
Wireless LAN security - 21/7/2006 11h:5


1. Introduction
Wireless LANs are now widely deployed and their benefits are well known, but securing them is also very difficult. In this article we only touch on and discuss some basic techniques for securing such a system and some effective security solutions.
2. Why security is so important
Why do we have to care about the security of a wireless LAN? The answer stems from the inherent nature of the wireless medium. To connect to a wired LAN you need access to the cabled transmission path: you have to plug a PC into a network port. With a wireless network you only need to have your machine within the radio coverage area of the network. Controlling a wired network is simple: the cabling normally runs inside office buildings, and unused ports can be disabled with management applications. Wireless (or radio) networks use radio waves that pass through building materials, so coverage is not limited to the inside of a building. Radio signals from the transmitters of these LANs can be received on the street, and someone with suitable equipment can use them to gain access. A company's wireless network can therefore be accessed from outside the company's own building. Figure 1 shows how a stranger can access a wireless LAN from outside. The solution is to secure the network so that this kind of access is prevented.

Example of a stranger accessing the network

3. Weaknesses in 802.11 security
The IEEE 802.11 standard provides WEP (Wired Equivalent Privacy) to protect wireless transmissions. WEP uses a symmetric cipher to encrypt the traffic of users on the wireless network. 802.11 specifies 64-bit WEP keys, and 128-bit WEP keys have since been offered as well. 802.11 does not specify how the keys are distributed. A WEP key consists of two parts: a 24-bit initialization vector (IV) and a secret key. The IV is transmitted in plain text in the header of 802.11 packets. This makes it very easy to crack. The next solution was therefore to use dynamic WEP keys that can be changed frequently.
The 802.11 standard authenticates clients using the WEP key. The industry standard that followed uses 802.1x authentication (see section 7) to make up for the shortcomings of the earlier 802.11 standard. Recently, however, the University of Maryland documented potential security problems with this 802.1x protocol. Today's solution is to use mutual authentication to prevent man-in-the-middle attacks, together with dynamic WEP keys that are carefully distributed, and encrypted channels. Both techniques are supported by the TLS (Transport Layer Security) protocol. Most notable are per-packet keying and message integrity checking. This is the 802.11i security standard.

Wireless LAN security (Part 2) - 22/7/2006 7h:22




4. Structure of a wireless LAN

A wireless LAN consists of three parts: Wireless Clients, Access Points and an Access Server. A Wireless Client is typically a laptop with a wireless NIC (Network Interface Card) installed that allows it to access the wireless network. Access Points (APs) provide radio coverage in a given area (known as a cell) and connect to the wireless network. The Access Server controls access. Both 802.11b (11 Mbps LAN at 2.4 GHz) and Bluetooth APs are fully supported. An Access Server (such as the Enterprise Access Server, or EAS) provides control, management and advanced security features for the Enterprise wireless network.

Enterprise Access Server in Gateway Mode

A wireless segment can be connected to existing networks in several ways. The overall architecture uses the EAS in Gateway Mode or Controller Mode.
In Gateway Mode (see figure 2 above), the EAS sits between the AP network and the rest of the Enterprise network. The EAS therefore controls all traffic flows between the wireless and wired networks and acts as a firewall.
In Controller Mode (figure below), the EAS manages the APs and controls access to the wireless network, but it is not involved in carrying user data. In this mode the wireless network can be separated from the wired network by a conventional firewall, or fully integrated into the Enterprise wired network.

Enterprise Access Server in Controller Mode.

5. Wireless security model
The wireless LAN architecture supports an open and comprehensive security model based on industry standards, as shown in figure 4. Every element of the model can be configured by the network administrator to suit their needs.

Security model for wireless networks

Device Authorisation: wireless Clients can be blocked by their hardware address (for example the MAC address). The EAS maintains a database of authorised wireless Clients, and the individual APs block or pass traffic accordingly.
Encryption: the WLAN also supports WEP, 3DES and the TLS standard, using encryption to prevent eavesdropping. WEP keys can be generated on a per-user, per-session basis.
Authentication: the WLAN supports mutual authentication (using 802.1x EAP-TLS) to ensure that only authorised wireless Clients can access the network. The EAS uses an internal RADIUS server for authentication with digital certificates. These digital certificates can be obtained from the internal certificate authority (CA) or imported from an external CA. This maximises security and minimises administration.
Firewall: the EAS incorporates a customisable packet-filtering and port-blocking firewall based on Linux IP chains. Preset configurations allow common types of traffic to be enabled or disabled.
VPN: the EAS includes an IPSec VPN server that allows wireless Clients to establish robust VPN sessions over the network.
Phạm Văn Linh
Email: vanlinh@quantrimang.com

Wireless LAN security (Part 3) - 23/7/2006 7h:18




6. Encryption
Encryption transforms data so that only authenticated parties can decrypt it. The encryption process combines the plaintext with a key to produce ciphertext. Decryption combines the ciphertext with the key to recover the original plaintext, as in figure 5. The process of arranging and distributing keys is called key management.

Encryption and decryption process

If the same key is used for both encryption and decryption, the keys are known as symmetric. If different keys are used, the process is known as asymmetric. Asymmetric keys are widely used in PKIs (Public Key Infrastructures), where one key is public and the other is private.
There are two encryption methods: block ciphers and stream ciphers. Block ciphers operate on the plaintext in groups of bits called blocks, typically 64 or 128 bits long. Typical examples of block ciphers are DES, triple DES (3DES), AES and Blowfish. Stream ciphers turn a key into a pseudo-random keystream (typically 8 bits at a time), which is then combined with the plaintext to encrypt it. Stream ciphers are used more than block ciphers. An example of a stream cipher is RC4 (used in 802.11 wireless LANs).
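The following Python block is an added example, not code from the original article or from any WLAN vendor. It ties together the stream-cipher description in section 6 and the WEP key structure from section 3: RC4 (the cipher 802.11 uses) turns a key into a keystream that is XORed with the plaintext, the same key reverses it (symmetric encryption), and WEP's per-packet key is the 24-bit IV, sent in the clear, prepended to the secret key. It also includes a monitoring-side check for repeated IVs, since a repeated IV under one secret key means a repeated keystream, and a calculation of how quickly the 2^24 IV space is used up. The secret key, IVs and frame payloads are constructed sample values.

```python
# Added example (not from the original article or any vendor): a toy WEP-style
# frame encryptor built on RC4, showing stream-cipher keystream XOR, symmetric
# decryption, the IV || secret-key construction and why a repeated IV matters.
# Key material and payloads below are constructed sample values.

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct IVs per secret key


def rc4_keystream(key, length):
    """Produce `length` bytes of RC4 keystream from `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """Combine two equal-length byte strings bit by bit (the stream-cipher step)."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key, iv, plaintext):
    """Return (iv_bytes, ciphertext) for one frame. The IV is not secret: it is
    carried in plain text in the 802.11 frame header, as the article notes."""
    iv_bytes = iv.to_bytes(3, "big")
    keystream = rc4_keystream(iv_bytes + secret_key, len(plaintext))
    return iv_bytes, xor_bytes(plaintext, keystream)


def wep_decrypt(secret_key, iv_bytes, ciphertext):
    """Symmetric: the same secret key plus the transmitted IV recovers the plaintext."""
    keystream = rc4_keystream(iv_bytes + secret_key, len(ciphertext))
    return xor_bytes(ciphertext, keystream)


def keystream_for(secret_key, iv, length):
    """Keystream a frame with this IV would use; equal IVs give equal keystreams."""
    return rc4_keystream(iv.to_bytes(3, "big") + secret_key, length)


def find_iv_reuse(frames):
    """Monitoring check: from captured (iv_bytes, ciphertext) pairs, list the IVs
    seen more than once. Under a static WEP key each repeat is keystream reuse."""
    seen, reused = set(), set()
    for iv_bytes, _ in frames:
        if iv_bytes in seen:
            reused.add(iv_bytes)
        seen.add(iv_bytes)
    return sorted(reused)


def seconds_to_exhaust_ivs(frames_per_second):
    """Seconds until a station that cycles through every IV must repeat one."""
    return IV_SPACE / frames_per_second


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"               # constructed 40-bit secret key
    iv, ct = wep_encrypt(key, 0x00ABCD, b"hello wlan")
    print(wep_decrypt(key, iv, ct))            # b'hello wlan'
    print(keystream_for(key, 0x00ABCD, 8) == keystream_for(key, 0x00ABCD, 8))
    print(seconds_to_exhaust_ivs(500) / 3600, "hours at 500 frames/s")
```

The `find_iv_reuse` check is the part a defender can act on: a network that still runs static WEP will show repeated IVs within hours at ordinary frame rates, which is the concrete reason the article moves on to dynamic per-session keys and 802.1x.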
7. Wireless authentication
Authentication is the act of confirming, or refusing to confirm, that someone or something is who or what they claim to be. Authentication is usually a one-way process, for example a person logging on to a computer and providing their identity with a username and password. In a wireless network, mutual authentication should be used, where the network authenticates the Client and the Clients authenticate the network. This prevents rogue devices from masquerading as network equipment in order to access sensitive data on wireless Clients.
The 802.11 wireless LAN standard has no intelligent authentication, so the industry standard adopted the 802.1x protocol for authentication. 802.1x provides port-based network access control, which uses EAP (Extensible Authentication Protocol) and a RADIUS server. 802.1x does not specify a particular authentication protocol but specifies EAP, which supports a number of authentication protocols such as CHAP-MD5, TLS and Kerberos. EAP is extensible, so new authentication protocols can be supported in later versions. EAP was originally designed to run over the Point-to-Point Protocol (PPP); to make it work with other data link layer protocols (such as 802.5 Token Ring or 802.11 Wireless LANs), EAP Over LANs (EAPOL) was developed. The resulting authentication model is shown in the figure below:

Authentication model

802.1x EAP-TLS is used in basic and high-security environments. The exchange of EAP-TLS messages provides mutual authentication, the encryption protocol handshake and protected key exchange between a wireless Client and the network. EAP-TLS is a technique that provides dynamic encryption keys per user and per session. This significantly improves on, and overcomes, many of the weaknesses in wireless networks.
The figure below shows the sequence of events that occurs when a Client is authenticated with 802.1x EAP-TLS. Two digital certificates are required here: one on the RADIUS server (for example the EAS) and one on the wireless Client. Note that wireless access is granted only once authentication has succeeded and dynamic WEP keys have been established.

802.1x EAP-TLS authentication

802.1x EAP-TLS with the EAS in Controller Mode is shown in figure 8. The wireless Client has a (pre-installed) digital certificate. The wireless Client communicates with the EAS through the AP. All three components (Wireless client, AP and EAS) support the 802.1x EAP-TLS process. The wireless Client can use Windows XP (which has built-in support for 802.1x EAP-TLS) or Windows 98/Me/2000 using the Madge Wireless LAN Utility (WLU). Once authenticated, user data can also pass through an EAS configured in Gateway Mode.

802.1x EAP-TLS in Controller Mode
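The following Python block is an added example, not code from the original article, from Madge or from the EAS product. It models the 802.1x EAP-TLS sequence described in section 7 with the three parties named there: the wireless Client (supplicant), the AP (authenticator, which only relays EAP and keeps its controlled port closed) and the RADIUS server (for example the EAS). The Client checks the network's certificate before presenting its own, which is what makes the authentication mutual, and the AP forwards no data until the server returns EAP-Success. The CA, the certificates and their "signatures" are HMAC-based stand-ins so the example runs offline; real EAP-TLS uses X.509 certificates and a TLS handshake, and derives the session key from that handshake on both sides. The subject names `laptop-01` and `eas.corp.example` and the message label `Client-Reject` are constructed for this model.

```python
# Added example (not from the original article, Madge or EAS): a simplified
# 802.1x EAP-TLS exchange between supplicant, authenticator and RADIUS server.
# Certificates and the CA are HMAC-based toys; the subject names are constructed.
import hashlib
import hmac
import os


class CertificateAuthority:
    """Toy CA: a certificate is a subject name signed with the CA's secret."""

    def __init__(self, name):
        self.name = name
        self._secret = os.urandom(32)

    def issue(self, subject):
        body = f"{self.name}|{subject}".encode()
        sig = hmac.new(self._secret, body, hashlib.sha256).hexdigest()
        return {"issuer": self.name, "subject": subject, "sig": sig}

    def verify(self, cert):
        if cert["issuer"] != self.name:
            return False                       # issued by a CA we do not trust
        body = f"{cert['issuer']}|{cert['subject']}".encode()
        expected = hmac.new(self._secret, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(cert["sig"], expected)


class RadiusServer:
    """Authentication server (e.g. the EAS) with its own cert and a trusted CA."""

    def __init__(self, cert, trusted_ca):
        self.cert, self.trusted_ca = cert, trusted_ca

    def handle(self, msg):
        if msg["type"] == "EAP-Response/Identity":
            return {"type": "EAP-Request/TLS", "server_cert": self.cert}
        if msg["type"] == "EAP-Response/TLS":
            if self.trusted_ca.verify(msg["client_cert"]):
                # Dynamic per-session key. Real EAP-TLS derives it from the TLS
                # master secret on both sides and hands it to the AP via RADIUS.
                return {"type": "EAP-Success", "session_key": os.urandom(16)}
        return {"type": "EAP-Failure"}


class WirelessClient:
    """Supplicant with a pre-installed certificate and a trusted CA."""

    def __init__(self, cert, trusted_ca):
        self.cert, self.trusted_ca = cert, trusted_ca
        self.session_key = None

    def respond(self, msg):
        if msg["type"] == "EAP-Request/Identity":
            return {"type": "EAP-Response/Identity", "identity": self.cert["subject"]}
        if msg["type"] == "EAP-Request/TLS" and self.trusted_ca.verify(msg["server_cert"]):
            return {"type": "EAP-Response/TLS", "client_cert": self.cert}
        # Server certificate not trusted: refuse to continue (rogue AP/server).
        return {"type": "Client-Reject"}       # label for this model, not an EAP code


class AccessPoint:
    """Authenticator: relays EAP; data frames are dropped until authorised."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.session_key = None

    def forward_data(self, frame):
        return self.port_authorized            # False means the frame is dropped


def run_eap_tls(client, ap, max_rounds=4):
    """Drive the exchange and return the list of message types seen."""
    transcript = ["EAPOL-Start"]
    msg = {"type": "EAP-Request/Identity"}
    for _ in range(max_rounds):
        transcript.append(msg["type"])
        reply = client.respond(msg)
        transcript.append(reply["type"])
        if reply["type"] == "Client-Reject":
            break
        msg = ap.server.handle(reply)
        if msg["type"] == "EAP-Success":
            transcript.append(msg["type"])
            ap.port_authorized = True
            ap.session_key = client.session_key = msg["session_key"]
            break
        if msg["type"] == "EAP-Failure":
            transcript.append(msg["type"])
            break
    return transcript


def build_scenario(client_issuer, server_issuer, trusted_ca):
    """Subjects 'laptop-01' and 'eas.corp.example' are constructed names."""
    server = RadiusServer(server_issuer.issue("eas.corp.example"), trusted_ca)
    client = WirelessClient(client_issuer.issue("laptop-01"), trusted_ca)
    return client, AccessPoint(server)
```

Running `build_scenario` with the corporate CA on both sides produces the six-step transcript from the article's figure (EAPOL-Start, identity request and response, TLS request and response, EAP-Success) and opens the AP port; issuing the server's certificate from a different CA makes the Client stop the exchange, and issuing the Client's certificate from a different CA makes the server answer EAP-Failure, with the port staying closed in both cases.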
