Which feature of Layer 2 (the Data Link layer) is the most notable? Probably its independence. The independence of this layer gives it very strong interoperability and interconnectivity. From a security standpoint, however, this creates considerable challenges, because the layer can be compromised immediately. A network's security is only as strong as Layer 2, its weakest line of defence, so that layer must be strong too.
Who cares about Layer 2?
Typically, network operations follow a set routine. One group handles the network operations tasks (the network administrators) and another handles the network security tasks (the security administrators). However, the work of both groups usually stops at the layers above Layer 2.
Network administrators commonly use virtual LANs (VLANs). Many VLAN links enter and leave on the same LAN switch. When the security staff ask for a new network segment, the network administrators create a VLAN and hand the security team an address range. The security side does not know they are using a VLAN, and does not care what the operations side does with the switch. The security team often pays no attention to Layer 2 at all and focuses only on Layer 3 and above.
The difference in outlook is visible in the devices themselves. Firewalls are usually set to their most secure configuration when first installed: by default, until they are tuned, they allow no traffic through. Switches and routers are the complete opposite. They are designed to "encourage communication". In doing their job, opening connections, they can create inherent security holes, which is why switches and routers usually ship with built-in security features. However, those features and capabilities stay inactive unless the network administrators turn them on. Usually they are not used at all, or are used incorrectly.
A 2002 Computer Crime and Security Survey conducted by the Computer Security Institute and the US Federal Bureau of Investigation showed a significant increase in network attacks (http://gocsi.com). In 1996, most attacks came from internal systems; the rest came from dial-up access and Internet port scans. By the end of 2002 the number and types of attacks had changed: more than 70% of attacks were port scans from outside and 30% originated from internal systems. Even so, the number of internal attacks remains very large, and the damage they cause is far greater than that of external attacks.
Below are the two most damaging kinds of attack that target Layer 2 of the system, the Data Link layer.
MAC flooding attacks
Every switch holds a table that stores the MAC addresses seen on its physical ports together with their VLAN parameters. This is the CAM (Content Addressable Memory) table, the Layer 2 equivalent of a routing table. The CAM table keeps track of where devices are on the network and determines which traffic is sent out of which port. A MAC flooding attack tries to make the switch behave like a hub by overflowing the CAM table. The memory available to the CAM table is limited, so the risk of overflow is high.
Such an attack looks like traffic from thousands of computers arriving at one port, but in fact it comes from a single machine spoofing the MAC addresses of thousands of fake hosts. Macof, a common tool for this kind of attack, can generate 155,000 fake MAC entries at a single switch port every minute. The switch sees the traffic, treats the source MAC addresses in the attacker's packets as legitimate, and adds an entry for each of them to the CAM table. The switch is flooded once the CAM table has been filled with bogus entries. Once flooded, the switch broadcasts traffic on the VLAN without consulting the CAM table, which lets the attacker see traffic they normally could not see. Flooding a switch is easy, even for switches with large CAM tables and strong configurations.
There are many ways to prevent this attack. The basic method is to configure port security on the switch. This lets administrators specify how many PCs may connect to each switch port. If the number of PCs exceeds the limit, the port is shut down, or the MAC addresses beyond the predefined limit are blocked. Because the switch then has to keep tracking unknown MAC addresses, system performance suffers. The most practical solution is therefore to shut down any port that exceeds its limit.
Port security also provides a number of features beyond those needed to stop switch flooding attacks.
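The following is an added example, not code from the original article: a small Python model of a switch CAM table that shows why a full table makes the switch flood frames like a hub, and how a per-port MAC limit with shutdown on violation (the port-security behaviour described above) stops it. The capacity figure, port numbers and MAC strings are constructed for illustration; real switches have larger tables and age entries out over time.

```python
from dataclasses import dataclass, field
from typing import Optional

CAM_CAPACITY = 1000     # constructed figure; real tables are larger but still finite
NO_LIMIT = None


@dataclass
class Switch:
    ports: list
    max_macs_per_port: Optional[int] = NO_LIMIT   # port-security limit; None disables it
    cam: dict = field(default_factory=dict)       # (vlan, mac) -> port
    seen: dict = field(default_factory=dict)      # port -> set of source MACs learned there
    shutdown: set = field(default_factory=set)    # ports err-disabled by port security

    def receive(self, in_port, src, dst, vlan=1):
        """Learn src on in_port, then return the set of egress ports for dst."""
        if in_port in self.shutdown:
            return set()                          # err-disabled port drops everything
        macs = self.seen.setdefault(in_port, set())
        if src not in macs:
            limit = self.max_macs_per_port
            if limit is not None and len(macs) >= limit:
                self.shutdown.add(in_port)        # violation: shut the port down
                return set()
            if len(self.cam) < CAM_CAPACITY:      # a full table learns nothing new
                macs.add(src)
                self.cam[(vlan, src)] = in_port
        out = self.cam.get((vlan, dst))
        if out is None:                           # unknown destination: flood, hub-like
            return {p for p in self.ports if p != in_port and p not in self.shutdown}
        return {out}


def flood_and_check(port_security_limit, n_fake=1200):
    """Attacker on port 3 floods fake source MACs; afterwards the gateway on
    port 2 (re)announces itself, as it would after its entry aged out, and the
    victim on port 1 sends it a frame. Returns
    (attacker_port_receives_victim_frame, attacker_port_shut_down)."""
    sw = Switch(ports=[1, 2, 3], max_macs_per_port=port_security_limit)
    for i in range(n_fake):
        sw.receive(3, f"fake-{i}", "ff:ff:ff:ff:ff:ff")   # constructed fake MACs
    sw.receive(2, "gw", "victim")
    egress = sw.receive(1, "victim", "gw")
    return 3 in egress, 3 in sw.shutdown


if __name__ == "__main__":
    print("no port security :", flood_and_check(NO_LIMIT))
    print("port security = 2:", flood_and_check(2))
```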

VLAN security and VLAN hopping attacks
Misinformation about the security of virtual LANs has grown, compounded by fear and uncertainty that VLANs can be compromised. Research by @stake, an international group of application and network security experts, found no way to carry out these attacks unless a misconfiguration exists on the switch. In those cases, the misconfiguration usually stems from the switch architecture being designed for "open communications" rather than from an error by the network administrator. VLAN security therefore remains complicated, because the switch's default configuration leaves it highly exposed to attacks such as basic VLAN hopping and double-encapsulated VLAN hopping.
VLAN hopping attacks are designed to let an attacker bypass Layer 3 devices when sending traffic from one VLAN to another. The attack takes advantage of improperly configured trunk ports. By default, trunk ports have access to all VLANs. They are used to carry traffic for many VLANs over the same physical link between switches. Data on these links may be encapsulated with IEEE 802.1Q or ISL (Inter-Switch Link).
The Dynamic Trunking Protocol (DTP) automatically configures ISL/802.1Q trunks and is used to exchange information between switches. It synchronizes the trunking mode at both ends of a link and reduces the need for management intervention on each switch. Network administrators can configure the DTP state on each trunk port. The states are: On, Off, Desirable, Auto and Non-Negotiate.
- On: used when the other switch does not understand DTP.
- Off: used when the port has been configured beforehand with no intention of ever becoming a trunk port.
- Desirable: used when the switch port wants to become a trunk port.
- Auto: the default state on many switches.
- Non-Negotiate: used when the network administrator wants a specific trunk type, ISL or .1Q.
The key point to remember about DTP is that the default mode for ports on most switches is Auto.
Basic VLAN hopping attacks
The attack occurs when the attacker tricks the switch into thinking they are another switch that wants to form a trunk. The technique requires a "trunking-favorable" setting, such as Auto, to succeed. The attacker then becomes a member of every VLAN connected to the switch and can send and receive traffic on all of them.
The best way to prevent basic VLAN hopping is to turn off trunking on all ports except those that need it.
Double-encapsulated VLAN hopping attacks
This attack exploits the way the hardware in most switches works. Currently, most switches perform only one level of IEEE 802.1Q de-encapsulation. This allows an attacker, in specific situations, to attach their own 802.1Q tags (.1Q tags) to a frame. The frame then ends up in a VLAN that the outer .1Q tag did not specify. An important property of double-encapsulated VLAN hopping is that it works even against trunk ports set to Off.

Preventing these attacks is not as easy as preventing basic VLAN hopping. The best measure is to make sure that the native VLAN of the trunk ports is kept strictly separate from the native VLAN of the user ports. For further measures against these attacks, see http://www.blackhat.com/presentations/bh-usa-02/bh-usa-02convery-switches.pdf.
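As an added example (not from the article or the linked presentation), here is a small 802.1Q tag parser of the kind a sensor on a trunk could use to flag double-tagged frames, together with the check that matters for the mitigation above: whether the outer tag carries the trunk's native VLAN ID. The sample frames are constructed header-only byte strings, not real captures; the native VLAN number is an assumption.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_QINQ = 0x88A8    # IEEE 802.1ad service tag, also seen in stacked tags


def parse_vlan_tags(frame: bytes):
    """Return (list_of_vids, payload_ethertype) for an Ethernet II frame.
    Walks every 802.1Q/802.1ad tag that follows the two MAC addresses."""
    vids, off = [], 12                       # tags start after dst+src MAC
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (TPID_8021Q, TPID_QINQ):
            return vids, tpid                # first non-tag word is the EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VID
        off += 4


def classify(frame: bytes, trunk_native_vlan: int) -> str:
    """'ok' for untagged or single-tagged frames; 'double-tagged' for stacked
    tags; 'double-tagged-native' when the outer VID equals the trunk's native
    VLAN, the case in which a switch strips the outer tag and forwards the
    frame on the inner VID that the outer tag never named."""
    vids, _ = parse_vlan_tags(frame)
    if len(vids) < 2:
        return "ok"
    if vids[0] == trunk_native_vlan:
        return "double-tagged-native"
    return "double-tagged"


# Constructed sample frames (broadcast dst, locally administered src, zero payload).
_HDR = bytes.fromhex("ffffffffffff" "020000000001")
UNTAGGED = _HDR + bytes.fromhex("0806") + b"\x00" * 46            # ARP, no tag
SINGLE_TAGGED = _HDR + bytes.fromhex("8100000a" "0800") + b"\x00" * 46   # VID 10
DOUBLE_TAGGED = _HDR + bytes.fromhex("81000001" "81000014" "0800") + b"\x00" * 46  # outer 1, inner 20

if __name__ == "__main__":
    native = 1                                # assumed native VLAN of the trunk
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED)):
        print(name, parse_vlan_tags(f), classify(f, native))
```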
Switch management and access control
Recently, some Internet edge network designs use a single switch to handle both the trusted and the untrusted segments of the network.
In this design, multiple VLANs are used to separate trusted and untrusted traffic. According to @stake's research, when configured correctly, VLANs can be used to separate traffic in this way. Unfortunately, using multiple security levels on one switch increases configuration complexity and often leads network administrators to make mistakes. Moreover, if the switch is compromised, an attacker can bypass the firewall entirely and establish a direct connection between the Internet and the internal network.
The important thing to remember is that your network security measures must cover both the switch and the firewall. Since in most networks the security team is not responsible for controlling the switch, this can be a real problem. An alternative design uses multiple switches without multiple VLANs (figure b). In that case, if one switch is compromised, the security of the whole network is still not defeated.
Security features Layer 2 devices should have
- Port security: lets network administrators specify how many PCs may connect to each switch port.
- Private VLANs: provide security and the ability to partition ports on a switch that are members of the same VLAN. This feature ensures that users can communicate only with their default gateway and not with one another. Private VLANs are commonly and effectively used in DMZ (Demilitarized Zone) environments.
- STP root guard/BPDU guard: eliminate spanning-tree attacks by shutting down any port that could cause a change in the Layer 2 topology.
- SSH support: provides a secure remote connection to Layer 2 and Layer 3 devices. For remote access, SSH is more secure than Telnet because it provides strong encryption once the device has been authenticated. Both an SSH server and an SSH client are built in.
- VMPS (VLAN Membership Policy Server): maps specific MAC addresses to specific VLANs. This lets mobile users on a campus network always connect under the same network security policy.
- IEEE 802.1X authentication: protects the network by authenticating users against a central database before any kind of connection is allowed. By contrast, most users inside local networks can get access simply by plugging into an Ethernet connection, without any authentication.
- Wire-rate ACLs: allow access control lists to be applied without degrading system performance.
In closing
Besides MAC flooding and VLAN hopping, other attacks such as spanning-tree attacks, Address Resolution Protocol spoofing (ARP spoofing) and DHCP attacks can all occur at Layer 2. Beyond the mitigation guidance available at http://www.blackhat.com, you should also do the following:

- Restrict switch management access so that untrusted parts of the network cannot abuse management interfaces and protocols such as SNMP (Simple Network Management Protocol).
- Prevent denial-of-service and other exploitation attacks by locking down spanning-tree and the other dynamic protocols.
- Use hardware ACLs where possible to block unwanted traffic.
- Use dedicated VLAN IDs for all trunk ports.
- Shut down all unused ports in the VLAN.
- Use port security to limit the number of allowed MAC addresses; this helps protect the system against switch flooding attacks.
http://quantrimang.com/an-ninh-lop-2-khac-phuc-diem-yeu-210