
OVERVIEW OF VIRTUAL PRIVATE NETWORKS (VPN)

1. The virtual private network (VPN)

Definition: a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or remote users to a LAN at a central headquarters. Instead of a physical connection that is fairly complex to arrange, such as a leased digital subscriber line, a VPN creates virtual links carried over the Internet between an organisation's private network and the remote site or user.

Some characteristics of a VPN:
- Security
- Reliability
- Scalability
- Network management
- Policy management

2. VPN models

2.1. Remote-Access: also called a Virtual Private Dial-up Network (VPDN), this is the User-to-LAN form of connection used by companies whose employees need to reach the private network from remote locations. Typically, a company can expect to set up a large-scale remote-access network using resources from an Enterprise Service Provider (ESP). The ESP installs a Network Access Server (NAS) and provides the remote users with client software for each of their machines. These remote employees can then dial a 1-800 number to reach the NAS and use the VPN client software to access their company network. The companies that use this kind of connection are large firms with hundreds of travelling sales staff. Remote-access VPNs provide secure, encrypted connections between the company's private network and its remote employees through a third-party service provider.

2.2. Site-to-Site: by using dedicated equipment and large-scale security mechanisms, a company can connect many sites over a public network such as the Internet. Site-to-site VPNs come in one of two forms:
- Intranet-based: used when a company has one or more remote locations, each with its own LAN. The company can then build a VPN that joins those LANs into a single private network.
- Extranet-based: when a company has a close relationship with another company (for example a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and lets the companies work in an environment with shared resources.

Figure 2.1: Model of the three VPN types.

3. Security methods

A well-designed VPN usually uses several methods to keep the connection up and keep data safe in transit:

Firewall - A firewall provides an effective barrier between the user's private network and the Internet. The user can use the firewall to restrict which ports are open, which kinds of packets are allowed through and which protocols are used. Some VPN products, such as Cisco's 1700 router, can be upgraded to include a firewall by running the corresponding Cisco IOS on the router. Users should also have a firewall in place before using a VPN, but a firewall can also block VPN sessions.

Encryption - This is the process of enciphering data as it leaves the computer according to a fixed rule, so that the computer at the far end can decipher it. Most computer encryption systems fall into one of two categories:
- Symmetric-key encryption (private-key encryption)
- Public-key encryption
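The paragraphs that follow explain symmetric-key encryption with a shift-by-2 letter substitution and then the hybrid scheme in which the sender encrypts the data with a symmetric key and encrypts that key with the recipient's public key. The Python program below is an added example written for this page, not code from the original document or from PGP: it implements the shift-by-2 substitution, a toy HMAC-based keystream standing in for the symmetric algorithm, and an unpadded textbook RSA pair on two fixed small primes standing in for the public-key algorithm, so the whole hybrid flow can be run and inspected. The primes, the 4-byte session key and the cipher constructions are assumptions chosen only to keep the numbers readable; none of them is a real cipher for real traffic.

```python
"""Added educational example: the two encryption families named above and the
hybrid (symmetric key wrapped by public key) flow the text goes on to describe.
Every primitive here is a toy chosen so the flow is visible and runnable:
shift-by-2 substitution, an HMAC-SHA256 keystream, and unpadded textbook RSA
on two fixed small primes. None of it is a real cipher for real traffic."""
import hashlib
import hmac
import secrets
from math import gcd


# --- Symmetric-key example from the text: replace each letter by the one two
# positions later (A -> C, B -> D); the shared secret is the shift amount. ---
def shift_encrypt(text: str, key: int = 2) -> str:
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(text: str, key: int = 2) -> str:
    return shift_encrypt(text, -key)


# --- Toy symmetric stream cipher: keystream block i = HMAC-SHA256(key, i),
# XORed onto the data. XOR is its own inverse, so one function does both. ---
def stream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        keystream = hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


# --- Toy public-key pair: textbook RSA with fixed small primes (assumption:
# chosen only so the numbers stay readable; no padding, no real security). ---
P, Q = 104729, 1299709


def make_keypair(e: int = 65537):
    n = P * Q
    phi = (P - 1) * (Q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # private exponent; modular inverse needs Python 3.8+
    return (n, e), (n, d)  # public key, private key


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


# --- The hybrid flow from the text: data under the symmetric key, the
# symmetric key under the recipient's public key. ---
def hybrid_send(recipient_public, plaintext: bytes, session_key=None):
    if session_key is None:
        session_key = secrets.token_bytes(4)  # 4 bytes so its integer value fits under n
    ciphertext = stream_xor(session_key, plaintext)
    wrapped_key = rsa_encrypt(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped_key, ciphertext


def hybrid_receive(recipient_private, wrapped_key: int, ciphertext: bytes) -> bytes:
    session_key = rsa_decrypt(recipient_private, wrapped_key).to_bytes(4, "big")
    return stream_xor(session_key, ciphertext)


def demo() -> bytes:
    """Round trip: the sender only ever holds the recipient's public key."""
    public, private = make_keypair()
    wrapped, ciphertext = hybrid_send(public, b"meet at the data centre at 9")
    return hybrid_receive(private, wrapped, ciphertext)


if __name__ == "__main__":
    print(shift_encrypt("HELLO VPN"))  # JGNNQ XRP
    print(demo())
```

Running the file prints the shift-by-2 ciphertext of HELLO VPN (JGNNQ XRP) and the recovered plaintext of the hybrid exchange. The point to notice is in hybrid_send and hybrid_receive: the bulk data never goes through the public-key operation, only the short symmetric key does, which is exactly the division of labour the text describes for PGP-style systems.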

In symmetric-key encryption, each computer has a secret code that it uses to encrypt packets before sending them. This private key must be installed on every computer that exchanges information using private-key encryption, and the computers must know the decryption procedure agreed in advance. The secret code is then used to decrypt the packet. Example: an encrypted letter is produced in which each character of the text is replaced by the character two positions after it in the alphabet, so A becomes C and B becomes D. The two parties have agreed on the private key "shift by 2". The recipient of the letter decrypts it with that private key, while anyone else cannot read its contents.

The sending computer encrypts the data with the secret (symmetric) key, then encrypts that symmetric key itself with the recipient's public key. The receiving computer uses its own private key, which corresponds to that public key, to decrypt the symmetric key, and then uses the symmetric key to decrypt the data.

Public-key encryption uses a combination of a private key and a public key to encrypt and decrypt. The private key is used only on that computer, while the public key is sent to the other computers it wants to exchange protected information with. To decrypt the encrypted data, the other computer must use the public key it received together with its own private key. A widely used public-key encryption program is Pretty Good Privacy (PGP), which can encrypt almost anything; more information is available on the PGP home page.

4. Techniques and protocols used in VPNs

4.1. Techniques used in VPNs

VPN technology relies on tunneling. VPN tunneling refers to establishing and maintaining a logical network connection (which may pass through intermediate hops). Over this connection, packets are built in the format of the VPN protocol and encapsulated in another protocol (for instance TCP/IP packets), then carried to the client or server and unpacked at the receiving end. Many VPN protocols encapsulate into IP packets. VPN protocols also support authentication and encryption to secure the tunnel.

Types of VPN tunnel: VPNs support two kinds of tunnel, voluntary and compulsory.
- Voluntary tunnel: the VPN client manages connection setup. The client first connects to the ISP, then the VPN application creates a tunnel to the VPN server over this direct connection.
- Compulsory tunnel: the network provider (ISP) manages VPN connection setup. The VPN client first connects to the ISP, and the ISP makes the connection between the client and the VPN server. From the VPN client's point of view the connection takes a single step (compared with two steps for voluntary tunneling). Compulsory tunneling identifies the client and associates it with the designated VPN server using logical connections pre-built in the access devices, called VPN FEPs (Front End Processors), NASs or POSs.

4.2. VPN tunneling protocols

Many network protocols are used for VPN tunneling. The three below are the most common, and they are not compatible with each other.

* PPTP (Point-to-Point Tunneling Protocol)

PPTP is a variant of the Point-to-Point Protocol for transmission over dial-up networks. PPTP suits the remote-access use of VPNs but also supports LAN internetworking. PPTP operates at layer 2 of the OSI model.

Using PPTP: PPTP encapsulates data in PPP packets, which are then placed in IP packets and sent through the VPN tunnel. PPTP supports encrypting and compressing these data packets. PPTP also uses GRE (Generic Routing Encapsulation) to carry the data to its final destination. In PPTP the VPN tunnel is created in two stages:
- The PPTP client connects to the ISP over dial-up or ISDN.
- Through the access device, PPTP creates a TCP control connection between the VPN client and the VPN server to establish the tunnel. PPTP uses TCP port 1723 for these connections.

PPTP also supports VPN connections over a LAN. No ISP connection is needed in that case, so the tunnel can be created directly. Once the VPN tunnel is established, PPTP supports the following two kinds of traffic:

- Control messages to manage and monitor the VPN connection. Control messages can be sent directly between the VPN client and server.
- Data packets passing through the tunnel to or from the VPN client.

PPTP control connection: as soon as the TCP connection is established, PPTP uses a series of control messages to maintain the VPN connection.

PPTP security: PPTP also supports authentication, encryption and packet filtering. PPTP authentication uses EAP (Extensible Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol). PPTP also supports packet filtering on the VPN server.

* Layer 2 Forwarding (L2F)

L2F is a protocol developed by Cisco Systems at the same time Microsoft was developing PPTP. It lets remote hosts reach an organisation's intranet over public network infrastructure with security and tight management. Like PPTP, L2F secures private network access over public infrastructure by building a tunnel across the public network between the client and the host. Because it is a layer 2 protocol, L2F can be used for protocols other than IP, such as IPX and NetBEUI.

* Layer 2 Tunneling Protocol (L2TP)

L2TP combines PPTP and L2F. Compared with PPTP it has more security features. L2TP uses UDP as the encapsulation for both tunnel maintenance and user data. Whereas PPTP uses MPPE (Microsoft Point-to-Point Encryption) for encryption, L2TP relies on a more secure solution: L2TP packets are protected by IPsec ESP in transport mode. L2TP can be placed inside an IPsec packet, combining the security advantages of IPsec with the benefits of user authentication, tunnel address assignment and configuration, and multi-protocol support from PPP. L2TP offers the flexibility and economy of remote access together with the quick point-to-point connectivity of PPTP.

* IP security (IPsec)

The IPsec architecture provides a framework for security at the IP layer for both IPv4 and IPv6. Because the security is provided at this layer, higher-layer protocols such as transport and application protocols can use IPsec security without any changes.
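A defender's first question about the protocols above is which of them are actually crossing the perimeter. The Python classifier below is an added example, not code from the original document or from any vendor: it tags firewall flow records with the tunnelling component they carry, using the facts stated on this page (PPTP control on TCP 1723 with GRE data, L2TP protected by IPsec ESP, and SSTP over HTTPS on TCP 443, which the SSTP paragraphs further down describe), plus the standard IANA assignments for L2TP (UDP 1701), IKE and NAT-T (UDP 500 and 4500) and the ESP and AH IP protocol numbers (50 and 51), which the page does not state. The key=value record format, the addresses and the timestamps are constructed for the example. It also derives two findings per source/destination pair: PPTP still in use, and L2TP seen without any ESP or NAT-T from the same peer.

```python
"""Added example (not from the original document): tag firewall flow records
with the VPN tunnelling component they carry and raise two defender findings
drawn from the text: PPTP still in use, and L2TP seen without IPsec ESP from
the same peer pair. Record format, addresses and timestamps are constructed."""
import re
from collections import defaultdict

# Constructed sample records in a generic key=value style (no real vendor format).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ALLOW proto=tcp src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=1723
2024-05-01T09:00:02Z ALLOW proto=gre src=198.51.100.7 dst=203.0.113.10
2024-05-01T09:01:10Z ALLOW proto=udp src=198.51.100.8 dst=203.0.113.10 sport=1701 dport=1701
2024-05-01T09:01:11Z ALLOW proto=esp src=198.51.100.8 dst=203.0.113.10
2024-05-01T09:02:00Z ALLOW proto=udp src=198.51.100.9 dst=203.0.113.10 sport=1701 dport=1701
2024-05-01T09:03:00Z ALLOW proto=udp src=198.51.100.11 dst=203.0.113.10 sport=500 dport=500
2024-05-01T09:03:01Z ALLOW proto=udp src=198.51.100.11 dst=203.0.113.10 sport=4500 dport=4500
2024-05-01T09:04:00Z ALLOW proto=tcp src=198.51.100.12 dst=203.0.113.10 sport=40000 dport=443
2024-05-01T09:05:00Z ALLOW proto=ah src=198.51.100.13 dst=203.0.113.10
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str):
    """'<ts> <action> k=v k=v ...' -> dict; None for blank or malformed lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    record = {"ts": parts[0], "action": parts[1]}
    record.update(FIELD_RE.findall(parts[2]))
    return record


def classify(record: dict) -> str:
    """Map one flow to the tunnelling component it most likely carries.
    TCP 1723 + GRE for PPTP are stated in the text; UDP 1701 (L2TP),
    UDP 500/4500 (IKE, NAT-T) and IP protocols 50/51 (ESP, AH) are the
    standard IANA assignments."""
    proto, dport = record.get("proto"), record.get("dport")
    if proto == "tcp" and dport == "1723":
        return "PPTP control (TCP 1723)"
    if proto == "gre":
        return "PPTP data (GRE-encapsulated PPP)"
    if proto == "udp" and dport == "1701":
        return "L2TP (UDP 1701)"
    if proto == "udp" and dport == "500":
        return "IPsec IKE (UDP 500)"
    if proto == "udp" and dport == "4500":
        return "IPsec NAT-T (UDP 4500, ESP inside UDP)"
    if proto == "esp":
        return "IPsec ESP (IP protocol 50)"
    if proto == "ah":
        return "IPsec AH (IP protocol 51)"
    if proto == "tcp" and dport == "443":
        return "HTTPS or SSTP (TCP 443; not distinguishable by port)"
    return "other"


def analyse(log_text: str):
    """Return (labels in input order, findings per src->dst peer pair)."""
    labels = []
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        label = classify(record)
        labels.append(label)
        per_pair[(record.get("src"), record.get("dst"))].add(label)

    findings = []
    for (src, dst), kinds in sorted(per_pair.items()):
        if any(k.startswith("PPTP") for k in kinds):
            findings.append(f"{src}->{dst}: PPTP in use (MPPE only); "
                            "plan the migration to L2TP/IPsec or SSTP")
        has_l2tp = any(k.startswith("L2TP") for k in kinds)
        has_esp = any(k.startswith(("IPsec ESP", "IPsec NAT-T")) for k in kinds)
        if has_l2tp and not has_esp:
            findings.append(f"{src}->{dst}: L2TP without IPsec ESP/NAT-T from the "
                            "same peer; the tunnel is not protected by IPsec")
    return labels, findings


if __name__ == "__main__":
    labels, findings = analyse(SAMPLE_LOG)
    for label in labels:
        print(label)
    for finding in findings:
        print("FINDING:", finding)
```

The last classifier branch is the caveat that the SSTP paragraphs below make explicit: because SSTP deliberately rides on TCP 443 so that it passes firewalls, NAT and web proxies, a port-based inventory cannot separate it from ordinary HTTPS, and confirming it needs the SSTP server's own logs or inspection beyond the port. The L2TP finding follows from the text's statement that L2TP's protection comes from IPsec ESP: UDP 1701 from a peer that never sends ESP or NAT-T is a tunnel running without that protection.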
When encrypting and authenticating data, IPsec uses one or both of the following protocols to protect the information:
- Authentication Header (AH): the packet header is encrypted and protected against IP spoofing and man-in-the-middle attacks. In this case, however, only the packet header is protected; the actual payload is not.
- Encapsulating Security Payload (ESP): the payload is encrypted, stopping attackers using sniffing programs from intercepting the data.
Normally, to protect information sent over a public network, the two protocols AH and ESP are combined.

* SSTP in VPNs

- There are situations, such as an employee visiting a customer or partner site or staying in a hotel, where the network only allows web access (HTTP, HTTPS) and all other ports are blocked. As a result these remote users have trouble making VPN connections, which increases help-desk calls and lowers employee productivity.
- Secure Socket Tunneling Protocol (SSTP) is a new VPN tunnel introduced in Windows Server 2008 to solve this VPN connectivity problem. SSTP does so by using HTTPS as its transport layer so that VPN connections can pass through the firewalls, NAT devices and web proxy servers that are commonly deployed. Because HTTPS (TCP 443) is commonly used to reach protected Internet sites such as e-commerce sites, HTTPS is usually open on firewalls and can pass through web proxies and NAT routers.
- A VPN server running on Windows Server 2008 with SSTP listens for SSTP connections from VPN clients. The SSTP server must have a Computer Certificate installed with the Server Authentication property. This Computer Certificate is used to authenticate the SSTP server to the SSTP client while the SSL session is being set up. The client validates the SSTP server's certificate; for this to work, the root CA that issued the SSTP server's certificate must be installed on the SSTP client.
- An SSTP-based VPN tunnel functions like an L2TP- or PPTP-based peer tunnel. This means PPTP is wrapped over SSTP, which keeps the traffic as HTTPS connection traffic. Thus all the other VPN features, such as NAT-based health checks, carrying IPv6 traffic over the VPN, authentication methods such as username and smart card, and VPN clients based on the connection manager, remain unchanged across SSTP, PPTP and L2TP. This gives administrators a good migration path from L2TP/PPTP to SSTP.

* How does SSTP work?

- SSTP runs over HTTPS, that is, HTTP using SSL to protect information and data. SSL also provides a mechanism to authenticate the endpoints when PKI is required. SSTP uses SSL to authenticate the server to the client and relies on the PPP running on top of it to authenticate the client to the server. In other words, the client authenticates the server by certificate, and the server authenticates the client through the existing protocols supported by PPP.
- When a client connects to a Remote Access Server using SSTP as the tunneling protocol, SSTP establishes an HTTPS session with the remote server on port 443 at a specific URL. HTTP proxy settings configured through IE are used to set up this connection. Within the HTTPS session, the client requires the server to present a certificate for authentication. When the SSL handshake completes, the HTTP session is established on top of it. SSTP is then used to negotiate parameters between client and server. Once the SSTP layer is established, SSTP negotiation begins, providing client-to-server authentication and creating the tunnel for data.

5. VPN deployment solutions

5.1. Hardware-based VPN deployment

VPN deployment is mainly based on Cisco systems, as they are always the best choice. Depending on the type of VPN deployed (remote access or point-to-point), certain components will need to be installed to build the virtual private network. These may be:
- Desktop client software for remote users.
- High-end hardware such as a VPN concentrator or a PIX security firewall.
- Routers and switches capable of programmable routing.
- High-end VPN servers for dial-up service.
- A NAS (network access server) run by the provider to serve remote users.
- The VPN network and management centre.

VPN concentrator: there are many VPN processors from different vendors, but Cisco's products stand out in several features. Integrating the most advanced encryption and access-authentication techniques available today, the VPN concentrator is designed specifically for this kind of network. These units contain SEP encryption processing modules, which let users easily increase capacity and packet throughput. The product line has models suited to businesses from small to large (from 100 to 10,000 simultaneous remote connections).

Figure 2.2: The Cisco VPN 3000 concentrator.

Routers and switches for VPN: these devices provide transport and security features. Based on its Internet operating system IOS, Cisco develops routers suited to every situation, from home-to-office access to the needs of large enterprises.

Cisco PIX firewall: the Private Internet Exchange firewall includes a very powerful network address translation mechanism, a proxy server, packet filtering, VPN features and blocking of unauthorised access. Instead of IOS, this device has a highly structured operating system that handles many protocols and performs very well by concentrating on IP.

Figure 2.3: VPN model using Cisco equipment.

Advantages:
- Fast, stable transmission quality.
- Very high transmission and data security.
- High scalability, ensuring that new applications such as IP telephony and video conferencing can be added.

Disadvantages:
- Relatively high initial cost.
- Very demanding hardware requirements.
- Relies heavily on the OSI model for encrypting and transmitting data.
- Requires administrators with good security knowledge.

5.2. Software-based VPN deployment

Windows 2000 Server and later operating systems allow a VPN server to be set up by taking advantage of the built-in remote access service. Once the server is set up as a VPN server, workstations (clients) can access resources on the internal network (LAN) as if they were connected to it directly. The remote connection service, through the VPN client to the server, ensures secure access to information on the internal network by means of encryption and tunneling protocols over the Internet, with the goal of creating a virtual private network on top of the Internet for exchanging data and using database services on the network.

a. Hardware requirements: a high-speed ADSL line is needed for connection and communication. The VPN client connects to the server providing the VPN service to join the company's virtual private network and is assigned a suitable IP address to reach internal resources. The data server runs Windows Server 2008 or 2008 R2, and Windows Server 2008 or 2008 R2 acts as the VPN server; the VPN server has one network card connected to the internal network and one network card connected to the network segment carrying the external Internet service (the ADSL link to the outside). The best-performing server runs applications on Microsoft's Domain Controller platform to ensure safe sharing of data and services on the LAN (file service, internal email, Internet email, business software: accounting, document and task management, HR and payroll, ...).

b. Software requirements: the Microsoft Windows Server 2008 or 2008 R2 operating system must be installed.

Advantages:
- Moderate initial cost, suitable for small and medium systems.
- No heavy hardware requirements.
- Easy and convenient to administer.
- Many security packages integrated into the system.
- Very high transmission and data security.
- High scalability, ensuring that new applications such as IP telephony and video conferencing can be added.

6. Benefits of VPN

Some of the benefits a VPN brings:
- Extends connectivity outward.
- Delivers services quickly (internal services).
- Strengthens network security.
- Supports remote access and remote work, and increases interaction.
- Simplifies the network architecture.
- Effective remote network administration.
- Easy management: the number of users can be managed (connections can be added or removed continuously and quickly).
