods and neural networks are the usual ways to build them, and their output is hard to understand and explain.
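The self-learning and threshold techniques above, as an added example that is not code from the thesis: a per-source profile (mean and standard deviation of events per minute) is built in a learning phase, a working phase flags a minute that exceeds mean + k * stddev, and profile updates stop while an anomaly is in progress so attack traffic is never learned as normal. A source with no profile yet falls back to a fixed floor, which stands in for plain threshold detection. The sensitivity k, the floor and all counts are constructed.

```python
"""Statistical anomaly detection with a learning phase and a working phase.

Added example; not code from the thesis. Metric: events per minute per
source. The floor and k are hypothetical tuning values; all counts are
constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple


class AnomalyDetector:
    def __init__(self, k: float = 3.0, floor: int = 5):
        self.k = k                                  # sensitivity in standard deviations
        self.floor = floor                          # absolute minimum threshold
        self.profile: Dict[str, List[int]] = {}     # source -> per-minute counts

    def learn(self, source: str, count: int) -> None:
        self.profile.setdefault(source, []).append(count)

    def threshold(self, source: str) -> float:
        hist = self.profile.get(source)
        if not hist:
            return float(self.floor)               # no profile yet: plain threshold
        return max(float(self.floor), mean(hist) + self.k * pstdev(hist))

    def observe(self, source: str, count: int) -> bool:
        """Working phase: True if this minute is anomalous for the source."""
        anomalous = count > self.threshold(source)
        if not anomalous:                           # learning continues only on normal traffic
            self.learn(source, count)
        return anomalous


def run(detector: AnomalyDetector, training, live) -> List[Tuple[str, int, bool]]:
    """Learning phase over `training`, then working phase over `live`."""
    for source, count in training:
        detector.learn(source, count)
    return [(source, count, detector.observe(source, count)) for source, count in live]


# Constructed traffic: (source address, requests seen in that minute)
TRAINING = [("10.0.0.5", c) for c in (8, 10, 9, 11, 10, 12, 9, 10, 11, 10)]
LIVE = [("10.0.0.5", 11), ("10.0.0.5", 250), ("10.0.0.5", 240), ("10.0.0.5", 10),
        ("10.0.0.9", 3), ("10.0.0.9", 40)]

if __name__ == "__main__":
    det = AnomalyDetector()
    for source, count, flagged in run(det, TRAINING, LIVE):
        state = "ANOMALY" if flagged else "ok"
        print(f"{source:10s} {count:4d} threshold={det.threshold(source):6.1f} {state}")
```

Note that the two 250/240 minutes leave the profile untouched: had they been learned, the threshold for 10.0.0.5 would jump and the next burst would pass as normal, which is exactly the failure the text warns about when learning continues during an attack.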

4.3.2.3 Protocol analysis (Stateful Protocol Analysis Detection)

Like signature-based detection, this performs deep analysis of the specific protocol carried in a packet, but it also tracks the state of each session. Example: an attacker starts an attack tool against a server. First the attacker has to send an IP packet of the right protocol type, possibly with no data in the payload; this method follows basic attacks through a number of protocols by:
- Checking protocol conformance to decide whether a packet is legitimate.
- Checking payload content (pattern matching).
- Raising alerts on abnormal behaviour.
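Stateful analysis of the TCP handshake, as an added example that is not code from the thesis: the tracker keeps the state of every (client, server) pair, which lets it detect two things a per-packet signature cannot, a per-server limit on embryonic (half-open) connections, the same quantity the ASA `embryonic-conn-max` setting used later in this document bounds, and a protocol violation when payload arrives on a connection whose handshake never completed. The limit and the packet capture are constructed.

```python
"""Stateful protocol analysis on the TCP three-way handshake.

Added example; not code from the thesis. Packets are constructed tuples
of (src, dst, flags, payload_len); the embryonic limit is set low on
purpose so the sample trips it.
"""
from typing import Dict, List, Set, Tuple

EMBRYONIC_LIMIT = 3          # hypothetical, deliberately low


class TcpTracker:
    def __init__(self, embryonic_limit: int = EMBRYONIC_LIMIT):
        self.limit = embryonic_limit
        # (client, server) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"
        self.state: Dict[Tuple[str, str], str] = {}
        self.alerts: List[Tuple[str, object]] = []

    def embryonic(self, server: str) -> int:
        """Half-open connections currently tracked towards `server`."""
        return sum(1 for (_, s), st in self.state.items()
                   if s == server and st != "ESTABLISHED")

    def feed(self, src: str, dst: str, flags: Set[str], payload_len: int = 0) -> List:
        """Process one segment and return the alerts it produced."""
        before = len(self.alerts)
        if flags == {"SYN"}:
            self.state[(src, dst)] = "SYN_SENT"
            if self.embryonic(dst) > self.limit:
                self.alerts.append(("EMBRYONIC_LIMIT", dst))
        elif flags == {"SYN", "ACK"} and self.state.get((dst, src)) == "SYN_SENT":
            self.state[(dst, src)] = "SYN_RECV"
        elif flags == {"ACK"} and self.state.get((src, dst)) == "SYN_RECV":
            self.state[(src, dst)] = "ESTABLISHED"
        elif payload_len and self.state.get((src, dst)) != "ESTABLISHED":
            # data on a connection that never completed its handshake
            self.alerts.append(("DATA_BEFORE_HANDSHAKE", (src, dst)))
        return self.alerts[before:]


def replay(packets, embryonic_limit: int = EMBRYONIC_LIMIT) -> TcpTracker:
    tracker = TcpTracker(embryonic_limit)
    for packet in packets:
        tracker.feed(*packet)
    return tracker


# Constructed capture: one normal connection with data, a SYN flood from
# five sources, then data from a host that never completed a handshake.
SAMPLE = [
    ("10.0.0.7", "11.0.0.2", {"SYN"}),
    ("11.0.0.2", "10.0.0.7", {"SYN", "ACK"}),
    ("10.0.0.7", "11.0.0.2", {"ACK"}),
    ("10.0.0.7", "11.0.0.2", {"ACK", "PSH"}, 120),
] + [(f"203.0.113.{i}", "11.0.0.2", {"SYN"}) for i in range(1, 6)] + [
    ("198.51.100.9", "11.0.0.2", {"ACK", "PSH"}, 40),
]

if __name__ == "__main__":
    t = replay(SAMPLE)
    print("embryonic towards 11.0.0.2:", t.embryonic("11.0.0.2"))
    for alert in t.alerts:
        print(alert)
```

A real sensor also ages half-open entries out (a SYN flood never completes, so without a timeout the table only grows); that housekeeping is omitted here to keep the state machine readable.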

4.3.2.4 Policy-based IPS

Raises an alert when an action violates a policy configured in advance.
Benefits
- Separate policies: a policy can be set for each device in the system.
- Accurate and fast response: very few false alarms.
Limitations
- Requires experience and knowledge: defining policies needs an experienced administrator, and managing them is fairly complex.
- Frequent reconfiguration: every time a new device is added to the system.
- Difficult to administer remotely.

4.3.3 Response
When a sign of attack or intrusion appears, the detection module signals the response module, which triggers the firewall to block the attack or alerts the administrator. A system that only raises alerts is a passive defence system. Some blocking techniques:
- Terminating the session: inject packets (TCP resets) that tear down the suspicious session. The intervention usually comes later than the attacker's action, so the attack has already completed by the time it is interrupted. The technique also does not work for UDP-based protocols such as DNS, and the injected packet must carry the correct sequence number for the session; if the attack runs quickly, this method is hard to apply.
- Cancelling the attack: drop or block the incoming packets, session or traffic flow of the attack. This is the safest option but is prone to blocking legitimate packets by mistake.
- Changing firewall policy: lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration is a temporary change to the access control policy for particular users while the administrator is alerted.
- Real-time alerts: sent to the administrator so that they know the details and characteristics of the attack.
- Logging: packet data is stored in log files, so that the administrator can follow the traffic flows and so that the detection module has a data source to work from.

4.4 Related terminology

Event horizon
To detect an intrusion, the IPS compares the information it sees with the signatures in its database. That information is, however, often spread over many packets. When a signature requires several fragments of data, the IDS keeps state about the signature from the moment it sees the first fragment. That state is kept for a period called the event horizon, which differs from one attack type to another. For some attacks it is the time from logon to logoff; for others it can be longer.

False negative
The IPS misses an alert for an intrusive action. A false negative is a real attack that the IPS, as configured, failed to catch. Most IPS developers design their systems to avoid false negatives; eliminating them entirely, though, requires constant signature updates so that the system recognises new attack types.

False positive
The opposite of a false negative: an alert is raised when no attack is taking place. Too many false alarms from the IPS affect network performance. Limiting both false negatives and false positives is the goal of most administrators deploying an IPS.

True positive
The IPS raises a correct alert on detecting an attack or unauthorised intrusion into the network. This is also what IPS researchers and developers aim for.

True negative
No alert is raised when no attack or unauthorised intrusion is occurring. Ensuring the IPS produces only true negatives and true positives is what most organisations want; it demands considerable investment of time and money and the administrators' attention.

PART 5: BUILDING THE FIREWALL FOR THE HOA SEN UNIVERSITY NETWORK

5.1 Introduction

Hoa Sen University has its main campus in the centre of Ho Chi Minh City, the most dynamic centre of Vietnam and the region. Founded in 1991, as the economy and society were opening up to international integration, the school set itself the goal of substantive education and training, committed to meeting society's needs, through technician training programmes. Training to meet social demand was maintained and developed as the school became a college in the late 1990s. The vision, mission and training philosophy formed around these core values continued to drive Hoa Sen's development as a university from 2006.

5.2 Requirements

The theme of the 2010-2011 academic year, "Reaching higher together", aims at still closer cooperation between Hoa Sen University and its academic, business and community partners. The school admitted 2,623 students this year, so to meet their study needs and improve working efficiency it decided to upgrade the whole network at its campuses:
- Build an internal network comprising offices and student labs, and provide wireless connectivity so that students can use network resources outside class hours.
- Ensure information security and prevent unauthorised access by deploying a firewall system, a VPN solution for remote access between campuses, and IDS/IPS to monitor and record attacks.
- Provide a standby firewall in case of failure, share the inspection of traffic flows between firewalls to make full use of firewall capacity, and load-balance the Internet links so that the system runs well and continuously.

The specific requirements for each department (reconstructed from the flattened table; cells that could not be read are marked "not legible"):

Department | Working hours | Users | Requirement
Faculty | 8:30-11:30, 13:00-17:00 | Teachers | Internet access allowed
Admission; Accounting and Finance; Training | not legible | Staff | Web, file server and mail allowed; file sharing between departments
Lab (all students) | 6:30-12:00, 13:00-17:30 | Students | No Internet access
NetLab (network practice lab) | not legible | Students | Internet, mail and the other services needed for students to practise system design
Library | 10:00-14:00 | Students | Web access only
Wireless | 6:30-17:30 | Students, staff, guests | Internet access allowed

Table 3: Requirements for each department

5.3 Deployment

5.3.1 Network diagram of the main campus

5.3.1.1 Network model

Based on the firewall architecture patterns described earlier, we decided to deploy the firewall system for Hoa Sen University according to one of the following two models:

Figure 50: Network diagram of Hoa Sen University, models (a) and (b)

The difference between the two. In the first diagram, alongside Active/Active Failover for the firewalls, we also use HSRP (Hot Standby Router Protocol), the cheapest option available to us (a better one is described under Firewall Load Balancing), to make full use of the equipment. Exploiting all of the system's resources brings some drawbacks:
- High investment cost.
- Requires network administrators with a certain level of experience.
- Deployment and administration are fairly complex because of the number of devices (especially the Layer 3 switches).
In the second diagram, Active/Standby Failover is used for the firewalls. With fewer devices (no Layer 3 switches), the investment cost drops considerably. The second model also spares the administrator the HSRP and firewall load-balancing issues. Compared with the first model it has one drawback: the system's resources are not fully used (specifically the two Standby firewalls).

In both diagrams the Hoa Sen University network consists of four main zones, ordered by decreasing security level:

Zone | IP range | Subnet mask | Description
Inside network | 172.16.x.0 (x: VLAN number) | 255.255.255.0 | Trusted internal network. Highest security level (100)
Server Farm | 10.0.0.0 | 255.255.255.0 | Hosts the critical servers (Database Server). Security level 100
DMZ (Demilitarized Zone) | 11.0.0.0 | 255.255.255.0 | Hosts the servers published to the Internet (Web Server, Mail Server). Security level below the Server Farm (50)
Outside network (Internet) | the other public IP ranges | - | Untrusted network. Lowest security level (0)

Table 4: Network zones in the Hoa Sen University network

Note that 11.0.0.0/24, 12.0.0.0/24 and 193.1.0.0/16 are routable public address space allocated to other organisations; they work here only because the network is simulated, and a real deployment would use RFC 1918 space or the university's own allocation.

In addition, for the point-to-point links between devices we use 193.1.0.0/16, assigned from the inside outwards as follows (the third and fourth rows are placed consistently with the 193.1.3.1 address of the outside firewall used in Table 18):

Device | Link | IP range | Subnet mask
Inside firewall pair | Layer 3 switch to Active Firewall | 193.1.1.0 | 255.255.255.0
Inside firewall pair | Layer 3 switch to Standby Firewall | 193.1.2.0 | 255.255.255.0
Between the inside and outside pairs | Active firewall to Active firewall | 193.1.3.0 | 255.255.255.0
Between the inside and outside pairs | Standby firewall to Standby firewall | 193.1.4.0 | 255.255.255.0
Outside firewall pair | Edge router to Active Firewall | 193.1.5.0 | 255.255.255.0
Outside firewall pair | Edge router to Standby Firewall | 193.1.6.0 | 255.255.255.0

Table 5: IP ranges on the links between devices

5.3.1.2 Defining the user groups

Each department corresponds to one user group and is placed in its own VLAN. There are nine departments (Table 4 states that the third octet of the subnet is the VLAN number; the VLAN column itself did not survive extraction except for NetLab and Lab):

Department | VLAN | IP range | Subnet mask | Description
Access Point | not legible | 172.16.1.0 | 255.255.255.0 | Wireless network for guests, staff and students
NetLab | 2 | 172.16.2.0 | 255.255.255.0 | Lab for networking students
Lab | 3 | 172.16.3.0 | 255.255.255.0 | Practice room for all students
Library | not legible | 172.16.6.0 | 255.255.255.0 | Library for students' self-study
Faculty | not legible | 172.16.7.0 | 255.255.255.0 | Teachers' room
Training | not legible | 172.16.8.0 | 255.255.255.0 | Manages academic results
Accounting and Finance | not legible | 172.16.9.0 | 255.255.255.0 | Bookkeeping and activity reports
Admission | not legible | 172.16.10.0 | 255.255.255.0 | Provides and processes admission information
IT | not legible | 172.16.11.0 | 255.255.255.0 | System administration

Table 6: Department VLANs

Besides the nine VLANs above, two more are configured: a Restricted VLAN (used when a user fails to log in) and a Guest VLAN (used when no username and password are supplied at login). We also deploy VOIP telephony for each department. A user's extension has the form xxxx, where the first two digits are the campus number, the next digit is the department number and the last digit is the user's sequence number. The numbers are assigned according to the following tables:

Campus | Number
Quang Trung | 11
Nguyen Van Trang | 22
Cao Thang | 77

Table 7: Campuses with VOIP

Department | Number
Faculty | 1
Training | 2
Accounting and Finance | 3
Admission | 4
Library | 5
NetLab | 6
Lab | 7

Table 8: Departments with VOIP

User account | Number
User1 | 1
User2 | 2

Table 9: User account numbers

5.3.1.3 Packet inspection rules on the firewalls

Inspecting the packets entering and leaving the network is critical: it decides whether attacks on the system are detected and blocked. To strengthen the security of the network we therefore define two kinds of inspection rules:

Network-layer rules per department: three sets, one per network zone, applied to traffic originating from each zone.

Inside network: configured on the inside firewall.

Department | Action | Protocol | Time applied | Description
Access Point | ALLOW | HTTPS | 6:30-17:30 | Allow Web VPN setup for Internet access
Lab | DENY | ALL | 0:00-24:00 | Block all access to the outside network
NetLab | ALLOW | ALL | 6:30-17:30 | Allow every protocol to the Internet
IT | ALLOW | ALL | 6:30-17:30 | Allow the web server in the DMZ, web on the Internet, and the network management and user-support protocols
Remaining departments | ALLOW | HTTP, HTTPS, SMTP, FTP, SMB, SKINNY | 6:30-17:30 | Only web, file server, mail server, file sharing and VOIP

Table 10: Rules for the departments of the internal network

Outside these hours the firewall blocks every connection from inside to outside.

Server Farm: block every connection from this zone into the internal network or out to the outside. Authenticated connections from the servers may, however, enter the internal network through web applications on ports defined in advance, as implemented by the programmers.

DMZ: block every connection from this zone into the internal network or out to the outside.

Outside network: configured on the outside firewall.
- Only web (HTTP) and mail (SMTP) into the DMZ.
- Block ping (ICMP) on all firewall interfaces.
- Protect against IP spoofing and ARP spoofing.

Application-layer rules by traffic direction

From inside to outside: configured on the inside firewall.

Protocol | Checked field | Detail | Description
HTTP | url-length | 100 | URL length limited to 100
HTTP | Request (host) | www.tuoitre.vn, www.dantri.com | Block Tuoi Tre and Dan Tri
HTTP | uri request | union, script, char() | Block URIs containing these three strings
FTP | filename | *.exe, *.wav, *.mpg, *.avi, ... | Block downloads of audio, video, archive and executable files
IM (Instant Messenger) | protocol | msn, yahoo | Block chat software

Table 11: Application-layer rules from inside to outside

From outside into the DMZ: configured on the outside firewall.

Protocol | Checked field | Detail | Description
HTTP | Max-conn | 1000 | Maximum number of connections
HTTP | Embryonic Connection | 200 | Maximum number of connections that have not completed the handshake
HTTP | url-length | 100 | URL length limited to 100
HTTP | uri request | union, script, char() | Block URIs containing these three strings
HTTP | spoof-server | ServerPRO | Defeat server fingerprinting

Table 12: Application-layer rules from outside into the DMZ

Rules for VPN connections

VPN type | Action | Protocol | Description
Site to Site VPN | ALLOW | H323 | Users at the branches can call each other
Site to Site VPN | ALLOW | SMB | File sharing on the Database Server
Site to Site VPN | ALLOW | FTP, HTTP | Download files from and browse the servers in the DMZ
Easy VPN | ALLOW | SKINNY | Voice
Easy VPN | ALLOW | SMB | File sharing on the Database Server; idle timeout 30 minutes; maximum session 5 hours, then re-authentication; key lifetime 1 hour
Easy VPN | ALLOW | FTP, HTTP | Download files from and browse the servers in the DMZ; same timers as above
Web VPN | ALLOW | FTP, HTTP | Download files from and browse the servers in the DMZ; idle timeout 30 minutes; maximum session 5 hours, then re-authentication; key lifetime 1 hour

Table 13: Rules for VPN connections

5.3.2 Building the policies

To protect the information in the network, inspection policies on every device are essential. The devices are the following:

5.3.2.1 Layer 2 switch

Port Security: makes the end devices on each port explicit. When an unknown device is plugged in, the port is shut down immediately.

Remote SPAN (Switched Port Analyzer): lets the administrator monitor the system easily. When enabled, the switch copies every packet passing through it to a designated port or VLAN, from which the administrator analyses, monitors and evaluates the system with a monitoring device or an IDS (Intrusion Detection System).

BPDU guard: enabled on the access-mode ports of the switch, a Spanning Tree Protocol (STP) feature that stops an attacker inside the network from deliberately sending BPDUs (Bridge Protocol Data Units) to become the Root Bridge; it is normally combined with PortFast on those ports. If the switch receives a BPDU on a port with this feature enabled, the port immediately goes into the errdisable state and can neither send nor receive data. To use the port again, an administrator must intervene or the errdisable timeout must expire.

IEEE 802.1x (dot1x): provides a client-server authentication model that restricts who may join the LAN through a physical port (PNAC, port-based Network Access Control); it can only be deployed on switches that support it. Besides the switch configuration, the feature must also be enabled on the end stations (the supplicant). 802.1X is an authentication framework (EAP carried over the LAN), not an encryption scheme: it is not a replacement for WEP or WPA on the wireless side, and its value is that a port carries no user traffic until the user or machine has authenticated against the RADIUS server. SSID and MAC filtering are separate and much weaker controls, since both are trivially spoofed, and should not be relied on as authentication.

5.3.2.2 Layer 3 switch

Build ACLs in the inside-to-outside direction with the following rules:
- Block access from the Lab and the Library to the staff departments (Faculty, Accounting and Finance, Training, Admission) and between each other.
- Allow the staff departments (Faculty, Accounting and Finance, Training, Admission) to use SKINNY (the VOIP service).
- Allow NetLab to use every protocol to the outside.
- The Library may only use HTTP to the outside.
- Block the ordinary Lab from every protocol, both to internal hosts and to the outside.
- Allow HTTPS connections from the Access Point (AP) to the inside firewall.

5.3.2.3 Firewall Inside

By traffic direction

From inside to outside

Access Control List (ACL): allow the internal hosts (Inside) to use HTTP, HTTPS, FTP and SMTP, and H.323 between the CCM (Call Manager) servers; block the wireless users from reaching the other campuses. Note the order: the time-based deny sits above the permits, so outside working hours everything except OSPF is dropped by that entry before any permit is reached.

time-range NOWORK
 periodic weekdays 0:00 to 06:30
 periodic weekdays 17:00 to 23:59
 periodic weekend 0:00 to 23:59
!
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 11.0.0.0 255.0.0.0
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list IN_OUT extended permit ospf any any
access-list IN_OUT extended deny ip any any time-range NOWORK
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 10.1.0.2 eq 445
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq http
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp-data
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 11.0.0.2 eq smtp
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 host 11.0.0.2 eq pop3
access-list IN_OUT extended permit tcp host 10.0.0.4 host 10.1.0.4 eq 1720
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq domain
access-list IN_OUT extended permit udp 172.16.0.0 255.255.0.0 any eq domain

Table 14: ACLs from inside to outside
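How the ASA walks the IN_OUT list, as an added example that is not part of the thesis: entries are evaluated top to bottom, the first match decides, and an implicit deny ends every list. Checking a few flows against a copy of the Table 14 entries offline shows the effect of rule order (the time-based deny above the permits, the OSPF permit above that deny). Only the syntax subset Table 14 uses is parsed, and the flows and timestamps are constructed.

```python
"""First-match evaluation of an ASA-style extended ACL with a time-range.

Added example; not code from the thesis. Parses only the subset of
`access-list ... extended` syntax that Table 14 uses; flows, timestamps
and the NOWORK model are constructed.
"""
import ipaddress
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def in_nowork(ts: datetime) -> bool:
    """The NOWORK time-range: weekends all day, weekdays before 06:30 or from 17:00."""
    if ts.weekday() >= 5:
        return True
    minutes = ts.hour * 60 + ts.minute
    return minutes < 6 * 60 + 30 or minutes >= 17 * 60


def _net(addr: str, mask: str):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line: str) -> dict:
    """Parse one `access-list NAME extended ACTION PROTO SRC DST [eq PORT] [time-range NAME]`."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(line)
    ace = {"name": tok[1], "action": tok[3], "proto": tok[4], "port": None, "time_range": None}
    i = 5
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side] = ANY
            i += 1
        elif tok[i] == "host":
            ace[side] = _net(tok[i + 1], "255.255.255.255")
            i += 2
        else:
            ace[side] = _net(tok[i], tok[i + 1])
            i += 2
    while i < len(tok):                      # trailing options
        if tok[i] == "eq":
            ace["port"] = tok[i + 1]
        elif tok[i] == "time-range":
            ace["time_range"] = tok[i + 1]
        i += 2
    return ace


def evaluate(acl: List[dict], src: str, dst: str, proto: str, port: Optional[str],
             ts: datetime, time_ranges: Dict[str, Callable[[datetime], bool]]) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); ('deny', None) if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto):        # `ip` matches every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        name = ace["time_range"]
        if name is not None and not time_ranges[name](ts):
            continue                                 # entry inactive at this time
        return ace["action"], idx
    return "deny", None                              # implicit deny at the end


IN_OUT = [parse_ace(l) for l in """\
access-list IN_OUT extended deny ip 172.16.20.0 255.255.255.0 11.0.0.0 255.0.0.0
access-list IN_OUT extended permit ospf any any
access-list IN_OUT extended deny ip any any time-range NOWORK
access-list IN_OUT extended permit tcp 172.16.0.0 255.255.0.0 any eq http
access-list IN_OUT extended permit udp 172.16.0.0 255.255.0.0 any eq domain
""".splitlines()]
TIME_RANGES = {"NOWORK": in_nowork}

WORK = datetime(2010, 12, 6, 10, 0)      # Monday 10:00 (constructed)
NIGHT = datetime(2010, 12, 6, 22, 0)     # Monday 22:00

if __name__ == "__main__":
    for flow in [("172.16.7.10", "203.0.113.5", "tcp", "http", WORK),
                 ("172.16.7.10", "203.0.113.5", "tcp", "http", NIGHT),
                 ("172.16.20.9", "11.0.0.2", "tcp", "http", WORK)]:
        print(flow[:4], evaluate(IN_OUT, *flow, TIME_RANGES))
```

The returned index is the review aid: when a flow is denied by the entry you did not expect, the fix is a reordering, not another permit at the bottom that the earlier deny would shadow.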

Application-layer inspection policy for HTTP: block sites with objectionable or counter-productive content (for example www.tuoitre.com.vn and www.dantri.com); block downloads of files with extensions such as .exe, .bat, .gif and .vbs, archives and media files; block web applications (responses whose Content-Type header is of type application); drop requests whose URI exceeds the configured length (100 in Table 11; the configuration below uses 200); drop responses whose content does not match the header; block pages running ActiveX and Java applets; and counter XSS (Cross Site Scripting) and SQL injection.

Two points to keep in mind when reading the configuration. The URI_BLOCK class matches the three injection patterns in the Referer header, not in the request URI, so injection attempts in the URI itself are not caught here (the outside firewall policy in Table 22 matches them in the URI). The AppHeaderClass drops every response of type application/*, which includes application/javascript, application/json and application/pdf, so ordinary sites break; in practice the regex should be narrowed to the MIME types actually meant.

regex URL_TUOITRE ".*[Tt][Uu][Oo][Ii][Tt][Rr][Ee]\.[Vv][Nn]"
regex URL_DANTRI ".*[Dd][Aa][Nn][Tt][Rr][Ii]\.[Cc][Oo][Mm]\.[Vv][Nn]"
regex VIRUS ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex IMAGE ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex VIDEO ".*\.([Aa][Vv][Ii]|[Ff][Ll][Vv]|[Ww][Mm][Vv]) HTTP/1.[01]"
regex MUSIC ".*\.([Mm][Pp]3|[Ww][Mm][Aa]|[Ww][Aa][Vv]) HTTP/1.[01]"
regex COMPRESS ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex UNION ".*[Uu][Nn][Ii][Oo][Nn].*"
regex SCRIPT ".*[Ss][Cc][Rr][Ii][Pp][Tt].*"
regex CHAR ".*[Cc][Hh][Aa][Rr]\(.*\).*"
regex contenttype "Content-Type"
regex applicationheader "application/.*"
!
class-map HTTP_MAP
 match port tcp eq www
!
class-map type regex match-any RESTRICTED_URLS
 match regex URL_TUOITRE
 match regex URL_DANTRI
!
class-map type inspect http match-any URI_BLOCK
 match request header referer regex UNION
 match request header referer regex SCRIPT
 match request header referer regex CHAR
 match request uri regex VIRUS
 match request uri regex IMAGE
 match request uri regex VIDEO
 match request uri regex MUSIC
 match request uri regex COMPRESS
!
class-map type inspect http match-any RESTRICTED_HTTP
 match request uri length gt 200
 match request header host regex class RESTRICTED_URLS
!
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
!
policy-map type inspect http MY_HTTP_MAP
 parameters
  protocol-violation action drop-connection
 class RESTRICTED_HTTP
  reset log
 class URI_BLOCK
  reset log
 class AppHeaderClass
  drop-connection log
!
policy-map IN_OUT
 class HTTP_MAP
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 10 per-client-embryonic-max 5
  inspect http MY_HTTP_MAP
!
service-policy IN_OUT interface inside

Table 15: HTTP inspection policy on Firewall Inside

(The CHAR pattern originally read `[Cc][H]h[Aa][Rr]`, which can never match `CHAR(`; it is corrected above. The class name RESTRITED_URLS is likewise corrected to RESTRICTED_URLS in both places it appears.)
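Checking the inspection regexes before trusting them, as an added example that is not part of the thesis: the UNION, SCRIPT and CHAR patterns are copied from the configuration (the CHAR pattern as originally written is kept beside the corrected one) and run with Python's `re` module, whose syntax covers these simple expressions, over constructed request URIs. Three things a practitioner wants to know show up: the original `[Cc][H]h[Aa][Rr]` never matches `CHAR(`; a bare UNION substring also fires on harmless words (a false positive); and a percent-encoded payload is not matched at all, because the firewall compares the raw URI bytes while the web application decodes them.

```python
"""Offline check of the ASA HTTP inspection regexes from Table 15.

Added example; not code from the thesis. Patterns are copied from the
configuration; the sample URIs are constructed.
"""
import re
from typing import List
from urllib.parse import unquote

PATTERNS = {
    "UNION":      r".*[Uu][Nn][Ii][Oo][Nn].*",
    "SCRIPT":     r".*[Ss][Cc][Rr][Ii][Pp][Tt].*",
    "CHAR_orig":  r".*[Cc][H]h[Aa][Rr]\(.*\).*",    # as originally written in the thesis
    "CHAR_fixed": r".*[Cc][Hh][Aa][Rr]\(.*\).*",     # corrected character class
}
COMPILED = {name: re.compile(p) for name, p in PATTERNS.items()}


def matches(uri: str) -> List[str]:
    """Names of the patterns that match the raw URI, i.e. what the firewall inspects."""
    return [name for name, rx in COMPILED.items() if rx.match(uri)]


def matches_decoded(uri: str) -> List[str]:
    """Same check after one round of percent-decoding, i.e. what the web application sees."""
    return matches(unquote(uri))


SAMPLES = {   # constructed request URIs
    "benign":  "/events/reunion-2010.html",           # contains "union" by accident
    "union":   "/p?id=1 UNION SELECT 1,2",
    "char":    "/p?id=CHAR(65)",
    "encoded": "/p?id=1%20%55NION%20SELECT%201,2",    # %55 is 'U'
}

if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(f"{label:8s} raw={matches(uri)} decoded={matches_decoded(uri)}")
```

The encoded sample is the reason keyword matching on the URI is at best a speed bump: the application-side normalisation (percent decoding here, and case folding, comment stripping or double encoding elsewhere) happens after the firewall has already seen the bytes, so parameterised queries on the server remain the actual control.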

FTP: the policies are configured in the same way as for HTTP. Note that the EXT_DOC, EXT_DOCX, EXT_XLS and EXT_XLSX patterns are defined but not referenced by the class, and that all the patterns are unanchored substrings, so EXT_EXE also matches a file named exercises.txt; anchoring the extension at the end of the filename would avoid that.

regex EXT_DOC ".+[Dd][Oo][Cc]"
regex EXT_DOCX ".+[Dd][Oo][Cc][Xx]"
regex EXT_XLS ".+[Xx][Ll][Ss]"
regex EXT_XLSX ".+[Xx][Ll][Ss][Xx]"
regex EXT_EXE ".+[Ee][Xx][Ee]"
regex EXT_WAV ".+[Ww][Aa][Vv]"
regex EXT_MPG ".+[Mm][Pp][Gg]"
regex EXT_AVI ".+[Aa][Vv][Ii]"
regex EXT_GIF ".+[Gg][Ii][Ff]"
regex EXT_MP3 ".+[Mm][Pp]3"
regex EXT_FLV ".+[Ff][Ll][Vv]"
regex EXT_ZIP ".+[Zz][Ii][Pp]"
regex EXT_RAR ".+[Rr][Aa][Rr]"
!
class-map type inspect ftp match-any RESTRICTED_EXT
 match filename regex EXT_EXE
 match filename regex EXT_WAV
 match filename regex EXT_MPG
 match filename regex EXT_AVI
 match filename regex EXT_GIF
 match filename regex EXT_MP3
 match filename regex EXT_FLV
 match filename regex EXT_ZIP
 match filename regex EXT_RAR
!
policy-map type inspect ftp MY_FTP_MAP
 class RESTRICTED_EXT
  reset log
!
class-map FTP_MAP
 match port tcp eq ftp
!
policy-map IN_OUT
 class FTP_MAP
  inspect ftp strict MY_FTP_MAP
!
service-policy IN_OUT interface inside

Table 16: FTP inspection policy on Firewall Inside

Blocking Yahoo Messenger and MSN Messenger

class-map IM
 match any
!
policy-map type inspect im IM
 match protocol yahoo-im msn-im
  drop-connection
!
policy-map IN_OUT
 class IM
  inspect im IM
!
service-policy IN_OUT interface inside

Table 17: Blocking Yahoo Messenger and MSN Messenger

From outside to inside

Access Control List (ACL): open port 8000 from the Web Server to the Database Server (authentication is handled by the programmers); allow the other campuses to reach the Database Server; allow Easy VPN users to reach the Call Manager and the Call Managers to reach each other; allow the Web VPN applications to work; allow the outside firewall to connect to the ACS for authentication.

access-list OUT_IN extended permit tcp 172.17.0.0 255.255.0.0 host 10.0.0.2 eq 445
access-list OUT_IN extended permit tcp host 10.1.0.4 host 10.0.0.4 eq 1720
access-list OUT_IN extended permit tcp host 11.0.0.2 host 10.0.0.2 eq 8000
access-list OUT_IN extended permit ospf any any
access-list OUT_IN extended permit udp host 193.1.3.1 host 10.0.0.2 eq radius
access-list OUT_IN extended permit tcp host 193.1.3.1 host 10.0.0.2 eq 139
access-list OUT_IN extended permit tcp 12.0.0.0 255.255.255.0 host 10.0.0.4 eq 2000
access-list OUT_IN extended deny ip any any

Table 18: ACLs from outside to inside

VPN connections

Web VPN: no extra software has to be installed; the VPN connection is made from a web browser. The following users are allowed to reach the Internet through AnyConnect, but not the internal network: teachers, students, staff and guests. The RADIUS key 123456 below (and the pre-shared keys later in this section) is a lab placeholder; a production deployment needs a long random secret.

ip local pool WIFI 172.16.20.1-172.16.20.254
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 123456
!
webvpn
 enable inside
 tunnel-group-list enable
 onscreen-keyboard logon
 svc image flash:/anyconnect-win-2.4.0202-k9.pkg
 svc enable
!
http server enable
!
group-policy WIFI internal
group-policy WIFI attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable
  svc keep-installer installed
  svc rekey method ssl
  svc rekey time 60
!
tunnel-group WIFI type webvpn
tunnel-group WIFI general-attributes
 address-pool WIFI
 authentication-server-group RADIUS LOCAL
 default-group-policy WIFI
tunnel-group WIFI webvpn-attributes
 group-alias WIFI_GROUP enable

Table 19: Web VPN policies on Firewall Inside

5.3.2.4 Firewall Outside

By traffic direction

From outside into the DMZ (Demilitarized Zone)

Access Control List (ACL) allowing outside hosts to reach the Web Server over HTTP and the Mail Server over SMTP in the DMZ.

access-list OUT_IN extended permit tcp any host 193.1.5.2 eq http
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq https
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq smtp
access-list OUT_IN extended permit tcp any host 193.1.5.2 eq pop3

Table 20: ACLs allowing access from outside into the DMZ

Limit the maximum number of connections (Max Connection) to 1000 and the number of connections that have not completed the handshake (embryonic connections) to 200.

static (inside,outside) tcp interface http 10.0.0.2 http netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface ftp 10.0.0.2 ftp netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface ftp-data 10.0.0.2 ftp-data netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 tcp 1000 200
static (inside,outside) tcp interface imap 10.0.0.2 imap netmask 255.255.255.255 tcp 1000 200

Table 21: Connection limits from outside into the DMZ

Application-layer inspection policy for HTTP, to counter web server fingerprinting, Cross Site Scripting and SQL injection from outside against the web server. The class-map OUT_IN that the policy-map references was not shown in the original; the one below is assumed to select HTTP traffic.

regex UNION ".*[uU][nN][iI][oO][nN].*"
regex SCRIPT ".*[Ss][Cc][Rr][Ii][Pp][Tt].*"
regex CHAR ".*[Cc][Hh][Aa][Rr]\(.*\).*"
!
class-map type inspect http match-any HACKING
 match request uri regex UNION
 match request uri regex SCRIPT
 match request uri regex CHAR
!
policy-map type inspect http MY_HTTP
 parameters
  spoof-server ServerPRO
 class HACKING
  drop-connection log
!
! class-map OUT_IN was missing from the original; assumed to match HTTP
class-map OUT_IN
 match port tcp eq www
!
policy-map OUT_IN
 class OUT_IN
  inspect http MY_HTTP
!
service-policy OUT_IN interface outside

Table 22: HTTP inspection policy on Firewall Outside

VPN connections

Site to Site VPN: build the access list that defines the interesting traffic, so that staff at the other campuses can reach the central Database Server and the DMZ, and the Call Manager servers can talk to each other so users at the campuses can call one another. The IKE phase 1 settings below (3DES, MD5, DH group 2, pre-shared key 123456) reflect lab work of 2010; today AES, SHA-2, DH group 14 or higher and a long random pre-shared key or certificates are the baseline. The lifetime of 84600 seconds is 1,800 seconds short of a day and is probably meant to be 86400.

access-list VPN extended permit tcp 172.16.0.0 255.255.0.0 host 10.1.0.2 eq 445
access-list VPN extended permit tcp host 10.0.0.4 host 10.1.0.4 eq 1720
access-list VPN extended permit tcp host 10.0.0.2 eq 445 172.17.0.0 255.255.0.0
access-list VPN extended permit tcp host 10.0.0.4 eq 1720 host 10.1.0.4
!
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip host 10.0.0.4 host 10.1.0.4
!
nat (inside) 0 access-list NONAT
!
crypto isakmp key 123456 address 192.168.2.3
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 84600
crypto ipsec transform-set TRANFORM esp-aes esp-sha-hmac
!
crypto map IPSEC 10 match address VPN
crypto map IPSEC 10 set peer 192.168.2.3
crypto map IPSEC 10 set transform-set TRANFORM
crypto map IPSEC interface outside
!
crypto isakmp enable outside

Table 23: Site to Site VPN policies on Firewall Outside

Easy VPN: lets staff reach the internal network while travelling, mainly for three services:
- Connecting to the central Database Server.
- Web and mail in the DMZ.
- Connecting to the Call Manager Server to make calls.

ip local pool EASY_VPN 12.0.0.1-12.0.0.254
!
access-list SPLIT standard permit 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 12.0.0.0 255.255.255.0
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 123456
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 84600
crypto ipsec transform-set TRANFORM esp-aes esp-sha-hmac
!
group-policy POLICY_EASY_VPN internal
group-policy POLICY_EASY_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 dns-server value 172.16.5.2 203.113.131.1
 vpn-idle-timeout 15
 default-domain value lotus.edu.vn
!
tunnel-group EASY_VPN type remote-access
tunnel-group EASY_VPN general-attributes
 authentication-server-group RADIUS LOCAL
 address-pool EASY_VPN
 default-group-policy POLICY_EASY_VPN
!
tunnel-group EASY_VPN ipsec-attributes
 pre-shared-key 123456
!
crypto dynamic-map DYN_MAP_EASY_VPN 20 set transform-set TRANFORM
crypto map IPSEC 60000 ipsec-isakmp dynamic DYN_MAP_EASY_VPN
crypto map IPSEC interface outside

Table 24: Easy VPN policies on Firewall Outside

Web VPN: lets staff reach the internal network while travelling, mainly for three services: connecting to the central Database Server; accessing web and mail in the DMZ; port forwarding of applications.

webvpn
 enable outside
 tunnel-group-list enable
 onscreen-keyboard logon
 port-forward APPLICATIONS 23 193.1.1.2 23
!
http server enable
!
group-policy NHANVIEN internal
group-policy NHANVIEN attributes
 vpn-tunnel-protocol webvpn
 group-lock value NHANVIEN
 webvpn
  functions url-entry file-access file-entry file-browsing
  url-list value URLs
!
tunnel-group NHANVIEN type webvpn
tunnel-group NHANVIEN general-attributes
 authentication-server-group RADIUS LOCAL
tunnel-group NHANVIEN webvpn-attributes
 group-alias NVGroup enable
group-policy NHANVIEN attributes
 group-lock value NHANVIEN
!
group-policy ADMIN internal
group-policy ADMIN attributes
 group-lock value ADMIN
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward
  port-forward value APPLICATIONS
!
tunnel-group ADMIN type webvpn
tunnel-group ADMIN general-attributes
 authentication-server-group RADIUS LOCAL
tunnel-group ADMIN webvpn-attributes
 group-alias AdminGroup enable
group-policy ADMIN attributes
 group-lock value ADMIN

Table 25: Web VPN policies on the Outside Firewall

5.3.2.5 Border router

Configure NAT (Network Address Translation) so that the hosts inside the network (Inside) can reach the Internet (Outside).

Build an Access Control List (ACL) that permits inbound connections from outside for the ISAKMP and ESP protocols towards the Outside Firewall, and HTTP, HTTPS and SMTP towards the Web Server and Mail Server.

5.3.3 Technologies used

HSRP (Hot Standby Redundancy Protocol): deployed on the two Layer 3 switches for load sharing and for redundancy should either switch fail for any reason. The two switches also act as DHCP servers, assigning IP addresses automatically to the hosts in the system. With HSRP, some users therefore get Switch 1 as their default gateway while others see Switch 2 as theirs, which spreads the access load over both switches and raises the fault tolerance of the system.

Failover: configured on the two firewall pairs (Inside and Outside Firewall) to guarantee continuous, correct operation while making full use of the performance of both pairs.

Load Balancing: deployed mainly on two devices:

Firewall Load Balancing: deploying failover on the firewalls is not enough; it has to be combined with load balancing so that inspection of the traffic in the system is shared. Only then is the information kept secure while the firewalls remain available at all times.

ADSL load balancing (load balancing on the border router): balancing two or more Internet connections can be done in several ways depending on needs and budget, and there is of course a trade-off between cost and the benefit obtained.

HSRP/MHSRP: the simplest and cheapest mechanism, but not a perfect form of load balancing, because the distribution of load depends on connections being initiated from inside towards the outside. Seen the other way round, access from outside in is not load balanced. For this reason HSRP/MHSRP is only a relative solution, for when other solutions such as BGP or load balancing with a Vigor device cannot be deployed.

BGP: used on the Internet; its configuration is fairly complex and the ISP must support it before it can be deployed. Compared with HSRP/MHSRP, BGP is the more complete solution, but it demands CPU and RAM from the router.

Besides these two methods there are many others. In the assessment of many experts, however, hardware load balancing is the optimal solution compared with software load balancing.

Using a Vigor device: lets two or three Internet lines be combined. Being a hardware solution, its investment cost is higher than the two methods above, but measured against the benefit it brings it is well worth deploying. This is therefore the solution we chose for the Hoa Sen University network model.

VOIP: provides a telephony system for users within a campus or between branches, over a leased line or over a VPN (Virtual Private Network) deployment.

5.4 Additional technologies deployed

5.4.1 Failover

a. Introduction

A dedicated feature that gives the device redundancy, keeping the system operating correctly and without interruption when a fault occurs. A pair of devices is used, one in the Active role and one in the Standby role, with two kinds of redundancy:

Hardware failover: fault tolerance for the hardware, mainly by synchronizing the configuration between the two devices. If the Primary shuts down while connections are established, every connection is dropped and has to be re-established through the Secondary, which is undesirable in a deployment.

Stateful failover: both hardware fault tolerance and preservation of connections. Besides the configuration, the two devices also synchronize the connection state table, date and time, MAC addresses (in transparent mode), SIP and VPN connections. Losing connections and having to re-initiate them on the Secondary is therefore rare.

b. Operation

Active/Standby mode: at any moment one device is Active and the other Standby. By default the Primary is Active; all traffic passes through the Active device and is synchronized to the Standby. The Standby only monitors the Active; if it finds the Active is no longer working, it becomes Active itself. Each device has its own IP and MAC. When a problem occurs on the Active, the Standby changes its IP and MAC to those of the Active and sends frames out of its interfaces so that the switch updates its MAC table. The device that was Active drops to Standby until it is repaired, and even once repaired it stays Standby rather than reclaiming the Active role. This mode, however, leaves one device idle.

Active/Active mode: to overcome that drawback, Active/Active was built on Active/Standby combined with contexts (which allow virtual firewalls). Each device carries two contexts (CTX1A, CTX1B, CTX2A, CTX2B); each context on one device pairs with a context on the other to form an Active/Standby pair, giving two Active/Standby pairs. In the first pair CTX1A is Active and CTX2A Standby; in the second CTX1B is Standby and CTX2B Active. Combined with static routing, dynamic routing or transparent mode, load can be balanced across the two devices. In practice, though, load balancing with static routes is not optimal, because most traffic flows in a single direction. Note: multiple mode (context support) does not support dynamic routing.

c. Causes

Failover can be triggered by many causes: loss of power, one or more interfaces going down, a faulty network card, software problems such as a shortage of memory, or direct action by the administrator with the command failover active on the Standby firewall. The detection times are shown below:

Figure 51: Time taken by failover to detect a fault

d. Monitoring

Fundamentally, failover monitors the failover link and the data links. On the failover link, a failover hello message is generated every 15 s (by default); if three consecutive hellos get no response from the peer, ARP packets are generated and sent on every interface. If no reply is received on any interface, failover acts and the unit switches itself to Active. If no reply comes over the failover link but replies do arrive on the other interfaces, no switchover takes place; in that case failover concludes that the failover link itself is at fault.

On the data links, a failover hello message is likewise generated and sent on every interface (at most 255), again every 15 s. If more than half the hold-down time passes without a reply, the device runs tests to determine what is wrong with that interface. Before each test the counter of packets received on the interface is cleared. The device then checks whether any valid frame or packet has arrived; if so, the interface is judged to be working normally, otherwise it moves to the next test. There are four tests:

Link up/down: disable and re-enable the interface.
Network activity: monitor the frames received over 5 s.
ARP: send two ARP queries for the two most recent entries in the ARP table and wait 5 s for a valid frame.
Broadcast ping test: send a broadcast ping and wait 5 s for a valid reply.

The devices are normally connected to Layer 2 switches, so to reduce the chance of false failures the interfaces must be in the same VLAN. If they are not, monitoring on the interface must be disabled with the command [no] monitor-interface logical_if_name. Next, make sure the STP algorithm does not affect or block these ports; on Cisco products PortFast should also be configured. Otherwise the switch will not use RSTP but the IEEE standard (802.1d), STP has to recompute, and that takes 30 to 45 seconds, losing three hello packets and disturbing failover.
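The decision rules of section 5.4.1 d written out as a small Python model (an added illustration, not code from the thesis or from Cisco). The 15 s hello interval, the three missed hellos and the four interface tests with their 5 s waits come from the text; the hold-down time is passed in by the caller because the text gives no figure for it, and the interface names and frame counts are constructed.

```python
"""Model of the ASA failover monitoring logic described in section 5.4.1 d.
Added illustration, not the thesis's or Cisco's code."""
from dataclasses import dataclass

HELLO_INTERVAL_S = 15          # default failover hello interval stated in the text
MISSED_HELLOS_BEFORE_ARP = 3   # three unanswered hellos on the failover link trigger ARP probes

# The four interface tests in the order the text lists them, with the wait each one uses.
INTERFACE_TESTS = (
    ("link up/down", 0),       # disable and re-enable the interface
    ("network activity", 5),   # watch for received frames for 5 s
    ("arp", 5),                # two ARP queries for the two newest ARP entries, wait 5 s
    ("broadcast ping", 5),     # broadcast ping, wait 5 s for a valid reply
)


def failover_link_decision(missed_hellos: int, arp_reply_by_interface: dict) -> str:
    """What the Standby does when hellos on the failover link go unanswered.

    arp_reply_by_interface maps each data interface to whether the peer answered the ARP
    probe sent out of it after MISSED_HELLOS_BEFORE_ARP hellos were lost.
    """
    if missed_hellos < MISSED_HELLOS_BEFORE_ARP:
        return "keep monitoring"                 # not yet enough evidence to probe
    if not any(arp_reply_by_interface.values()):
        return "become active"                   # peer silent everywhere: take over
    # Peer still answers on data interfaces: only the failover link is broken, no switchover
    return "failover link fault, no switchover"


def interface_test_due(seconds_since_last_hello: float, hold_down_s: float) -> bool:
    """Interface testing starts once more than half the hold-down time passes without a hello."""
    return seconds_since_last_hello > hold_down_s / 2


@dataclass
class InterfaceObservation:
    """Frames counted on one interface during each test (counter cleared before every test)."""
    name: str
    frames_per_test: tuple   # one count per entry of INTERFACE_TESTS


def probe_interface(obs: InterfaceObservation):
    """Run the tests in order and stop at the first one that sees a valid frame.

    Returns (verdict, number_of_tests_run, seconds_waited).
    """
    if len(obs.frames_per_test) != len(INTERFACE_TESTS):
        raise ValueError(f"{obs.name}: need one frame count per test")
    waited = 0
    for idx, ((_test_name, wait_s), frames) in enumerate(
            zip(INTERFACE_TESTS, obs.frames_per_test), start=1):
        waited += wait_s
        if frames > 0:                           # a valid frame arrived during this test
            return "normal", idx, waited
    return "failed", len(INTERFACE_TESTS), waited


if __name__ == "__main__":
    # Constructed scenario: three hellos lost, but the peer still answers ARP on "inside"
    print(failover_link_decision(3, {"inside": True, "outside": False, "dmz": False}))
    # Constructed scenario: "outside" is silent until the ARP test, then answers
    print(probe_interface(InterfaceObservation("outside", (0, 0, 4, 0))))
```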

5.4.2 HSRP (Hot Standby Redundancy Protocol)

a. Introduction

To keep the network highly available when a fault occurs, HSRP is one of the features that provide Network-layer redundancy for the hosts in the network, improving how connectivity is provided when a link is found to be down and how the network recovers after a fault. Like HSRP, Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP) provide similar functions: VRRP is the standard protocol, supported by most routers, while GLBP is Cisco's standard, improved from VRRP with load balancing added.

Figure 52: The HSRP protocol

HSRP is a Cisco standard, described in detail in RFC 2281. HSRP provides redundancy for the hosts through the cooperation of several routers that present a single virtual router to route the traffic into and out of the system. Because they share an IP and a MAC address, this virtual router acts as the router for the packets in the system. In reality the virtual router does not exist; it is represented as a component common to the physical routers configured with HSRP.

b. Operation

The virtual router's IP address is configured as the default gateway on the hosts in the network. When frames are sent from the hosts to the default gateway, they use ARP (Address Resolution Protocol) to resolve the MAC address for the default gateway IP. Frames sent to this MAC address are then processed by either the Active Router or the Standby Router of the same configured virtual router group. The process is completely transparent to the end hosts. HSRP thus routes traffic without depending on the availability of any single router.

Figure 53: How HSRP operates

In the figure, Router A is in the Active role and forwards every frame addressed to MAC 0000.0c07.acXX, where XX is the standby group number. The IP address and corresponding MAC address of the virtual router are kept in the ARP table of every router in the group.

Figure 54: ARP table of the member routers in the group

The figure shows the ARP table of a member router of standby group 1 in VLAN 10. The virtual router's IP address is 172.16.10.110 with the corresponding MAC 0000.0c07.ac01 (01 is the group number, shown in hexadecimal). The Standby Routers in the group constantly watch the state of the Active Router so as to take over packet forwarding quickly if the Active Router fails for any reason. The Active and Standby Routers send hello messages to communicate with the other routers in the group, with multicast destination address 224.0.0.2, transport UDP port 1985, and the sending router's own IP as the source address. The group may also contain other routers that are neither Active nor Standby; these routers monitor the hello messages sent by the Active and Standby Routers to make sure both still exist. Moreover, they forward only packets addressed to their own IP address, not those addressed to the virtual router. When the Active Router fails, the other routers in the HSRP group stop receiving messages from it; the Standby Router assumes the Active role and takes control of the traffic, and the routers in the group elect a new Standby Router. Frame forwarding for the hosts is unaffected, because the forwarding router still uses the same virtual IP and virtual MAC as before.

Figure 55: Switchover when the Active Router fails

If both the Active and the Standby Router fail, all routers in the group elect a new Active and Standby Router. The new Active Router takes over forwarding packets to the hosts in the network.

Router roles in HSRP. HSRP defines standby groups, and the routers are assigned different roles within a group:

Virtual Router: in fact just an IP/MAC address pair that every end device uses as its default gateway IP. The Active router processes every packet and frame sent to the virtual router's IP or MAC address.

Active Router: elected on the priority value (1-255, default 100) and then on the highest IP address; responsible for forwarding packets and for sending the virtual MAC address to the end devices.

Standby Router: the backup for when the Active Router fails for any reason. It then takes the Active role and continues routing the traffic in the system.

Other routers: the remaining routers, which do not take part in the standby group.

HSRP states: a router in a standby group can be in one of the following states:

Figure 56: HSRP states

Initial: the starting state of every router in the group. In this state HSRP is not running.

Learn: the router waits to receive HSRP packets in order to learn the virtual router's IP address and to identify the Active Router and Standby Router in the group.

Listen: after receiving HSRP packets and learning the virtual router's IP address, the router moves to Listen to determine whether an Active or Standby Router exists in the group. If one does, it stays in this state; otherwise it moves to Speak.

Speak: the routers actively take part in electing the Active Router and Standby Router by means of Hello packets.

Standby: the candidate for the next Active Router. The Standby Router periodically sends hello packets and also listens for the hello messages from the Active Router. An HSRP network has exactly one Standby Router.

Active: forwards packets, sends the group's virtual MAC address and answers ARP requests for the virtual IP. The Active Router also sends hello messages periodically. A standby group has exactly one Active Router.

c. Some HSRP terms

HSRP uses three timers. If no hello packet is received from the Active Router within the Active time, the router moves to a new state.

Active timer: monitors the Active Router; it is restarted whenever any router in the group receives a hello packet from the Active Router.

Standby timer: monitors the Standby Router; it is restarted whenever any router in the group receives a hello packet from the Standby Router.

Hello timer: the timing of the hello packets. Every router in the standby group, whatever its HSRP state, generates a hello packet when the hello timer expires.

Two further values determine the maximum hello time:

Hello Interval Time: the interval between two successful hello packets from one router. Default 3 seconds.

Hold Interval Time: the time between a hello being received and the sending router being presumed to have failed. Default 10 seconds.

d. Multiple HSRP (MHSRP)

From Cisco IOS Release 12.2(18)SE onward, Multiple HSRP (MHSRP), an extension of HSRP, is supported; it allows load balancing between two or more HSRP groups for traffic from the hosts to the servers in the system.

Figure 57: Multiple HSRP

In the figure, Router A and Router B both belong to two standby groups. For group 1, Router A is the default Active Router because it has the highest priority, and Router B is the Standby Router. Conversely to group 1, in group 2 Router B is the default Active Router because it has the highest priority there, and Router A is the Standby Router. During normal operation the two routers A and B share the network load between them. If both routers go down, the other routers in the group elect an Active and a Standby themselves to keep the network running continuously and to balance the flows of traffic in the network.
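The election rule, virtual MAC derivation and MHSRP load sharing of section 5.4.2 as a Python model (an added illustration, not the thesis's or Cisco's code). The priority range and default, the tie-break on highest IP, the 0000.0c07.acXX MAC format and the 3 s / 10 s timer defaults come from the text; the router names SwitchA/SwitchB, their addresses and the mirrored priorities are constructed in the spirit of Figure 57.

```python
"""HSRP/MHSRP election model for section 5.4.2. Added illustration, not the thesis's code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HELLO_DEFAULT_S = 3    # default hello interval from the text
HOLD_DEFAULT_S = 10    # default hold interval from the text


def hsrp_virtual_mac(group: int) -> str:
    """Virtual MAC of a standby group: 0000.0c07.acXX with XX the group number in hex
    (Figure 54: group 1 -> 0000.0c07.ac01). The single trailing octet limits groups to 0-255."""
    if not 0 <= group <= 255:
        raise ValueError("standby group must fit in one octet (0-255)")
    return f"0000.0c07.ac{group:02x}"


def timers_consistent(hello_s: float, hold_s: float) -> bool:
    """The hold time must exceed the hello interval, or a healthy Active is declared dead."""
    return hold_s > hello_s


@dataclass(frozen=True)
class Router:
    name: str
    ip: str              # the router's own interface address, used as the tie-breaker
    priority: int = 100  # default priority from the text

    def rank(self) -> Tuple[int, int]:
        # Higher priority wins; equal priorities are settled by the higher IP address.
        return (self.priority, int(ipaddress.IPv4Address(self.ip)))


def elect(members: List[Router]) -> Tuple[Optional[Router], Optional[Router]]:
    """Return (active, standby) for one standby group.

    Models the election at start-up (all routers in Speak state). Whether a router that
    returns later with a higher priority reclaims the Active role depends on preemption,
    which is not modelled here.
    """
    for r in members:
        if not 1 <= r.priority <= 255:
            raise ValueError(f"{r.name}: priority must be 1-255")
    ranked = sorted(members, key=Router.rank, reverse=True)
    active = ranked[0] if ranked else None
    standby = ranked[1] if len(ranked) > 1 else None
    return active, standby


def on_active_failure(members: List[Router], failed: str):
    """The Standby takes over and the group elects a new Standby from the remaining routers."""
    return elect([r for r in members if r.name != failed])


def mhsrp_roles(groups: Dict[int, List[Router]]) -> Dict[int, dict]:
    """Per-group roles for MHSRP: the same routers carry different priorities in each group,
    so each one is Active for one group and Standby for the other (Figure 57)."""
    roles = {}
    for group, members in groups.items():
        active, standby = elect(members)
        roles[group] = {
            "virtual_mac": hsrp_virtual_mac(group),
            "active": active.name if active else None,
            "standby": standby.name if standby else None,
        }
    return roles


# Constructed MHSRP setup: two Layer 3 switches, two groups, mirrored priorities.
MHSRP_EXAMPLE = {
    1: [Router("SwitchA", "172.16.10.1", priority=110), Router("SwitchB", "172.16.10.2", priority=100)],
    2: [Router("SwitchA", "172.16.10.1", priority=100), Router("SwitchB", "172.16.10.2", priority=110)],
}

if __name__ == "__main__":
    for group, role in mhsrp_roles(MHSRP_EXAMPLE).items():
        print(group, role)
    print(on_active_failure(MHSRP_EXAMPLE[1], "SwitchA"))
```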

5.4.3 Firewall Load Balancing

In today's network environment, where security plays a vital role, keeping the firewall highly available is very important. Besides configuring Firewall Failover so that the firewall operates continuously and correctly, sharing the inspection of traffic across the firewalls is also essential. From ASA 7.0 and FWSM 3.1, Cisco introduced the context concept and supports running several contexts on the redundant firewall pairs so that inspection of the traffic into and out of the system is shared. This, however, has to be configured by hand, and the participating firewalls must be identical in model, software version and other technical specifications.

a. Overview

A firewall system can be deployed in several ways. Below is a comparison of cost, security features and redundancy for a single firewall, a firewall pair, and a group of firewalls configured for Firewall Load Balancing (FWLB).

Cost
  Single Firewall: low, only one firewall to build.
  Firewall Failover: medium, two firewalls are needed.
  FWLB: high, at least two firewalls plus the load-balancing device.

Firewall point of failure
  Single Firewall: one, the firewall itself.
  Firewall Failover: none, two separate physical firewalls.
  FWLB: none, all firewalls are pooled into a group.

Performance
  Single Firewall: limited to a single firewall.
  Firewall Failover: limited to a single firewall; only one primary firewall controls the traffic at any given time.
  FWLB: scales with the number of firewalls; in theory every firewall is fully used when load balancing is ideal.

Load balancing
  Single Firewall: no.
  Firewall Failover: no, the active firewall controls every connection.
  FWLB: inspection of connections is assigned to the firewalls by a hashing algorithm; all firewalls control traffic in and out at the same time.

Response to a failure
  Single Firewall: forwards and controls no traffic at all.
  Firewall Failover: all traffic is moved to the standby firewall.
  FWLB: new connections are assigned to the other firewalls.

Additional hardware
  Single Firewall: none.
  Firewall Failover: none.
  FWLB: an FWLB device must be installed on each side of the firewall group; with the Catalyst 6500 Content Switching Module (CSM), the CSM operates on both sides of the group.

Table 26: Comparison of firewall features across the different systems

To distribute connections among the members of the group, FWLB requires an additional load-balancing function on each side of the firewall group. This ensures that connections are spread across the firewalls and that the traffic into and out of the system is always sent to the same firewall.

Figure 58: Firewall Load Balancing (FWLB)

b. Some firewall load-balancing methods

One of the following approaches, or a combination of them, can be used:

Software: Cisco IOS software on Catalyst 6500 switches provides IOS Firewall Load Balancing (IOS FWLB), a component of IOS Server Load Balancing (IOS SLB). The firewalls are configured as a firewall farm. As traffic is routed through the firewall farm, the connections are distributed to the individual firewalls in the farm, transparently to the users.

Hardware: load-balancing devices distribute the traffic to the members of the firewall farm. Connections through the firewalls are load balanced by hardware devices with the following properties:

Cisco Catalyst 6500 Content Switching Module (CSM) performs firewall load balancing as a component of Accelerated Server Load Balancing (ASLB). The firewalls are configured as ordinary server-farm members. When traffic is received on the inside VLAN, the CSM distributes the connections to the member firewalls for processing.

Dedicated appliances: external content-switching appliances placed on each side of the firewall group. Connections are distributed to the members of the farm, using the Cisco Content Services Switch (CSS) for load balancing. The firewalls are configured individually; the CSS treats them as a list of firewalls rather than as a firewall farm. The CSS distributes the flows to the firewalls along defined routes and by a hash on the IP addresses.
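A Python model of the hashing requirement behind Table 26 and section 5.4.3 b: the balancers on both sides of the firewall group must send both directions of a connection to the same stateful firewall, and when a member fails new connections go to the remaining members. This is an added illustration, not code from the thesis or from any Cisco product; the firewall names and the sample flows (branch hosts to the central database on tcp/445 and a call setup on tcp/1720, addresses taken from the VPN access lists above) are constructed.

```python
"""Symmetric flow hashing for firewall load balancing (section 5.4.3).
Added illustration, not the thesis's or Cisco's code."""
import hashlib
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, int]   # (src_ip, dst_ip, proto, sport, dport)


def canonical_key(flow: Flow) -> Tuple:
    """Order the two endpoints so that a packet and its reply produce the same key."""
    src_ip, dst_ip, proto, sport, dport = flow
    a, b = (src_ip, sport), (dst_ip, dport)
    return (proto,) + (a + b if a <= b else b + a)


def _pick(key: Tuple, firewalls: List[str]) -> str:
    """Hash the key and map it onto one member of the firewall group."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return firewalls[int.from_bytes(digest[:8], "big") % len(firewalls)]


def choose_firewall(flow: Flow, firewalls: List[str]) -> str:
    """Symmetric choice: the outside balancer (client -> server) and the inside balancer
    (server -> client) select the same member, so the firewall holding the connection state
    sees both directions."""
    if not firewalls:
        raise ValueError("no firewall available in the group")
    return _pick(canonical_key(flow), firewalls)


def naive_choose_firewall(flow: Flow, firewalls: List[str]) -> str:
    """Hash of the packet's own 5-tuple: the reply is a different tuple and may land on
    another firewall, which has no state for the connection and drops it."""
    return _pick(flow, firewalls)


def reverse(flow: Flow) -> Flow:
    """The reply direction of a flow."""
    src_ip, dst_ip, proto, sport, dport = flow
    return (dst_ip, src_ip, proto, dport, sport)


def distribute(flows: List[Flow], firewalls: List[str]) -> Dict[str, List[Flow]]:
    """Assign each new connection to a member. After a member fails, callers pass the reduced
    list, so new connections are spread over the remaining firewalls (Table 26)."""
    table: Dict[str, List[Flow]] = {fw: [] for fw in firewalls}
    for flow in flows:
        table[choose_firewall(flow, firewalls)].append(flow)
    return table


def symmetry_holds(flows: List[Flow], firewalls: List[str]) -> bool:
    """True when every flow and its reply are sent to the same firewall."""
    return all(choose_firewall(f, firewalls) == choose_firewall(reverse(f), firewalls)
               for f in flows)


# Constructed sample traffic: six database sessions from branch hosts and one H.323 call setup
SAMPLE_FLOWS: List[Flow] = [
    ("172.16.1.10", "10.1.0.2", "tcp", 49152 + i, 445) for i in range(6)
] + [("10.0.0.4", "10.1.0.4", "tcp", 51000, 1720)]

if __name__ == "__main__":
    group = ["FW1", "FW2"]
    for fw, flows in distribute(SAMPLE_FLOWS, group).items():
        print(fw, len(flows), "connections")
    for f in SAMPLE_FLOWS[:2]:
        print("symmetric:", choose_firewall(f, group), choose_firewall(reverse(f), group),
              "| naive:", naive_choose_firewall(f, group), naive_choose_firewall(reverse(f), group))
    print("after FW1 fails:", {fw: len(v) for fw, v in distribute(SAMPLE_FLOWS, ["FW2"]).items()})
```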

5.4.4 802.1x authentication

a. Introduction

IEEE 802.1x was developed by the IEEE as one of the IEEE 802.1 networking protocols, to provide user authentication in wireless networks. It was later also used in Ethernet networks as an access control mechanism on physical ports. The 802.1x standard is built on a client-server authentication model that restricts which users may join the LAN through a port-based method. It also provides a framework for authenticating and controlling user traffic in the protected network, and for dynamically distributing different encryption keys.

b. Architecture

Supplicant System (or Client): the workstation or device that needs to be authenticated before it is authorized to join the network. Authentication is triggered when the user runs a program that provides 802.1x authentication; such applications generally must support the EAPoL protocol (Extensible Authentication Protocol over LAN).

Figure 59: 802.1x architecture

Authenticator System (usually a network device that supports 802.1x authentication, such as a switch): provides the ports (physical and logical) through which the hosts access the network. It also relays the authentication information back and forth between the client and the server.

Authentication Server System: provides the authentication service to the Authenticator System; typically a RADIUS server or AAA server. It also stores user information such as username, password and the VLAN the user belongs to, which it compares with the information the user sends in order to decide whether this is a legitimate user. The Authenticator and the Authentication Server may be combined on one device. However, to prevent users from reaching the server directly and harming it, the Authentication Server and the Authenticator System are usually connected through a switch and remain transparent to the user.

c. Operation: authentication and authorization according to the 802.1x standard proceed as follows:

Figure 60: User authentication according to the 802.1x standard

Initialization: when a new supplicant is detected, the switch port (authenticator) is put into the unauthorized state. In this state only 802.1X traffic is allowed; all other traffic such as DHCP and HTTP is dropped.

Initiation: to start authentication, the authenticator sends EAP-Request/Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address and, on receiving the EAP-Request/Identity frame, answers with an EAP-Response/Identity frame carrying the supplicant's credentials, such as user ID and password. The Authenticator then encapsulates this information in a RADIUS Access-Request packet and forwards it to the Authentication Server. The supplicant can also start or restart authentication itself by sending an EAPOL-Start frame to the Authenticator, which then replies with an EAP-Request/Identity frame.

Negotiation (or EAP negotiation): the Authentication Server replies (encapsulated in a RADIUS Access-Challenge packet) to the Authenticator with the EAP Method parameter, the kind of EAP-based authentication it wants the Supplicant to perform. The Authenticator encapsulates the EAP Request in an EAPOL frame and forwards it to the Supplicant. The Supplicant may NAK the requested EAP Method and reply with the EAP Methods it is willing to perform, or begin the requested EAP Method.

Authentication: once the Authentication Server and the Supplicant agree on the EAP Method, the Supplicant and the Authentication Server (through the Authenticator) exchange EAP Requests and Responses until the Authentication Server answers with either EAP-Success (carried in a RADIUS Access-Accept packet) or EAP-Failure (carried in a RADIUS Access-Reject packet). If authentication succeeds, the Authenticator sets the port state to "authorized" and forwards all traffic; if it fails, the port stays "unauthorized". When the Supplicant leaves the system, it sends an EAPOL-Logoff message to the Authenticator, which sets the port back to "unauthorized", blocking all traffic except EAP traffic.

Figure 61: Exchange between Supplicant, Authenticator and Authentication Server

In general, the messages between Supplicant and Authentication Server travel through an EAP Method in point-to-point fashion, depending on the EAP Method used, while the Authenticator and the Supplicant exchange messages through the EAPOL (EAP over LAN) authentication protocol. Before authentication succeeds, only a few basic protocols such as STP, CDP and EAPOL are exchanged between Supplicant and Authenticator; other data frames are exchanged normally only after authentication.
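The authenticator side of the exchange in section 5.4.4 c as a Python port model (an added illustration, not the thesis's code): it enforces the unauthorized/authorized port states, passes only EAPOL before EAP-Success, relays supplicant answers to the server, and accepts a RADIUS result only when an Access-Request is actually outstanding. Message names follow the text; the port name Fa0/1 and the frame labels DHCP and HTTP used in the filtering check are the text's own examples of dropped traffic.

```python
"""Authenticator port model for the 802.1x exchange of section 5.4.4 c.
Added illustration, not the thesis's code."""
from dataclasses import dataclass, field
from typing import List

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"
ALWAYS_ALLOWED = {"EAPOL"}   # before EAP-Success only 802.1X traffic may pass the port


@dataclass
class AuthenticatorPort:
    name: str
    state: str = UNAUTHORIZED
    awaiting_server: bool = False                   # a RADIUS Access-Request is outstanding
    dropped: List[str] = field(default_factory=list)
    sent: List[str] = field(default_factory=list)

    def admit(self, frame_type: str) -> bool:
        """Forwarding decision for a supplicant frame in the current port state."""
        allowed = self.state == AUTHORIZED or frame_type in ALWAYS_ALLOWED
        if not allowed:
            self.dropped.append(frame_type)         # e.g. DHCP or HTTP before authentication
        return allowed

    def handle(self, event: str) -> str:
        """Apply one received message and return what the authenticator sends next."""
        if event in ("link-up", "EAPOL-Start"):
            if event == "link-up":                  # Initialization: new supplicant detected
                self.state = UNAUTHORIZED
            msg = "EAP-Request/Identity -> supplicant"          # Initiation
        elif event in ("EAP-Response/Identity", "EAP-Response", "EAP-Response/NAK"):
            self.awaiting_server = True             # relay the supplicant's answer to the server
            msg = "RADIUS Access-Request -> server"
        elif event.startswith("RADIUS "):
            if not self.awaiting_server:            # sequence check: no request, no result
                raise ValueError(f"{self.name}: unsolicited {event}")
            self.awaiting_server = False
            if event == "RADIUS Access-Challenge":  # Negotiation / Authentication rounds
                msg = "EAP-Request (EAP method) in EAPOL -> supplicant"
            elif event == "RADIUS Access-Accept":
                self.state = AUTHORIZED
                msg = "EAP-Success -> supplicant"
            elif event == "RADIUS Access-Reject":
                self.state = UNAUTHORIZED
                msg = "EAP-Failure -> supplicant"
            else:
                raise ValueError(f"{self.name}: unknown server message {event}")
        elif event == "EAPOL-Logoff":
            self.state = UNAUTHORIZED               # back to blocking everything but EAP
            msg = "port set unauthorized"
        else:
            raise ValueError(f"{self.name}: unexpected message {event}")
        self.sent.append(msg)
        return msg


def run_exchange(events: List[str], port_name: str = "Fa0/1") -> AuthenticatorPort:
    """Feed a sequence of received messages to a fresh port and return it for inspection."""
    port = AuthenticatorPort(port_name)
    for event in events:
        port.handle(event)
    return port


# Constructed successful session: identity, one challenge round, accept
SUCCESS = ["link-up", "EAP-Response/Identity", "RADIUS Access-Challenge",
           "EAP-Response", "RADIUS Access-Accept"]

if __name__ == "__main__":
    port = AuthenticatorPort("Fa0/1")
    print("DHCP before auth admitted:", port.admit("DHCP"))
    for event in SUCCESS:
        print(f"{event:28s} => {port.handle(event)}")
    print("DHCP after auth admitted:", port.admit("DHCP"), "| state:", port.state)
```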

d. Advantages and disadvantages of 802.1x

Advantages

Confidentiality: most information exchanged on the network is encrypted, there is an initial password, spoofing is prevented by mutual authentication between client and server, and encryption methods such as SSH (Secure Shell), SSL (Secure Sockets Layer) or IPSec are applied.

Integrity: checks such as checksums or Cyclic Redundancy Checks (CRCs) verify data integrity, and the MD5 and RC4 algorithms are also used to protect that integrity.

Availability: kept up to date with device development and with newly arising issues so that availability is not hindered and existing devices remain compatible.

Authentication mechanism: by combining dynamic authentication with centralized key management, 802.1x overcomes most of the problems of other protocols. EAP, defined in RFC 2284 for point-to-point (PPP) connections, specifies the characteristics of the authentication method, including how the user is identified (password or certificate), the protocol used (MD5, TLS, GMS, OTP), support for automatic key generation and mutual authentication. Because 802.1x is based on port-based access control, besides the general security methods it also offers more advanced ones, such as filtering. Beyond SSID and MAC filtering as in other standards, 802.1x supports protocol filtering: the wireless LAN filters the packets crossing it based on protocols from layer 2 up to layer 7. In many cases vendors make the protocol filters configurable independently for both the wired and the wireless segments of the Access Point (AP).

Disadvantages

Although, as studied above, 802.1x is a fairly secure standard, it still has limitations: it cannot resist Denial of Service (DoS) attacks, and some features require specific hardware, so security methods have to be combined and sensible security policies put in place. For these issues 802.1x itself suggests some remedies: physical security of the devices, sensible delegation of rights, and always enabling the most appropriate features, since almost every feature can be enabled or disabled. Spectrum scanners are used to detect eavesdropping devices, and transmit power is set so that the signal does not leak beyond the required area. VPN can be integrated to secure WLAN connections: when a VPN server is integrated into the Access Point (AP), users run VPN client software and protocols such as PPTP or IPSec form a tunnel directly to the AP. The user first connects to the access point and then dials the VPN connection. All traffic passes through the tunnel and can be encrypted for an additional layer of security.

5.4.5 VOIP (Voice over IP) telephony system

a. Introduction

Today a voice system is an essential requirement for any business or organization. Depending on its needs, a business may deploy traditional telephony or Voice over IP (VOIP). Many telephony solutions are therefore available, such as the 3CX PBX, Asterisk, or Cisco's CVOICE. As one of the major vendors, Cisco offers many solutions and devices for communication networks, notably AVVID (Architecture for Voice, Video and Integrated Data), which integrates voice and video on the same data network and has three basic components: infrastructure, clients and applications. Cisco also provides a complete, coordinated solution across routing, security and switching. For transport, VOIP uses the ordinary IP infrastructure: LAN, WAN and PSTN connections. On the LAN, since it runs over IP, VOIP can share the existing infrastructure with no new investment. For the WAN, a leased line or a VPN can connect two or more sites. Each solution has its pros and cons: a leased line guarantees call quality but is expensive, while a VPN has difficulty guaranteeing call quality. The choice therefore depends on the requirements.

Figure 62: A simple VOIP model

As for equipment, the following devices are indispensable in a Cisco VOIP system:

Call Manager: an integrated hardware and software system prebuilt by Cisco that acts as a server on the network. An ordinary server from another vendor (on Cisco's supported list) can also be used to install Call Manager.

CCM Server: handles call routing and manages the IP Phones.

IP Phone: the end device, converting voice to a digital signal and packetizing it, and the reverse. Cisco also offers a Soft Phone program equivalent to the IP Phone.

Voice gateway (or voice-enabled router): converts IP voice to analog for the PSTN. Today a Router 2800 or 3800 with an FXO voice card or an E1/T1 PRI card is used.

The gateway is also responsible for QoS (Quality of Service) to guarantee voice quality.

b. Deployment solutions: two options:

Using a Call Manager server for systems with more than 96 clients. In this solution each site uses its own Call Manager Server, and each server handles the calls of its own branch. When needed, users at one branch can call users at the other over the WAN or the PSTN, depending on the configuration. The equipment is: two independent Voice Gateways connected to the PSTN; depending on needs, an E1 PRI card (30 simultaneous voice channels) or n FXO lines (n simultaneous voice channels), with the corresponding service leased from the telco. We also lease a WAN line connecting the two branches, carrying both voice and data. Each call needs at least 30 Kb/s, so a line of at least about 128 Kb/s is recommended. The IP phones can be hardware or software.

Advantages: highly scalable, each server can handle 1000 phones; easier to upgrade and to add services for the IP Phones, such as conferencing, IP Contact Center and voice mail. Disadvantage: high cost.

Using a Call Manager server where each branch has fewer than 96 phones. In this solution no CCM Server is placed at the two branches; call processing and IP Phone management are done by the Voice Gateway. All other parameters are unchanged. Advantage: low cost. Disadvantages: hard to expand and to integrate new services; fewer features.

CONCLUSION

In an age of ever-advancing science, securing the data in a network plays an increasingly important role and is an investment no organization or business can do without. This report has covered the general firewall technologies at the Network, Transport and Application layers, and has studied the deployment of VPN and IPS/IDS systems, applying these technologies to the network diagram of Hoa Sen University. Guaranteeing that information on the wire is completely secure is impossible, because no solution in information security is perfect, least of all in the present period of rapid technological development. Attack methods are ever more sophisticated, and new tools for intrusion and data theft grow more numerous and harder to prevent. Here our group has presented one of many possible answers to the problem of securing the Hoa Sen University network; there are many other ways to deploy it, depending on each person's knowledge and experience. Although it is not a perfect solution in every respect, it both meets the users' needs and makes the most of the system's resources. Designing and building VPN and IDS/IPS systems is also indispensable for organizations and businesses, contributing to stronger network security. Given the rapid progress of science and technology, new technologies must be adopted regularly to prevent unauthorized intrusions and keep the network protected. In addition, security policies must be continually refined to maintain network security over the long term. Given more time and funding for real network equipment, we hope to research and apply further new security technologies, since security remains a top concern for companies at home and abroad.
