
General Introduction to SSL

Most of us have already met at least one transport-layer tunnelling protocol, and the best known is the Secure Sockets Layer (SSL), which among other things secures HTML (Hypertext Markup Language) transactions on the Web. As we will see, SSL has many applications and can easily be used to build general-purpose transport-layer tunnels. We will look at how SSL works on the wire with the TCPdump and SSLdump utilities, see how it can be used to build a tunnel between two programs, neither of which needs to be SSL-aware, and finally see how SSL can be used to build a VPN between two networks.
Overview of SSL (Secure Sockets Layer)
SSL is a newer addition to the VPN market. It was designed for remote-access solutions and does not provide site-to-site connections. SSL VPNs primarily provide secure access to web applications. Because SSL uses a web browser, users typically do not have to run any special client software on their computers.
SSL VPNs operate at the session layer of the OSI reference model. Because the client is a web browser, by default only applications that support a web browser will work with an SSL VPN solution. Applications such as Telnet, FTP, SMTP, POP3, multimedia, IP telephony, remote desktop control and others therefore do not work with SSL VPNs, because they do not use a web browser for their user interface. Of course, many vendors use Java or ActiveX to enhance their SSL VPNs with support for non-HTTP applications, such as POP3 and SMTP e-mail clients and Microsoft Windows file and print sharing. For example, Cisco's SSL VPN implementation supports non-web applications such as Citrix, Windows Terminal Services and many others. In addition, some vendors use Java or ActiveX to deliver other SSL VPN components, such as additional security functions that wipe all traces of the client's activity from the user's computer after the SSL VPN session has ended. Cisco calls its SSL VPN implementation WebVPN.
SSL Client Implementations
One main reason network administrators ask for SSL VPN deployments is that SSL VPNs do not require any special VPN client software to be pre-installed on users' desktops. Of course, users do need some software, namely a web browser with SSL support, possibly with Java and ActiveX support as well, and most users already install these as part of the initial setup of their computer.
There are three general types of SSL client implementation:

Clientless
Thin client
Network client
Because only a web browser is required on the user's computer, the SSL client is commonly described as clientless or "webified". SSL VPNs are therefore sometimes called clientless VPNs. The main drawback of a clientless VPN is that only web-based traffic can be protected.
The characteristic of a thin client is Java or ActiveX software downloaded through the SSL VPN to the user's computer. It allows a small set of non-web applications to be carried through the SSL VPN. With network-based access, an SSL client is installed on the user's computer; this component too, however, is downloaded to the user's computer.
SSL Protection
SSL VPNs do not necessarily provide protection of data at the network layer, as IPSec, PPTP and L2TP do. SSL VPN clients provide protection at the session layer (layer 5) for web applications that use a web browser. Its protection of traffic is therefore somewhat limited: for application traffic to be protected, the user's access to the application must somehow go through a web browser. Of course, any HTTP-style connection can easily be protected, because users already use a web browser for this kind of function, but this can cause problems for other kinds of applications, such as Telnet, POP3, SMTP, SNMP, ping, traceroute, FTP, IP telephony, Citrix, Oracle's SQL*Net, file and print sharing over Windows or Unix, and many others.
Differences between IPSec and SSL VPNs:
IPSec provides protection for IP packets and transport protocols between two networks or between two hosts.
SSL VPNs provide protection for user access to services and applications on the network.
Network architecture:

SSL configured on a router:

+ Standalone.

+ Handles ECT and connects to a DMVPN hub server.


Operation:
o Using an SSL-enabled web browser, the user establishes a connection to the SSL VPN.
o The SSL VPN session is established.
o The user accesses the internal network.
Note: the SSL VPN provides a gateway into the network. It is always placed behind the firewall.
Characteristics:
* IE is used to establish a connection to the SSL VPN gateway.
* The SSL VPN gateway responds to the user with an HTML login page.
* The username and password are submitted to the gateway for authentication against the RADIUS server.
* Once a session is established, the gateway maintains it by sending a session cookie.
* This cookie must accompany all of the user's subsequent HTTP requests for authentication at the SSL VPN gateway.
* If the cookie is lost or corrupted, the session is terminated and the user can no longer access the internal network.
* The session is kept until the user logs out; it is then terminated and wiped by the SSL VPN gateway.
* The SSL VPN page and its toolbar are displayed in the user's web browser.
* From this page the user can access the available HTTP pages; by clicking the Start Application Access link, the user can reach the internal servers configured for TCP port forwarding.
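As an added illustration of the cookie-based session handling just described (my own example, not code from the original text or from any vendor's gateway): a hypothetical gateway-side session table that issues an HMAC-signed cookie after a successful login, checks it on every later request, denies access when the cookie is missing or corrupted, and wipes the session on logout. The `SslVpnSessions` name, the `authenticate` callback standing in for the RADIUS check, and the signing key are all assumptions.

```python
import hmac
import hashlib
import secrets


class SslVpnSessions:
    """Hypothetical gateway-side session table; the cookie is '<session id>.<HMAC tag>'."""

    def __init__(self, key: bytes):
        self.key = key                      # gateway secret for signing cookies (assumed)
        self.sessions = {}                  # session id -> username

    def _tag(self, sid: str) -> str:
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password, authenticate):
        """Submit credentials to the injected RADIUS-style check; issue a cookie on success."""
        if not authenticate(user, password):
            return None
        sid = secrets.token_hex(16)         # unpredictable session id
        self.sessions[sid] = user
        return f"{sid}.{self._tag(sid)}"

    def user_for(self, cookie):
        """Check the cookie on each HTTP request; None means the request gets no access."""
        if not cookie or cookie.count(".") != 1:
            return None                     # cookie missing or malformed
        sid, tag = cookie.split(".")
        if not hmac.compare_digest(tag, self._tag(sid)):
            return None                     # corrupted or forged tag: no access
        return self.sessions.get(sid)       # None once the session has been wiped

    def logout(self, cookie):
        """Wipe the session so the cookie stops granting access."""
        user = self.user_for(cookie)
        if user is not None:
            del self.sessions[cookie.split(".")[0]]
        return user
```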
TCP port forwarding
The user downloads a Java applet that initiates an HTTP request from the client to the SSL VPN gateway.
The SSL VPN gateway creates a TCP connection to the server.
Once set up, the connection between client and server is handled as an SSL tunnel, with the TCP packets relayed from one end to the other.
Comparison
THE SSL PROTOCOL
Let us begin by looking at a typical SSL session. As a transport-layer protocol, SSL depends on a transport-layer protocol to carry its packets. In principle there is no reason SSL could not run over UDP, but reliability would then have to be built into the SSL protocol itself. To avoid this complexity, SSL relies on a reliable transport protocol to run over, namely TCP.
An SSL session consists of three phases: connection setup, data exchange and connection teardown. In the first phase, the encryption, authentication and compression algorithms are negotiated, the server and optionally the client are authenticated, and keying material is exchanged.
In the second phase, the client and server exchange application data. This data is encrypted and authenticated to ensure that it cannot be read by a third party and cannot be modified by a third party without detection.
When the applications finish exchanging data, one of them announces the end of the connection, much like an EOF. Because this close notification is authenticated, it cannot be forged by a third party. This prevents malicious parties from forging a TCP FIN and truncating the data early.
SSL 3 and TLS formally require both sides to send close notifications, but in practice this is often ignored and only one side sends one.
Basic SSL packet flow
The following figure describes an SSL session. The first nine messages make up connection setup. In this phase the client sends the server a ClientHello message indicating the SSL version it supports and the list of cipher suites and compression algorithms it is willing to use.

The server replies with three messages. These messages are grouped into a single handshake record, so all three are sent as a single TCP segment.
First, the ServerHello message indicates the cipher suite and compression algorithm the server has chosen.
The second message is the server's certificate. The certificate serves two purposes. First, it establishes the server's identity. Second, it contains the server's public key, which the client uses to encrypt a secret that both sides use to derive the keys needed for the session.
Finally, the server sends a ServerHelloDone message. Because some SSL modes require the server to send further handshake messages, the ServerHelloDone serves to mark the end of the server's sequence. At this point the server has been authenticated to the client, client and server agree on the cipher suite and compression algorithm, and the client has the key it needs to send keying material securely to the server.
In the next three messages, the client sends the server its keying material (ClientKeyExchange), tells the server that from now on it will use the newly derived keys to encrypt and authenticate its messages (ChangeCipherSpec), and tells the server that it has finished its part of the handshake (Finished). The server responds with its own ChangeCipherSpec and Finished messages.
Now the applications begin exchanging data. The data exchange looks like the data exchange on any TCP connection, except that the data in the TCP segments is encrypted and authenticated. When we view this exchange with tcpdump, it is indistinguishable from the data exchange on any other TCP connection except that the application data appears as random bits. The final message is the close notification. At this point no more data will be exchanged and the connection is closed.
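As an added example, not from the original page, of the first handshake message described above: a parser for an SSL/TLS record carrying a ClientHello that extracts the client version, the offered cipher suites and the compression methods, plus a builder that constructs a sample record inline. The function names and the sample values are my own; the suite-name table covers only a few well-known IDs and is not exhaustive.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
# A few well-known cipher suite IDs, for readable output (table is not exhaustive).
SUITE_NAMES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}


def build_client_hello(client_version, cipher_suites, compression=(0x00,)):
    """Construct a sample handshake record (type 22) carrying a ClientHello with no extensions."""
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0300, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites, compression_methods); raise ValueError if malformed."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello handshake message")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32 + 1 + body[34]                 # skip client random and session id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher suites")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len + 1 > len(body):
        raise ValueError("bad cipher suite vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp = list(body[pos + 1:pos + 1 + body[pos]])
    return version, suites, comp


def describe_suites(suites):
    """Map suite IDs to names where known, so an inspector can see what a client offered."""
    return [SUITE_NAMES.get(s, f"unknown(0x{s:04x})") for s in suites]
```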
