
1. IPSEC
1.1. Overview of IPsec
The term IPSec is an abbreviation of Internet Protocol Security. It refers to a set of protocols (AH, ESP and others, together with related standards such as FIPS 140-1 for cryptographic modules) whose protocols were developed by the Internet Engineering Task Force (IETF). The main purpose of developing IPSec is to provide a security mechanism at layer 3 (the Network layer) of the OSI model, as shown in Figure 1.1:

Figure 1.1: Position of IPsec in the OSI model
Every communication in an IP-based network relies on the IP protocol. Therefore, when a strong security mechanism is integrated with IP, the whole network is secured, because all communication passes through layer 3. (This is why IPSec was developed as a layer 3 protocol rather than a layer 2 one.) IPSec VPNs use the services defined in IPSec to ensure the integrity, consistency, confidentiality and authenticity of data transmitted over a public network infrastructure. Moreover, with IPSec all applications running at the application layer of the OSI model are independent of layer 3 when data is routed from source to destination. Because IPSec is tightly integrated with IP, applications inherit its security features without any major changes. Like IP, IPSec is transparent to the end user. IPsec provides the following features:
- Data confidentiality
- Data integrity
- Data origin authentication
- Anti-replay

The features and services of IPsec are implemented by a series of standards-based protocols. It is important that an IPsec implementation is based on open standards, to ensure interoperability between vendors. The three main protocols used by IPsec are:
- Internet Key Exchange (IKE)
- Encapsulating Security Payload (ESP)
- Authentication Header (AH)

1.1.1. Security features of IPsec
Data confidentiality concerns keeping the data exchanged in an IPsec VPN between the VPN devices private. Data confidentiality also involves the use of encryption while the data is in transit. Using encryption involves choosing an encryption algorithm and the means of distributing the encryption keys.
Data integrity ensures that the data is not modified while in transit across the IPsec VPN. Data integrity usually uses a hash algorithm (in practice a keyed hash, HMAC) to check whether the data in the packet has been modified between the end devices. Packets that are found to have been altered are not accepted.
Data origin authentication verifies the origin of the IPsec VPN traffic. This check is performed by each end of the VPN to make sure it is communicating with the right party.
Anti-replay ensures that no packet is accepted twice in the VPN. This is done using sequence numbers in the packets and a sliding window on the receiver side. Sequence numbers are compared against the sliding window, which detects packets that arrive late (behind the window) or that have already been seen. Such packets are treated as duplicates and are dropped.
1.1.2. Protocols in IPsec
IPsec comprises three main protocols that together implement the overall IPsec architecture; each provides different features. Every IPsec VPN uses some combination of these protocols to provide the features desired for the VPN.
Internet Key Exchange (IKE): lets the devices participating in the VPN agree on security parameters: how to encrypt, with which algorithm, and how often to rekey. IKE automatically negotiates the security policies between the devices participating in the VPN. During the key exchange, IKE uses the Diffie-Hellman algorithm to agree on a shared secret without ever sending it over the wire, and then protects the remaining exchanges with symmetric encryption under keys derived from that secret. This is a valuable property of IKE, because an attacker who captures the traffic cannot recover the keys. Compared with asymmetric algorithms, symmetric algorithms tend to be more efficient and easier to implement in hardware. Using such algorithms requires suitable keys, and IKE provides the mechanism for exchanging them.
Encapsulating Security Payload (ESP): provides authentication, encryption and data integrity. This is the protocol most commonly used when setting up IPSec.
The following encryption methods are used with ESP:
- Data Encryption Standard (DES): an old encryption method that was once widely used (56-bit key; no longer considered secure).
- Triple Data Encryption Standard (3DES): a block cipher that applies DES three times.
- Advanced Encryption Standard (AES): one of the most widely used symmetric-key algorithms today.
Authentication Header (AH): AH only performs authentication and guarantees data integrity. AH has no data encryption function. Because of that, AH is rarely used in IPSec, since it provides no confidentiality.
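The anti-replay check described in 1.1.1 is a small, well-defined algorithm, so here it is as an added example (not code from the original page): the per-SA sliding window a receiver keeps, as specified for AH and ESP in RFC 4302/4303. The window size of 64 and the constructed arrival order in the demo are assumptions; the check is split into a pre-ICV test and a post-ICV update because the window must only advance for packets whose integrity check passed.

```python
# Added example (not from the original page): the anti-replay sliding window
# that an IPsec receiver keeps per SA, as specified in RFC 4302/4303.
# The window size (64 here) and the sample sequence numbers are assumptions.

WINDOW_SIZE = 64


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the
    WINDOW_SIZE most recent sequence numbers below it (bit i set means
    sequence number last - i has already been accepted)."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last = 0       # highest sequence number accepted so far
        self.bitmap = 0     # bit 0 corresponds to self.last

    def check(self, seq):
        """Performed before ICV verification: is seq acceptable at all?"""
        if seq == 0:
            return False    # the first packet on an SA carries 1, never 0
        if seq > self.last:
            return True     # right of the window: a new packet
        diff = self.last - seq
        if diff >= self.size:
            return False    # left of the window: too old, discard
        return not (self.bitmap & (1 << diff))   # already seen -> replay

    def mark(self, seq):
        """Performed only after the ICV verified: slide/update the window."""
        if seq > self.last:
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1          # whole window slides past old contents
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def accept(self, seq):
        """Convenience for packets whose ICV has already been verified."""
        if not self.check(seq):
            return False
        self.mark(seq)
        return True


def replay_demo(sequence):
    """Feed a constructed arrival order and report accept/drop per packet."""
    win = AntiReplayWindow()
    return [(s, win.accept(s)) for s in sequence]


if __name__ == "__main__":
    # Constructed arrival order: reordering inside the window is tolerated,
    # duplicates and packets that fall behind the window are dropped.
    for seq, ok in replay_demo([1, 2, 3, 2, 70, 6, 5, 5, 200, 136, 137]):
        print(f"seq={seq:4d} {'accept' if ok else 'DROP'}")
```

Note that packet 6 is dropped after packet 70 arrives: with a 64-entry window, 70 - 6 = 64 falls just outside it, which is the "late packets are treated as duplicates" behaviour the text describes.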

1.1.3. IPsec modes
IPsec defines two modes that determine the degree of protection given to IP packets: tunnel mode and transport mode. In transport mode, the AH or ESP header is placed after the original IP header. Thus only the IP payload is encrypted and the original IP header is kept intact. Transport mode can be used when both hosts support IPSec. The advantage of transport mode is that it adds only a few bytes to each packet, and it lets devices on the network see the final destination address of the packet. This allows special processing on intermediate networks (for example QoS) based on the information in the IP header. However, the Layer 4 information is encrypted, which limits inspection of the packet.
In tunnel mode, the whole original IP packet is encapsulated by AH or ESP and a new IP header is wrapped around it. The entire original IP packet is encrypted and becomes the payload of the new IP packet. This mode allows network devices, such as routers, to act as an IPSec proxy performing encryption on behalf of the hosts. The source router encrypts the packets and forwards them along the tunnel. The destination router decrypts the original IP packet and forwards it to the end system. Hence the new header carries the gateway's address as its source. Figure 1.2 shows the two IPsec modes compared with a "normal" IP packet.

As mentioned before, the end points of an IPsec tunnel can be any device. Figure 1.2 shows routers as the end points, which may be used for a site-to-site VPN. The concept of a VPN tunnel applies to both tunnel mode and transport mode. In transport mode the packet payload is protected between the VPN end points, while in tunnel mode the whole original IP packet is protected.
1.1.4. Peer Authentication
As analysed above, IPsec can protect data in transit. It can encrypt data to prevent anyone in the middle from reading it (data confidentiality), and it can guarantee that data has not been modified in transit (data integrity). IPsec can secure the transfer of data, but before that service can be performed, the end points of the IPsec VPN must be authenticated. There are five different methods of exchanging authentication:
- Username and password: the username and password must be defined in advance and pre-configured on the IPsec end devices. They are therefore usually used for a long time. They are generally not considered secure, because anyone who guesses the username/password combination can set up an IPsec connection with you.

- One-time password (OTP): an OTP works like a personal identification number (PIN) or a transaction authentication number (TAN). This works well for setting up a single IPsec connection: an OTP that someone captures is useless for establishing a new IPsec connection, because it is no longer valid.
- Biometrics: biometric technology analyses physical characteristics of a person, such as fingerprints, hand geometry, iris and retina patterns and facial features. These characteristics are very hard to forge. Any combination of them can be used to authenticate a person, and thus provide assurance that the IPsec end device is the right one.
- Preshared keys: preshared keys are similar in concept to a username and password. In this case a single key (a value) is pre-configured on each side of the IPsec connection. Anyone who can determine the preshared key in advance is able to establish an IPsec connection with you.
- Digital certificates: digital certificates are a very common way of authenticating users and devices. Typically a digital certificate is issued to a device by a certification authority (CA), a trusted third party. When the device needs to authenticate, it presents its certificate. If another device attempts to use that certificate without the matching private key, authentication fails.

Overview of IPSEC


IPSec is a framework of open standards for encrypting TCP/IP traffic in a network environment. IPSec works by encrypting the information contained in IP datagrams by encapsulating them. This provides network-level data integrity, data confidentiality, data origin authentication and replay protection. The basic functions of IPSec are:
Authentication: protects private networks and the private data they carry. IPSec protects private data from man-in-the-middle attacks, from attackers trying to gain access to the network, and from attackers modifying the contents of datagrams.
Encryption: hides the real contents of datagrams so that parties who are not authorised cannot understand them.
IPSec can also be used to provide packet filtering. It can authenticate traffic between two hosts and encrypt traffic between hosts. IPSec can be used to create a virtual private network (VPN). IPSec can be used to enable communication between remote offices and remote-access clients over the Internet. IPSec operates at the network layer to provide end-to-end encryption. Essentially this means that data is encrypted on the source computer that sends it. All intermediate systems treat the encrypted parts of the packets simply as payload. Intermediate systems such as routers only forward the packet to its final destination. Intermediate systems do not decrypt the encrypted data; it is decrypted only when it reaches its destination.

IPSec sits between the TCP/UDP transport layer and the Internet layer, and is applied to applications easily. IPSec is also easy for users to use. Essentially this means IPSec can provide security for most of the protocols in the TCP/IP suite. As for applications, every application that uses TCP/IP can use IPSec's security functions. You do not need to configure security for each individual TCP/IP-based application. Using rules and filters, IPSec can examine network traffic and select the appropriate security protocols, determine which algorithms to use, and apply the cryptographic keys required by any device. IPSec's security functions and capabilities can be used to keep private networks and private data safe from:
- Denial-of-service (DoS) attacks
- Data theft
- Data modification
- Theft of user credentials
In Windows Server 2003, IPSec uses the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol to provide data security for:
- Client computers
- Domain servers
- Corporate workgroups
- Local area networks (LANs)
- Wide area networks (WANs)
- Remote offices
The security functions and capabilities provided by IPSec can be summarised as follows:
Authentication: a digital signature or keyed hash is used to verify the identity of the sender. IPSec can use Kerberos, a preshared key or digital certificates for authentication.
Data integrity: a hash algorithm is used to ensure that data has not been tampered with. A checksum called a hash message authentication code (HMAC) is computed over the packet data. If a packet is modified in transit, the HMAC no longer matches. The receiving computer detects the change and discards the packet.
Data confidentiality: encryption algorithms are applied to ensure that the data in transit cannot be read.
Anti-replay: prevents an attacker from re-sending captured packets in an attempt to gain access to the private network.
Non-repudiation: public-key digital signatures are used to prove the origin of a message.
Dynamic rekeying: keys can be regenerated while data is being sent, so that different parts of the communication are protected with different keys.
Key generation: the Diffie-Hellman key agreement algorithm is used to let two computers establish shared encryption keys.
IP packet filtering: IPSec's packet filtering can be used to filter and block specific types of traffic based on the following, individually or in combination:
- IP addresses
- Protocols
- Ports

Several IPSec features are new in Windows Server 2003, along with tools for some IPSec functions that existed in earlier Windows operating systems:
- Windows Server 2003 has a new IP Security Monitor tool implemented as an MMC snap-in. The IP Security Monitor tool also supports managing IPSec security. With IP Security Monitor you can perform the following administrative tasks:
  - Customise the IP Security Monitor display
  - Manage IPSec information on the local computer
  - Manage IPSec information on remote computers
  - View IPSec statistics
  - View information about IPSec policies
  - View generic filters
  - View specific filters
  - Search for specific filters by IP address
- You can configure IPSec with the Netsh command-line tool. Netsh replaces the earlier Ipsecpol.exe command-line tool.
- IPSec supports the new Resultant Set of Policy (RSoP) feature of Windows Server 2003. RSoP can be used to determine which policies apply to a given computer or user. RSoP aggregates all the Group Policy settings applied to a computer and a user in a domain. It also includes all filters and exemptions. You can use this feature through the Resultant Set of Policy (RSoP) Wizard or from the command line to observe the IPSec policy being applied.
- Integration of IPSec with Active Directory lets you manage security policies centrally.
- Kerberos V5 authentication is the default authentication method used by IPSec policies to verify the identity of computers.
- IPSec remains compatible with the Windows 2000 security framework. If a local policy cannot be applied to a computer, you have the option of creating a persistent policy for specific computers.

Properties of persistent policies:
- Persistent policies can only be configured through the Netsh command-line tool.
- Persistent policies are always in effect (they apply even when no other policy can be applied).
- Persistent policies cannot be overridden.
In Windows Server 2003 IPSec deployments, only Internet Key Exchange (IKE) traffic is exempt from IPSec. Previously, Resource Reservation Protocol (RSVP) traffic, Kerberos traffic and IKE traffic were all exempt from IPSec. IPSec in Windows Server 2003 adds support for 2048-bit Diffie-Hellman Group 3 key exchange. Group 3 is stronger than the earlier 1024-bit Diffie-Hellman Group 2 key exchange. However, if you need compatibility with Windows 2000 and Windows XP, you must use 1024-bit Diffie-Hellman Group 2 key exchange.

IPSec ESP packets can traverse Network Address Translation (NAT) by means of User Datagram Protocol-Encapsulating Security Payload (UDP-ESP) encapsulation, known as NAT traversal.

As we know, when copying data between two machines or across a VPN, to raise the security level the network administrator creates user accounts, and only when these users enter the correct credentials can they exchange data with each other. Thus someone who does not provide the required credentials cannot access our data. However, they can still lie in wait for an opportunity and steal the data perfectly well by capturing it as it is transmitted from one machine to the other. To make the system safer, people use the IPSec technology, in other words they encrypt the data on the wire. That way, even if the data is captured it cannot be read, because it is fully encrypted. In this article I will show you with an example that the data travelling over the wire from one machine to another is, by default, not encrypted. Suppose I have two machines in the network 172.16.1.0/24 and I transfer data between them. The IP configuration of the machines is as follows:

Machine            PC01              PC02
Card LAN
  IP Address
  Subnet Mask
  Default gateway
  Preferred DNS
Card Cross
  IP Address       172.16.1.1        172.16.1.2
  Subnet Mask      255.255.255.0     255.255.255.0
  Default gateway
  Preferred DNS

(Only the address and mask cells are recoverable from the page; the ping captured below runs between 172.16.1.1 and 172.16.1.2 over the Cross interface.)
Install the Network Monitor service to capture the data on your own link and see for yourself. Go to Windows Components and choose Management and Monitoring Tools.

Select the Network Monitor Tools component.

After installation completes, go to Start -> Programs -> Administrative Tools -> Network Monitor.

Because the two machines are connected through the Cross card, on the Select a Network screen I choose Cross.

Click Capture -> Start to begin capturing data.

Now, at PC01, I ping PC02 and get a successful result. Note that in Windows, when you ping a PC, it sends four echo request messages, each carrying the 32-byte payload "abcdefghijklmnopqrstuvwabcdefghi", to the target, and on receiving each one the target replies with the same payload.

Return to the Network Monitor window and choose Capture -> Stop and View to see the results.

Look for the frames displayed as ICMP Echo 172.16.01.01 to 172.16.01.02: they tell us the frame was sent from PC01 to PC02 with the ICMP protocol (the protocol ping uses). Click one of these frames.

Then expand the ICMP: Data: section to view the data carried on the wire. The result screen clearly displays, in plain text, the contents PC01 sent to PC02.

Now, to raise the security level on the link, we need to set up the IPSec service. Go to Start -> Run, type mmc and press Enter.

In the Console1 window choose File -> Add/Remove Snap-in...

Add the IP Security Policy Management and IP Security Monitor snap-ins.

Because we are practising directly on our own machine with the machines in the LAN, here you choose Local Computer.

The Console1 screen after the snap-ins have been added.

Note that the IP Security Policies on Local Computer window already contains three policies that Windows creates for us; however, none of them is assigned. In this article I will not use these policies but create my own, by right-clicking the blank area and choosing Create IP Security Policy.

Give this policy a name, for example IPSec.

Clear Activate the default response rule.

Click Finish to complete creating the new policy.

We now see the IPSec icon we just created appear in the Console1 window.

Next, right-click IPSec and choose Assign to activate it.

Now we configure the IPSec policy we just created by double-clicking IPSec.

By default Windows creates a rule named Default here, but I will not use it; instead I create another rule by clicking the Add button and choosing Next.

In Network Type, choose the connections you want the rule to apply to: All network connections (on every link); Local area network (the internal network); Remote access (remote-access connections).

In IP Filter List, choose the traffic you want the rule to apply to: All ICMP Traffic (everything related to the ICMP protocol); All IP Traffic (all IP traffic).

Because in this article I only test with ping from the command prompt, I choose ICMP.

For Filter Action choose Require Security.

In the Authentication Method screen we have three choices for how the two peers authenticate each other during IKE (the encryption itself is determined by the filter action):
- Kerberos V5: authenticate with Kerberos
- Use a certificate from this certification authority: authenticate with a certificate issued by a CA server
- Use this string to protect the key exchange: authenticate with a preshared key string
Suppose I choose option 3 and set the key to "123".

When finished, tick All ICMP Traffic in IPSec Properties and click OK.

Now I return to the command prompt and ping PC02 again; I see the message Negotiating IP Security, meaning our machine sent a negotiation request to PC02, but PC02 has no matching policy and does not know the key, so it cannot complete the negotiation and does not reply. Therefore on PC02 you must perform the same steps and assign the same key before the two machines can talk to each other.

Either way, the data PC01 sends to PC02 is now fully encrypted. Return to the Network Monitor window and you will see that the protocol shown is no longer ICMP but ISAKMP (the IKE negotiation on UDP port 500; once the security associations have been established, the echo requests themselves travel inside ESP, IP protocol 50).

Open the frame we sent and you will see that it is completely encrypted.

At this point you can rest assured that your data is transmitted over the network carefully encrypted with IPSec. In practice, however, people do not use a preshared key as I showed above, but certificates from a CA server.

Return to the IPSec Properties screen, double-click All ICMP Traffic and choose Edit.

Here we choose option 2, Use a certificate from this certification authority.

Then request a certificate from the CA server (see the Certificate Authority article).

An IPSec SA is identified by three fields:
SPI (Security Parameter Index): a 32-bit field which, together with the destination address and the security protocol (given by the Security protocol field), identifies the SA in use. The SPI is carried as part of the security protocol header and is usually chosen by the destination system during SA negotiation.
Destination IP address: the IP address of the destination node. Although it could be a broadcast, unicast or multicast address, the current SA management mechanisms are only defined for unicast.
Security protocol: describes the IPSec protocol, either AH or ESP.
Each bidirectional connection must comprise at least two SAs in opposite directions.
Note: one advantage of the unidirectional SA scheme is its support for broadcast communication. Security associations can still be established in receive-only mode by the receiver choosing an SPI. Unicast packets can be assigned a unique SPI value, while multicast packets can be assigned an SPI per multicast group. However, the use of IPSec for broadcast traffic has some limitations: key management and distribution is difficult, and the cryptographic value is reduced because the source of a packet is not clearly established.
Because of the unidirectional nature of SAs, two SAs must be defined for two communicating endpoints, one for each direction. Moreover, an SA provides the security services for a VPN session protected by either AH or ESP. Thus, if a session requires protection by both AH and ESP, two SAs must be defined for each direction. Such a set of SAs is called an SA bundle. Before a secure session can be established, security associations must be set up on the sender and the receiver. They can be configured manually or automatically through a key management protocol. When a datagram is sent to a (protected) receiver, the sending system looks up the corresponding security association and transmits the result to the receiver. The receiver uses the SPI and the destination address to look up the security association on its own system. Where multiple security levels are used, the security label also becomes part of the process of selecting the corresponding security association. The receiving system uses the parameters of the security association to process the sequence of packets received from the sender. To establish a fully authenticated session, sender and receiver must swap roles and set up a second SA in the opposite direction.
IPSec SAs use two databases. The Security Association Database (SAD) holds the information about each SA. This includes the algorithms and keys, the lifetime of the SA and the sequence number counter. The second IPSec SA database, the Security Policy Database (SPD), holds information about the security services together with an ordered list of policy entries for inbound and outbound traffic. Like firewall security policies and packet filters, these entries define which traffic is processed and which is discarded according to the IPSec standards.
1.3. IPSec Protocols
The IPSec suite provides three main capabilities:
Authentication and data integrity: IPSec provides a strong mechanism to verify the authenticity of the sender and to let the receiver detect any unauthorised modification of the packet contents. The IPSec protocols provide strong protection against spoofing, sniffing and denial-of-service attacks.
Confidentiality: the IPSec protocols encrypt data using strong encryption techniques, preventing unauthenticated parties from accessing the data in transit.
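The SA lookup rules above (SPI + destination + protocol inbound, an ordered SPD with first-match semantics outbound, one SA per direction and per protocol in a bundle) are easier to see in code. The following is an added example written for this page, not an implementation from any IPsec stack: all addresses, SPIs, keys and the policy contents are constructed, and the SPD/SAD classes, the `outbound_decision` helper and the `NEGOTIATE` result are names chosen here.

```python
# Added example (not from the original page): a minimal Security Policy
# Database (SPD) and Security Association Database (SAD) showing how an
# outbound packet is matched to a policy and its SA bundle, and how an
# inbound packet's SA is found by (SPI, destination address, protocol).
# All addresses, SPIs and keys are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_ESP, PROTO_AH = 50, 51


@dataclass(frozen=True)
class Selector:
    """Traffic selector: CIDR ranges plus optional protocol / dest port."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class SPDEntry:
    selector: Selector
    action: str                      # "DISCARD", "BYPASS" or "PROTECT"
    bundle: tuple = ()               # ((security_proto, mode), ...) for PROTECT


@dataclass
class SA:
    spi: int
    dst: str
    proto: int                       # PROTO_AH or PROTO_ESP
    mode: str                        # "transport" or "tunnel"
    auth_key: bytes
    enc_key: bytes = b""
    seq: int = 0                     # outbound sequence counter (SAD field)
    lifetime_bytes: int = 1 << 30    # soft lifetime, also kept in the SAD

    def next_seq(self):
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence counter exhausted: rekey the SA")
        self.seq += 1
        return self.seq


class SAD:
    def __init__(self):
        self._by_triple = {}

    def add(self, sa):
        self._by_triple[(sa.spi, sa.dst, sa.proto)] = sa

    def inbound(self, spi, dst, proto):
        """Inbound lookup: SPI + destination address + security protocol."""
        return self._by_triple.get((spi, dst, proto))

    def outbound(self, dst, proto, mode):
        """Outbound lookup: the SA towards this peer for protocol and mode."""
        for sa in self._by_triple.values():
            if sa.dst == dst and sa.proto == proto and sa.mode == mode:
                return sa
        return None


class SPD:
    def __init__(self, entries):
        self.entries = list(entries)   # ordered: first match wins

    def lookup(self, pkt):
        for entry in self.entries:
            if entry.selector.matches(pkt):
                return entry
        return SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD")


def outbound_decision(spd, sad, pkt):
    """Returns ("BYPASS"|"DISCARD"|"NEGOTIATE", []) or ("PROTECT", [SA, ...])
    in application order: ESP first (inner), then AH (outer)."""
    entry = spd.lookup(pkt)
    if entry.action != "PROTECT":
        return entry.action, []
    sas = []
    for proto, mode in sorted(entry.bundle, key=lambda pm: pm[0] != PROTO_ESP):
        sa = sad.outbound(pkt["dst"], proto, mode)
        if sa is None:
            return "NEGOTIATE", []      # no SA yet: this is what triggers IKE
        sas.append(sa)
    return "PROTECT", sas


def build_databases():
    """Constructed policy: protect ICMP inside 172.16.1.0/24 with an AH+ESP
    transport bundle, bypass IKE (UDP 500), discard everything else."""
    spd = SPD([
        SPDEntry(Selector("172.16.1.0/24", "172.16.1.0/24", proto=17, dport=500), "BYPASS"),
        SPDEntry(Selector("172.16.1.0/24", "172.16.1.0/24", proto=1), "PROTECT",
                 ((PROTO_ESP, "transport"), (PROTO_AH, "transport"))),
    ])
    sad = SAD()
    # Two unidirectional bundles: one per direction, one SA per protocol.
    sad.add(SA(0x1001, "172.16.1.2", PROTO_ESP, "transport", b"A" * 20, b"E" * 16))
    sad.add(SA(0x1002, "172.16.1.2", PROTO_AH, "transport", b"B" * 20))
    sad.add(SA(0x2001, "172.16.1.1", PROTO_ESP, "transport", b"C" * 20, b"F" * 16))
    sad.add(SA(0x2002, "172.16.1.1", PROTO_AH, "transport", b"D" * 20))
    return spd, sad
```

The bundle ordering matters: with both protocols in transport mode, ESP is applied first and AH wraps the result, so the receiver verifies the AH ICV (which covers the ESP header and ciphertext) before touching ESP. Note also that a packet with an unknown SPI returns no SA at all and is discarded rather than being matched to "something close".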

IPSec also uses a mechanism to hide the IP addresses of the source node (sender) and destination node (receiver) from eavesdroppers.
Key management: IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate the security protocols and encryption algorithms before and during a session. Just as importantly, IPSec distributes and verifies the cryptographic keys and updates those keys when required.
The first two capabilities of the IPSec suite, authentication and data integrity, and confidentiality, are provided by the two main protocols in the suite: Authentication Header (AH) and Encapsulating Security Payload (ESP). The third capability, key management, belongs to a separate protocol suite that IPSec adopted because it is a strong key management service: IKE.
IP Security article series (Part 2) - Protocols in the IPSec suite: Authentication Header (AH)
1.4. Protocols used in IPSec (IPSec Protocol)
IPSec secures network connections using two protocols that provide security for packets of both IPv4 and IPv6:
IP Authentication Header provides three basic services: data integrity, data authentication and anti-replay.
IP Encapsulating Security Payload provides four services: data integrity, data authentication, data encryption and anti-replay.
The cryptographic algorithms used in IPsec include HMAC-SHA1 for integrity protection, and TripleDES-CBC and AES-CBC for encryption and packet confidentiality.
1.4.1. Authentication Header (AH)
AH is used for connections that do not require data confidentiality. It also protects against replay attacks by using a sliding window and discarding old packets. AH protects data transmitted over IP. In IPv4, the IP header fields that change in transit and are therefore excluded from the AH integrity check are TOS, Flags, Fragment Offset, TTL and Header Checksum. AH is inserted directly after the IP header. Below is the layout of the AH header.

Figure 1.3. AH packet structure
Meaning of each field:
Next header (8 bits): identifies the protocol of the data following the AH header.
Payload length (8 bits): the length of the AH header in 32-bit words minus 2. (For example, if the whole AH header is 6 words long, the Payload length field is 4.)
RESERVED (16 bits): reserved for future use (currently set to zero).
Security parameters index (SPI, 32 bits): identifies the security parameters; combined with the destination IP address and the protocol, it identifies the security association associated with the packet. Values 1-255 are reserved, the value 0 is used for special purposes, and the other values are assigned as SPIs.
Sequence number (32 bits): an unsigned, monotonically increasing value that provides the anti-replay service for an SA. The receiver need not use this information, but the sender must always include it. The counter starts at 0 when the SA is established. If the anti-replay service is used, this counter must never wrap. Because the sender does not know whether the receiver uses anti-replay, the SA is terminated and a new SA is re-established before 2^32 packets have been sent.
Authentication data (variable length): contains the Integrity Check Value (ICV) for the packet. The field must be an integral multiple of 32 bits (64 bits for IPv6) and may contain padding to fill the remaining bits. The ICV is computed using a Message Authentication Code (MAC) algorithm. MACs are based on symmetric encryption algorithms such as DES and 3DES, or on one-way hash functions such as MD5 or SHA-1 (in HMAC form). When computing the ICV, the computation covers the whole new packet. A shared secret key used in the MAC makes this value hard to forge. Each end of the VPN connection computes the ICV independently. If the values do not match, the packet is dropped. This ensures the packet was not modified in transit. AH provides authentication, integrity and anti-replay for the entire packet, including the IP header and the data carried in the packet.

AH provides no privacy and does not encrypt the data, so the data can be read, but it is protected against modification. AH uses the AH key to sign the packet, ensuring the integrity of the packet.

Figure 1.4. The authenticated portions of an AH packet

Figure 1.5. Packet creation in AH
1.4.1.1. AH outbound processing
When an AH SA is first established, the authentication algorithm and keys are recorded, and the sequence number counter is set to 0. When IPsec determines that an outbound packet must have AH applied, it finds the appropriate SA and performs the following steps.
1. A template AH header is inserted between the IP header and the upper-layer header.
2. The sequence number is incremented and stored in the AH header. At this time AH checks that the sequence number does not wrap. If it would wrap, AH creates a new SA and resets the counter to 0. If the sequence number does not wrap, it is incremented and stored in the AH header.
3. The remaining AH fields, except the ICV, are filled in with the prescribed length.
4. If needed, optional padding is added to the AH header to make it a multiple of 32 bits (64 bits for IPv6).
5. The mutable fields in the IP header and the ICV field in the AH header are set to 0, and the ICV is computed over the entire IP datagram. If there is a source-routing option in the IP header (transit through intermediate devices), the destination address must be set to the final destination address before the ICV is computed.
6. The mutable fields are filled back in, and the ICV is stored in the AH header. If there was an intermediate source-route option, the destination field of the IP header is set back to the intermediate destination.
7. The IP datagram is placed on the output queue for transmission to its destination.
1.4.1.2. AH inbound processing
An authenticated IP datagram may be fragmented on its way to the destination. If so, the fragments must be collected and reassembled into a datagram before AH processing. Once the datagram is reassembled, AH performs the following steps.
1. Based on the SPI in the AH header and the destination address in the IP header, the appropriate AH SA is identified. If no SA applying to the datagram can be identified, the datagram is discarded.
2. If sequence number checking is enabled, AH checks the sequence number against the anti-replay window. If the sequence number is too old or a duplicate, the datagram is discarded.
3. AH copies the IP header and the AH header and sets the mutable fields in the IP header, and the ICV in the AH header, to 0.
4. The authentication algorithm and key specified in the SA are used to compute an ICV over the whole datagram, and the result is compared with the original value in the AH header. If the values differ, the datagram is discarded. If they match, the packet is authenticated and intact.
5. The AH header is removed from the datagram, and the original IP header fields are restored. The datagram is placed on the input queue for normal IP processing.
IP Security article series (Part 3) - Protocols in the IPSec suite: Encapsulating Security Payload (ESP)
1.4.2. Encapsulating Security Payload (ESP)
The ESP protocol provides authentication, integrity and confidentiality for packets. ESP also supports configurations for situations where only encryption or only authentication is needed.
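Before moving on to ESP, here is the AH processing of 1.4.1.1 and 1.4.1.2 as an added example (written for this page, not taken from it or from any IPsec implementation): transport-mode AH over IPv4 with HMAC-SHA1-96, showing the payload-length encoding, the zeroing of the mutable IP fields before the ICV is computed, and a constant-time comparison on receipt. The key, addresses and ICMP payload are constructed; SA lookup and the anti-replay window are left to the caller so that the block stays focused on the ICV.

```python
# Added example (not from the original page): AH transport-mode outbound and
# inbound processing for IPv4 with HMAC-SHA1-96 (RFC 4302), showing the
# payload-length encoding, the zeroing of mutable IP header fields before the
# ICV is computed, and constant-time ICV comparison on receipt.
# The key, addresses and ICMP payload are constructed for the example.
import hashlib
import hmac
import socket
import struct

PROTO_AH = 51
PROTO_ICMP = 1
ICV_LEN = 12                     # HMAC-SHA1-96 truncates the 20-byte tag
AH_FIXED = 12                    # next hdr, payload len, reserved, SPI, seq
AH_LEN = AH_FIXED + ICV_LEN      # 24 bytes, already a multiple of 4
IP_HDR_LEN = 20


def _checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """Minimal IPv4 header without options (IHL = 5)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _zero_mutable(ip_hdr):
    """Mutable IPv4 fields count as zero for the ICV: TOS, flags and fragment
    offset, TTL and header checksum (RFC 4302 section 3.3.3.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0                      # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"          # flags + fragment offset
    h[8] = 0                      # TTL
    h[10:12] = b"\x00\x00"        # header checksum
    return bytes(h)


def _icv(ip_hdr, ah_fixed, payload, key):
    covered = _zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(src, dst, next_header, payload, spi, seq, key, ttl=64):
    """Outbound: IP | AH | upper-layer payload (transport mode)."""
    payload_len_field = AH_LEN // 4 - 2          # 24 bytes = 6 words -> 4
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, IP_HDR_LEN + AH_LEN + len(payload), ttl)
    return ip_hdr + ah_fixed + _icv(ip_hdr, ah_fixed, payload, key) + payload


def ah_verify(packet, key):
    """Inbound: returns (spi, seq, next_header, payload), or None when the
    ICV fails. SA lookup by (SPI, dst, AH) is left to the caller."""
    ip_hdr = packet[:IP_HDR_LEN]
    if ip_hdr[9] != PROTO_AH:
        return None
    ah_fixed = packet[IP_HDR_LEN:IP_HDR_LEN + AH_FIXED]
    next_header, payload_len_field, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_len = (payload_len_field + 2) * 4
    received_icv = packet[IP_HDR_LEN + AH_FIXED:IP_HDR_LEN + ah_len]
    payload = packet[IP_HDR_LEN + ah_len:]
    if not hmac.compare_digest(received_icv, _icv(ip_hdr, ah_fixed, payload, key)):
        return None
    return spi, seq, next_header, payload


def icmp_echo_request(ident, seq, data):
    """Constructed ICMP echo request to carry inside AH."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", _checksum(hdr)) + hdr[4:]


if __name__ == "__main__":
    key = bytes(range(20))                        # constructed 160-bit HMAC key
    echo = icmp_echo_request(1, 1, b"abcdefghijklmnopqrstuvwabcdefghi")
    pkt = ah_protect("172.16.1.1", "172.16.1.2", PROTO_ICMP, echo, 0x1002, 1, key)
    print("verify original        :", ah_verify(pkt, key) is not None)
    routed = bytearray(pkt); routed[8] -= 1       # a router decrements the TTL
    print("verify after TTL change:", ah_verify(bytes(routed), key) is not None)
    tampered = bytearray(pkt); tampered[-1] ^= 0x01
    print("verify tampered payload:", ah_verify(bytes(tampered), key) is not None)
```

The TTL case is the reason the mutable fields exist: a router legitimately rewrites TTL and header checksum, so the ICV would fail on every hop if they were covered; everything else in the IP header, including the source and destination addresses, is protected, which is exactly what AH offers that ESP does not.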

Figure 1.6. ESP packet structure

Security parameters index (SPI, 32 bits): identifies the security parameters; combined with the destination IP address it identifies the SA.
Sequence number (32 bits): automatically incremented, used to detect replay.
Payload data (variable length): the original IP packet or part of it, depending on the IPSec mode in use. In Tunnel Mode this field contains the whole original IP packet. In Transport Mode it contains only the upper-layer protocol portion of the original packet. The payload length is always an integral number of bytes.
Padding (variable length) and Pad Length (8 bits): the padding inserted and its length.
Next header (8 bits): identifies the protocol carried in the payload. In Transport Mode the value is 6 for TCP or 17 for UDP; in Tunnel Mode it is 4 (IP-in-IP).
Authentication data (multiple of 32 bits): contains the authentication data for the packet, computed over the whole ESP packet except the Authentication data field itself. Encryption algorithms include DES, 3DES and AES. Authentication algorithms include MD5 or SHA-1 (as HMAC). ESP also provides anti-replay protection against replayed packets. ESP in transport mode does not protect the entire packet; it covers only the IP payload, excluding the IP header. ESP can be used on its own or combined with AH. Below is a model of ESP processing of user data protected between two IPSec peers.

Figure 1.7. Packet creation in ESP
ESP uses a symmetric cipher to provide data confidentiality for IPSec packets. Therefore, for the connection between two endpoints to be protected by ESP encryption, both sides must use the same key to encrypt and decrypt the packets. When an endpoint encrypts data, it divides the data into small blocks and then performs the encryption operation repeatedly using the data blocks and the key. Encryption algorithms operating this way are known as block cipher algorithms. When the other endpoint receives the encrypted data, it decrypts it using the same key and a similar process, but in this step the operation is the reverse of encryption. ESP has IP protocol number 50.
1.4.2.1. ESP outbound processing
When an IP datagram is ready to be placed on the output queue, it is checked to see whether it should be processed by IPSec. If ESP encapsulation is required, it must be known whether the SA operates in Transport Mode or Tunnel Mode. Processing performs the following steps.
1. The SPD is searched for an SA matching the exact information such as destination address, port, protocol and so on. If no SA exists yet, a pair of SAs is negotiated between the two parties.
2. The sequence number from the SA is incremented and placed in the ESP header. If the peer has not disabled anti-replay, the sequence number is checked to make sure it does not wrap to 0.
3. If necessary, padding is added for alignment, and the pad length and next header fields are filled in. If the encryption algorithm requires it, an IV is prepended to the payload data (the IV, initialisation vector, is an arbitrary block XORed with the first data block before encryption, so that identical plaintexts do not produce identical ciphertexts). The payload data and the ESP trailer are encrypted using the key and algorithm specified in the SA; the IV itself is sent in the clear but is covered by the ICV.
4. The ICV is computed over the ESP header, the IV, the (now encrypted) payload data and the ESP trailer, using the authentication key and algorithm in the SA, and placed in the Authentication data field.
5. If the resulting datagram requires fragmentation, it is done at this point. In Transport Mode, ESP is applied only to whole IP datagrams. In Tunnel Mode, ESP may be applied to an IP datagram that is itself a fragment.
Note: the order of encryption and authentication is very important. Because authentication is performed last, the ICV is computed over the already-encrypted data, which means the receiver can verify authentication relatively quickly before performing the much slower decryption. This partly mitigates a DoS attack in which a stream of random data dressed up as encrypted packets is sent to the receiver.
1.4.2.2. ESP inbound processing
Because incoming data may have been fragmented by routing, it must be reassembled. After reassembly, ESP processing performs the following steps.
1. The SA is obtained by matching the destination address, protocol (ESP) and SPI of the incoming packet. If no SA exists, the packet is discarded.
2. If anti-replay is enabled, the sequence number is checked.
3. The packet is authenticated by computing the ICV over the ESP header, payload and ESP trailer, using the authentication algorithm and key in the SA; if authentication fails, the packet is discarded. If the packet is authenticated, it is accepted and the receiver updates its anti-replay window with the sequence number.
4. The payload and ESP trailer fields are decrypted using the algorithm and key in the SA. If padding was added, it is checked to make sure it contains the values expected for the algorithm. The original IP packet is reconstructed by removing the ESP fields; this reconstruction depends on whether Transport Mode or Tunnel Mode is used.
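The ESP framing and the ordering rule in the note above, as an added example written for this page (not code from the page or from any IPsec implementation). It covers the packet layout of 1.4.2, the outbound steps 3 and 4, the inbound verify-before-decrypt order, and the next-header value that distinguishes transport mode from tunnel mode (section 1.5). The cipher is pluggable: a NULL cipher (RFC 2410, authentication-only ESP) runs with the standard library, and AES-CBC is used only if the third-party `cryptography` package happens to be installed, which is an assumption, not a requirement. Keys, the SPI and the packet contents are constructed.

```python
# Added example (not from the original page): ESP encapsulation and
# decapsulation (RFC 4303) showing trailer padding, the next-header value that
# distinguishes transport mode (1 = ICMP) from tunnel mode (4 = IP-in-IP),
# encrypt-then-MAC with HMAC-SHA1-96, and ICV verification before decryption.
# Keys, SPI and packet contents are constructed for the example.
import hashlib
import hmac
import os
import struct

ICV_LEN = 12                      # HMAC-SHA1-96
NEXT_ICMP, NEXT_IPIP = 1, 4


class NullCipher:
    """RFC 2410 NULL encryption: ESP framing and ICV only, no confidentiality."""
    block_size, iv_len = 4, 0

    def encrypt(self, iv, data):
        return data

    def decrypt(self, iv, data):
        return data


try:  # optional AES-CBC; assumes the `cryptography` package is installed
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    class AesCbcCipher:
        block_size, iv_len = 16, 16

        def __init__(self, key):
            self.key = key

        def encrypt(self, iv, data):
            enc = Cipher(algorithms.AES(self.key), modes.CBC(iv)).encryptor()
            return enc.update(data) + enc.finalize()

        def decrypt(self, iv, data):
            dec = Cipher(algorithms.AES(self.key), modes.CBC(iv)).decryptor()
            return dec.update(data) + dec.finalize()
except ImportError:
    AesCbcCipher = None


def esp_encapsulate(plaintext, next_header, spi, seq, auth_key, cipher=None):
    """Outbound: SPI | seq | IV | E(payload | padding | pad len | next hdr) | ICV."""
    cipher = cipher or NullCipher()
    align = max(cipher.block_size, 4)               # pad len + next hdr end on 4 bytes
    pad_len = (-(len(plaintext) + 2)) % align
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    iv = os.urandom(cipher.iv_len)
    body = struct.pack("!II", spi, seq) + iv + cipher.encrypt(iv, plaintext + trailer)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # over ciphertext
    return body + icv


def esp_decapsulate(packet, auth_key, cipher=None):
    """Inbound: returns (spi, seq, next_header, plaintext) or None.
    The ICV is checked first, so forged or garbage packets never reach the
    (slower) decryption step; padding bytes are validated after decryption."""
    cipher = cipher or NullCipher()
    if len(packet) < 8 + cipher.iv_len + ICV_LEN + 2:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    iv = body[8:8 + cipher.iv_len]
    plain = cipher.decrypt(iv, body[8 + cipher.iv_len:])
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2 or plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None
    return spi, seq, next_header, plain[:-2 - pad_len]


def esp_transport(upper_layer, next_header, spi, seq, auth_key, cipher=None):
    """Transport mode protects only the upper-layer data; the IP header stays outside."""
    return esp_encapsulate(upper_layer, next_header, spi, seq, auth_key, cipher)


def esp_tunnel(original_ip_packet, spi, seq, auth_key, cipher=None):
    """Tunnel mode protects the whole original IP packet; next header = 4."""
    return esp_encapsulate(original_ip_packet, NEXT_IPIP, spi, seq, auth_key, cipher)


if __name__ == "__main__":
    auth_key = bytes(range(20))                      # constructed HMAC key
    cipher = AesCbcCipher(bytes(16)) if AesCbcCipher else NullCipher()
    icmp = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"abcdefghijklmnopqrstuvwabcdefghi"
    pkt = esp_transport(icmp, NEXT_ICMP, 0x1001, 1, auth_key, cipher)
    print("transport next header is ICMP:", esp_decapsulate(pkt, auth_key, cipher)[2] == NEXT_ICMP)
    # Constructed original packet: a 20-byte IPv4 header (checksum left zero)
    # 172.16.1.1 -> 172.16.1.2 followed by the same ICMP message.
    inner = bytes.fromhex("4500003c0001400040010000ac100101ac100102") + icmp
    tun = esp_tunnel(inner, 0x1001, 2, auth_key, cipher)
    spi, seq, nh, plain = esp_decapsulate(tun, auth_key, cipher)
    print("tunnel next header:", nh, "inner packet intact:", plain == inner)
    forged = bytearray(tun); forged[12] ^= 0x80        # flip a bit of IV/ciphertext
    print("forged packet dropped before decryption:",
          esp_decapsulate(bytes(forged), auth_key, cipher) is None)
```

With the NULL cipher the payload bytes are still readable in the output, which is what an authentication-only ESP SA looks like on the wire; swapping in a block cipher changes only the `encrypt`/`decrypt` calls and the alignment, while the trailer layout and the ICV-first check on receipt stay the same.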

Table 1.1. Comparison between AH and ESP
IP Security article series (Part 4) - IPSec modes
1.5. IPSec modes
SAs in IPSec are currently deployed in two modes, shown in the figure below: Transport mode and Tunnel mode. Both AH and ESP can work in either of these modes.

Figure 1.8. Transport Mode and Tunnel Mode
1.5.1. Transport Mode
Transport Mode protects the upper-layer protocols and applications. In Transport Mode the IPSec header is inserted between the IP header and the upper-layer protocol header. Thus only the IP payload is encrypted and the original IP header is kept intact. Transport Mode can be used when both hosts support IPSec.

Figure 1.9. IPSec datagram in Transport Mode
Transport Mode involves no extra header to process, so it is faster; its advantage is that it adds only a few bytes to each packet and lets devices on the network see the final destination address of the packet. Its drawback is that with ESP the IP header is neither authenticated nor encrypted.
1.5.2. Tunnel Mode
Unlike Transport Mode, Tunnel Mode protects the whole IP datagram. The entire IP datagram is encapsulated in another IP datagram, and an IPSec header is inserted between the original IP header and the new IP header.

Figure 1.10. IPSec datagram in Tunnel Mode
The whole original IP packet is encapsulated by AH or ESP and a new IP header is wrapped around it. The entire original IP packet is encrypted and becomes the payload of the new IP packet. This mode allows network devices such as routers to act as an IPSec proxy performing encryption on behalf of the hosts. The source router encrypts the packets and sends them along the tunnel. The destination router decrypts the original IP packet and forwards it to the end system. With a tunnel operating between two security gateways, the original source and destination addresses can be encrypted. In AH Tunnel Mode, the AH header is inserted between the new IP header and the original header. In ESP Tunnel Mode, the ESP header is inserted between the new IP header and the original header.

Series on IP Security (Part 5): peer authentication and the IKE key exchange

1.6. Authentication between peers

There are many ways to authenticate a peer:

Username and password: the peers agree on a user name and password. This is the simplest method and the easiest to attack.

One-time password (OTP): a password valid for a single login session or transaction. Once used it is worthless and the next login needs a freshly generated one. This removes the main weakness of fixed passwords: a captured password cannot be reused. The drawback is that users cannot memorise the passwords and must obtain a new one for every login from a token or an authentication server.

Biometrics: authentication by recognising physical characteristics such as fingerprints, iris, face or voice. It is expensive and needs specialised equipment.

Pre-shared keys: a secret key set up in advance by the administrator on both peers and used to authenticate them.

Digital certificates: an electronic document that verifies the identity of a person, a server or a company on the Internet. A certificate is signed by a Certificate Authority (CA); the CA vouches for the certificate and is responsible for the accuracy of the certificates it issues. A certificate has three main parts:
- the identity information of the holder, used to verify who the sender is;
- the holder's public key, used to encrypt data for the holder or to verify the holder's signatures;
- the CA's digital signature over the certificate, which is what makes it trustworthy.

1.7. Internet Key Exchange (IKE)

IKE lets the communicating parties negotiate security parameters and authentication keys before an IPsec session is established. Besides negotiating and establishing the parameters and encryption keys, IKE can modify them when necessary during the session, and it deletes SAs and keys once a session is finished. The main advantages of IKE are:
- IKE is not a stand-alone technology, so it can be used with any security mechanism.
- Although not fast, IKE is efficient, because a large number of security associations can be negotiated with relatively few messages.

To establish an SA between two peers so that IPsec can be set up between them, IKE relies on the following components.

Oakley: a key-exchange protocol that defines how authenticated keying material is generated. Its basis is the Diffie-Hellman key exchange. Function: generate the secret key for each SA. Operation: Diffie-Hellman plus extra protections: cookies against resource-exhaustion (clogging) denial-of-service attacks, and nonces against replay. Example: an attacker spoofing the source IP address sends a public value to the victim, which then spends CPU time on the modular exponentiation for a peer that does not exist; repeated enough this clogs the victim. Solution: each party must exchange a cookie (a random-looking value) in the initial messages, and the cookie must be echoed in the following key-exchange messages. (The cookie is produced with a fast hash such as MD5 over the source and destination IP addresses, source and destination ports and a locally held secret, so the party does not need to keep state per request.)

ISAKMP (Internet Security Association and Key Management Protocol): the independence of the IPsec transforms requires that all parameters of a security association, not just the cryptographic key, be distributed to the endpoints. Without the SA parameters the endpoints cannot know how the key is to be applied. This need led to ISAKMP. ISAKMP supports the standard key-management functions and includes the handshake, establishment, modification and deletion of security associations and their attributes. All IPv4 and IPv6 IPsec implementations must support manual configuration of SAs and keys. Manual keying works in small, static environments with no changes, but it is very hard to manage in large ones, especially across several administrative domains. There SA and key management must be automated, which is what ISAKMP was designed for. ISAKMP was designed to support AH and ESP, but it goes further: it can support security services at the transport and application layers for many other mechanisms, because it separates SA management from the key-exchange mechanism. ISAKMP is key-exchange independent; it provides a common framework for negotiating, exchanging, modifying and deleting SAs between dissimilar systems. Centralising SA management in ISAKMP removes duplicated functionality from each security protocol and significantly reduces connection set-up time, because ISAKMP can negotiate a whole set of services at once.

ISAKMP binds the authentication process and the SA/key exchange into a single data stream, which defeats attacks that rely on intercepting and altering the stream (interception, man-in-the-middle), provided the peers are properly authenticated. Oakley and ISAKMP are two concepts that usually go together (ISAKMP/Oakley).

Series on IP Security (Part 6): the IKE phases

1.7.1. IKE phases

Phase 1 and phase 2 are the two phases that make up an IKE session; the figure below shows their general characteristics. Phase 2 assumes that a secure channel already exists: that channel (the ISAKMP SA) must be established by phase 1 before any phase 2 negotiation can take place.

Figure 1.11. IKE phases

Before going into each phase, let us look at the structure of the ISAKMP header.

Figure 1.12. ISAKMP header

An IKE message is built from a sequence of ISAKMP payloads attached to an ISAKMP header. The initiator and responder cookies are generated by the two peers and, together with the message ID, identify the state of the ISAKMP exchange. The cookies are 8-byte random values that identify the IKE SA (they act as its SPI). The initiator generates its cookie in the first ISAKMP header sent to the peer and leaves the responder cookie zero; the responder copies the initiator cookie, generates its own responder cookie and replies. From then on each side checks that both cookies in an incoming header match the ones it knows, and a header whose cookies do not match is rejected. The Next Payload field gives the type of the ISAKMP payload that immediately follows the header. The ISAKMP version is given by the Major Version and Minor Version fields (4 bits each); for IKEv1 the major version is 1 and the minor version 0. The Exchange Type field identifies the exchange (for example 2 for Identity Protection, i.e. Main Mode, 4 for Aggressive Mode, 5 for Informational). The Flags field is one octet of which only the three low-order bits are used: bit 0 is the Encryption bit, set when the payloads after the header are encrypted; bit 1 is the Commit bit, set to ensure that encrypted data is not received before the SA has been established; bit 2 is the Authentication Only bit, set when the payloads are authenticated but not encrypted. The Message ID field (4 octets) is zero in phase 1 and a random value in phase 2, so that parallel phase 2 exchanges can be told apart. The Length field (4 octets) gives the total length of the header plus the payloads.

1.7.1.1. IKE phase 1

Phase 1 first authenticates the peers and then establishes a secure channel for the SA negotiation. The peers agree on a mutually acceptable ISAKMP SA, including the encryption algorithm, hash function, authentication method and Diffie-Hellman group used to protect the key exchange. Once the encryption and hash algorithms are agreed, a shared secret is generated. The following information goes into it:
- the Diffie-Hellman values;
- the SPI of the ISAKMP SA, i.e. the cookies;
- the nonces.
The peers also exchange identity payloads, and if they authenticate with certificates they exchange the certificates too. After this exchange each side derives its keys locally from the shared secret, so the encryption keys are produced without any key ever travelling over the network. The purpose of phase 1 is to create a secure channel between the peers so that the phase 2 negotiation can take place safely.

1.7.1.2. IKE phase 1.5 (optional)

This phase is used when authenticating VPN clients. It uses Extended Authentication (Xauth), which adds user-level authentication of the IPsec tunnel inside IKE. Other parameters can also be exchanged between the peers: Mode Configuration supplies the client with parameters such as an IP address and DNS server addresses, and is used to push security attributes from the server to the clients.

1.7.1.3. IKE phase 2

While phase 1 negotiates the SA for ISAKMP, phase 2 establishes the SAs for IPsec itself. In this phase the SAs for the various services are negotiated: the authentication method, hash function and encryption algorithm that will protect the subsequent IPsec packets (using AH and/or ESP) are agreed as part of the phase 2 SA. Phase 2 negotiation happens far more often than phase 1: the IPsec SAs are re-keyed whenever their lifetime (a time or a traffic volume) expires, which may be as short as a few minutes. Changing keys frequently limits what an attacker gains from breaking one key to the traffic of one short period.
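The ISAKMP header described above (Figure 1.12), parsed and sanity-checked in code. This is an added example and not code from the original page; it assumes the RFC 2408 header layout (two 8-octet cookies, next payload, version, exchange type, flags, message ID, length). Because the same header also arrives inside UDP port 4500 when NAT Traversal is in use (section 1.7.3.2), the second function shows how a receiver tells an IKE datagram (preceded by a 4-octet zero "Non-ESP marker"), an ESP packet (non-zero SPI first) and a NAT keepalive (a single 0xFF octet) apart. The sample message is constructed here for the demonstration.

```python
import struct
from dataclasses import dataclass

ISAKMP_HEADER_LEN = 28          # 8 + 8 + 1 + 1 + 1 + 1 + 4 + 4 octets
FLAG_ENCRYPTION = 0x01          # bit 0: payloads after the header are encrypted
FLAG_COMMIT = 0x02              # bit 1: commit bit
FLAG_AUTH_ONLY = 0x04           # bit 2: authenticated but not encrypted


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the fixed 28-octet ISAKMP header (RFC 2408 section 3.1) and check it."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    cky_i, cky_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    hdr = IsakmpHeader(cky_i, cky_r, next_payload, version >> 4, version & 0x0F,
                       exch, flags, msg_id, length)
    if hdr.major_version != 1:
        raise ValueError(f"unsupported ISAKMP major version {hdr.major_version}")
    if flags & ~(FLAG_ENCRYPTION | FLAG_COMMIT | FLAG_AUTH_ONLY):
        raise ValueError("reserved flag bits set")
    # The Length field is attacker-controlled: never use it to index the buffer
    # before checking it against what actually arrived.
    if hdr.length < ISAKMP_HEADER_LEN or hdr.length > len(data):
        raise ValueError("ISAKMP length field inconsistent with datagram")
    if cky_i == bytes(8):
        raise ValueError("initiator cookie must be non-zero")
    return hdr


def classify_udp4500_payload(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way NAT-T receivers do (RFC 3948)."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"        # Non-ESP marker, an ISAKMP header follows
    if len(payload) >= 8:
        return "esp"        # first 4 octets are a non-zero SPI
    return "invalid"


def sample_first_message() -> bytes:
    """Constructed Main Mode message 1: exchange type 2, responder cookie still zero,
    an SA payload (type 1) next, message ID 0, and a length matching the datagram."""
    body = b"\x00" * 20      # stand-in for the SA payload
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0,
                      ISAKMP_HEADER_LEN + len(body))
    return hdr + body


if __name__ == "__main__":
    h = parse_isakmp_header(sample_first_message())
    print(h.major_version, h.minor_version, h.exchange_type, h.encrypted, h.length)
    print(classify_udp4500_payload(b"\x00\x00\x00\x00" + sample_first_message()))
```

The length check matters in practice: several historical IKE daemon crashes came from trusting the Length field or a payload length and reading past the datagram.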
In general one phase 2 session corresponds to one phase 1 session. However, several phase 2 exchanges can be supported by a single phase 1 SA, which makes the otherwise slow IKE transaction relatively fast. IKE, building on Oakley, defines four commonly used modes.

Series on IP Security (Part 7): the four IKE modes

1.7.2. IKE modes

Four IKE modes are commonly implemented:
- Main Mode
- Aggressive Mode
- Quick Mode
- New Group Mode

1.7.2.1. Main Mode

Main Mode authenticates the parties and protects their identities during the exchange. Six messages are exchanged between the peers:
- the first two negotiate the security policy for the exchange;
- the next two exchange the Diffie-Hellman public values and the nonces; the keys derived from them play the central role in the encryption that follows;
- the last two authenticate the parties with the help of hashes or signatures and, optionally, certificates. These two messages are already encrypted under the freshly derived keys, which is why the identities are protected.

Figure 1.13. Messages exchanged in Main Mode

1.7.2.2. Aggressive Mode

Aggressive Mode is essentially the same as Main Mode, except that only three messages are exchanged instead of six, so it is faster. The messages are:
- the first proposes the security policy and carries the initiator's Diffie-Hellman public value, nonce and identity, for the later signing and verification;
- the second answers the first: it carries the responder's values, authenticates the responder and completes the policy negotiation;
- the last authenticates the initiator of the session.
The price of the speed is that the identities travel in the clear and, with pre-shared-key authentication, the responder's authentication hash is sent unencrypted together with every value needed to recompute it except the key itself. A captured Aggressive Mode exchange can therefore be attacked offline with a dictionary, so Aggressive Mode with a guessable pre-shared key should be avoided.
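The phase 1 key derivation described in 1.7.1.1 and the Aggressive Mode weakness just mentioned, as an added example that is not part of the original page. Both peers run the RFC 2409 pre-shared-key derivation (SKEYID and SKEYID_d/_a/_e) and arrive at the same keys without any key on the wire; the third function then plays the eavesdropper, who in Aggressive Mode sees cookies, nonces, Diffie-Hellman values, SA proposal, identity and HASH_R in the clear and tests pre-shared-key guesses offline. Assumptions: HMAC-SHA1 as the negotiated prf, the peer names and the pre-shared key "quantri" (the string this page later uses in its Windows example) are constructed, and the Diffie-Hellman modulus 2^521 - 1 with generator 3 is only a stand-in chosen because its primality is easy to state; it is not an IKE group and offers no security guarantee.

```python
import hashlib
import hmac
import secrets

# Stand-in DH group (assumption, see lead-in): a Mersenne prime, g = 3.
# Real IKE uses the MODP groups of RFC 2409 / RFC 3526.
P = (1 << 521) - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when HMAC-SHA1 is the negotiated hash algorithm (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_bytes(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE peer's phase 1 material: cookie, nonce and Diffie-Hellman values."""
    def __init__(self, identity: bytes):
        self.identity = identity
        self.cookie = secrets.token_bytes(8)       # ISAKMP cookie, the IKE SA's SPI
        self.nonce = secrets.token_bytes(16)       # Ni or Nr
        self.x = secrets.randbelow(P - 2) + 1      # private exponent, never sent
        self.gx = int_bytes(pow(G, self.x, P))     # public value, sent in the clear


def derive_phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for pre-shared keys, then SKEYID_d, SKEYID_a, SKEYID_e."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sa_i, id_r):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sa_i + id_r)


def run_phase1(psk: bytes, sa_proposal: bytes):
    """Simulate both peers; return their keys and what a sniffer sees in Aggressive Mode."""
    i, r = Peer(b"gw-a.example"), Peer(b"gw-b.example")     # constructed identities
    gxy_i = int_bytes(pow(int.from_bytes(r.gx, "big"), i.x, P))   # initiator's g^xy
    gxy_r = int_bytes(pow(int.from_bytes(i.gx, "big"), r.x, P))   # responder's g^xy
    keys_i = derive_phase1_keys(psk, i.nonce, r.nonce, gxy_i, i.cookie, r.cookie)
    keys_r = derive_phase1_keys(psk, i.nonce, r.nonce, gxy_r, i.cookie, r.cookie)
    # In Aggressive Mode every input to HASH_R except the PSK travels unencrypted.
    transcript = dict(cky_i=i.cookie, cky_r=r.cookie, ni=i.nonce, nr=r.nonce,
                      gxi=i.gx, gxr=r.gx, sa_i=sa_proposal, id_r=r.identity,
                      hash_r=hash_r(keys_r[0], i.gx, r.gx, i.cookie, r.cookie,
                                    sa_proposal, r.identity))
    return keys_i, keys_r, transcript


def crack_aggressive_psk(t: dict, candidates):
    """Offline dictionary attack: recompute HASH_R for each guess and compare."""
    for guess in candidates:
        skeyid = prf(guess, t["ni"] + t["nr"])
        candidate = hash_r(skeyid, t["gxi"], t["gxr"], t["cky_i"], t["cky_r"],
                           t["sa_i"], t["id_r"])
        if hmac.compare_digest(candidate, t["hash_r"]):
            return guess
    return None


if __name__ == "__main__":
    keys_i, keys_r, sniffed = run_phase1(b"quantri", b"\x00" * 16)
    print("peers derived identical keys:", keys_i == keys_r)
    print("PSK recovered from transcript:",
          crack_aggressive_psk(sniffed, [b"password", b"quantri", b"admin"]))
```

In Main Mode the same HASH_R is sent inside the encrypted fifth and sixth messages, so the sniffer has nothing to test guesses against; that, not a different key derivation, is what the extra three messages buy.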

Figure 1.14. Messages exchanged in Aggressive Mode

Both Main Mode and Aggressive Mode belong to phase 1.

1.7.2.3. Quick Mode

The third IKE mode, Quick Mode, is the phase 2 mode. It negotiates the SAs for the IPsec security services, and it can also generate fresh keying material. If Perfect Forward Secrecy (PFS) was agreed in phase 1, a completely new Diffie-Hellman exchange is performed, so the IPsec keys do not depend on the phase 1 secret; otherwise the new keys are derived by hashing the existing phase 1 keying material together with fresh nonces.

Figure 1.15. Messages exchanged in Quick Mode

1.7.2.4. New Group Mode

New Group Mode is used to negotiate a new private Diffie-Hellman group, to make later Diffie-Hellman exchanges easier. The figure below shows New Group Mode. Although it runs after phase 1, it is not part of phase 2.

Figure 1.16. Messages exchanged in New Group Mode

Besides the four modes above there is also the Informational exchange. It accompanies the phase 2 exchanges and the lifecycle of the SAs and gives the parties extra information, mostly about failures during negotiation. For example, if decryption fails at the receiver or a signature cannot be verified, an Informational message tells the other party. Informational exchanges are also used to delete SAs.

Figure 1.17. Summary of the IKE modes

1.7.3. Other IKE functions

1.7.3.1. Dead Peer Detection (DPD)

DPD is bidirectional. After a set interval without traffic a device sends its peer a message whose only purpose is to confirm that the peer is still alive; the peer must reply, otherwise the connection is considered lost. This saves time and resources: packets are not kept flowing into a tunnel whose other end has gone away.

IKE keepalives: another way for a peer to keep the connection with other IKE devices alive is the one-way IKE keepalive message, sent every 10 seconds by default.

1.7.3.2. NAT Traversal

When traffic is protected with ESP, a NAT device has nothing to work with: the transport-layer ports are inside the ESP payload, so a port-translating NAT cannot multiplex several IPsec hosts behind one address, and in transport mode the TCP/UDP checksum protected by ESP no longer matches once the addresses have been rewritten. AH is worse, because its integrity check covers the IP addresses themselves, so any NAT rewrite makes authentication fail. NAT Traversal (NAT-T) was therefore added to IKE: during phase 1 the peers detect whether a NAT is on the path (by exchanging hashes of their addresses and ports), and if so the ESP packets are no longer carried directly in IP but encapsulated in UDP (port 4500), so the NAT sees ordinary UDP datagrams with ports it can translate.

1.7.3.3. Xauth (user authentication)

Xauth allows AAA (Authentication, Authorization, Accounting) methods to be used to authenticate the user. Xauth does not replace IKE: it authenticates the user, whereas the phase 1 authentication authenticates the device.

Series on IP Security (final part): authentication and data integrity with keys and hash functions

1.8. Authentication and integrity checking with keys and hash functions

Figure 1.18. Data-integrity check with a hash function and a key

The sender combines the shared key and the message with a hash function to produce a Message Authentication Code (MAC), then sends the message and the MAC to the receiver over an insecure channel. The receiver, holding the same key, runs the same hash computation over the received message to produce its own MAC and compares it with the MAC it received. If the two match the data is intact; if not, the data was modified (or the keys differ) and the packet is discarded.

1.8.1. Hash algorithms

A hash algorithm converts a message of any length into a fixed-length string. By its properties it is essentially the same thing as a message digest. Different inputs should not produce the same hash value; finding two inputs that do is called a collision and must be computationally infeasible. When the algorithm is used together with a key, data integrity can be guaranteed as long as the key stays secret. Because a hash function is one-way, hashing is also commonly used to hide sensitive information such as passwords in databases and files (for passwords a slow, salted hash should be used, since a plain fast hash of a guessable password is easily reversed by brute force).

1.8.2. HMAC

Plain hashes are widely used for integrity checks, but an attacker who can change the data can simply recompute the hash. To add security, HMAC is used: a hash function is applied to the message combined with a key, producing a fixed-length MAC that only holders of the key can compute. Commonly used hash functions:

MD5 (Message-Digest Algorithm 5) is a widely used cryptographic hash with a 128-bit digest. An Internet standard (RFC 1321), MD5 is used in many security applications and to check file integrity; its value is usually written as 32 hexadecimal characters. MD5 was used in most digital-signature applications to reduce a large file to a short digest before signing it with the private key. Practical collision attacks on MD5 have been known since 2004, so it should no longer be used for signatures or certificates; HMAC-MD5 is not broken by those collisions, but it is deprecated all the same.

SHA-1 (Secure Hash Algorithm 1) is used in many security applications and protocols, including SSL/TLS, SSH and IPsec. It was designed as the successor to MD5 and produces a 160-bit digest, of which IPsec uses only the first 96 bits (HMAC-SHA1-96). SHA-1 is slower than MD5 but stronger. Collisions for SHA-1 have also been demonstrated (2017), so new configurations should prefer the SHA-2 family.

Besides these there are other hash functions such as MD4, SHA-224, SHA-256, SHA-384 and SHA-512.
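The MAC check of Figure 1.18 in code, as an added example that is not from the original page. It contrasts an unkeyed digest, which an on-path attacker recomputes after altering the message, with HMAC-SHA1 truncated to 96 bits as IPsec's HMAC-SHA1-96 does, verified with a constant-time comparison. The key and the message are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def plain_digest(message: bytes) -> bytes:
    """An unkeyed SHA-1 digest: anyone can recompute it, so it only detects accidents."""
    return hashlib.sha1(message).digest()


def hmac_sha1_96(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 truncated to its first 96 bits, as IPsec's HMAC-SHA1-96 does (RFC 2404)."""
    return hmac.new(key, message, hashlib.sha1).digest()[:12]


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    # compare_digest does not leak how many leading bytes matched through timing
    return hmac.compare_digest(hmac_sha1_96(key, message), mac)


def tamper(message: bytes, offset: int) -> bytes:
    """Flip one bit of the message, as an on-path attacker would."""
    b = bytearray(message)
    b[offset] ^= 0x01
    return bytes(b)


def attacker_forges_plain_digest(message: bytes):
    """Without a key the attacker just recomputes the digest of the altered message."""
    altered = tamper(message, 0)
    return altered, plain_digest(altered)


def demo() -> dict:
    key = os.urandom(20)                        # shared secret known to both peers
    msg = b"transfer 100 to account 42"        # constructed sample payload
    mac = hmac_sha1_96(key, msg)
    altered, forged_digest = attacker_forges_plain_digest(msg)
    return {
        "genuine_verifies": verify(key, msg, mac),
        "tampered_rejected": not verify(key, altered, mac),
        # a receiver that checks only a plain digest accepts the forged pair:
        "plain_digest_fooled": plain_digest(altered) == forged_digest,
        # the attacker cannot produce a MAC for the altered message without the key:
        "forged_mac_rejected": not verify(key, altered, hmac_sha1_96(b"guess", altered)),
        "mac_len_bits": len(mac) * 8,
    }


if __name__ == "__main__":
    print(demo())
```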

Table 1.2. Parameters of the hash algorithms

Table 1.3. Comparison of MD5 and SHA-1

A hash function is one-way: it produces a hash value from the original data, but the data cannot be recovered from the hash.

1.9. Applicability of IPsec

1.9.1. Limitations of IPsec

IPsec is designed to secure IP connections between machines, but there are several things it does not do:
- IPsec is not secure if your systems are not secure. Host security on the IPsec gateways is a prerequisite for IPsec to work as designed; there is no security if the underlying machines are compromised.
- IPsec does not provide end-to-end security in the sense that systems at higher layers do. It encrypts the IP link between two machines, which is different from encrypting mail between two users or between two applications.
- IPsec does not do everything. If you need a document digitally signed by a particular person, you need digital signatures and a public-key infrastructure to verify them. Note, however, that IPsec's authentication of the communication layer makes many higher-layer attacks harder, in particular man-in-the-middle attacks.
- IPsec authenticates machines, not users. IPsec uses strong authentication to control which messages reach which machine, but it has no notion of user identity, which many security mechanisms and policies need. Care is therefore needed when combining the various security mechanisms in a network.
- IPsec does not stop denial-of-service attacks.
- IPsec does not stop traffic analysis. Traffic analysis tries to learn from messages without reading their contents; with IPsec it works on what is visible in the unencrypted headers of the encrypted packets: the source and destination gateway addresses, packet sizes, timing and so on.

1.9.2. How to use IPsec

- Authentication only. In some cases IPsec can provide authentication without confidentiality, for example:
  o the data is public but someone wants to be sure they received the right data, e.g. from a website;
  o encryption is not legally permitted;
  o strong encryption is already used at a lower layer, e.g. the data link layer;
  o strong encryption is already used at a layer above IP.
- Encryption without authentication is dangerous: an attacker can modify ciphertext undetected, and published attacks recover plaintext from unauthenticated ESP. Today you can use:
  o ESP for confidentiality and authentication;
  o AH for authentication only.
Combinations that should not be used:
  o encryption with ESP and no authentication;
  o encryption with ESP and authentication with AH: more overhead than ESP with its own authentication;
  o authenticating twice, with both AH and ESP: certainly secure, but with a large overhead;
  o ESP with authentication but no encryption, i.e. ESP with NULL encryption: the original advice was to use AH when only authentication is needed. Note, though, that ESP-NULL passes through NAT with NAT-T whereas AH cannot, so current practice usually prefers ESP-NULL over AH.

End.
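The ESP with NULL encryption just mentioned, built as the tunnel-mode datagram of Figure 1.10 and checked on receipt with the keyed hash of section 1.8 plus an anti-replay window. This is an added example and not code from the original page; it assumes the RFC 4303 ESP layout (SPI, sequence number, payload, padding, pad length, next header, ICV), HMAC-SHA1-96 as the integrity algorithm and a 64-packet window, and the addresses, key and inner packet are constructed. Because the encryption is NULL, the inner packet is readable on the wire; what the example demonstrates is integrity, the tunnel encapsulation and why the window must only move for packets that pass the ICV check.

```python
import hashlib
import hmac
import struct

ESP_ICV_LEN = 12                 # HMAC-SHA1-96: first 96 bits of HMAC-SHA1
NEXT_HEADER_IPIP = 4             # tunnel mode: ESP carries a whole IPv4 packet
IPPROTO_ESP = 50


def icv(auth_key: bytes, data: bytes) -> bytes:
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ESP_ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for the constructed samples."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))


def esp_tunnel_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes,
                           gw_src: str, gw_dst: str) -> bytes:
    """Outer IP header + ESP(SPI, seq, inner packet, padding, pad len, next header, ICV)."""
    pad_len = (-(len(inner) + 2)) % 4                  # align pad len + next header to 4 octets
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default padding 1, 2, 3 ...
    esp = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, NEXT_HEADER_IPIP])
    esp += icv(auth_key, esp)                          # the ICV covers SPI, seq and payload
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + len(esp)) + esp


class InboundSA:
    """Receiver state for one SA: key plus a 64-entry anti-replay window (RFC 4303 3.4.3)."""
    WINDOW = 64

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key = spi, auth_key
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) already accepted

    def decapsulate(self, outer: bytes) -> bytes:
        esp = outer[20:]
        if len(esp) < 8 + 2 + ESP_ICV_LEN:
            raise ValueError("short ESP packet")
        body, tag = esp[:-ESP_ICV_LEN], esp[-ESP_ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # 1. replay window check first: cheap, and it drops floods of old packets
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq <= self.highest:
            behind = self.highest - seq
            if behind >= self.WINDOW or (self.bitmap >> behind) & 1:
                raise ValueError(f"replayed or too-old sequence number {seq}")
        # 2. integrity check in constant time
        if not hmac.compare_digest(icv(self.auth_key, body), tag):
            raise ValueError("ICV mismatch: packet modified or wrong key")
        # 3. advance the window only for packets that authenticated
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != NEXT_HEADER_IPIP:
            raise ValueError("not a tunnel-mode packet")
        return body[8:len(body) - 2 - pad_len]         # the original inner IP packet


def rejected(sa: InboundSA, pkt: bytes) -> bool:
    try:
        sa.decapsulate(pkt)
        return False
    except ValueError:
        return True


def demo() -> dict:
    key = bytes(range(20))                                            # constructed auth key
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 17, 25) + b"hello"    # constructed inner packet

    def send(seq: int) -> bytes:
        return esp_tunnel_encapsulate(inner, 0x1001, seq, key, "203.0.113.1", "198.51.100.1")

    sa = InboundSA(0x1001, key)
    r = {"inner_recovered": sa.decapsulate(send(2)) == inner}
    r["late_but_new_accepted"] = sa.decapsulate(send(1)) == inner     # seq 1 arrives after 2
    r["replay_rejected"] = rejected(sa, send(2))
    tampered = bytearray(send(3))
    tampered[40] ^= 0x01                                              # flip a bit of the inner packet
    r["tampered_rejected"] = rejected(sa, bytes(tampered))
    r["window_unmoved_by_bad_packet"] = sa.decapsulate(send(3)) == inner   # genuine 3 still fits
    return r


if __name__ == "__main__":
    print(demo())
```

Step 3 is the detail implementations get wrong: if the window advanced on the forged sequence number 3 before the ICV failed, the attacker could knock the genuine packet 3 out of the window with nothing but a spoofed header.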

The Internet today has many security problems, among them the lack of an effective way to authenticate and protect privacy below the application layer. On the Internet, security at the IP layer is commonly provided by IPsec (Internet Protocol Security). Let us recall a few points about this tool for securing the IP layer.

IPsec:

IPsec authenticates the sender and encrypts the connection, and so provides a secure link. Structurally IPsec consists of:
- two security protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP);
- two modes of operation: tunnel mode and transport mode. Tunnel mode applies IPsec by adding a new IP header and using the entire original IP packet as the payload; it is commonly used in VPNs. Transport mode applies IPsec to packets sent by a host and is used for end-to-end connections between nodes;
- the Security Policy Database (SPD), which holds the security policy and selects what applies to actual traffic;
- the Security Association Database (SAD), which holds the parameters needed to establish IPsec connections and apply IPsec;
- key-exchange procedures: AH and ESP need keys for their encryption and authentication algorithms. The keys could be installed in some other way, manually for instance, but that is laborious and impractical in a large system, so an automatic key exchange is needed. IPsec provides a standard procedure for this, the Internet Key Exchange (IKE).

IPsec in IPv6:

IPsec itself supports both IPv4 and IPv6 addresses. In IPv6, however, IPsec support was defined as a mandatory feature (a MUST in RFC 4294; RFC 6434 later relaxed it to a SHOULD). In IPv4, NAT is used very widely, and a NAT device alters the header of every packet, which gets in the way of IPsec. With its vast address space, IPv6 was expected to let IPsec be used widely for end-to-end communication. IPsec's two security protocols are built into IPv6 as two extension headers: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The two headers can be used together or separately to provide different levels of security to different users. AH provides authentication; it supports many authentication technologies, and using it defeats many network attacks, including host masquerading. ESP provides integrity and confidentiality for IPv6 packets; although simpler than some comparable security protocols, it remains flexible and independent of the algorithms used. The newer version of IPsec also improved the IKE key-exchange protocol (IKEv2), with changes to the headers and the messages exchanged. IPsec is regarded as one of the basic features of IPv6, and one often reads that IPv6 is more secure because IPsec is mandatory. At present, however, although many operating systems support IPsec, its use in IPv6 for end-to-end connections is not common. One reason is that IPsec is today mostly used to secure site-to-site links (VPN) rather than end-to-end connections, which are one of the strengths of IPv6. Current firewall-centred network designs and the habit of using application-layer security protocols keep end-to-end IPsec from being widely adopted. The IETF working groups are still revising and completing the IPsec standards for AH and ESP and working towards every IPv6 node being IPsec-capable, so that IPsec becomes as widespread as IPv6 itself.

Deploying IPsec on Windows Server 2003

TrungKFC on Sat Nov 06, 2010 8:28 am

1. What is IPsec?

IP Security (IPSec) is a protocol that supports establishing secure IP-based connections. It operates at layer three (Network) of the OSI model, so it is more secure and more convenient than security protocols at the Application layer such as SSL. IPSec is also an important component supporting the L2TP protocol in Virtual Private Network (VPN) technology. To use IPSec you must create rules; an IPSec rule is the combination of two components, IPSec filters and IPSec actions. For example, the content of a rule might be "encrypt all Telnet data sent from the machine with address 192.168.0.10"; it has two parts: the filter part says the rule applies only when data is sent from 192.168.0.10 through port 23, and the action part is to encrypt the data.

2. Security actions

Microsoft's IPSec supports four kinds of security action, which let the system set up secure exchanges of information between machines. The security actions in Windows Server 2003 are:
- Block transmissions: blocks packets being transmitted. For example, if you want IPSec to block data sent from machine A to machine B, the IPSec program on B simply discards all data arriving from A.
- Encrypt transmissions: encrypts the packets being transmitted. For example, we want data sent from A to B, but we fear that someone may eavesdrop on the network link between A and B, so we configure IPSec to use the ESP (Encapsulating Security Payload) protocol to encrypt the data before it goes onto the network. Eavesdroppers then see random-looking bytes and cannot understand the real data. Because IPSec works at the Network layer, the encryption is almost entirely transparent to users, who can send mail, transfer files or telnet as usual.
- Sign transmissions: signs the packets being transmitted, to stop attackers on the network from impersonating packets sent from machines you have set up a trust relationship with, a kind of attack also called man-in-the-middle. IPSec lets you counter this with the Authentication Header protocol, a method of digitally signing packets before transmission; it only prevents forgery and falsification of information, not eavesdropping. The principle is that the system appends a bit to the end of every packet sent over the network, from which we can check whether the data was altered in transit.
- Permit transmissions: allows data through; it is used to create rules that restrict some things and not others, for example "block all traffic except data on ports 80 and 443".

Note: for the sign and encrypt actions the system asks you to specify which authentication method IPSec should use. Microsoft supports three: Kerberos, certificates, or an agreed-upon key. Kerberos works only between machines in the same Active Directory domain or in Active Directory domains that trust each other. Certificates let you use PKI (public key infrastructure) certificates to identify a machine. A pre-shared key lets you use an ordinary text string as the key.

3. IPsec filters

To make IPSec more flexible, Microsoft added the concept of the IPSec filter. A filter lists the conditions under which a rule applies, and so limits the scope of a security action to a certain set of machines or services. IPSec filters are based mainly on:
- the IP address, subnet or DNS name of the source machine;
- the IP address, subnet or DNS name of the destination machine;
- the port number and port type (TCP, UDP, ICMP).

That is the theory; the actual set-up of IPsec is described in fair detail in the document KFC posted, which you can read and follow yourselves (I am posting it again). Download link: 4shared.com/file/19094338/ad0a57b6/Tailieu_win2003.html. Download it and read; it is on pages 243/255 to 249/255. He he. Good luck.

TrungKFC (posts: 16, joined 25/10/2010)

Review IPSEC (IP Security)

Introduction to IPsec: a significant amount of data travels over a LAN in a form that can easily be captured and decoded by a protocol analyser attached to the network. Once data has been captured, an attacker can alter it and retransmit the modified packet on the network. To protect data in transit from these attacks you can encrypt network data with IPsec. IPsec lets you define the scope of the encryption; for example, you can encrypt all network traffic for specific clients or for all clients in a domain. IPsec is an industry-standard set of protocols defined to verify, authenticate and encrypt data at the IP packet level.

IPsec security policies. In Windows 2000 and later, three policies are configured by default:
- Client (Respond Only): if another computer asks the client to use IPsec, it responds with IPsec.
- Server (Request Security): can be used on both servers and clients. It always tries IPsec first but can fall back to unsecured communication if the peer has no IPsec policy.
- Secure Server (Require Security): can be used on both servers and clients. When assigned, the computer communicates only with IPsec and never falls back to unsecured communication.

IPsec relies on mutual authentication to provide secure communication. Three authentication methods are used:
- Preshared keys: a random-looking string of characters used like a password between two IPsec hosts; usable between IPsec hosts in a workgroup.
- Kerberos: used in an Active Directory domain.
- Certificates from a Certification Authority (CA): used across organisational boundaries, for example over a WAN.

Review IPSEC (IP Security) (continued)

Practical situation: a building is rented by several companies, each in its own room. All the computers are on one LAN but divided into workgroups, one per company (the workgroup name is the company name). Company ABC has a little over ten computers; with so few machines it has no network administrator. It hires you as a technician to configure things so that only PCs in the same company (workgroup) can see and share data with each other, to stop staff of other companies deleting its data. Analysis: because the company has few PCs it does not want to hire an administrator to set up a complex configuration, so IPsec can be used to meet the requirement. Implementation:

Example illustration of what happens if the PCs are not set up as above

Situation: a real-world model

The An Tin Center has the network shown in the figure above. The administrator is required to use IPsec to protect data transmitted on the network. Requirements:
1. Traffic between staff computers and the File Server need not be encrypted.
2. Traffic between the director's office computers and the File Server must be encrypted to prevent information leakage.
3. Data exchanged between staff computers is not important and need not be encrypted.
4. Traffic between staff computers and the Web Server need not be encrypted.
5. Traffic between the director's office computers and the Web Server must be encrypted.
6. All access to the Database Server must be encrypted; unencrypted connections are not accepted.

Analysis and solution. From the requirements above:
1. Machines connecting to the File Server include both IPsec and non-IPsec machines, so the File Server gets the Server (Request Security) policy.
2. Connections to the Database Server must always be secured, so it gets Secure Server (Require Security).
3. The Web Server is a client of the Database Server and a server for the workstations browsing its websites; workstations may or may not use IPsec, so it gets Server (Request Security).
4. The director's office machines need security when talking to the File Server, Database Server and Web Server, so they get Client (Respond Only). Note that Respond Only secures traffic only when the peer requests it; here that is guaranteed because all three servers request or require security. If a server might not request IPsec, assign Server (Request Security) or Secure Server to the director's machines instead.
5. Staff machines accessing the File Server and Web Server, or each other, need no security, so no IPsec policy is assigned to them.

From this analysis we obtain the following model:

Configuring network security

I. Digital signatures and public-key cryptography

1. Digital signatures
A digital signature is a short piece of data attached to a document to authenticate its author and to let the recipient check the integrity of the document's contents. It is created by applying a one-way hash function to the original document to produce a message digest, also called a fingerprint, and then encrypting that digest with the signer's private key; the result is attached to the original document and sent. On receipt the message is split in two: the original document is hashed again, and the resulting fingerprint is compared with the fingerprint recovered by decrypting the signature with the signer's public key.

2. The SSL protocol
SSL (Secure Sockets Layer) combines several cryptographic algorithms to secure the exchange of information on the network. Encryption is transparent, and SSL supports many protocols running over TCP. SSL is built on proven cryptographic primitives: symmetric and asymmetric encryption, one-way hash functions, digital-signature algorithms and so on.

3. Encryption methods
a. Secret-key encryption
Secret-key cryptography is also called symmetric cryptography. Sender and receiver share one key for both encryption and decryption; before data is encrypted and sent over the network, both parties must hold the key and agree on the algorithm used to encrypt and decrypt. Algorithms for secret-key encryption include DES (Data Encryption Standard), 3DES (triple-strength DES), RC2 (Rivest Cipher 2) and RC4. Of these only 3DES is still acceptable, and only for legacy use; DES, RC2 and RC4 are broken or too weak, and AES should be used for new deployments.
b. Public-key encryption
Public-key cryptography solves the key-distribution problem of secret-key cryptography by using a public key and a private key. The public key is published on the network while the private key is kept secret; the two keys have opposite roles, one encrypts and the other decrypts. The method is also called asymmetric cryptography because it uses two different keys. Typical algorithms are RSA (named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman) and Diffie-Hellman (DH), which is a key-agreement algorithm rather than an encryption algorithm.

II. IPsec

1. Introduction to IPsec
IP Security (IPSec) is a protocol that supports establishing secure IP-based connections. It operates at layer three (Network) of the OSI model, so it is more secure and more convenient than security protocols at the Application layer such as SSL. IPSec is also an important component supporting the L2TP protocol in Virtual Private Network (VPN) technology. To use IPSec one must create rules; an IPSec rule is the combination of two components, IPSec filters and IPSec actions.

2. Security actions
Microsoft's IPSec supports four kinds of security action, which let the system set up secure exchanges of information between machines. The security actions in Windows Server 2003 are:
* Block transmissions: blocks packets being transmitted. For example, to have IPSec block data sent from machine A to machine B, the IPSec program on B simply discards all data arriving from A.
* Encrypt transmissions: encrypts the packets being transmitted. For example, we want data sent from A to B, but fear that someone may eavesdrop on the network link between A and B, so we configure IPSec to use the ESP (Encapsulating Security Payload) protocol to encrypt the data before it goes onto the network. Eavesdroppers then see random-looking bytes and cannot understand the real data. Because IPSec works at the Network layer, the encryption is almost entirely transparent to users, who can send mail, transfer files or telnet as usual.
* Sign transmissions: signs the packets being transmitted, to stop attackers on the network from impersonating packets sent by machines with which a trust relationship has been set up; this kind of attack is also called man-in-the-middle. IPSec counters it with the Authentication Header protocol, which digitally signs packets before transmission; it prevents forgery and falsification of information but not eavesdropping. The mechanism is that the sender adds an integrity check value (a keyed hash over the packet) to each packet sent over the network, from which the receiver can check whether the data was altered in transit.
* Permit transmissions: allows data through; it is used to create rules that restrict some things and not others, for example "block all traffic except data on ports 80 and 443".
Note: for the sign and encrypt actions the system asks which authentication method IPSec should use. Microsoft supports three: Kerberos, certificates, or an agreed-upon key. Kerberos works only between machines in the same Active Directory domain or in Active Directory domains that trust each other. Certificates allow PKI (public key infrastructure) certificates to identify a machine. A pre-shared key allows an ordinary text string to be used as the key; it is the weakest of the three, since the string is stored in the policy and can be read by anyone who can read it.

3. IPsec filters
To make IPSec more flexible, Microsoft added the concept of the IPSec filter. A filter lists the conditions under which a rule applies, and so limits the scope of a security action to a certain set of machines or services. IPSec filters are based mainly on:
* the IP address, subnet or DNS name of the source machine;
* the IP address, subnet or DNS name of the destination machine;
* the port number and port type (TCP, UDP, ICMP, ...).

4. Deploying IPsec on Windows Server 2003
Windows Server 2003 has no separate tool for configuring IPSec, so IPSec is deployed through the policy tools for the local machine or for the domain. To open the IPSec configuration tool, click Start > Programs > Administrative Tools > Local Security Policy, or click Start > Run and type secpol.msc; in that tool select IP Security Policies on Local Machine.

Figure 5.1. The Local Security Settings console

In summary, the points to remember when deploying IPSec:
* IPSec on Windows 2003 is deployed through policies; on any given computer only one IPSec policy is active at a time.
* Each IPSec policy consists of one or more rules and an authentication method. Although Permit and Block rules do not use authentication, Windows still requires an authentication method to be specified.
* IPSec can authenticate through Active Directory (Kerberos), PKI certificates or a pre-shared key.
* Each rule consists of one or more filters and one or more security actions.
* The four actions a rule can use are block, encrypt, sign and permit.

a. The built-in IPSec policies
In the main pane of the IPSec configuration tool, on the right, three built-in policies appear, named Client, Server and Secure Server. All three are initially unassigned. Note that only one policy can be assigned and active at a time: assigning a new policy puts the currently active one back into the inactive state. The three built-in policies in detail:
* Client (Respond Only): the computer does not initiate IPSec unless it receives an IPSec request from its peer. This policy lets the machine connect to both IPSec and non-IPSec computers.
* Server (Request Security): the server actively tries to initiate IPSec whenever it connects to another computer, but if the client cannot use IPSec the server still accepts an unprotected connection.
* Secure Server (Require Security): no data exchange with this server is allowed without IPSec.

b. Example: creating an IPSec policy that guarantees an encrypted connection
In this section we build an IPSec policy that guarantees an encrypted connection between two computers: machine A with address 203.162.100.1 and machine B with address 203.162.100.2. On each machine we add two rules to the IPSec policy (besides the system's own rules): one for data coming into the machine and one for data leaving it. The first rule on machine A, for example, consists of:
* Filter: activate the rule when data is sent to address 203.162.100.1, on any port.
* Security action: encrypt the data.
* Authentication: the pre-shared key is the string quantri.
* The second rule for machine A is the same except that the filter is reversed: data sent from address 203.162.100.1.
Tip: the easiest way to create a rule is to define the filters and security actions first, and only then create the rule from them. In production, a short dictionary word such as quantri is a poor pre-shared key: anyone who can read the policy, or who captures an Aggressive Mode exchange, can recover it, so prefer Kerberos or certificates, or at least a long random string.
Configuring the IPSec policy

* In the Domain Controller Security Policy tool, right-click IP Security Policies on Active Directory, then choose Manage IP filter lists and filter actions.
* In the dialog that appears, select the Manage IP filter lists tab, then click Add to add a new filter list.
* In the dialog that appears, click Add to add a new filter list. Enter a name for it; in this example we name it Connect to 203.162.100.1. Click the Add button again so that the system guides us through entering the information for the filter.
* Click Next in the Welcome to the IP Filter Wizard dialog.
* Tick the Mirrored option so that this rule applies in both directions, which saves the effort of creating two rules.
* For Source address choose My IP Address.
* For Destination address choose A specific IP Address and enter the address 203.162.100.1; leave IP Protocol Type at its default. Finally choose Finish to complete the declaration, then click OK to return to the first dialog.
* Next switch to the Manage Filter Actions tab to create the security actions. Click Add so that the system guides us through entering the information about the action.
* First name this action, for example Encrypt. Then under Filter Action choose Negotiate security, and under IP Traffic Security choose Integrity and encryption. This completes the creation of a security action.
* The next job is an IPSec policy containing a rule that combines the filter and the action just created above. In the Domain Controller Security Policy tool, right-click IP Security Policies on Active Directory, then choose Create IP Security Policy; following the wizard, enter the policy name, for example First IPSec, and then clear the Activate the default response rule checkbox. Leave the remaining values at their defaults, because we will not use this dynamic rule and will create a new rule instead.
* In the IPSec policy dialog, click Add to create a new rule. The system guides us step by step: at the filter-list step choose the filter list just created above, Connect to 203.162.100.1; at the action step choose the action just created, Encrypt. At the authentication-method step choose Use this string to protect the key exchange and enter the string used as the data-encryption key; in this example it is quantri.
* At this point the IPSec policy required above is complete. In the main window of the Domain Controller Security Policy tool, right-click the First IPSec policy and choose Assign so that the policy becomes active on the server.

REVIEW QUESTIONS

What are the benefits of digital signatures?
What foundation does the operating mechanism of the SSL protocol rest on?
Why must data be encrypted?
What is the function of IPSec?
What elements are IPSec filters based on?

TEST QUESTIONS

Read and mark the correct answer on the answer sheet:

A protocol that supports establishing secure IP-based connections is:
a. VPN
b. NAT
c. IPSec
d. None of the above

To use IPSec, one has to create:
a. Rules
b. Laws
c. Regulations
d. Conditions

An IPSec rule is the combination of two components, namely:
a. IPSec filters
b. IPSec actions
c. L2TP
d. Both a and b are correct

The secret-key encryption method is also called:
a. Secure encryption
b. Symmetric encryption
c. Public-key encryption
d. All of the above

Microsoft's IPSec supports four kinds of action:
a. Block
b. Discard
c. Secure
d. None of the above

The Kerberos method can only be applied between machines in the same Active Directory domain or in Active Directory domains that:
a. Have a relationship with each other
b. Build a domain
c. Authenticate
d. Delegate to each other

Each IPSec policy consists of one or more:
a. Filters
b. Rules
c. Actions
d. Certificates

Each rule consists of one or more:
a. Actions
b. Conditions
c. Elements
d. Filters

Although Permit and Block rules do not use authentication, Windows still requires specifying:
a. An encryption method
b. An authentication method
c. An action method
d. None of the above

When a new policy is applied, the currently active policy returns to the state:
a. Inactive
b. Normal
c. Secure
d. Activated

Complete the following sentences:

A filter serves to ........ the conditions for a rule to operate.
The certificate-based method allows the use of ... certificates to identify a machine.
IPSec is also an important component supporting the ...... protocol in Virtual Private Network (VPN) technology.
An IPSec rule is ...... of two components: filters and actions.
The operating mechanism of the ... protocol is based on proven cryptographic applications.

IPSec and its uses

http://nis.com.vn/nis/images/stories/itarticles/Ipsec/ipsec-image6.gif

For administrators, understanding Internet Protocol Security (IPSEC) helps us protect information travelling on the network more securely, and configuring IPSEC to use X.509 certificates can produce a maximally secure authentication process for network communication.

A. Setting up IPSEC

IPSEC is a security standard for communication between systems and between networks. With IPSEC, verification, authentication and encryption of data are the main functions. All of this is carried out at the level of the IP packet.

Purpose of IPSEC: it is used to secure data in information transfers over the network. The admin can establish one or more sets of rules, called an IPSEC Policy; these rules contain Filters, which are responsible for determining which kinds of traffic require encryption, digital signing, or both. After that, every packet the computer sends is examined to see whether or not it meets the policy's conditions. If it does, the packet may be encrypted or digitally signed according to what the policy prescribes. This process is completely invisible to the user and to the application that initiated the transmission over the network.

Because IPSEC is carried inside every standard IP packet, IPSEC can be used across the network without requiring special configuration on devices or between the two computers. However, IPSEC does not encrypt some kinds of network traffic, such as broadcast, multicast, and packets of the Kerberos authentication protocol.

Advantages of using IPSEC: the main advantage of IPSEC is that it provides an encryption solution for all protocols operating at layer 3, the Network Layer of the OSI model, and also for the higher-layer protocols. IPSEC can provide:
- Mutual authentication before and throughout the communication. IPSEC requires both parties in the communication to identify themselves during the whole exchange.
- Confidentiality through encryption and digital signing of packets. IPSEC has two modes: Encapsulating Security Payload (ESP), which provides encryption using many different algorithms, and Authentication Header (AH), which authenticates the exchanged information but does not encrypt it.
- Integrity of the exchanged information, with immediate rejection of any information that has been modified. Both ESP and AH check the integrity of the exchanged information. If a packet is modified, the digital signatures will not match, and as a result the packet is dropped. ESP also encrypts the source and destination addresses as part of encrypting the exchanged information.
- Protection against Replay attacks (information exchanged over the network is intercepted by an attacker, modified, and sent later to the recipient's address; the recipient is unaware of this and still believes it is legitimate information). IPSEC uses a technique of numbering its data packets consecutively (sequence numbers) so that an attacker cannot reuse intercepted data for illegitimate purposes. Using sequence numbers also helps protect against the interception and theft of data that is later used to gain access as if legitimately.

Example uses of IPSEC: the loss of information while it is transferred over the network can damage an organization's operations; this warns organizations to build tightly secured network systems for important information such as product data, financial reports and marketing plans. In such cases organizations can use IPSEC to guarantee the privacy and safety of network communication (intranet, extranet), including communication between workstation and server and between server and server. Example: IPSEC policies can be created for the computers that connect to a server holding the organization's important data (financial situation, personnel list, development strategy). The IPSEC policy protects the organization's data against attacks from outside and guarantees the integrity of the information as well as safety for the client.

How does IPSEC work?

IPSEC can be configured through local policy or, for wide-scale deployment, through Active Directory Group Policy (GPO).

1. Suppose we have two computers, Computer A and Computer B, and an IPSEC policy is configured on both. Once configured, the IPSEC policy tells the IPSEC driver how to operate and determines the security associations between the two computers when a connection is established. The security associations govern which encryption protocols will be used for which kinds of traffic and which authentication methods will be offered for negotiation.

2. Security associations are negotiated. Internet Key Exchange (IKE) is responsible for negotiating and creating the security association. IKE combines two protocols: the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley Key Determination Protocol. If Computer A requires authentication via certificate and Computer B requires the Kerberos protocol, IKE cannot establish a security association between the two computers. If you use Network Monitor to watch IPSEC in operation, you will not see any AH or ESP packets, because IPSEC communication has not been established; you will probably only observe the ISAKMP packets.

3. If the security association is established between the two computers, the IPSEC driver observes all IP traffic and compares it with the traffic defined in the filters; where there is a match, that traffic is encrypted or digitally signed.

http://nis.com.vn/nis/images/stories/itarticles/image002.jpg
Figure 1. IPSEC communication between two computers in an Active Directory domain

IPSEC SECURITY POLICY:

An IPSEC security policy consists of one or more rules that determine how IPSEC operates. Administrators can set up IPSEC through a policy. Each policy can contain one or more rules, but only one policy can be active on a computer at any given time. Administrators must therefore combine all the rules they want into a single policy. Each rule consists of:
- Filter: the filter tells the policy which traffic the filter action applies to. Example: an administrator can create a filter that identifies only HTTP or FTP traffic.
- Filter Action: tells the policy what action to take if the traffic matches the description defined in the filter. Example: instruct IPSEC to block all FTP communication, while HTTP communication is encrypted. The filter action can also specify which encryption and hashing algorithms the policy should use.
- Authentication method: IPSEC provides three authentication methods: Certificates (typically computers deploying IPSEC obtain certificates from a Certificate Authority (CA) server), Kerberos (the common authentication protocol in an Active Directory domain), and Preshared Key (a secret key; a simple authentication method). Each rule of an IPSEC policy can include several of the authentication methods just mentioned.

THE DEFAULT IPSEC POLICIES:

Since Windows 2000, IPSEC has shipped with three preconfigured policies to make deployment convenient.
- Client (Respond only): a passive policy; it only responds using IPSEC if the partner requests it, and is usually enabled on workstations. This default policy has only one rule, called the Default Response Rule. This rule allows the computer to respond to IPSEC ESP requests from trusted computers in the Active Directory domain. ESP is an IPSEC mode that provides confidentiality together with authentication, integrity and protection against replay attacks.
- Server (Request Security): a computer operating under this policy always takes the initiative to use IPSEC in communication; however, if the partner does not use IPSEC, unsecured communication is still allowed. This policy can be used for either servers or workstations. The policy has three rules: the Default Response rule (as described above); the Permit ICMP (Internet Control Message Protocol) rule, which allows communication using the ICMP protocol, for example ping (although ICMP is a protocol for checking and reporting the state of network connectivity, serving troubleshooting, it can also be disabled to increase network security, since some common attack methods target weaknesses of ICMP); and Request ESP for all IP traffic.
- Secure Server (Require Security): mandates IPSEC for network communication. This policy can be used for both servers and workstations. Once this policy is assigned, unsecured communication is not allowed. The policy has three rules: the first two are the same as above, the Default Response rule and Permit ICMP, and the third rule specifies that all communication (except ICMP) must be encrypted with ESP, otherwise the server will not communicate.

HOW A SECURITY ASSOCIATION IS NEGOTIATED

Administrators should not look only at the individual characteristics of a policy. The two computers performing the security negotiation must have complementary policies. If the two computers can negotiate successfully, IPSEC is used. If negotiation fails because of a policy disagreement, the two computers may either stop communicating or accept unsecured communication. Examples of how policies interact between Computer A and Computer B:
- Computer A requires ESP for HTTP communication and Computer B requires AH for HTTP, so the two computers cannot negotiate a security association.
- The Kerberos authentication protocol is the default authentication method for all three policies described. The Kerberos protocol is used by computers in the same Active Directory forest; if one of the two computers is not in the same AD forest, the security method cannot be negotiated. Similarly, when Computer A uses Kerberos and Computer B uses certificates as the authentication method for IP traffic, the negotiation will not succeed either. However, we can equip Computer A or Computer B with several authentication methods (both Kerberos and certificates, ...); as long as one matching authentication method is found between the two computers, authentication begins.

Take the default Secure Server (Require Security) policy as an example. If Computer A is set to use this policy, it cannot communicate with any computer that is not equipped with IPSEC. Example: Computer A requests query results from the AD domain's DNS server (the DNS server does not use IPSEC); the query will not be carried out. Computer A needs to access a SQL server (which does not use IPSEC); it cannot access it either. If Computer A uses the Server (Request Security) policy, unsecured communication with computers not equipped with IPSEC can still take place. In practice, IPSEC policies should be deployed so as to secure important information while still allowing basic communication to proceed.

http://nis.com.vn/nis/images/stories/itarticles/Ipsec/image004.gif
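The three-rule structure of the built-in Server (Request Security) and Secure Server (Require Security) policies described above, together with a rule that offers more than one authentication method as in the last paragraph, written as an added netsh ipsec static example; this is not code from the article. The policy, filter-list and action names, the CA distinguished name CN=Example Root CA,O=Example, and the ESP method list are placeholders chosen for this example. The Request Security and Require Security behaviours differ only in the filter action's soft and inpass settings, which is the point the block makes explicit.

```powershell
# Added example, not the article's code: the rule structure of the built-in
# Server (Request Security) and Secure Server (Require Security) policies
# expressed with "netsh ipsec static", plus a rule that offers two
# authentication methods (Kerberos or a certificate). Placeholders chosen for
# this example: the policy/filter-list/action names, the CA distinguished name
# "CN=Example Root CA,O=Example", and the ESP method list.

# Filter lists: all traffic from/to this host, and ICMP only.
netsh ipsec static add filterlist name="All IP Traffic (example)"
netsh ipsec static add filter filterlist="All IP Traffic (example)" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
netsh ipsec static add filterlist name="All ICMP Traffic (example)"
netsh ipsec static add filter filterlist="All ICMP Traffic (example)" srcaddr=me dstaddr=any protocol=ICMP mirrored=yes

# Filter actions.
# "Permit" passes traffic untouched; this is what the Permit ICMP rule uses.
netsh ipsec static add filteraction name="Permit (example)" action=permit
# "Require ESP" negotiates ESP and never falls back to clear text
# (soft=no, inpass=no): the Secure Server behaviour.
netsh ipsec static add filteraction name="Require ESP (example)" action=negotiate qmsecmethods="ESP[3DES,SHA1] ESP[3DES,MD5]" soft=no inpass=no
# "Request ESP" tries ESP but allows unprotected traffic with peers that
# cannot negotiate (soft=yes, inpass=yes): the Server (Request Security) behaviour.
netsh ipsec static add filteraction name="Request ESP (example)" action=negotiate qmsecmethods="ESP[3DES,SHA1] ESP[3DES,MD5]" soft=yes inpass=yes

# Policy with the default response rule enabled, like both built-in policies.
netsh ipsec static add policy name="Require Security (example)" activatedefaultrule=yes assign=no

# Rule 1: permit ICMP. Windows applies the most specific matching filter, so
# this ICMP-only filter wins over the all-traffic filter below. An
# authentication method must still be named even though Permit never uses it.
netsh ipsec static add rule name="Permit ICMP" policy="Require Security (example)" filterlist="All ICMP Traffic (example)" filteraction="Permit (example)" kerberos=yes

# Rule 2: require ESP for everything else, offering Kerberos OR a certificate
# chained to the placeholder CA. IKE succeeds as soon as one offered method is
# also in the peer's list; with Kerberos alone, a peer outside the forest
# would fail to negotiate, as the text describes.
netsh ipsec static add rule name="Require ESP for all traffic" policy="Require Security (example)" filterlist="All IP Traffic (example)" filteraction="Require ESP (example)" kerberos=yes rootca="CN=Example Root CA,O=Example"

# For the Request Security variant, bind the same filter list to
# "Request ESP (example)" instead of "Require ESP (example)". Then assign.
netsh ipsec static set policy name="Require Security (example)" assign=yes
```

Before assigning a policy of this kind on a real host, confirm that every peer it must reach (domain controllers, DNS, SQL) is either in the same forest or holds a certificate issued under the named CA: the text's example of Computer A losing its DNS and SQL servers is exactly what the soft=no action produces when no authentication method or security method is common to both sides.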
