luan van nghien cuu vpn 4892

Upload: huynh-vinh

Post on 06-Apr-2018


8/3/2019 Luan Van Nghien Cuu VPN 4892

1/118

Graduation thesis, University of Technology

L Anh Hng K49DB 1

Table of contents

Preface

Chapter 1: Overview of VPN
1. Overview ........ 5
1.1 Definition of VPN ........ 5
1.2 Benefits of VPN ........ 6
1.3 Functions of VPN ........ 7
2 Definition of tunneling and encryption ........ 7
2.1 Definition of a tunnel ........ 7
2.2 Structure of an IP packet in a tunnel ........ 8
2.3 Encryption and decryption ........ 8
2.4 Some terms used in VPN ........ 8
2.5 Algorithms used in information encryption ........ 9
3 Types of VPN connection ........ 10
3.1 Remote Access VPNs ........ 10
3.1.1 Main components ........ 11
3.1.2 Main advantages of Remote Access VPNs ........ 12
3.1.3 Besides the above advantages, VPNs also have some disadvantages, such as ........ 12
3.2 Site to Site VPN ........ 13
3.2.1 Intranet ........ 14
3.2.2 Extranet VPNs ........ 16
4. VPN and security issues on the Internet ........ 18
4.1 Safety and dependability ........ 19
4.2 Forms of security ........ 20

Chapter 2: Protocols in VPN
1 The IPSec protocol suite (IP Security Protocol) ........ 22
1.1 Security architecture ........ 22
1.1.1 Current status ........ 23
2 IPSec modes of operation ........ 23
2.1 Transport mode ........ 23
2.2 Tunnel mode ........ 24
3 The PPTP and L2TP protocols ........ 31
3.1 Point-to-Point Tunneling Protocol ........ 31
3.1.1 Relationship between PPTP and PPP ........ 32
3.2 Layer 2 Forwarding Protocol ........ 34
3.3 Layer 2 Tunneling Protocol ........ 35
3.3.1 Relationship between L2TP and PPP ........ 36
3.4 L2TP overview ........ 38
3.5 Applying L2TP in VPN ........ 42
3.6 Comparison between PPTP and L2TP ........ 42
3.6.1 Advantages of L2TP ........ 43
3.6.2 Advantages of PPTP ........ 43

Chapter 3: Encryption and authentication in VPN
1. Encryption in VPN ........ 45
1.1 The DES encryption algorithm ........ 45
1.1.1 Description of DES ........ 46
1.1.2 Advantages and disadvantages of DES ........ 47
1.1.3 Applications of DES in practice ........ 47
1.2 The 3DES encryption algorithm ........ 48
1.2.1 Description of 3DES ........ 48
1.2.2 Advantages and disadvantages of 3DES ........ 49
1.3 The Secure Hash Algorithm ........ 49
1.4 The RSA algorithm ........ 49
2 Authentication in VPN ........ 50
2.1 Password Authentication Protocol (PAP) ........ 51
2.2 Challenge Handshake Authentication Protocol (CHAP) ........ 52
3 Firewall ........ 52
3.1 Firewall concepts ........ 52
3.2 Components of a firewall ........ 53
3.2.1 Packet Filtering Router ........ 53
3.2.2 Application-level gateway ........ 55
3.2.3 Circuit-level gateway ........ 57
3.3 Limitations of firewalls ........ 58
3.4 Setting firewall policy ........ 58
3.5 Some types of firewall ........ 59
3.5.1 Screened Host Firewall ........ 60
3.5.2 Screened-Subnet Firewall ........ 61
3.6 Combining a firewall with a VPN ........ 62

Chapter 4: Configuring VPN on Cisco devices
1. Site to Site VPN and Extranet VPN models ........ 64
1.1 Site to Site VPN scenario ........ 64
1.1.1 Physical address allocation for the Site to Site VPN model ........ 64
1.1.2 Detailed address table for the Site to Site VPN network ........ 65
2.1 Extranet scenario ........ 65
2.1.1 Physical address allocation for the Extranet VPN model ........ 66
2.1.2 Detailed address table for the Extranet VPN network ........ 66
2 Configuring a tunnel ........ 67
2.1 Configuring a GRE tunnel ........ 68
2.1.1 Configuring the tunnel interface, source and destination ........ 68
2.1.2 Verifying the tunnel interface, source and destination ........ 70
2.2 Configuring an IPSec tunnel ........ 70
3 Configuring NAT (Network Address Translation) ........ 71
3.1 Configuring Static Inside Source Address Translation ........ 73
3.2 Verifying Static Inside Source Address Translation ........ 73
4 Configuring encryption and IPSec ........ 74
4.1 Configuring IKE policies ........ 75
4.1.1 Creating IKE policies ........ 76
4.1.2 Configuring additional requirements for IKE policies ........ 77
4.1.3 Configuring pre-shared keys ........ 78
4.2 Configuring the gateway for digital certificate interoperation ........ 80
4.2.1 Verifying IKE policies ........ 81
4.2.2 Configuring other shared keys ........ 81
4.3 Configuring IPSec and IPSec tunnel mode ........ 82
4.3.1 Creating crypto access lists ........ 83
4.3.2 Verifying crypto access lists ........ 83
4.4 Defining transform sets and configuring IPSec tunnel mode ........ 83
4.4.1 Verifying transform sets and IPSec tunnel mode ........ 85
4.5 Configuring crypto maps ........ 85
4.5.1 Creating crypto map entries ........ 85
4.5.2 Verifying crypto map entries ........ 88
4.5.3 Applying crypto maps to interfaces ........ 88
4.5.4 Verifying the crypto map binding on the interface ........ 89
5. Configuring Cisco IOS Firewall features ........ 89
5.1 Creating extended access lists and using access list numbers ........ 90
5.2 Verifying extended access lists ........ 90
5.3 Applying access lists to interfaces ........ 90
5.4 Verifying that access lists are applied correctly ........ 91

Chapter 5: Configuring VPN on Windows Server 2003
1. General introduction ........ 92
2. Installing the VPN server ........ 92
3. Configuring the VPN server ........ 99
3.1 Routing and Remote Access Properties ........ 99
3.2 Ports Properties ........ 102
3.3 Remote Access Policies ........ 103
4. Creating Windows users allowed to use the VPN ........ 104
5. VPN client on Windows XP ........ 106
6. Managing connections on the VPN server ........ 113
Conclusion ........ 115
References ........ 116
LIST OF ABBREVIATIONS ........ 117


Preface

Previously, remote access to information on a computer was done over a dial-up connection. RAS dial-up connections worked over ordinary POTS (Plain Old Telephone Service) telephone lines and had a maximum speed of about 56 kbps. Speed was a major problem for RAS dial-up connections, but a bigger problem was the cost of the long-distance connections required for access.

Today, with its explosive growth, the Internet is ever larger and harder to control, and with that comes insecurity in exchanging information over the network: data exchanged over the network can leak or be stolen, which makes organizations such as enterprises, banks, companies and business people worry about the safety and confidentiality of the data in their local area networks (LANs) when they exchange information over the public Internet.

A VPN (Virtual Private Network) is the solution put forward to give organizations, enterprises and business people a safe and confidential way to exchange information from their local networks across the Internet. Beyond that, it helps enterprises reduce the cost of remote and wide-area links (nationwide or worldwide).

As a technology student, I too understand to some degree the unease and worry of organizations and individuals about insecurity when exchanging information. With the guidance and help of my teachers and friends, I chose the topic of virtual private networks (VPN) to study the technical solutions for building a virtual private network: the access models, the authentication methods, and their deployment and installation on network systems.


Chapter 1

OVERVIEW OF VPN

1. Overview

In the present era, the Internet has developed strongly as a model for industry, meeting the needs of users. The Internet was designed to connect many different networks and to let information reach users freely and quickly regardless of the machine and network the user is on. To achieve this, a special computer called a router is used to connect LANs and WANs together. Computers connect to the Internet through a service provider (ISP, Internet Service Provider) and need a common protocol, TCP/IP. What engineering still has to solve is the communication capacity of the public telecommunication networks. With the Internet, services such as distance education, online shopping, medical consultation and many other things have become reality. However, because the Internet is global in scope and no single organization or government manages it, data security and safety, as well as the management of services, are very difficult. From this, a new network model was proposed to satisfy those requirements while still reusing the existing infrastructure of the Internet: the virtual private network (Virtual Private Network, VPN). With this new model, there is no need to invest much more in infrastructure while features such as security and reliability are still guaranteed, and the operation of this network can be managed privately. A VPN allows users working from home, on the road, or in branch offices to connect securely to their organization's servers using infrastructure provided by the public network. It can ensure information security between agents, suppliers and business partners in a wide communication environment. In many respects a VPN is like a WAN (Wide Area Network); the decisive property of a VPN, however, is that it can use a public network such as the Internet while preserving privacy, and at much lower cost.

1.1 Definition of VPN

A VPN is understood simply as the extension of a private network (Private Network) across public networks. Fundamentally, each VPN is a separate private network that uses a shared network (usually the Internet) to connect sites (individual private networks) or many remote users. Instead of using real, dedicated connections such as leased lines, each VPN uses virtual connections routed across the Internet from the company's private network to its sites or remote employees. To send and receive data across a public network while still guaranteeing safety and confidentiality, the VPN provides mechanisms to encrypt data on the transmission path, creating a secure pipe (tunnel) between receiver and sender that resembles a point-to-point connection on a private network. To create such a secure pipe, the data must be encrypted or otherwise hidden; only the packet header, the routing information that lets the packet reach its destination quickly through the public network, is exposed. The data is carefully encrypted so that if packets are captured on the public path their contents cannot be read, because the decryption key is not available. The link over which encrypted, encapsulated data is carried is called a VPN connection. VPN connections are often called VPN tunnels.

Figure 1: VPN network model

1.2 Benefits of VPN

VPNs offer more features than traditional networks and leased-line networks. The first benefits include:

- Lower cost than private networks: a VPN can cut transmission costs by 20-40% compared with leased-line networks, and cut remote-access costs by 60-80%.

- Flexibility for doing business on the Internet: a VPN is inherently more flexible and scalable in its network architecture than classic networks, which lets a business connect its remote offices, overseas locations, telecommuters, mobile users and external business activities quickly and cost-effectively as business requirements demand.

- Simplified network topologies, and therefore a reduced management burden: using an Internet backbone eliminates the static PVCs associated with connection-oriented protocols such as Frame Relay and ATM.

- Increased security: important data is hidden from those without access rights, while access is allowed to authorized users.

- Support for today's most common network protocols, such as TCP/IP.

- IP address confidentiality: because information sent over the VPN is encrypted, the addresses inside the private network are hidden and only external Internet addresses are used.

1.3 Functions of VPN

A VPN provides four main functions:

- Confidentiality: the sender can encrypt data packets before transmitting them across the network. In this way, nobody can access the information without permission, and even someone who obtains it cannot read it because it is encrypted.

- Data integrity: the receiver can check that the data was transmitted across the Internet without any modification.

- Origin authentication: the receiver can authenticate the origin of the data packet, guaranteeing and acknowledging the source of the information.

2 Definition of tunneling and encryption

The main function of a virtual private network is to provide information security by encrypting and authenticating data through a tunnel.

2.1 Definition of a tunnel

A tunnel provides logical point-to-point connections to carry encrypted data packets through a dedicated tunnel across an IP network. This increases information security because data, once encrypted, travels inside a tunnel established between sender and receiver and so avoids theft and eavesdropping; the tunnel is precisely the "virtual" property of a VPN.

The tunneling protocols used in VPNs are the following:


- L2TP (Layer 2 Tunneling Protocol): layer-2 tunneling protocol
- PPTP (Point-to-Point Tunneling Protocol)
- L2F (Layer 2 Forwarding)

Intranet VPNs and extranet VPNs can use the following technologies:
- IPSec (IP Security)
- GRE (Generic Routing Encapsulation)

2.2 Structure of an IP packet in a tunnel

[Figure: tunnel mode packet: IP header | AH | ESP header | Data]

2.3 Encryption and decryption (Encryption/Decryption)

Encryption transforms the original readable content (clear text or plain text) into an unreadable, encoded form (ciphertext), so that it cannot be read or used by unauthorized users. Decryption is the reverse process of encryption: transforming the encrypted text back into a form readable by authorized users.

2.4 Some terms used in VPN

Cryptosystem: a system that performs encryption or decryption, user authentication, hashing and key exchange processes; a cryptosystem can use one or more different methods depending on the requirements of a particular kind of user traffic.

Hashing: a data integrity technique that uses a formula or algorithm to transform a variable-length message and a shared secret key into a single fixed-length string of data. The message or key, together with the hash, travel across the network from source to destination. At the receiving end, the hash is recomputed to check that the message and key were not altered in transit.

Authentication: the process of identifying a user or process that is accessing a computer system or network connection. Authentication makes certain that the individual or process is exactly who or what it claims to be.

Figure 2: Structure of an IP packet in a tunnel (original packet encapsulated)


Authorization: the act of checking whether an entity is permitted to exercise specific rights.

Key management: a key is information, usually a random or random-looking sequence of binary digits, used initially to set up and then periodically change the operation of a cryptographic system. Key management is the supervision and control of the process by which keys are generated, stored, protected, transformed, loaded, used and destroyed.

Certificate Authority (CA) service: a trusted service that helps secure communications between network entities or users by creating and assigning digital certificates, such as public-key certificates, for encryption purposes. A CA guarantees the binding between the security components in a certificate.

2.5 Algorithms used in information encryption:

- DES (Data Encryption Standard)
- 3DES (Triple DES)
- SHA (Secure Hash Algorithm)
- AH (Authentication Header): a security protocol that provides data authentication, data integrity and anti-replay services (a service that guarantees each packet is unique). AH is embedded in the data it protects.
- ESP (Encapsulating Security Payload): a security protocol that provides data confidentiality, data integrity, data origin authentication and anti-replay services. ESP encapsulates the data it protects.
- Oakley and Skeme: each defines a method for establishing an authenticated key exchange, including the payload structure, the information the payloads carry, the order in which keys are processed, and how the keys are used.
- ISAKMP (Internet Security Association and Key Management Protocol): a protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of an SA (Security Association).
- IKE (Internet Key Exchange): a hybrid protocol that implements the Oakley and Skeme key exchanges inside the ISAKMP framework.
- SA (Security Association): a set of policies and keys used to protect information. An ISAKMP SA is the shared policy and keys used by the negotiating peers in this protocol to protect their communications.
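The packet structure of section 2.2, the encrypt/decrypt step of section 2.3 and the ESP, anti-replay and SA terms of section 2.5 fit together in one small model. The following is an added example, not code from the thesis: a Security Association object holding an SPI, keys and a 64-packet anti-replay window, which wraps an inner IP packet in tunnel mode (outer header, ESP header, encrypted payload, ICV) and unwraps it on the receiving side. The ICV is a real HMAC-SHA256 tag; the payload cipher is a constructed HMAC-based keystream that stands in for ESP's real AES transforms so that the example needs only the Python standard library. Keys, addresses and the inner packet are all constructed values.

```python
"""Tunnel-mode ESP encapsulation with a Security Association and anti-replay window.

Added example, not code from the thesis. Packet layout:
    outer IP header | ESP header (SPI, sequence) | encrypted inner IP packet | ICV
The cipher is a constructed HMAC-SHA256 keystream (not a real ESP transform).
"""
import hashlib
import hmac
import struct


class IntegrityError(Exception):
    """ICV check failed: packet was modified or not produced with our key."""


class ReplayError(Exception):
    """Sequence number already seen or too old: dropped as a replay."""


class SecurityAssociation:
    """One direction of an SA: the SPI, the keys agreed for it, and replay state."""

    WINDOW = 64      # anti-replay window size in packets (RFC 4303 recommends >= 32)
    ICV_LEN = 16     # bytes of HMAC kept as the integrity check value

    def __init__(self, spi, enc_key, auth_key):
        self.spi = spi
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.send_seq = 0     # sender state: last sequence number sent
        self.highest = 0      # receiver state: highest sequence number accepted
        self.bitmap = 0       # receiver state: bit i set -> seq (highest - i) was seen

    def _keystream(self, seq, length):
        # Constructed toy cipher: HMAC(enc_key, seq || counter) blocks XORed with the payload.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, struct.pack(">II", seq, counter), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _icv(self, esp_header, ciphertext):
        # Integrity covers the ESP header and the ciphertext, as in ESP
        return hmac.new(self.auth_key, esp_header + ciphertext, hashlib.sha256).digest()[: self.ICV_LEN]

    def encapsulate(self, inner_packet, outer_src, outer_dst):
        """Wrap a whole inner IP packet as the ESP payload of a new outer packet."""
        self.send_seq += 1
        esp_header = struct.pack(">II", self.spi, self.send_seq)
        keystream = self._keystream(self.send_seq, len(inner_packet))
        ciphertext = bytes(a ^ b for a, b in zip(inner_packet, keystream))
        outer_header = outer_src + outer_dst   # outer header reduced to the two addresses
        return outer_header + esp_header + ciphertext + self._icv(esp_header, ciphertext)

    def _replay_check(self, seq):
        if seq == 0:
            raise ReplayError("sequence number 0 is never valid")
        if seq > self.highest:
            return                               # newer than anything seen: fine
        diff = self.highest - seq
        if diff >= self.WINDOW:
            raise ReplayError(f"seq {seq} is older than the window")
        if self.bitmap & (1 << diff):
            raise ReplayError(f"seq {seq} already received")

    def _replay_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet):
        """Verify and unwrap a tunnel-mode packet; returns the inner IP packet."""
        esp_header = packet[8:16]
        spi, seq = struct.unpack(">II", esp_header)
        if spi != self.spi:
            raise LookupError(f"no SA for SPI {spi:#x}")
        ciphertext, icv = packet[16:-self.ICV_LEN], packet[-self.ICV_LEN:]
        self._replay_check(seq)                  # cheap reject before the ICV computation
        if not hmac.compare_digest(icv, self._icv(esp_header, ciphertext)):
            raise IntegrityError("ICV mismatch")
        self._replay_update(seq)                 # only authenticated packets advance the window
        keystream = self._keystream(seq, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, keystream))


def demo():
    """Tampered, valid and replayed packets on constructed input."""
    enc_key, auth_key = b"E" * 32, b"A" * 32                         # constructed keys
    sender = SecurityAssociation(0x1001, enc_key, auth_key)
    receiver = SecurityAssociation(0x1001, enc_key, auth_key)
    inner = (b"\x45\x00\x00\x19\x00\x01\x00\x00\x40\x11\x00\x00"      # constructed IPv4 header
             + bytes([10, 0, 0, 5, 10, 1, 0, 7]) + b"hello")
    pkt = sender.encapsulate(inner, bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1]))
    results = {"hidden": pkt[16:16 + len(inner)] != inner}
    tampered = pkt[:20] + bytes([pkt[20] ^ 0x01]) + pkt[21:]         # flip one ciphertext bit
    try:
        receiver.decapsulate(tampered)
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    results["roundtrip"] = receiver.decapsulate(pkt) == inner
    try:
        receiver.decapsulate(pkt)                                     # same packet again
        results["replay_detected"] = False
    except ReplayError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in `decapsulate` is the one a real implementation uses: the replay window is consulted before the ICV so that replayed packets are dropped cheaply, but the window is only advanced after the ICV verifies, so that an attacker cannot poison the window with forged sequence numbers.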


AAA (Authentication, Authorization and Accounting): network security services that provide the primary framework for access control on a router or access server. The two main choices for AAA are TACACS+ and RADIUS.

TACACS+ (Terminal Access Controller Access Control System Plus): a security application that provides centralized authentication of users attempting to access a router or network access server.

RADIUS (Remote Authentication Dial-In User Service): a distributed client/server system that secures networks against unauthorized access.

3 Types of VPN connection

3.1 Remote Access VPNs

Remote access VPNs allow the remote, mobile and communication devices of an organization's branch employees to connect to the organization's network resources at any time.

A remote access VPN describes remote users using VPN software to access the company intranet through a gateway or VPN concentrator (essentially a server). For this reason, the solution is often called client/server. In this solution, users usually use traditional WAN technologies to create tunnels back to their head office (HO) network.

A fairly new development in remote access VPNs is the wireless VPN, in which an employee can access the network over a wireless connection. In this design, the wireless connections must first reach a wireless terminal and then the corporate network. In both cases, client software on the PC allows secure connections, also known as tunnels, to be initiated.

An important part of this design is the design of the initial authentication process, to ensure that a request originates from a trusted source. This initial phase is usually based on the company's common security policy. This policy covers procedures, techniques and servers (such as Remote Authentication Dial-In User Service [RADIUS] and Terminal Access Controller Access Control System Plus [TACACS+]).
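The AAA terms above and the initial-authentication step just described both name RADIUS as the server a remote access VPN gateway consults. The following is an added example, not code from the thesis: a RADIUS Access-Request and Access-Accept/Reject exchange (RFC 2865) with both the NAS and the server side in one process. The NAS hides the User-Password with the MD5-based scheme of RFC 2865 section 5.2, the server recovers it, checks a user table and signs its reply with the Response Authenticator, and the NAS verifies that authenticator before trusting the answer. The shared secret, user table and addresses are constructed.

```python
"""RADIUS Access-Request / Access-Accept exchange between a NAS and a server (RFC 2865).

Added example, not code from the thesis. Everything here (secret, users, NAS address)
is constructed so that the exchange runs offline with the standard library only.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(pairs):
    """Type-Length-Value attributes; Length counts the two header bytes."""
    out = b""
    for attr_type, value in pairs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def parse_attrs(data):
    """Parse TLV attributes, refusing lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length out of bounds")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret || c_(i-1)), with c_0 = Request Authenticator."""
    pad = -len(password) % 16
    padded = password + b"\x00" * (pad if password else 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """NAS side. The Request Authenticator must be fresh and unpredictable per request."""
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, nas_ip),
    ])
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def handle_access_request(request, secret, users):
    """Server side: recover the password, decide, and sign the reply."""
    code, identifier, length = struct.unpack(">BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < HEADER_LEN:
        raise ValueError("not a well-formed Access-Request")
    request_authenticator = request[4:HEADER_LEN]
    attrs = parse_attrs(request[HEADER_LEN:length])
    if ATTR_USER_PASSWORD not in attrs:
        raise ValueError("Access-Request without User-Password")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_authenticator)
    username = attrs.get(ATTR_USER_NAME)
    accepted = username in users and hmac.compare_digest(users[username], password)
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack(">BBH", reply_code, identifier, HEADER_LEN + len(reply_attrs))
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + reply_attrs + secret).digest()
    return header + response_authenticator + reply_attrs


def verify_response(response, request, secret):
    """NAS side: accept a reply only if it matches our request and proves knowledge of the secret."""
    code, identifier, length = struct.unpack(">BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        raise ValueError("response does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(response[4:HEADER_LEN], expected):
        raise ValueError("bad Response Authenticator: reply not from our server")
    return code


def demo():
    """One accepted login, one rejected login, and one forged reply, on constructed data."""
    secret = b"constructed-shared-secret"
    users = {b"alice": b"correct horse battery"}          # constructed user table
    nas_ip = bytes([192, 0, 2, 10])
    results = {}
    for ident, pw in enumerate([b"correct horse battery", b"wrong"], start=1):
        req = build_access_request(ident, b"alice", pw, nas_ip, secret)
        resp = handle_access_request(req, secret, users)
        results[pw.decode()] = verify_response(resp, req, secret)
    forged = resp[:4] + bytes([resp[4] ^ 0x01]) + resp[5:]   # reply with a corrupted authenticator
    try:
        verify_response(forged, req, secret)
        results["forged_rejected"] = False
    except ValueError:
        results["forged_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two things a defender should take from the exchange: the User-Password is only as well protected as the shared secret and the randomness of the Request Authenticator, which is why RADIUS deployments use long secrets and keep the NAS-to-server path inside a protected network or tunnel; and the NAS must check the Response Authenticator, since without it any host that can reach the NAS could answer with an Access-Accept.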


3.1.1 Main components

- Remote Access Server (RAS): located at the central site, responsible for verifying and authenticating incoming requests.

- Dial-up connections to the central site; this reduces the cost of requests that come from far away from the center.

- Support for the people responsible for configuring, maintaining and managing the RAS, and support for remote access by users.

Figure 3: A non-VPN remote access setup

By deploying remote access VPNs, remote users or branch offices only need to set up a local connection to the ISP or the ISP's POP and connect to the resources through the Internet. The remote access setup is shown in the following figure:


Figure 4: A VPN remote access setup

3.1.2 Main advantages of Remote Access VPNs:

- The need for a RAS and its associated modems is eliminated.
- The need to support individual users is eliminated, because remote connections are facilitated by the ISP.
- Long-distance dialing is eliminated; long-distance connections are replaced by local connections.
- Lower cost for long-distance connections.
- Because these are local connections, connection speed is higher than for direct long-distance connections.
- VPNs provide better access to the central site because they maintain a minimum level of access service even when the number of simultaneous connections to the network increases rapidly.

3.1.3 Besides the above advantages, VPNs also have some disadvantages, such as:

- Remote access VPNs cannot guarantee quality of service.
- The likelihood of data loss is very high; furthermore, fragments of data packets may go astray and be lost.


- Because of the complexity of the encryption algorithms, protocol overhead increases significantly, which makes the authentication process harder. In addition, IP and PPP-based data compression is extremely slow and poor.

- Because data must travel through the Internet, exchanging large data such as multimedia packets, video and audio is very slow.

3.2 Site to Site VPN

Site to site: used to connect the network at one location to the network at another location through a VPN. In this case, the initial authentication between the network devices is handed over to the users; where a VPN connection is established between them, these devices then act as a gateway and ensure that traffic intended for the other sites is forwarded. VPN-capable routers and firewalls, as well as dedicated VPN concentrators, all provide this function.

Figure 5: Site to site VPN

A site to site VPN can be seen as either an intranet VPN or an extranet VPN. If we consider them from the point of view of authentication, they may be seen as intranet VPNs; otherwise they are seen as extranet VPNs. The strictness of access between sites can be controlled by both (intranet and extranet VPNs) according to their respective sites. The site to site VPN solution is not a remote access VPN, but it is included here for completeness.

The distinction between remote access VPNs and site to site VPNs is merely symbolic and, beyond that, is provided for the purpose of discussion. For example, with the new hardware-based VPN devices (the Cisco 3002 router, for instance), to classify them we must apply both approaches, because a hardware-based client can appear when a device is accessing the network, even though a network may have many VPN devices in operation. Another example is an extended mode of the Ez VPN solution using the 806 and 17xx routers.

A site to site VPN is the connection of two separate networks through a secure tunnel; this secure tunnel can use the PPTP, L2TP or IPSec protocols. The purpose of a site to site VPN is to connect two networks that have no direct link to each other without compromising the integrity, authentication or confidentiality of the data. You can set up a site to site VPN through a combination of VPN concentrators, routers and firewalls.

A site to site VPN connection is designed to create a direct, efficient network connection regardless of the physical distance between the networks. This connection may traverse the Internet or another untrusted network. You must ensure security by encrypting the data packets traveling between those networks.

3.2.1 Intranet

Figure 6: Intranet setup using a WAN backbone

Intranet VPNs, also called internal VPNs, connect the networks of the head office, offices and remote branches over a shared network infrastructure such as the Internet into the private network of a corporation or an organization comprising many companies and offices, and these connections are always encrypted.

Intranet VPNs are used to connect an organization's branch offices to the corporate intranet (backbone router) using campus routers (Figure 7).

The model above is very expensive, because two routers are needed to set up the network; in addition, deploying, maintaining and managing the intranet backbone is very costly, depending on the volume of traffic on the network and the geographic scope of the whole intranet.

To solve this problem, the expensive WAN backbone is replaced by low-cost Internet connections, which can save a significant part of the cost of deploying the intranet (Figure 1-5).

Figure 7: Intranet setup based on a VPN

The main advantages of the VPN-based intranet setup of Figure 7:

- More cost-effective, because the number of routers is reduced compared with the WAN backbone model.

- Fewer support requests from individual users across the globe and at the various remote sites.

- Because the Internet acts as the intermediate link, it easily provides new peer connections.

- Faster and better connectivity, because the connection is by nature to the service provider, which eliminates the long-distance problem and further helps the organization cut the cost of implementing the intranet.

The main disadvantages associated with this approach:

- Because data is still tunneled over the shared public Internet, threats of attack, such as denial-of-service attacks, remain a threat to information security.

- The likelihood of losing data while it is in transit is also very high.

- In some cases, especially when the data is high-end, such as multimedia files, data exchange is very slow because it is transmitted through the Internet.

- Because the connection is Internet-based, its efficiency is not continuous and QoS is not guaranteed.

3.2.2 Extranet VPNs

Figure 8: Extranet VPN


An extranet is an extension of intranets that links customers, suppliers, partners or employees working within the intranets over a shared infrastructure, sharing connections.

Unlike intranet and remote-access-based VPNs, an extranet is not isolated from the outside world; an extranet allows access to the network resources needed by business partners such as customers, suppliers and partners who play an important role in the organization.

Figure 9: Traditional extranet setup

As the figure shows, an extranet is very expensive, because many separate network segments on the intranet are combined to form the extranet. This makes it hard to deploy and manage because of the many networks involved, and also difficult for the staff who maintain and administer it. Moreover, an extranet is hard to extend, because doing so disrupts the whole intranet and may affect the connections outside the network. Problems can appear suddenly when connecting an intranet to an extranet. Deploying and designing an extranet can be a nightmare for network designers and administrators.


Figure 10: Extranet setup

Some advantages of an extranet:

Because it operates on the Internet, you can choose the provider when selecting a solution that suits the organization's needs. Because part of the Internet connectivity is maintained by the ISP, the cost of hiring maintenance staff is also reduced. Information is easy to deploy, manage and modify.

Some disadvantages:

- Security threats, such as denial-of-service attacks, still exist.
- Increased risk of intrusion for the organization on the extranet.
- Because it is Internet-based, exchange of high-end data is slow.
- Because it is Internet-based, QoS is not always guaranteed.

4. VPN and security issues on the Internet

As we know, the explosive growth and expansion of the global Internet continues to increase, with about 10,000 new networks connecting to the Internet every month, and with it comes the problem of how to exchange data securely over a public network such as the Internet. Every year, the leakage and theft of data cause great economic damage worldwide. Hacker criminals are always looking for ways to eavesdrop on and steal sensitive data such as credit cards, user accounts and sensitive financial information from organizations or individuals.

So how does the virtual private network (VPN) solution address the problem of safety and security of information on the Internet?

The answer that lets organizations, businesses and individuals feel at ease when exchanging data over the Internet is to use virtual private network (VPN) technology.

In essence, the main technology used in a VPN is the creation of a tunnel that encrypts and authenticates the data between the two ends of the connection. Data is encrypted and authenticated before it travels through a separate tunnel, and so it escapes the curious eyes that want to steal it.

4.1 Safety and dependability.

The safety of a computer system is one part of the ability to maintain a dependable system. This attribute of a system is referred to as dependability. Four factors influence a dependable system:

- Availability: the ability to be ready to serve and to respond to requests within a period of time. Availability is usually achieved through redundant hardware systems.
- Reliability: it defines the probability that the system performs its functions over a period of time. Reliability differs from availability in that it is measured over an entire period of time. It corresponds to the continuity of a service.
- Safety: it indicates that a system performs its functions correctly, or, in case of failure, behaves in a way that causes no damage.
- Security: in this context, security means the protection of all system resources.

A computer system that is dependable at the highest level guarantees safety at any time. It guarantees that no incident occurs without warning about sensitive information; regarding sensitive data there are two aspects to consider:

- Confidentiality.
- Integrity.

The term confidentiality, as defined here, means that the data is not altered by an unauthorized action during its lifetime. Availability, safety and security are mutually dependent components. Security protects the system against threats and attacks. It ensures that a safe system is always available and dependable.

4.2 Forms of security

The safety of a computer system depends on all of its components.

There are three different kinds of security:

- Hardware security
- Information security
- Administrative security

Hardware security:

Threats and attacks related to the hardware of the system. It can be divided into two categories:

- Physical security
- Emanation security

Physical security protects the hardware of the system against external physical threats such as tampering, theft of information, earthquakes and flooding. All sensitive information in the hardware resources of the system needs protection against all of these threats.

Information security:

Concerns vulnerabilities in software, in hardware, and in the combination of hardware and software. It can be divided into computer security and communications security. Computer security covers the protection of objects against exposure and against the vulnerabilities of the system, and includes access control mechanisms, mechanisms enforcing the security policy, hardware mechanisms and cryptographic techniques. Communications security protects the objects being transmitted.

Administrative security:

Administrative security concerns all threats that people pose to a computer system. These threats may be personnel activities. Personnel security covers the protection of objects against attacks by authorized users.

Every user of the system has privileges to access certain resources. Personnel security contains protection mechanisms against users who intend to obtain higher privileges or to abuse their privileges, so awareness education is very important; it really is a mechanism for protecting the safety of the system. Statistics show that authorized users pose a higher rate of threat to a computer system than attacks from outside. The statistics show that only 10% of all computer damage is done from outside the system, while up to 40% is done by insiders and about 50% by former employees.


Chapter 2

PROTOCOLS IN VPN

In VPN there are three main protocols for building a complete virtual private network:

- IPSec (IP Security)
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)

Depending on the specific application layer, each protocol has different advantages and disadvantages when deployed in a VPN.

1 The IPSec protocol suite (IP Security Protocol):

IPSec is in fact not a single protocol; it is a framework of extensible standard protocol sets designed to provide data authentication and integrity. IPSec works at the Network Layer, Layer 3 of the OSI model. Other Internet security protocols such as SSL, TLS and SSH operate from the transport layer upward (layers 4 to 7 of the OSI model). This gives IPSec flexibility: it can operate at layer 4 with TCP, UDP and most of the protocols used at that layer. IPSec has an advantage over SSL and the other methods that operate at the upper layers of the OSI model: with an application that uses IPSec the code is not changed, whereas if the application were required to use SSL or other security protocols at the upper layers of the OSI model, the application code would have to change substantially.

1.1 Security architecture

IPSec is deployed (1) using cryptographic protocols to secure packets in transit, (2) with an authentication method and (3) by establishing the encryption parameters.

It builds the concept of security on top of IP. A simple security association, combining the algorithms and parameters (for example the keys), is the basis for encryption and authentication in one direction. In two-way communication, however, the security protocols work together and serve the communication process. In practice the choice of encryption and authentication algorithms depends on the IPSec administrator, because IPSec comprises a group of security protocols that provide encryption and authentication for each IP packet.

In the processing steps it must be decided what needs to be protected and provided for an outgoing packet. IPSec uses the Security Parameter Index (SPI); each index (numbered and stored in the index data, like a telephone directory) covers the Security Association Database (SADB), together with the destination address in the packet header and the unique identifier of a security association for each packet. A similar process is carried out for incoming packets, where IPSec performs decryption and checks the keys from the SADB.

For multicast packets, a security association is provided for a group and applies to all receivers in that group. There can be more than one security association for a group, by using different SPIs, which also allows several security levels for a group. Each sender can have several security associations, allowing authentication, while the receiver only knows the keys sent in the data. Note that the standards do not describe how the associations are chosen and replicated from the group to individuals.

1.1.1 Current status

IPSec is a mandatory part of IPv6 and is optional with IPv4. Although the standards were designed to be the same for both IP versions, today it is most commonly applied and deployed on IPv4.

The IPSec protocols were defined in RFCs 1825-1829, published in 1995. In 1998 they were upgraded in RFC 2401-2412, which is not compatible with 1825-1829. In December 2005 the third generation of the IPSec standard, RFC 4301-4309, appeared. It does not differ much from RFC 2401-2412, but the new generation provides the second version of the IKE standard. In this new generation IP security is also abbreviated as IPsec.

2 IPSec modes of operation

2.1 Transport mode

This mode supports communication between hosts, or between a server and another host, without the involvement of gateways performing network security duties.

In Transport mode only the data you communicate in the packets is encrypted and/or authenticated. During routing the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified (for example the port number). Transport mode is used in host-to-host communication situations.


This means that the encapsulation of IPSec information for NAT traversal is defined by the information in the RFC document for NAT-T.

2.2 Tunnel mode:

This mode supports remote access and secure site-to-site links. Transport mode applies AH and ESP to the transport-layer part of an IP packet. The actual data of the IP protocol is the only part of the whole packet that is protected; the IP packet header, with the addresses of the sending and receiving points, is not protected. When both AH and ESP are applied, AH is applied afterwards to compute the integrity of the data on each data flow. Tunnel mode, on the other hand, allows the whole IP packet to be encrypted and authenticated. Security gateways use this mode to provide security services on behalf of other entities on the network. The communicating end points are protected inside the incoming IP packets, while the encrypting end points are recorded in the outgoing IP packets. A security gateway parses the incoming IP packet for the final receiving point after IPSec has completed its processing. In tunnel mode the IP address of the destination is protected.

In tunnel mode an additional IP header is added, which is not the case in transport mode. IPSec defines tunnel mode for both AH and ESP.

When host 1 wants to communicate with host 2, it can use tunnel mode so that the security gateways can provide security services for the communication between the two network nodes over the public network.

IPSec allows security in multiple layers and over multiple transmission routes, in which the header of the inner packet is completely enclosed by the header of the transmitted packet. One condition must hold, however: the routes must not overlap.

For processing the outgoing data flow, the IP layer consults the SPD (Security Policy Database) to decide which security services to apply. Selectors extracted from the headers are used to identify an action for the SPD. If the SPD action is to apply security, a pointer to an SA in the SADB (Security Association Database) is returned. If the SA is not in the SADB, IKE is triggered. The AH and ESP headers are then added in the way the SA specifies and the packet is transmitted.


For processing the incoming data flow, after a packet is received the layer responsible for security checks the list of security policies to determine one of the following actions: discard, bypass or apply. If the action is apply and the SA does not exist, the packet is dropped. If the SA is in the SADB, however, the packet is passed to the next layer for processing. If the packet contains IPSec service headers, the IPSec stack takes the packet and processes it. During processing IPSec extracts the SPI and the source and destination addresses of the packet. At the same time, the SADB is indexed by the parameters used to select the particular SA to use: SPI, destination address or protocol.
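The SPD/SAD processing path just described, as an added toy model written for this page (not code from the thesis or from any IPsec implementation); the addresses, SPIs and policy entries are constructed samples, and the replay check follows the RFC 2401 sliding-window scheme that ESP uses to reject repeated sequence numbers.

```python
"""Added illustration, not from the thesis: a toy model of the IPsec
packet-processing path.  Outbound packets are matched against an SPD whose
entries carry selectors and an action (discard, bypass or protect); a
protect entry points at an SA in the SAD, and a missing SA triggers IKE.
Inbound IPsec packets are looked up in the SAD by (SPI, destination,
protocol) and checked against an RFC 2401 style anti-replay window.
Addresses, SPIs and policies below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"
ESP, AH = 50, 51            # IP protocol numbers (ESP is 50, as the text notes)


@dataclass
class SA:
    spi: int
    dst: str
    proto: int                 # ESP or AH
    window: int = 64           # anti-replay window size (RFC 2401 default)
    highest_seq: int = 0       # largest sequence number accepted so far
    bitmap: int = 0            # bit i set => highest_seq - i was already seen

    def check_replay(self, seq: int) -> bool:
        """Sliding-window check: record seq and return True, or False on replay."""
        if seq == 0:
            return False                              # never a valid sequence number
        if seq > self.highest_seq:                    # new high-water mark: slide window
            shift = seq - self.highest_seq
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window:                     # older than the window: reject
            return False
        if self.bitmap & (1 << offset):               # seen before: replay
            return False
        self.bitmap |= 1 << offset
        return True


@dataclass
class SPDEntry:
    src: str                   # selectors in CIDR notation
    dst: str
    proto: Optional[int]       # None matches any protocol
    action: str
    sa: Optional[SA] = None    # filled in once IKE has negotiated the SA

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"]))


class IPsecStack:
    def __init__(self, spd, sas):
        self.spd = spd                                    # ordered: first match wins
        self.sad = {(sa.spi, sa.dst, sa.proto): sa for sa in sas}
        self.ike_requests = []                            # (src, dst) pairs needing an SA

    def outbound(self, pkt: dict) -> str:
        """SPD lookup for an outgoing packet; returns the action taken."""
        for entry in self.spd:
            if entry.matches(pkt):
                if entry.action != PROTECT:
                    return entry.action
                if entry.sa is None:                      # policy says protect, no SA yet
                    self.ike_requests.append((pkt["src"], pkt["dst"]))
                    return "queued-for-ike"
                return f"protect:spi=0x{entry.sa.spi:x}"
        return DISCARD                                    # no policy: drop by default

    def inbound(self, pkt: dict) -> str:
        """SAD lookup plus replay check for an incoming packet."""
        if pkt["proto"] not in (ESP, AH):
            # Plain packet: it may only pass if policy does not demand protection.
            for entry in self.spd:
                if entry.matches(pkt):
                    return BYPASS if entry.action == BYPASS else "discard:unprotected"
            return DISCARD
        sa = self.sad.get((pkt["spi"], pkt["dst"], pkt["proto"]))
        if sa is None:
            return "discard:no-sa"
        if not sa.check_replay(pkt["seq"]):
            return "discard:replay"
        return f"accept:spi=0x{sa.spi:x}"


def build_sample_stack() -> IPsecStack:
    """Constructed sample policy: protect traffic to the peer gateway with ESP,
    let DNS to the local resolver through, drop everything else."""
    sa_out = SA(spi=0x1001, dst="203.0.113.10", proto=ESP)   # our gateway -> peer
    sa_in = SA(spi=0x2002, dst="198.51.100.1", proto=ESP)    # peer -> our gateway
    spd = [
        SPDEntry("10.0.0.0/24", "203.0.113.10/32", None, PROTECT, sa_out),
        SPDEntry("10.0.0.0/24", "10.0.0.53/32", 17, BYPASS),
    ]
    return IPsecStack(spd, [sa_out, sa_in])
```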

Figure 11

+ IPSec allows separate communication channels to be established and confidentiality to be ensured on the Internet without any knowledge of the applications running on the machine or of higher-layer protocols such as the transport layer.

Figure 12


+ IPSec is a protocol suite able to authenticate data on both the sender's and the receiver's side, ensuring data confidentiality and integrity by encryption and authentication. IPSec can accommodate every application running on an IP network.

+ IPSec works more efficiently and faster than security applications operating at the application layer.

Figure 13

+ IPSec can be regarded as a layer beneath the TCP/IP protocol; this layer controls user access based on a security policy, and each computer and organization negotiates security between sender and receiver.

Encapsulating Security Payload (ESP): this is protocol number 50 as assigned by IANA. ESP is a security protocol that can be used to provide confidentiality and authentication of data packets against snooping by unauthorized users. ESP protects the payload of the packet and provides authentication for the inner IP packet and the ESP header. The authentication provides origin authentication and integrity of the data packet. ESP supports symmetric encryption such as Blowfish and DES. The default data encryption algorithm used in IPSec is 56-bit DES. Cisco network products and devices used in VPNs also offer better data encryption with the 128-bit 3DES (Triple Data Encryption Security) algorithm.

+ ESP can be used on its own or combined with the Authentication Header (AH) protocol depending on the environment. Both ESP and AH provide integrity and authentication of data packets.


+ ESP can also protect the uniqueness of packets by requiring the receiver to set the replay bit in the header to indicate that the packet has been sent.

Authentication Header protocol (AH).

The IPSec system has a special header: the authentication header AH, designed to provide most authentication services for IP data. With IPv4:

Figure 14.1

With IPv6:

Figure 14.2

Internet Key Exchange protocol (IKE). AH and ESP are protocols for which IPSec requires shared secrets to be distributed as keys, so the keys can be stolen while being exchanged. A secure key exchange mechanism for IPSec must therefore satisfy the following requirements:

- Independence from specific algorithms.
- Independence from a specific key exchange procedure.
- Authentication of the key management entities.
- Establishment of SAs over insecure transport routes.
- Efficient use of resources.

IKE is based on the ISAKMP (Internet Security Association and Key Management Protocol) framework and the Oakley key distribution protocol.


IKE has the following characteristics:

+ Key generation and identification procedures.
+ Automatic key refresh.
+ Handling of key loss.
+ Each security protocol (AH, ESP) has its own security index space.
+ Built-in protection.
+ Resistance to resource-exhausting attacks such as denial-of-service (DoS) attacks.
+ A two-phase approach:
  - establishing SAs for the key exchange;
  - establishing SAs for the data transfer.
+ Use of digital signatures.
+ Use of shared keys.

IKE is designed to provide five capabilities:

- A means for the two parties to agree on the protocols, algorithms and keys to use.
- Assurance that keys are exchanged with the right user.
- Management of the keys after they have been accepted.
- Assurance that the key handling and exchange are secure.
- Dynamic authentication between peers.

To establish an IKE key association starting from a site, a branch office or a secure gateway into a corporate Intranet, four items must be designed:

- A data encryption algorithm.
- A hash algorithm to reduce the data above.
- A data authentication method.
- Information about the group used in the Diffie-Hellman exchange.

Before IPSec authenticates or encrypts IP data, the sender and the receiver must agree on the encryption algorithm and on the encryption key or keys to use. IPSec uses IKE to set up the negotiated protocols, the encryption keys and the algorithms to use.

IKE provides primary authentication: verifying the identity of the remote systems before discussing and negotiating keys and algorithms.

IKE is a hybrid of three protocols: ISAKMP (Internet Security Association and Key Management Protocol), Oakley and SKEME.


ISAKMP provides a framework for authentication and key exchange.

Oakley describes the modes of key exchange. SKEME defines the key exchange technique.

In ISAKMP there are two channels for establishing an SA (Security Association).

IKE has two common flows:

- ISAKMP phase one (main mode): negotiates the establishment of an ISAKMP security association, a secure channel for further remote communication for IKE; the two systems generate a Diffie-Hellman shared key and verify the identity of the remote system (primary authentication).

Figure 15: Formation of the Diffie-Hellman shared key (Node A, Node B). Step 1: A and B select a Diffie-Hellman group. Step 2: each node generates a private value and a public value and exchanges the public values. Step 3: A's private value combined with B's public value, and B's private value combined with A's public value, give the same shared secret value.

- ISAKMP phase two (quick mode): uses the secure communication channel of the ISAKMP SA to negotiate IPSec encryption with AH or ESP.


Figure 16: SA establishment

+ IKE primary authentication: IKE must authenticate the systems that use the Diffie-Hellman algorithm; this procedure is called primary authentication. IKE can use two methods of primary authentication:

- Digital signatures.
- Pre-shared keys.

Digital signatures and public key encryption are based on asymmetric key encryption and require a mechanism for distributing the public keys.

- IKE digital signature authentication: a digital signature is similar to a symmetric keyed hash value. The difference between them is that only the holder of the private key can generate a digital signature, whereas everyone who holds the symmetric key can generate a symmetric keyed hash value.

- IKE pre-shared key authentication: with pre-shared key authentication, the sender and the receiver must manually exchange and configure a symmetric shared key. The pre-shared key is used only for primary authentication.
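The Diffie-Hellman exchange of Figure 15 together with the pre-shared key primary authentication just described, as an added example that is not code from the thesis: it derives SKEYID and the SKEYID_d, SKEYID_a and SKEYID_e keys the way RFC 2409 section 5 specifies for pre-shared keys, with HMAC-SHA1 assumed as the prf; the modulus is a toy prime rather than a real IKE group, and the cookies, nonces and pre-shared key are constructed values.

```python
"""Added example, not from the thesis: the three-step Diffie-Hellman exchange
of Figure 15 followed by the IKEv1 pre-shared key derivation of RFC 2409
section 5: SKEYID = prf(psk, Ni | Nr), then SKEYID_d, SKEYID_a and SKEYID_e.
Assumptions: prf is HMAC-SHA1; the modulus is a toy prime, NOT an IKE MODP
group; cookies, nonces and the pre-shared key are constructed sample values."""
import hashlib
import hmac
import secrets
from typing import Optional

P = 2**127 - 1     # toy prime modulus (assumption; a real IKE SA uses an RFC 2409/3526 group)
G = 3              # generator for the toy group


def make_private_value() -> int:
    """Step 1: each node picks a secret exponent in [2, p-2]."""
    return secrets.randbelow(P - 3) + 2


def public_value(private: int) -> int:
    """Step 2: the value sent to the peer, g^x mod p."""
    return pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> int:
    """Step 3: own private value combined with the peer's public value."""
    if not 1 < peer_public < P - 1:          # reject degenerate values 0, 1, p-1
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def ike_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: int,
                 cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5, pre-shared key case."""
    gxy_b = gxy.to_bytes((P.bit_length() + 7) // 8, "big")
    skeyid = prf(psk, ni + nr)                                        # needs the psk
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")           # IPsec SA key source
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # IKE integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # IKE encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1_psk(psk_a: bytes, psk_b: bytes,
               a: Optional[int] = None, b: Optional[int] = None):
    """Run the phase 1 key derivation for node A (initiator) and node B
    (responder) and return both key sets so they can be compared.  Only the
    public values, nonces and cookies travel over the network; a peer that
    holds a different pre-shared key ends up with different keys."""
    a = a or make_private_value()
    b = b or make_private_value()
    pub_a, pub_b = public_value(a), public_value(b)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # constructed nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed cookies
    keys_a = ike_psk_keys(psk_a, ni, nr, shared_secret(a, pub_b), cky_i, cky_r)
    keys_b = ike_psk_keys(psk_b, ni, nr, shared_secret(b, pub_a), cky_i, cky_r)
    return keys_a, keys_b
```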


3 The PPTP and L2TP protocols

Figure 17

3.1 Point-to-Point Tunneling Protocol (PPTP)

PPTP is one of many techniques used to set up tunnels for remote connections. PPTP is an extension of the basic PPP protocol, so PPTP does not support continuous multipoint connections; it supports only point-to-point connections.

Figure 18

PPTP supports only IP, IPX, NetBIOS and NetBEUI. PPTP does not change PPP; it is merely a new solution, a way of creating a tunnel for carrying PPP traffic.


Figure 19

Figure 20

3.1.1 Relationship between PPTP and PPP

PPP has become the very widespread dial-up protocol for accessing the Internet and TCP/IP networks today. This protocol works at layer 2 of the OSI model. PPP includes encapsulation methods for different kinds of data packets for serial transmission. PPTP relies on PPP to create dial-up connections between the client and the network access server. PPTP relies on PPP to perform the following functions:

- Establishing and terminating the physical connection.
- Authenticating users.
- Creating PPP data packets.

After PPP has established the connection, PPTP uses the PPP encapsulation rules to encapsulate the packets transmitted in the tunnel, as shown below:


Figure 21

To take advantage of the connection created by PPP, PPTP defines two kinds of packets, control packets and data packets, and assigns them to two separate channels. PPTP then separates the control channel and the data channel into a control stream over TCP and a data stream over IP. A TCP connection created between the PPTP client and the PPTP server is used to carry control messages.

After the tunnel is established, the data transmitted from the client to the PPTP server contains IP data packets. The IP data packet is encapsulated with headers as shown in the following figure:

Figure 22

During encapsulation the host ID is used for access control, and the ACK is used to monitor the data transmission rate in the tunnel.

PPTP also has a rate control mechanism to limit the amount of data transmitted. This mode minimizes the amount of data that has to be retransmitted because of packet loss.

PPTP lets users and ISPs create several kinds of tunnels. Users can designate the end point of the tunnel at their own computer, if a PPTP client is installed, or at the ISP's server if their computer has only PPP and no PPTP. Tunnels are divided into two kinds:

- Voluntary tunnels, created at the request of the user for a specific purpose.
- Compulsory tunnels, created without going through the user, so they are transparent to the end user.

3.2 Layer 2 Forwarding Protocol (L2F)

L2F is a technique researched and developed in Cisco's network systems while PPP was being developed; it is a protocol that lets a user's computer access an organization's intranet across the public Internet infrastructure while maintaining security and control. Like PPTP, L2F allows secure virtual private network access across the public Internet infrastructure by creating a tunnel between two connection points.

The basic difference between PPTP and L2F is that PPTP supports only IP, IPX, NetBIOS and NetBEUI, whereas L2F tunneling does not depend on IP networks: L2F can work with many different network procedures such as Frame Relay, ATM and FDDI. L2F supports tunneling for more than one connection, a limitation of PPTP. L2F can do this because it defines connections inside the tunnel, a useful feature of L2F in situations where there are many remote access users but only a single connection is available to satisfy the requests.

Figure 23

Figure 24

L2F uses PPP for client authentication like PPTP, but L2F also supports Remote Authentication Dial-up User Service (RADIUS) and the Terminal Access Controller Access Control System (TACACS+).

L2F authentication takes place at two levels: first when the remote user connects to the ISP through the POP, after which the connection is forwarded to the gateway of the organization's Intranet. L2F carries the data packets through a virtual private tunnel between the two ends of a point-to-point connection; L2F does this at the protocol level.

L2F is a layer 2 protocol, so it can be used for protocols other than IP, such as IPX and NetBEUI.

With L2F, full security between the two VPN end points can be created and used; it is a scalable and reliable solution.

3.3 Layer 2 Tunneling Protocol (L2TP)

L2TP is a technique that emerged to provide a remote connection to a corporate or organizational Intranet. L2TP was developed as a blend of the two protocols PPTP and L2F.

Figure 25


L2TP provides a technique for building a tunneled connection over the point-to-point protocol PPP. The tunnel can be, and is, created between the remote user and the service provider.

Figure 26

L2TP not only provides remote user connections in a VPN but can also support multiprotocol traffic, that is, all the network-layer protocols supported by the reliable PPP protocol. Moreover, L2TP supports any addressing for any network layer over the connection through the Internet.

3.3.1 Relationship between L2TP and PPP

The Layer 2 Tunneling Protocol, L2TP, is a combination of the two protocols PPTP and L2F. Like PPTP, L2F is a tunneling protocol; it uses its own encapsulation header for carrying layer 2 packets. The difference between PPTP and L2F is that L2F does not depend on IP and GRE, which allows it to work in other physical environments. L2TP carries the characteristics of both PPTP and L2F. However, L2TP defines its own tunneling protocol based on the operation of L2F. L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS). L2TP uses PPP to create the physical connection, carry out the initial authentication, create PPP data packets and close the connection at the end of the session. L2TP can create multiple tunnels between the ISP and the client network servers.


Figure 27: L2TP encapsulation (labels from the figure: IP header, GREv2 header, PPP payload, IP, IPX and NetBEUI data packets, delivery medium header (IP, ATM, X.25), Ethernet frame, medium header, PPP frame; mobile client, ISP remote access switch, server, hosts, LAN).

L2TP, like PPTP, also has two kinds of messages:

- Control messages
- Data messages

Similarly to PPP, after the tunnel is established the data transmitted from the client to the PPTP server contains IP data packets. The IP data packet is encapsulated with headers as shown in the following figure.

Figure 28: L2TP packet filter

L2TP also uses the same tunnel classes as PPTP:

- Voluntary tunnels: created at the request of the user.
- Compulsory tunnels: created automatically (the user has no choice).


3.4 L2TP Overview.

L2TP can support remote LAN access using any network-layer protocol supported by PPP over tunneled sessions, which are managed directly by terminating the PPP connection at the access gateway into the Intranet of an organization or corporation.

Figure 29

Several elements take part in setting up an L2TP tunnel:

- L2TP Access Concentrator (LAC): the access concentrator. The LAC is located at the ISP's POP and provides the physical connections of remote users. In the LAC the physical medium is terminated, and it can be connected to the public switched telephone network (PSTN) or to the Integrated Services Digital Network (ISDN). Through the LAC, an L2TP tunnel connection can be established via the LAC router to the end user where the tunnel is terminated.
- L2TP Network Server (LNS): the L2TP server. The LNS accepts the sessions of remote users; a single connection is used on the LNS to terminate the incoming connection channels from remote users over different media such as ISDN and V.120. A multi-access concentrator can also be used as the LNS when it serves as the access gateway into the corporate Intranet.
- Network Access Server (NAS): the network access server.


The NAS is a point-to-point access device that serves the access requests of remote users over ISDN or PSTN. The NAS establishes and controls sessions and tunnels:

+ The remote user starts a PPP connection to the NAS.
+ The NAS accepts the call.
+ The end user's authentication is delegated to the authentication server by the NAS.
+ The end user establishes a connection with the LNS, creating a tunnel to the corporate Intranet. The sessions are managed by the LAC and the data packets are sent through the LAC-LNS tunnel; each LAC and LNS tracks the state of the user's connections.

Figure 30

+ The remote user is also authenticated by the authentication server of the LNS gateway before the tunnel connection is accepted.
+ The LNS accepts the connection and establishes the L2TP tunnel, and the NAS authenticates.
+ The LNS exchanges with the remote user over PPP.

L2TP can support the following functions:

- Setting up tunnels for users dialing in to customers.
- Tunneling through small transport programs.
- Incoming connections sent to the LNS from the LAC.
- Setting up multiple tunnels.
- Proxy authentication for PAP and CHAP.
- Authentication of the tunnel end points.
- Hiding the attribute pair that carries a proxied PAP password.
- Tunneling using a lookup table.
- Tunneling using the PPP user name lookup in the AAA system.

Kinds of L2TP tunnels:

- Compulsory L2TP tunnels: with this kind of tunnel the L2TP tunnel is established between the LAC at the ISP and an LNS in the corporate Intranet.


Figure 31

A compulsory tunnel is established as follows:

- The remote user starts a PPP connection to the ISP.
- The ISP accepts the connection and the PPP link is established.
- The ISP establishes an L2TP tunnel to the LNS; if the LNS accepts the connection, the LAC encapsulates PPP in L2TP and forwards it into the tunnel. The LNS accepts this frame, strips off L2TP and processes the incoming PPP.
- The LNS uses authentication to validate the user and then assigns an IP address.

Figure 32


Figure 33: Data encapsulation in an L2TP tunnel

Setting up a remote virtual private network connection using L2TP and IPSec.

Figure 34: Using IPSec to protect L2TP in a compulsory tunnel between a remote user and a corporate gateway

Figure 35


3.5 Applying L2TP in a VPN.

Example: the company is supported by a VPN service provider. That is, the ISP that provides the company's Internet connection has a RADIUS proxy server and a LAC, while the company maintains the RADIUS server and the LNS.

Figure 36: L2TP dial-up VPN access

L2TP is a new generation of dial-up access protocol for VPNs. It combines the best features of PPTP and L2F. Most vendors of PPTP products have released L2TP-compatible products or introduced them later. Although it runs mainly over IP networks, it can also run over Frame Relay and ATM networks, which makes it even more popular.

3.6 Comparison between PPTP and L2TP

Both PPTP and L2TP\IPSec use the point-to-point protocol to provide a basic wrapper for the data and then add headers for transmission over the working networks. There are, however, the following differences:

- With PPTP, data encryption begins after the PPP connection process (and therefore PPP authentication) is completed. With L2TP\IPSec, data encryption begins before the PPP connection process, by negotiating an IPSec security association.
- PPTP connections use MPPE, a stream cipher based on the RSA RC4 encryption algorithm that uses 40-, 56- or 128-bit encryption keys. Stream ciphers encrypt data as a bit stream. L2TP\IPSec connections use DES, a block cipher that uses either one 56-bit key for DES or three 56-bit keys for 3-DES. Block ciphers encrypt data in separate blocks (64-bit blocks in the case of DES).

- PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP\IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

3.6.1 Advantages of L2TP.

The following are the advantages of using L2TP\IPSec over PPTP in Windows 2000:

- IPSec provides per-packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention of resending a captured sequence of packets) and data confidentiality (prevention of interpreting captured packets without the encryption key). By contrast, PPTP provides only per-packet data confidentiality.
- L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.
- The PPP packets exchanged during user-level authentication are never sent unencrypted, because the PPP connection process for L2TP/IPSec takes place after the IPSec security associations (SAs) have been established. If intercepted, the PPP authentication exchange of some kinds of PPP authentication protocols can be used to carry out offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange, offline dictionary attacks are only possible after the encrypted packets have been successfully decrypted.

3.6.2 Advantages of PPTP

The following are the advantages of PPTP over L2TP/IPSec in Windows 2000.

- PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate infrastructure to issue computer certificates to the VPN server and to all clients.

- PPTP can be used by computers running Windows XP or Windows 2000 with Windows dial-up networking and the security updates applied. L2TP/IPSec can only be used with Windows XP and Windows 2000 VPN clients; only these clients support the L2TP/IPSec protocol and the use of certificates.
- PPTP clients and servers can be placed behind a network address translator (NAT) if the NAT has the appropriate editor for PPTP traffic. L2TP/IPSec clients or servers basically cannot be placed behind a NAT unless both support IPSec NAT traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003.


Chapter 3

ENCRYPTION AND AUTHENTICATION IN VPN

Today computer networks have become widespread and an indispensable component for each of us as well as for nations. As applications and services on computer networks such as e-mail, messaging, e-commerce and e-government become common, convenient and important, the demand for network safety and for the security of data on the network becomes ever more pressing and necessary. Interpol warns of dangers to computer networks such as:

- Unauthorized access and theft of information.
- Modification of computer data.
- Unauthorized copying.
- Paralyzing computer networks.
- Other attacks.

Therefore information on the network, whether in transit or in storage, needs to be protected: either the information must be kept secret, or it must allow people to verify, and trust, that it has not been modified from its original form and that it really comes from the sender; moreover, that trust must be backed by law. Many countries around the world are therefore very concerned about this problem, and scientists have researched and produced ever better encryption algorithms for securing information, to avoid the risk of leaking or losing information for users, businesses and nations when transacting and exchanging information over the global Internet.

In applying virtual private network technology, encryption algorithms are applied in each protocol layer, where the user chooses how to encrypt information with an encryption algorithm such as DES or 3-DES.

1. Encryption in VPN.

1.1 The DES encryption algorithm

The DES encryption algorithm was developed by IBM in the 1970s and then adopted by the US National Bureau of Standards (today NIST) on 15-5-1973. DES became the official data encryption standard for the US Government in 1977 and became the most widely used cipher in the world.


    Thut ton m ho DES c th tho mn cc yu cu sau: Thut ton phi c an ton cao. Thut ton phi c nh ngha y v hon ton d hiu. an ton phi nm kha, khng ph thuc vo tnh b mt ca

    thut ton. Thut ton phi sn sng cung cp cho mi ngi dng. Thut ton phi thch nghic vi vic dng cho cc ng dng

    khc nhau. Thut ton phi c ci t c mt cch tit kim trong cc

    thit b in t. Thut ton khi s dng phi pht huy ti a hiu qu . Thut ton phi c kh nng hp thc ho. Thut ton phi c tnh thng mi.

1.1.1 Description of DES

A complete description of DES is given in Federal Information Processing Standard 46 (FIPS PUB 46) of 15 January 1977. DES encrypts a 64-bit plaintext bit string x under a 56-bit key K and produces a ciphertext y that is again a 64-bit string.

Figure 37: Overview of DES

$|x| = 64$; $|y| = 64$; $|K| = 56$. The DES algorithm has three stages:

1. From the plaintext x, compute $x_0$ by permuting the bits of x with the fixed initial permutation IP: $x_0 = IP(x) = L_0 R_0$, where $L_0$ is the first 32 bits of $x_0$ and $R_0$ the remaining 32 bits.

2. Iterate 16 rounds. For $1 \le i \le 16$: $L_i = R_{i-1}$; $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$.


Here $\oplus$ denotes the bitwise exclusive-or of two bit strings, f is a function (it need not be invertible; the Feistel structure itself supplies decryption, by running the same rounds with the round keys in reverse order), and the $k_i$ are 48-bit round keys derived from the key K by a separate key schedule.

Figure 38: One round of DES. Inputs $L_{i-1}$ and $R_{i-1}$; $R_{i-1}$ and the round key $k_i$ enter f, whose output is XORed (+) with $L_{i-1}$; outputs $L_i$ and $R_i$.

3. The ciphertext y is obtained by applying the inverse permutation $IP^{-1}$ to $R_{16} L_{16}$; note that the positions of $L_{16}$ and $R_{16}$ are swapped: $y = IP^{-1}(R_{16} L_{16})$.

Modes of operation of DES: the input of DES is only 8 bytes, whereas the text to be encrypted can be far longer, several kilobytes for instance. To handle this, four modes of operation were defined for DES: Electronic Codebook (ECB), Cipher Feedback (CFB), Cipher Block Chaining (CBC) and Output Feedback (OFB). ECB encrypts each block independently and therefore reveals which plaintext blocks are equal; the other three modes hide this, but require an unpredictable (CBC) or at least unique (CFB, OFB) initialisation vector per message.

1.1.2 Advantages and disadvantages of DES

- Advantage: DES encrypts data very fast, since it was designed for hardware implementation.
- Disadvantage: the key space of DES, $2^{56}$ keys, is too small to be secure, so special-purpose machines can recover the key by exhaustive search very quickly (the EFF's "Deep Crack" machine did so in 1998 in under three days).

1.1.3 Practical applications of DES

One important application of DES was in banking transactions, following standards developed by the American Bankers Association. DES was used to encrypt personal identification numbers (PINs) and the account data handled by automated teller machines (ATMs).

1.2 The 3DES encryption algorithm

3DES is a variant of DES introduced because, as noted above, DES has a serious weakness: its key can be found by special-purpose key-search machines.

1.2.1 Description of 3DES

3DES uses three 64-bit keys, so the full key material is 192 bits. When encrypting we simply supply the whole 192-bit key and it is split into the three individual keys. Since 8 bits of every 64-bit DES key are parity bits, only 3 x 56 = 168 bits actually enter the cipher.

Figure 39: 3DES. The plaintext passes through three DES stages keyed with Key 1, Key 2 and Key 3 to produce the ciphertext.

The encryption procedure is the same as DES but is applied three times, i.e. three DES operations. The data is encrypted with the first key, decrypted with the second key, and encrypted again with the third key (the EDE construction) to obtain the final ciphertext. Choosing all three keys equal makes 3DES collapse to a single DES encryption, which is how backward compatibility with DES is obtained. Modes of operation of 3DES:

- Triple ECB (Triple Electronic Codebook)
- Triple CBC (Triple Cipher Block Chaining)
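The following is an added example, not code from the thesis: a toy Feistel cipher with the shape the text gives for DES in Section 1.1.1 (64-bit block, 56-bit key, 16 rounds, 48-bit round keys, final swap, decryption by reversing the round keys), the parity-bit stripping that turns 192 bits of 3DES key material into 168 effective bits, the EDE composition described above, and ECB versus CBC from Section 1.1.1. The round function f and the key schedule are hash-based stand-ins chosen for brevity, so this is not DES and must never be used for real encryption; the keys and sample text are constructed.

```python
# Added example (not from the thesis): toy Feistel cipher in the shape of DES,
# 3DES-style EDE, and ECB vs CBC. f and the key schedule are stand-ins; NOT DES.
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 16


def round_keys(key56: int) -> list:
    """Stand-in key schedule: 16 round keys k_i of 48 bits from a 56-bit key."""
    assert 0 <= key56 < (1 << 56), "key must be 56 bits"
    keys = []
    for i in range(1, ROUNDS + 1):
        digest = hashlib.sha256(key56.to_bytes(7, "big") + bytes([i])).digest()
        keys.append(int.from_bytes(digest[:6], "big"))
    return keys


def f(r32: int, k48: int) -> int:
    """Round function f(R_{i-1}, k_i): 32-bit half plus 48-bit round key -> 32 bits.
    It is not invertible; the Feistel structure alone provides decryption."""
    digest = hashlib.sha256(r32.to_bytes(4, "big") + k48.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block64: int, keys: list) -> int:
    """L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, k_i) for 16 rounds, output R16 L16.
    (IP and IP^-1 are omitted: they are fixed bit permutations with no effect on security.)"""
    left, right = block64 >> 32, block64 & MASK32
    for k in keys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left        # the final swap the text points out


def encrypt_block(block64: int, key56: int) -> int:
    return feistel(block64, round_keys(key56))


def decrypt_block(block64: int, key56: int) -> int:
    # The same rounds with the round keys in reverse order undo encryption.
    return feistel(block64, round_keys(key56)[::-1])


def strip_parity(key64: bytes) -> int:
    """A DES key is 64 bits on the wire, but the low bit of every byte is parity,
    so only 56 bits enter the cipher: three keys give 168, not 192, bits."""
    assert len(key64) == 8
    key56 = 0
    for byte in key64:
        key56 = (key56 << 7) | (byte >> 1)
    return key56


def ede3_encrypt(block64: int, k1: int, k2: int, k3: int) -> int:
    """3DES-style EDE: encrypt with k1, decrypt with k2, encrypt with k3."""
    return encrypt_block(decrypt_block(encrypt_block(block64, k1), k2), k3)


def ede3_decrypt(block64: int, k1: int, k2: int, k3: int) -> int:
    return decrypt_block(encrypt_block(decrypt_block(block64, k3), k2), k1)


def ecb_encrypt(data: bytes, key56: int) -> bytes:
    """ECB: every 8-byte block is encrypted on its own, so equal plaintext
    blocks give equal ciphertext blocks."""
    assert len(data) % 8 == 0, "no padding in this toy"
    out = bytearray()
    for i in range(0, len(data), 8):
        out += encrypt_block(int.from_bytes(data[i:i + 8], "big"), key56).to_bytes(8, "big")
    return bytes(out)


def cbc_encrypt(data: bytes, key56: int, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for
    the first) before encryption, which hides repeats. The IV must be unpredictable."""
    assert len(data) % 8 == 0 and len(iv) == 8
    prev = int.from_bytes(iv, "big")
    out = bytearray()
    for i in range(0, len(data), 8):
        prev = encrypt_block(int.from_bytes(data[i:i + 8], "big") ^ prev, key56)
        out += prev.to_bytes(8, "big")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: two identical 16-byte halves; key bytes chosen arbitrarily.
    k1, k2, k3 = (strip_parity(bytes([b]) * 8) for b in (0x13, 0x57, 0x9B))
    sample = b"ATTACK AT DAWN!!" * 2
    ecb = ecb_encrypt(sample, k1)
    cbc = cbc_encrypt(sample, k1, bytes.fromhex("0011223344556677"))
    print("ECB repeats block 0 at block 2:", ecb[0:8] == ecb[16:24])
    print("CBC repeats block 0 at block 2:", cbc[0:8] == cbc[16:24])
    x = 0x0123456789ABCDEF
    print("EDE with k1=k2=k3 equals single encryption:",
          ede3_encrypt(x, k1, k1, k1) == encrypt_block(x, k1))
    print("EDE round trip:", ede3_decrypt(ede3_encrypt(x, k1, k2, k3), k1, k2, k3) == x)
```

Running the script shows the two properties the text relies on: ECB reproduces the repeated plaintext block in the ciphertext while CBC does not, and EDE with three equal keys is just one encryption. The 64-bit block size is the same in the toy as in DES and 3DES, which is why the birthday-bound problem mentioned in Section 1.2.2 applies to both.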


1.2.2 Advantages and disadvantages of 3DES

- Advantage: unlike DES, 3DES applies DES three times with a 168-bit key space, so it is far more secure than DES. (Against a meet-in-the-middle attack its effective strength is about 112 bits, which is the security NIST credits three-key 3DES with.)

- Disadvantage: because 3DES runs DES three times it is much slower than DES. Software implementations are slow for digital images and other high-rate data, and the 64-bit block size remains a weakness at 21st-century data rates: after about $2^{32}$ blocks under one key, CBC-mode block collisions start to leak plaintext (the Sweet32 attack, CVE-2016-2183). NIST has deprecated 3DES and disallows it for encryption after 2023; new VPN deployments should use AES.

1.3 Hash functions (Secure Hash Algorithm)

Ordinary signature schemes can only sign short messages. With the Digital Signature Standard (DSS), for example, a 160-bit document is signed with a 320-bit signature. In practice we need to sign far longer documents (a legal document can run to many megabytes).

The solution is a fast public hash function. From a document of arbitrary length it produces a digest of fixed size (160 bits when DSS is used), and it is this digest (the output of the hash function) that is signed. With DSS the flow is: message m of arbitrary length; compute the message digest $z = h(m)$, 160 bits; sign z. The hash must be collision resistant, otherwise an attacker who finds $m' \ne m$ with $h(m') = h(m)$ obtains a valid signature on $m'$ for free; the 160-bit SHA-1 used with the original DSS is collision-broken today, so SHA-256 or stronger is required.

When B wants to sign a message m, B first computes a digest z of the document with the hash function h and then uses his private key to produce the signature $s = Sig_K(z)$, where $Sig_K$ is the RSA private-key operation of B. B then sends the pair (m, s) to A. To verify, A first recomputes the digest of the document with h, $z = h(m)$, and then checks whether $Ver_K(m, s)$ is true, i.e. whether applying B's public key to s yields z.

1.4 The RSA algorithm

RSA is the most popular and most versatile public-key cryptosystem in practice. Invented by Rivest, Shamir and Adleman, it is regarded as the reference system among public-key cryptosystems.

RSA rests on the hardness of factoring large numbers into primes: given two primes, multiplying them to obtain a composite number is easy, whereas given the composite number, splitting it back into its prime factors is very hard and practically infeasible when the two primes are large.

Let n be the product of two distinct large primes p and q, $n = pq$ (n itself is composite, not prime). Choose an integer a coprime to $\phi(n) = (p-1)(q-1)$ and compute $b = a^{-1} \bmod \phi(n)$, i.e. $ab \equiv 1 \pmod{\phi(n)}$.

The RSA system is described as follows. Take $n = pq$ with p and q prime. Let $P = C = \mathbb{Z}_n$ and

$K = \{(n, b, a) : ab \equiv 1 \pmod{\phi(n)}\}$,

where (n, b) is the public key and a is the private key. For $K = (K', K'')$ with $K' = (n, b)$ and $K'' = a$ we define

$e_K(x) = x^b \bmod n$, $d_K(y) = y^a \bmod n$, for $x, y \in \mathbb{Z}_n$.

For every $x \in \mathbb{Z}_n^*$ (that is, $x \in \mathbb{Z}_n$ with $\gcd(x, n) = 1$) we have, writing $ab = t\phi(n) + 1$ for some integer t and using Euler's theorem,

$d_K(e_K(x)) = (x^b)^a = x^{ab} = x^{t\phi(n)+1} \equiv x \pmod n$.

For $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$ the same identity still holds, because then either p divides x and x is coprime to q, or q divides x and x is coprime to p (or $x = 0$). In either case

$x^{t\phi(n)+1} \equiv x \pmod p$ and $x^{t\phi(n)+1} \equiv x \pmod q$,

and since p and q are distinct primes it follows that $x^{t\phi(n)+1} \equiv x \pmod n$.

Note that this "textbook" RSA is deterministic and malleable, so in practice x is never raw data: encryption uses a padding scheme such as OAEP, signatures use PSS, and n must be at least 2048 bits.
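The following is an added example, not code from the thesis, covering both the hash-then-sign flow of Section 1.3 and the RSA system of Section 1.4 in the text's notation: public key (n, b), private key a with $ab \equiv 1 \pmod{\phi(n)}$, $e_K(x) = x^b \bmod n$, $d_K(y) = y^a \bmod n$, $z = h(m)$, $s = Sig_K(z)$ and $Ver_K(m, s)$. The primes used are constructed and tiny, SHA-256 stands in for the 160-bit hash the text mentions, and there is no padding, so this shows the arithmetic only and is not usable as a real implementation.

```python
# Added example (not from the thesis): textbook RSA plus hash-then-sign in the
# text's notation. Constructed small primes, no padding: for illustration only.
import hashlib
from math import gcd


def egcd(x: int, y: int):
    """Extended Euclid: returns (g, u, v) with u*x + v*y = g = gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    g, u, v = egcd(y, x % y)
    return g, v, u - (x // y) * v


def modinv(x: int, m: int) -> int:
    g, u, _ = egcd(x, m)
    if g != 1:
        raise ValueError("x has no inverse modulo m")
    return u % m


def keygen(p: int, q: int, b: int):
    """n = p*q, phi(n) = (p-1)(q-1); b must be coprime to phi(n); a = b^-1 mod phi(n).
    The text picks a first and derives b; the relation a*b = 1 mod phi(n) is the
    same either way. Returns (public key (n, b), private key a)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(b, phi) != 1:
        raise ValueError("b is not coprime to phi(n)")
    return (n, b), modinv(b, phi)


def e_K(x: int, pub) -> int:
    n, b = pub
    return pow(x, b, n)


def d_K(y: int, a: int, n: int) -> int:
    return pow(y, a, n)


def h(m: bytes, n: int) -> int:
    """Message digest z = h(m) reduced into Z_n. SHA-256 stands in for the 160-bit
    SHA-1 that DSS used; SHA-1 is collision-broken and must not be used."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def sign(m: bytes, a: int, n: int) -> int:
    """s = Sig_K(z) with z = h(m): the private-key operation on the digest."""
    return d_K(h(m, n), a, n)


def verify(m: bytes, s: int, pub) -> bool:
    """Ver_K(m, s): recompute z = h(m) and check that the public-key operation
    on s gives it back. An altered m changes z and fails."""
    return e_K(s, pub) == h(m, pub[0])


if __name__ == "__main__":
    # Constructed demonstration primes 2^31-1 and 2^32-5 (far too small for real use).
    pub, priv = keygen(2147483647, 4294967291, 65537)
    n = pub[0]
    x = 123456789
    print("d_K(e_K(x)) == x:", d_K(e_K(x, pub), priv, n) == x)
    print("also for x = p (not coprime to n):", d_K(e_K(2147483647, pub), priv, n) == 2147483647)
    msg = b"transfer 100 to account 42"
    s = sign(msg, priv, n)
    print("verify original:", verify(msg, s, pub))
    print("verify altered :", verify(b"transfer 900 to account 42", s, pub))
```

The second printed line exercises the case the text treats separately, $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$: a plaintext divisible by p still decrypts correctly. With the classic textbook parameters p = 61, q = 53, b = 17 the function returns a = 2753 and encrypts 65 to 2790, which can be checked by hand.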

2 Authentication in VPN

Authentication is a structural component of VPN security. We may have a trustworthy system that identifies networks, users and network services, but that alone does not make the system secure: without it we cannot control access to the corporate network's resources by illegitimate users. The measure that lets us control and block illegitimate users attempting to access the system is therefore authentication.

Figure 40: Authentication scenario

Authentication relies on one of three factors:
- Something you have: a key or a token.
- Something you know: a password.
- Something you are: voice or retina scan.
A user can authenticate with:

- Password
- One-time password (S/Key)
- USB iKey
- Smart card
- PKI certificate

These are single-factor methods, however, and on their own they are not strong enough to protect systems; security experts therefore recommend strong authentication, which combines two of the above factors.

The variety of VPN systems available today reflects the different authentication methods and combinations of them. Besides the single-factor methods, a VPN also uses protocol-based authentication. Authentication protocols:

- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Extensible Authentication Protocol (EAP)
- Remote Authentication Dial-In User Service (RADIUS)

Authentication servers:
- RADIUS
- Kerberos
- LDAP
- NT domain
- Solaris Pluggable Authentication Modules (PAM)
- Novell Directory Services (NDS)

2.1 Password Authentication Protocol (PAP)

PAP was originally designed so that one computer can authenticate another over the Point-to-Point Protocol (PPP) used as the transport. PAP authentication takes place at the start of a PPP link: when a remote client connects to the corporate network it sends its ID (user name) and password to the network, and the network access server (NAS) checks them and decides whether the client may reach the corporate resources.


PAP is neither secure nor trustworthy, however, because the credentials cross the link in cleartext: on a public network such as the Internet an attacker who can sniff the traffic reads the user name and password directly and can use them to log in to the system.

2.2 Challenge Handshake Authentication Protocol (CHAP)

CHAP is designed along similar lines to PAP but is considerably more secure. Like PAP, CHAP is used at the start of a PPP link, and it can also be repeated periodically after the link is established. The authenticator sends a random challenge, the peer replies with a one-way hash (MD5) of its identifier, the shared secret and the challenge, and the authenticator compares that value with its own computation; the secret itself never crosses the link and a captured response is useless against a fresh challenge. Two caveats remain: the authenticator must keep the secret in recoverable (cleartext) form, and an eavesdropper who captures a challenge/response pair can run an offline dictionary attack against a weak secret.
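The following is an added example, not code from the thesis, showing what actually crosses the PPP link under PAP (RFC 1334) and under CHAP (RFC 1994): the PAP Authenticate-Request carries the password as-is, while the CHAP response is MD5(Identifier || secret || Challenge), which is tied to one challenge and so cannot be replayed, but can be attacked offline if the secret is guessable. The peer name, the shared secret, the challenge bytes and the wordlist are constructed for the demonstration.

```python
# Added example (not from the thesis): PAP vs CHAP on the wire.
import hashlib
import hmac
import os


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Code 1, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. The password travels as-is."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + body


def chap_challenge(size: int = 16) -> bytes:
    """The authenticator picks a fresh random challenge for every exchange."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer computes MD5(Identifier || secret || Challenge) (RFC 1994 section 2.2).
    Only this 16-byte value is sent; the secret never leaves the host."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the hash from its own copy of the secret,
    which is why CHAP needs the secret stored in recoverable form."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)   # constant-time comparison


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist) -> bytes:
    """What a sniffer can do with one captured challenge/response pair: try
    candidate secrets offline, with no further contact with the NAS.
    Returns the recovered secret, or b'' if no candidate matches."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return b""


if __name__ == "__main__":
    secret = b"correct horse"                    # constructed shared secret
    pap = pap_authenticate_request(1, b"alice", secret)
    print("PAP packet carries the password in clear:", secret in pap)

    c1 = chap_challenge()
    r1 = chap_response(7, secret, c1)
    print("CHAP response accepted:", chap_verify(7, secret, c1, r1))
    print("secret visible in the response:", secret in r1)

    c2 = chap_challenge()                        # next session, new challenge
    print("replay of the old response accepted:", chap_verify(7, secret, c2, r1))

    found = chap_offline_guess(7, c1, r1, [b"password", b"correct horse", b"letmein"])
    print("weak secret recovered offline from the capture:", found == secret)
```

The last line is the practical reason CHAP on its own is still not considered strong: the only thing protecting a sniffed exchange is the entropy of the secret, which is why VPN deployments pair it with a second factor or move to EAP methods that run inside a protected tunnel.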

3 Firewalls

3.1 The firewall concept

The term firewall comes from a building-construction technique for stopping or limiting the spread of fire.

In networking, a firewall is a mechanism built into the network in order to:
- Block and restrict unauthorised access, protecting resources and data.
- Forbid access from the inside (intranet) to certain addresses on the Internet.
A firewall can also be understood as a mechanism protecting a trusted network from untrusted networks such as the public Internet. It is normally placed between the trusted internal network, such as the intranet of a company or organisation, and the untrusted network, such as the Internet.

Figure 41: Firewall model


Functions of a firewall: it controls the traffic flowing in and out between the trusted network (intranet) and the untrusted network (Internet), enforcing controls such as:
- Allow or deny services accessed from the trusted network towards the untrusted network (intranet to Internet).
- Allow or deny services accessed from the untrusted network into the trusted network.
- Monitor and control data flows between the Internet and the intranet.
- Control which addresses may access the network and which are barred.
- Control users and their access.

3.2 Components of a firewall

Firewalls can be classified into three basic kinds:
- Packet filters
- Proxy servers, comprising
  1. Application gateways
  2. Circuit-level gateways
- Stateful packet filters

Figure 42

For the most effective firewall, these components should be used in combination.

3.2.1 Packet filtering router


Figure 43

When data flows between networks through a firewall, the firewall works closely with the TCP/IP protocol suite.

Principle: the packet filter permits or drops each packet it receives. It examines the packet's header fields to decide whether the packet satisfies one of the filter rules. The rules are based on the information in the packet header that is used to forward the packet on the network, namely:
- IP source address
- IP destination address
- Transport protocol (TCP, UDP, ICMP, IP tunnel)
- Source TCP/UDP port
- Destination TCP/UDP port
- ICMP message type
- Incoming interface of the packet
- Outgoing interface of the packet

If a filter rule that permits the packet is satisfied, the packet is passed through the firewall; otherwise it is dropped. Rules are evaluated in order and the first match decides, so their order matters, and the safe final rule is a default deny. In this way the firewall can block connections to specific hosts or networks, or block access to the internal network from disallowed addresses. Moreover, control over ports lets the firewall permit only certain kinds of connection to certain hosts, or allow only the permitted services (Telnet, SMTP, FTP, ...) to run on the local network.
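The following is an added example, not code from the thesis: a first-match packet filter over the header fields listed above with a default deny, beside a stateful variant of the kind listed in Section 3.2, so that the difference shows on the same rule set. The classic stateless way to admit return traffic is a rule that permits inbound TCP segments with the ACK bit set to high ports ("established"); the example shows that an attacker's probe carrying only an ACK bit passes that rule, while the stateful filter admits inbound packets only as replies to connections the inside actually opened. The addresses, ports, interface names ("int", "ext") and sample packets are constructed.

```python
# Added example (not from the thesis): stateless first-match filter vs stateful filter.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: frozenset    # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}
    iface: str          # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = (0, 65535)               # inclusive destination-port range
    iface: str = "any"
    needs_flags: frozenset = frozenset()     # all of these flags must be set

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dports[0] <= p.dport <= self.dports[1]
                and self.iface in ("any", p.iface)
                and self.needs_flags <= p.flags)


class StatelessFilter:
    """Each packet is judged on its header alone: the first matching rule wins,
    and anything unmatched is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same rules, but inbound packets are admitted as replies only for TCP
    connections the inside opened, so a stray packet that merely carries the
    ACK bit no longer slips through the "established" rule."""

    def __init__(self, rules, inside_iface: str):
        super().__init__(rules)
        self.inside_iface = inside_iface
        self.table = set()   # (proto, inside ip, inside port, outside ip, outside port)

    def decide(self, p: Packet) -> str:
        if p.iface == self.inside_iface:
            verdict = super().decide(p)
            if verdict == "permit" and p.proto == "tcp" and p.flags == {"SYN"}:
                self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return verdict
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return "permit"                  # reply to a tracked connection
        # Not a known reply: apply the rules without trusting the flag bits.
        return super().decide(Packet(p.src, p.dst, p.proto, p.sport, p.dport, frozenset(), p.iface))


RULES = [
    Rule("deny", src="10.0.0.0/8", iface="ext"),                                   # anti-spoofing
    Rule("permit", dst="10.0.0.25/32", proto="tcp", dports=(25, 25), iface="ext"),  # SMTP in
    Rule("permit", proto="tcp", dports=(1024, 65535), iface="ext",
         needs_flags=frozenset({"ACK"})),                                          # "established"
    Rule("permit", src="10.0.0.0/8", iface="int"),                                 # anything out
]

# Constructed sample packets.
SAMPLES = [
    ("out", Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, frozenset({"SYN"}), "int")),
    ("reply", Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, frozenset({"SYN", "ACK"}), "ext")),
    ("ack_probe", Packet("203.0.113.66", "10.0.0.5", "tcp", 80, 40001, frozenset({"ACK"}), "ext")),
    ("smtp", Packet("198.51.100.7", "10.0.0.25", "tcp", 5555, 25, frozenset({"SYN"}), "ext")),
    ("telnet", Packet("198.51.100.7", "10.0.0.5", "tcp", 5555, 23, frozenset({"SYN"}), "ext")),
    ("spoof", Packet("10.0.0.9", "10.0.0.5", "tcp", 5555, 22, frozenset({"SYN"}), "ext")),
]


def run_stateless() -> dict:
    fw = StatelessFilter(RULES)
    return {name: fw.decide(p) for name, p in SAMPLES}


def run_stateful() -> dict:
    fw = StatefulFilter(RULES, inside_iface="int")
    return {name: fw.decide(p) for name, p in SAMPLES}


if __name__ == "__main__":
    print("stateless:", run_stateless())
    print("stateful: ", run_stateful())
```

Both filters agree on every packet except `ack_probe`: the stateless filter has no way to tell a genuine reply from an unsolicited segment with the ACK bit set, which is exactly the kind of header-only weakness the limitations below describe, and the reason stateful inspection displaced plain packet filtering.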

Advantages


Most firewall systems use packet filtering. One advantage of packet filtering is its low cost, since the filtering mechanism is already included in every router's software. Packet filtering is also transparent to users and applications, so it requires no special training.

Limitations

Defining the filtering rules is fairly complex: the administrator needs detailed knowledge of Internet services, packet header formats and the specific values each field can take. As the filtering requirements grow, the rule sets become long and complex, and hard to manage and control.

Because it works on packet headers, a packet filter obviously cannot inspect the content of the packets. Packets that pass may still carry data intended to steal information or do damage.

3.2.2 Application-level gateway

Figure 44

Principle:


This kind of firewall is designed to strengthen control over which services and protocols may access the network. It operates through proxy services: special pieces of code installed on the gateway for each application. If the administrator does not install proxy code for an application, the corresponding service is not provided and therefore cannot pass through the firewall. Proxy code can also be configured to support only those features of an application that the administrator considers acceptable, while refusing the others.

An application gateway is often regarded as a bastion host, because it is specifically designed to withstand attack from outside. The security measures of a bastion host are:

- The bastion host always runs secure versions of the system software, designed to resist attacks on the operating system and to integrate with the firewall.
- Only the services the administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Typically only a limited set of applications for Telnet, DNS, FTP, SMTP and user authentication is installed.
- The bastion host may require several levels of authentication, e.g. user name, password or smart card.
- Each proxy is configured to allow access only to certain hosts, so the command set and features of each proxy apply only to a subset of the hosts on the system.
- Each proxy keeps a log recording full details of the traffic through it, every connection and its duration. This log is very useful for tracing and blocking attackers.
- Each proxy is independent of the other proxies on the bastion host, which makes it easy to install a new proxy or remove one that has a problem.

Advantages:

The administrator has full control over each service on the network, because the proxy restricts the command set and decides which hosts the service may reach.


The administrator has full control over which services are allowed, since the absence of a proxy for a service means that service is blocked.

An application gateway supports thorough authentication checks and keeps logs of system access.

Filtering rules for an application gateway are easier to configure and check than those of a packet filter.

Limitations:

Users must change their working habits or install modified client software to reach services through the proxy. For example, Telnet through an application gateway requires two steps to connect to the target host instead of one. Some client software, however, makes the application gateway transparent by letting the user name the target host rather than the gateway in Telnet.

3.2.3 Circuit-level gateway

Figure 45

Principle:


A circuit-level gateway is a specialised function that an application gateway can perform. It simply relays TCP connections and does no processing or filtering of packets.

It works like a wire, copying bytes between the inside connection and the outside connection. Because the connection appears to originate from the firewall, it hides information about the internal network.

Circuit-level gateways are usually used for outbound connections, where the administrator really trusts the internal users. The great advantage is that a bastion host can be configured as a hybrid, providing application gateways for inbound connections and a circuit-level gateway for outbound ones. This makes the firewall easy to use for internal users who want direct access to Internet services, while still protecting the internal network from outside attack.

3.3 Limitations of firewalls

A firewall is not intelligent enough to understand every kind of information and judge whether its content is good or bad. It can only block unwanted sources, and only when their address parameters are explicitly specified.

A firewall cannot stop an attack that does not pass through it. Concretely, it cannot defend against an attack arriving over a dial-up line, or against information leakage through data illicitly copied to a floppy disk.

Nor can a firewall stop data-driven attacks, in which a program is carried past the firewall by e-mail into the protected network and starts running there.

Computer viruses are one example. A firewall cannot scan for viruses in the data passing through it, because of the throughput required, the constant appearance of new viruses and the many ways data can be encoded to escape the firewall's checks. Nevertheless, the firewall remains an effective and widely used solution.

3.4 Establishing a firewall policy


The policy is announced in advance so that network managers and users know what they may do, and which web sites they may or may not reach.

Some points to note when setting a basic firewall policy:
- Block all inbound and outbound traffic, then allow only a selected subset through. All traffic entering or leaving the network must pass through the firewall to be inspected and filtered.
- Do not use the firewall as a general-purpose file store or for running programs.
- Do not let passwords or internal network addresses pass out through the firewall.
- If the network must offer services to the Internet, place those services outside the firewall.
- Keep copies of the important data of public services by building stand-by servers.

3.5 Some firewall types

- Packet-filtering firewall
- Dual-homed gateway firewall
- Screened host firewall

Figure 46

Packet-filtering firewall. Advantages:
- High speed


- Adapts easily to newly appearing services
- Low cost, simple configuration and administration
- Transparent to users

Limitations:

It has all the limitations of a packet-filtering router: it is vulnerable to attacks on filters whose configuration is imperfect, or to attacks aimed at permitted services (e.g. IP address spoofing).

Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the permitted hosts and services. Consequently every host allowed direct access to the Internet needs a robust authentication system, and the administrator must regularly check for signs of attack.

Some packet filters do not fail safe: when the packet inspection mechanism stops working, these systems behave as a plain router and forward all connections between the internal and external networks, so every internal system can be attacked.

3.5.1 Screened host firewall

This system consists of a packet-filtering router and a bastion host. It provides higher security than the previous one because it enforces security at both the network layer and the application layer, and an attacker must breach both layers to reach the internal network.

Figure 47: Screened host firewall


Figure 48

3.5.2 Screened-subnet firewall

Figure 49

This system consists of two packet-filtering routers and a bastion host. It has the highest security because it provides security at both the network and application layers while defining a demilitarised zone (DMZ). The DMZ is a small isolated network placed between the public Internet and the internal network. Basically, the DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems in the DMZ, and direct traffic across the DMZ is impossible. For inbound traffic, the outer router defends against attacks such as IP address spoofing and controls access to the DMZ; it allows outside parties to reach only the bastion host.


The inner router provides a second layer of protection by controlling access from the DMZ into the internal network, allowing only communications that originate from the bastion host.

For outbound traffic, the inner router controls access from the internal network to the DMZ: it allows internal systems to reach only the bastion host and possibly the information server. The filtering rules on the outer router enforce use of the proxy service by allowing outbound traffic only if it originates from the bastion host.

Advantages:
- An attacker must break through three layers of protection: the outer router, the bastion host and the inner router.
- Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet through routing tables and DNS information exchange.
- Because the inner router advertises only the DMZ network to the internal network, internal systems cannot reach the Internet directly. This guarantees that internal users must go through the proxy service to reach the Internet.

3.6 Combining a firewall with a VPN

As we have seen, a firewall is a device comprising hardware and software placed between a trusted network that needs protection and an untrusted outside network such as the public Internet, to protect a company's or corporation's VPN from the dangers arising from untrusted networks and from illegitimate users attempting to access the network and exploit its information resources.

Figure 50: Using a firewall to control access between two networks


All data exchanges and access requests between the two networks must pass through the firewall.

A VPN provides secure sessions over the public Internet infrastructure, so it reduces the cost of building network infrastructure and the cost of remote access by using the public Internet, which is shared by many users. VPN technology lets companies build intranets connecting headquarters, branches and offices to the corporate network. A VPN combined with a firewall provides more comprehensive protection for an organisation.

Figure 51: Combined firewall and VPN model

Access to corporate resources is controlled by the firewall, which establishes trust between the user and the network. But data travelling between the user and the corporate network still faces risks such as leakage, theft or alteration by illegitimate users while it crosses the public Internet. The VPN is created to provide private, secure data transport between the two network locations. The combination of the two technologies, firewall and VPN, is therefore an optimal and effective solution with a high level of information security.


Chapter 4

CONFIGURING VPN ON CISCO DEVICES

This chapter explains the basic tasks for configuring IP-based site-to-site and extranet Virtual Private Networks (VPNs) on a Cisco IOS VPN gateway using Generic Routing Encapsulation (GRE) and IPsec tunnelling protocols. Basic security, Network Address Translation (NAT), encryption, and basic extended access lists for traffic filtering are configured.

1. Site-to-site VPN and extranet VPN models

1.1 Site-to-site VPN scenario

Figure 52

1.1.1 Physical address components of the site-to-site VPN model

Figure 53


1.1.2 Detailed address table for the site-to-site VPN model

2.1 Extranet scenario

Figure 54


2.1.1 Physical address components of the extranet VPN model

Figure 55

2.1.2 Detailed address table for the extranet VPN model


2 Configuring the tunnel

Tunnelling provides a way to encapsulate packets inside a transport protocol. Tunnelling is implemented as a virtual interface that provides a simple interface for configuration. The tunnel interface is not tied to specific passenger or transport protocols; rather, it is an architecture designed to provide the services needed to implement any standard point-to-point encapsulation scheme. Because tunnels are point-to-point links, you must configure a separate tunnel for each link.

Tunnelling has three main components:
- Passenger protocol: the protocol being encapsulated (AppleTalk, Banyan VINES, Connectionless Network Service [CLNS], DECnet, IP, or Internetwork Packet Exchange [IPX]).
- Carrier protocol, such as Generic Routing Encapsulation (GRE) or IPsec.
- Transport protocol, such as IP: the protocol used to carry the encapsulated protocol.
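The following is an added example, not code from the thesis, which builds and unpacks a GRE tunnel packet by hand so the three components are concrete: the passenger is an IPv4/UDP datagram between private addresses, the carrier is the 4-byte GRE header (RFC 2784, protocol type 0x0800), and the transport is an outer IPv4 header with protocol number 47 between the tunnel endpoints. All addresses and the payload are constructed. It also makes the security point that motivates the chapter's IPsec and access-list configuration: plain GRE has no authentication or encryption, so anyone who can deliver an IP packet to the tunnel endpoint can inject a passenger packet carrying internal addresses.

```python
# Added example (not from the thesis): GRE-over-IPv4 encapsulation and decapsulation.
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum.
    Over a header that already carries a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def passenger_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Passenger protocol: an ordinary IPv4 datagram carrying UDP
    (UDP checksum left 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier: GRE header (flags/version 0, protocol type 0x0800) prepended to the
    passenger, inside the transport: an outer IPv4 header with protocol 47
    addressed between the tunnel endpoints."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(outer: bytes) -> bytes:
    """Tunnel endpoint: validate the outer header, strip it and GRE, return the passenger.
    Nothing here proves who sent the packet: GRE alone carries no authentication."""
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(IPV4_FMT, outer[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_GRE:
        raise ValueError("not an IPv4/GRE packet")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    flags_ver, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:total_len]


def inner_addresses(inner: bytes):
    """Source and destination of the passenger packet: private addresses the
    transport network never routes on, which is the whole point of the tunnel."""
    return str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))


if __name__ == "__main__":
    inner = passenger_packet("10.1.1.5", "10.2.2.7", 40000, 53, b"constructed payload")
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    print("outer protocol:", outer[9], "tunnel overhead bytes:", len(outer) - len(inner))
    print("passenger addresses after decapsulation:", inner_addresses(gre_decapsulate(outer)))
```

The overhead is 24 bytes (20 outer IPv4 + 4 GRE), which is why a GRE tunnel interface needs its MTU lowered below the physical interface's. The inner addresses survive untouched across the public transport; protecting them from eavesdropping and from injection is the job of the IPsec configuration that follows, not of GRE.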

Figure 56: Tunnelling terms and concepts

This section covers the following topics: Configuring a G