
COMPUTER NETWORKS REVIEW

2.0 Network Infrastructure

2.1 Differentiate between the different ports & protocols, their respective threats and mitigation techniques.

Antiquated protocols
1. TCP/IP hijacking
TCP session hijacking is a technique that intercepts a TCP session already established between two hosts in order to take it over. Because authentication is normally checked only when the session is opened, an attacker who hijacks the session controls the connection for the rest of its lifetime. To inject segments the attacker must supply the sequence and acknowledgement numbers the receiver expects, which is why protocols that authenticate or encrypt every segment (TLS, SSH) leave a hijacked session useless to the attacker.

2. Null sessions
How a Null Session works: a remote session is created when a user logs on remotely to a computer with a user name and password that have access to system resources. This logon is carried out over the SMB (Server Message Block) protocol and the Windows Server service. Such connections are entirely legitimate when correct credentials are used. A Null Session occurs when a user connects to a Windows system without supplying any user name or password. This kind of connection cannot be made to any ordinary Windows share, but it can be made to the IPC$ (Interprocess Communication) administrative share. The IPC$ share is used by Windows processes (running as SYSTEM) to talk to processes on other machines over the network, and it is used only by the SMB protocol. Because IPC$ does not require credentials, it is normally used by one program to communicate with another, but nothing stops a user from connecting to a machine over this same IPC$ share. Such a connection exposes information not only about that computer but, through enumeration, about other machines on the network, which is exactly what an intruder wants.

Attacking with a Null Session: this attack is easy to carry out. A Null Session can be set up directly from a Windows command without any extra tools, namely the NET command. NET performs many administrative functions; with it we can try to connect to a standard share on the target machine, but that connection fails because no valid credentials are supplied.

Figure 1: Failed connection to a network share using the NET command.


With the NET command we can instead change the share name so that we connect to the IPC$ administrative share. This time the result is more favourable.

Figure 2: Successful Null Session connection with the NET command.


At this point we have established a Null Session to the victim machine. However, we still have no administrative rights on it, so we cannot yet browse its drives or pull password hashes. Remember that the IPC$ share exists for interprocess communication, so our access is limited to what an anonymous (null) logon is permitted to see. We can use NET to pull more information out of the target (users, shares, groups), but there are many automated tools that do this tedious work for us. On the defending side, what an anonymous logon may enumerate is governed by the RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; current Windows versions restrict null sessions by default, so an open null session on a modern host is a configuration error worth reporting.

3. Spoofing
Spoofing is when an attacker pretends to be someone else in order to gain access to restricted resources or to steal information. The attack takes many forms. For example, an attacker may forge the Internet Protocol (IP) address of a legitimate user to obtain that user's account. An attacker may also send fraudulent e-mail and set up fake websites to capture users' login names, passwords and account information. Faking an e-mail or a website is sometimes called a phishing attack.

Another form of spoofing is setting up a rogue wireless access point and tricking victims into connecting to the system through that illegitimate link. A fake Wi-Fi access point is a relatively simple way to steal data. Some tips for protecting yourself in a hotspot area: keep the wireless radio switched off until you are ready to use it, disable file and printer sharing, and set your wireless options accordingly. Automatic update programs can also be a route for a wireless spoofing attack, so make sure the "ask first" option is enabled before letting your computer download updates.

4. Man-in-the-middle
An attack in which a party sitting between the two endpoints can send, receive or steal any information being exchanged. In some cases the user sends data unencrypted, which means the man-in-the-middle (MITM) can read any unencrypted information directly. In other cases the attacker obtains the traffic but must break its encryption before it can be read. The figure shows an example of how a man-in-the-middle attack works: the attacker intercepts some or all of the traffic leaving the computer, collects the data, and then forwards it to the destination the user originally intended to reach, so neither end notices.

5. Replay
A replay attack is one in which an authentication exchange is replayed by an attacker to trick a computer into granting access. It can be any form of retransmission of captured network data, but it is usually used to obtain authentication fraudulently. Ways to prevent replay attacks: attach a random session token to each session and send the password hashed together with the value of that session token; a session token can be used only once. The credential sent can be the password hash combined with the session token and hashed again. Session authentication can also take into account the time at which the transaction occurs: the password can be bound to an approximate timestamp and modified accordingly, so that a captured exchange is rejected once its time window has passed.
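As an added example (not part of the original notes), the Python below combines the two defences just described: a random, single-use session token issued by the server and a timestamp window. The user database, the stored password hash and the injectable clock are constructed for the demonstration, and the HMAC over user|nonce|timestamp is one reasonable way to "hash the password together with the session token", not the only one.

```python
import hashlib
import hmac
import secrets
import time


class ReplaySafeAuth:
    """Challenge-response login that rejects replayed sessions.

    Two independent defences are combined:
      * a random, single-use session token (nonce) issued per attempt;
      * a timestamp that the server checks against its own clock.
    The password never crosses the wire; the client sends
    HMAC(password_hash, user | nonce | timestamp).
    """

    def __init__(self, users, window_seconds=30, clock=time.time):
        self.users = users            # user -> stored password hash (constructed)
        self.window = window_seconds  # how stale a timestamp may be
        self.clock = clock            # injectable so tests are deterministic
        self.pending = {}             # nonce -> time issued (single use)

    def challenge(self):
        """Issue a fresh session token; it is valid for exactly one login attempt."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = self.clock()
        return nonce

    @staticmethod
    def proof(password_hash, user, nonce, ts):
        msg = f"{user}|{nonce}|{ts}".encode()
        return hmac.new(password_hash, msg, hashlib.sha256).hexdigest()

    def login(self, user, nonce, ts, proof):
        if user not in self.users:
            return False, "unknown user"
        # pop() consumes the token: a replayed message carries a nonce that no longer exists.
        issued = self.pending.pop(nonce, None)
        if issued is None:
            return False, "unknown or already-used session token"
        now = self.clock()
        if abs(now - ts) > self.window or now - issued > self.window:
            return False, "stale timestamp"
        expected = self.proof(self.users[user], user, nonce, ts)
        if not hmac.compare_digest(expected, proof):
            return False, "bad proof"
        return True, "ok"


def demo():
    """Legitimate login followed by an attacker replaying the captured message."""
    pw_hash = hashlib.sha256(b"correct horse").digest()   # constructed credential
    server = ReplaySafeAuth({"alice": pw_hash})
    nonce = server.challenge()
    ts = int(server.clock())
    captured = ("alice", nonce, ts, ReplaySafeAuth.proof(pw_hash, "alice", nonce, ts))
    first = server.login(*captured)    # the real client
    replay = server.login(*captured)   # same bytes, sent again by the attacker
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The replay fails on the token check before any cryptography is evaluated; the timestamp check catches the complementary case where a token was issued but the message is delivered much later.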

6. DoS
A DoS attack is an extremely dangerous kind of attack; to understand it we need to be clear about the definition of DoS and the forms it takes. - A DoS attack is one in which someone makes a system unusable, or slows it down significantly for ordinary users, by overloading the system's resources. - If the attacker is unable to break into the system, they try to make it crash or become unable to serve ordinary users; that is a Denial of Service (DoS) attack. Although a DoS attack does not give access to the system's actual data, it can disrupt the services the system provides. As defined above, a DoS attack exploits the weakest points of the system under attack. The goals of a DoS attack are:

7. DDoS
Denial of Service attacks fall into two kinds: - DoS: an attack from a single individual, or a set of individuals. - DDoS: an attack from a network of computers set up to attack one specific target.

8. Domain Name Kiting

Domain name kiting is the practice of registering a domain name to test how much traffic it draws and then, if it does not generate advertising revenue, deleting it within the five-day grace period for a full refund. Typically this is done with expired domain names that still receive traffic from search engines and other views. If the domain shows potential to earn more than the registration fee, the registrant keeps it; if not, the registrant cancels the domain for a full refund.

9. DNS poisoning
What is DNS poisoning? As described here, it is a filtering method often used by ISPs to block access, across their whole network, to a short list (in the thousands) of blacklisted sites, such as those containing child sexual abuse images. How does it work? It works by altering the DNS records of the blocked sites so that they point to a fake web server hosting a different page. It is relatively easy to set up, reasonably cheap and easy to maintain. Its drawback is that the filter acts on host names, so it can only block an entire domain, not an individual page (URL) on a site. It is very easy to bypass: all one has to do is change one's settings to use an external DNS server instead of the ISP's, which many children can do today. Who uses DNS poisoning? It is currently used by the Scandinavian countries to block websites containing child sexual abuse images (CSAI), which are illegal to access in most countries. The list of blocked sites is supplied by the police authorities of the respective countries.

The same mechanism in an attacker's hands is the DNS cache poisoning attack: forged answers inserted into a resolver's cache redirect every client of that resolver. The defences are the same on the resolving side: accept an answer only if it arrives from the server that was queried, matches the query's random transaction ID and source port, and repeats the question that was asked; DNSSEC adds a signature a forged record cannot carry.
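As an added illustration of the resolver-side checks that defeat a forged answer (this code is not from the original notes and is not any particular resolver's implementation), the Python below builds a minimal DNS query and response by hand and validates a reply the way a careful stub resolver does: it must come from the address and port the query was sent to, carry the query's transaction ID, be flagged as a response and echo the question exactly. The addresses (192.0.2.x, 203.0.113.x) and the name example.com are constructed test values.

```python
import struct


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); handles the 0xC0 compression pointer."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, name, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid, name, ip, qtype=1, ttl=300):
    """A response with one A record; the answer name is a pointer to the question (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def validate_answer(query, response, from_addr, sent_to):
    """Return (ok, reason, ip). Every check is one a poisoning attempt must defeat."""
    if from_addr != sent_to:
        return False, "source address/port mismatch", None
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    if rid != qid:
        return False, "transaction id mismatch", None
    if not flags & 0x8000:
        return False, "not a response", None
    qname, qoff = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qoff:qoff + 4])
    rname, roff = decode_name(response, 12)
    rtype, rclass = struct.unpack("!HH", response[roff:roff + 4])
    if qdcount != 1 or (rname.lower(), rtype, rclass) != (qname.lower(), qtype, qclass):
        return False, "question section does not match", None
    off = roff + 4
    for _ in range(ancount):
        aname, off = decode_name(response, off)
        atype, aclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        if aname.lower() == qname.lower() and atype == 1 and aclass == 1 and rdlen == 4:
            return True, "ok", ".".join(str(b) for b in rdata)
    return False, "no matching A record", None
```

A real resolver also randomises the transaction ID and the UDP source port per query; the checks above are only as strong as the entropy an off-path attacker has to guess.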

10. ARP Poisoning

The Address Resolution Protocol (ARP) spoofing attack, also called ARP poisoning or ARP Poison Routing (APR) (and sometimes, loosely, ARP flooding), is an attack launched from a computer inside the LAN that abuses the ARP protocol and the MAC/IP address mapping. In its simplest form it aims to cut one or more computers off from the modem/gateway, so that those computers can no longer reach the Internet. The victim loses its Internet connection but still has LAN connectivity, so a ping to the victim still gets a reply.

Reference notes
1. What are MAC and ARP? Every network device has a MAC address (Media Access Control address), and that address is unique. Devices on the same network use MAC addresses to communicate with each other at the Data Link layer.

Devices use the ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) mechanisms to learn the MAC and IP addresses of other devices.

2. The ARP process. When HostA and HostB exchange data, the packets are passed down to the Data Link layer to be framed, and each host has to put the source MAC and destination MAC into the frame. So before the two machines can exchange data they must ask for each other's MAC address. If HostA asks first, it broadcasts an ARP Request asking for HostB's MAC; HostB takes HostA's MAC from that request and replies only to A with its own MAC (the reply from HostB is an ARP Reply).

3. How an ARP attack is carried out. Assume a LAN as in the figure above with the following hosts:
Attacker: the hacker's machine used for the ARP attack. IP 10.0.0.11, MAC 0000:0000:0111
HostA: IP 10.0.0.09, MAC 0000:0000:0109
HostB: IP 10.0.0.08, MAC 0000:0000:0108
Victim: the machine targeted by the ARP attack. IP 10.0.0.10, MAC 0000:0000:0110

The Attacker wants to carry out an ARP attack against Victim so that every packet HostA sends to Victim can be captured and read. How can the Attacker do that? First, HostA wants to send data to Victim. HostA needs Victim's MAC address to communicate, so HostA broadcasts an ARP Request to every machine on the LAN asking which MAC belongs to IP 10.0.0.10 (Victim's IP). HostB, Attacker and Victim all receive the ARP Request, but only Victim sends an ARP Reply back to HostA. The ARP Reply carries Victim's IP, Victim's MAC and HostA's MAC. After receiving the ARP Reply from Victim, HostA knows Victim's MAC and begins communicating and sending data to Victim. HostB and Attacker cannot see the content of the data exchanged between HostA and Victim.

The Attacker wants to see the data exchanged between HostA and Victim, so it uses an ARP spoofing attack. The Attacker continuously sends ARP Replies containing Victim's IP, the Attacker's MAC and HostA's MAC: instead of Victim's MAC, the Attacker substitutes its own. HostA receives the ARP Reply and believes that IP 10.0.0.10 (Victim) has MAC 0000:0000:0111 (the Attacker's MAC), and HostA stores this information in its ARP cache. From now on everything HostA sends to 10.0.0.10 (Victim) is received by the Attacker, so the Attacker can read the entire content HostA sends to Victim. The Attacker can also take control of the whole exchange between HostA and Victim: it keeps sending ARP Replies claiming that both IP addresses map to the Attacker's MAC. When HostA receives such a packet it believes Victim has MAC 0000:0000:0111 (the Attacker's MAC); when Victim receives one it believes HostA has MAC 0000:0000:0111 (the Attacker's MAC).

Every piece of information exchanged between HostA and Victim now passes through the Attacker, who can read all of it. After an ARP attack the user is in real danger because everything they exchange is exposed, especially important information that must be kept confidential.

4. Limits and weaknesses of ARP spoofing. Only machines on the same network segment as the Attacker can be attacked. Machines on other networks cannot be attacked this way, because: within one LAN segment, machines exchange data based on MAC addresses. When HostA wants to exchange data with HostB, HostA looks in its ARP cache for the MAC address corresponding to HostB's IP, frames the data with source MAC = HostA's MAC and destination MAC = HostB's MAC, and delivers it to HostB based on the frame's destination MAC. When HostA and HostB are on different networks they must rely on IP addresses and pass through a routing device, the router. HostA frames the data with source MAC = HostA's MAC and destination MAC = the router's MAC; the frame is delivered to the router, which looks up the destination IP (HostB's IP) in its routing table to determine the path to HostB. Routers do not forward broadcasts. So this attack cannot be carried out across a WAN or over the Internet, only within the same LAN.

5. Some ARP attack tools: ARP0c http://www.l0t3k.org/security/tools/arp/ ; WinArpSpoofer http://www.nextsecurity.net/ ; Ettercap http://ettercap.sourceforge.net/

Detection and prevention. Using commands: ipconfig /all to see your own MAC; arp -a to see the ARP table on your machine, and check whether the MAC listed for the gateway is really the gateway's MAC. arp -d * clears the whole ARP table on your machine, so the attacker's MAC entries disappear and the machine relearns them; but if the attacking machine keeps pumping out ARP packets, clearing the ARP table has no effect. arp -s pins the destination IP to its real MAC as a static entry, after which the attack no longer works; but this does not scale to a large network with many machines and changing IP addresses (for example with DHCP).

Using software: we can install Anti-ARP software to avoid accepting forged ARP Replies.

Using network equipment: check each ARP Reply against the DHCP Snooping binding table to see whether it is legitimate (VLAN validation?).

Dynamic ARP Inspection: the switch checks every ARP Reply against the binding table and immediately DROPs any that is invalid:
SWITCH(config)#ip arp inspection
SWITCH(config)#ip arp inspection
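The scenario from notes 2 and 3 above, together with the Dynamic ARP Inspection check from the prevention notes, as an added Python simulation (this is not code from the original notes): HostA's ARP cache simply overwrites its entry for 10.0.0.10 with whatever the most recent ARP Reply claims, so the Attacker's forged reply wins; a switch that validates each reply's sender IP, sender MAC and ingress port against the DHCP snooping binding table drops the forged reply and HostA keeps the real mapping. MAC addresses are written as 00:00:00:00:01:xx for the notes' 0000:0000:01xx, and the switch port names and binding table are assumptions for the demonstration.

```python
from dataclasses import dataclass

# Hosts from the notes. Switch ports are an assumption; MACs rewritten in colon form.
HOSTS = {
    "HostA":    ("10.0.0.9",  "00:00:00:00:01:09", "Fa0/1"),
    "HostB":    ("10.0.0.8",  "00:00:00:00:01:08", "Fa0/2"),
    "Victim":   ("10.0.0.10", "00:00:00:00:01:10", "Fa0/3"),
    "Attacker": ("10.0.0.11", "00:00:00:00:01:11", "Fa0/4"),
}
VICTIM_IP, VICTIM_MAC, VICTIM_PORT = HOSTS["Victim"]
HOSTA_IP, HOSTA_MAC, _ = HOSTS["HostA"]
ATTACKER_MAC, ATTACKER_PORT = HOSTS["Attacker"][1], HOSTS["Attacker"][2]


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str       # "this IP address ..."
    sender_mac: str      # "... is at this MAC"  (the field the attacker lies about)
    target_ip: str
    target_mac: str
    ingress_port: str    # switch port the frame arrived on


class ArpCache:
    """A host's ARP table: ARP has no authentication, so the latest reply always wins."""

    def __init__(self):
        self.table = {}

    def learn(self, reply):
        self.table[reply.sender_ip] = reply.sender_mac

    def resolve(self, ip):
        return self.table.get(ip)


class DaiSwitch:
    """Dynamic ARP Inspection: forward a reply only if (sender IP, sender MAC, ingress port)
    matches the DHCP snooping binding table, or the frame arrived on a trusted uplink port."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = bindings          # ip -> (mac, port), learned by DHCP snooping
        self.trusted = set(trusted_ports)
        self.dropped = []

    def inspect(self, reply):
        if reply.ingress_port in self.trusted:
            return True
        if self.bindings.get(reply.sender_ip) == (reply.sender_mac, reply.ingress_port):
            return True
        self.dropped.append(reply)
        return False


def run(with_dai):
    """Victim answers HostA's request, then the Attacker forges a reply for Victim's IP.
    Returns what HostA ends up believing Victim's MAC is, and how many replies DAI dropped."""
    bindings = {ip: (mac, port) for ip, mac, port in HOSTS.values()}
    switch = DaiSwitch(bindings) if with_dai else None
    host_a = ArpCache()
    legit = ArpReply(VICTIM_IP, VICTIM_MAC, HOSTA_IP, HOSTA_MAC, VICTIM_PORT)
    forged = ArpReply(VICTIM_IP, ATTACKER_MAC, HOSTA_IP, HOSTA_MAC, ATTACKER_PORT)
    for reply in (legit, forged):
        if switch is None or switch.inspect(reply):
            host_a.learn(reply)
    return {"hosta_resolves_victim_to": host_a.resolve(VICTIM_IP),
            "dropped_by_switch": len(switch.dropped) if switch else 0}


if __name__ == "__main__":
    print("without DAI:", run(False))
    print("with DAI   :", run(True))
```

The same check is why a static arp -s entry works on a single host: both replace "trust the last reply" with "trust a binding established out of band".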

2.2 Distinguish between network design elements and components.


11. DMZ

In computer security, a DMZ or Demilitarized Zone is a physical or logical subnetwork that contains and exposes an organisation's external-facing services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an extra layer of security to the organisation's internal network (LAN): an external attacker has direct access only to the equipment in the DMZ, not to any other part of the network (such as the LAN). The name comes from the term "demilitarized zone", an area within a country in which military activity is not permitted. The figure on the left uses a single firewall; the one on the right adds a second firewall between the DMZ and the LAN.

12. VLAN

VLAN stands for virtual local area network (virtual LAN). A VLAN is a technique for creating logically independent LANs on the same physical infrastructure. Creating several virtual LANs within one local network (between the faculties of a school, between the departments of a company, and so on) shrinks the broadcast domains and makes a large local network easier to manage. A VLAN corresponds to a subnet. With an ordinary LAN, the computers at one location (the same room, say) are connected into a LAN through a single concentrator such as a hub or switch; several different LANs need several hubs or switches. In practice, though, a LAN usually does not contain many computers, and computers in the same location (same room) may belong to different LANs, which would require several separate hubs or switches, wasting both devices and Ethernet ports. To save resources while still supporting several LANs at one location, the solution is to group computers belonging to different LANs on the same switch. This is the virtual LAN, or VLAN. Types: there are three kinds of VLAN:
Port-based VLAN: each port (Ethernet or Fast Ethernet) is assigned to a specific VLAN, so every host or device connected to a switch port belongs to some VLAN. This is the simplest and most common way to configure VLANs.
MAC address based VLAN: each MAC address is assigned to a particular VLAN. This configuration is very complex and hard to manage.

Protocol-based VLAN: similar to the MAC-based VLAN but membership follows the Layer 3 protocol or IP address instead of the MAC address. This configuration is not widely used.

Advantages and disadvantages. Saves network bandwidth: a VLAN splits the LAN into segments, each a broadcast domain; a broadcast packet is forwarded only within its own VLAN and never into the others, which reduces broadcast traffic and saves bandwidth. Improves security: different VLANs cannot reach each other unless routing between them is configured. Easy to add or remove computers: on a multi-port switch each port can be configured for a different VLAN, so connecting more computers to the VLANs is simple. The network is highly flexible. The security gain holds only as far as the switch configuration does: trunk ports, the native VLAN and any inter-VLAN routing must be restricted, otherwise traffic can hop between VLANs.

13. NAT

What is NAT? In computer networking, Network Address Translation (NAT) is the process of rewriting the source and/or destination addresses of packets as they pass through a router or firewall. NAT hides the internal addressing from the outside, but it is an addressing mechanism, not an access-control policy; a firewall rule set is still needed.

14. Network interconnections

15. NAC

In today's world of data thieves, threats, worms and viruses on the network, and with the need to comply with particular policies, integrating Network Access Control (NAC) tightly into the network infrastructure is not an option but a necessity. Network Access Control lets you control who and what is allowed onto your network: block unauthorised users, control guest access, and ensure that your employees comply with the company's security policy. Improving security through network access control: implementing NAC reduces the risk of unauthorised access by guests and by non-compliant systems that could compromise your network. A NAC solution gives you a framework for ensuring that only properly secured computers get network access.

Desktop and mobile computers, wired or wireless, that connect to the network can be detected and managed appropriately with NAC in place. If the operating system is unpatched, the personal firewall is switched off, or unauthorised applications are in use, network access can be denied.

16. Subnetting

What is subnetting, and why? As we know from the article on IPv4 basics, the pool of IP addresses is gradually running out. Meanwhile a class A network has 2^24 - 2 = 16,777,214 IP addresses and a class B network 2^16 - 2 = 65,534, numbers of hosts that hardly any network ever reaches. This wastes a great deal of address space. So the problem is to divide each network into smaller networks with a number of addresses that matches actual needs. The division also makes management and data security easier for the administrator and reduces the load on routers. In practice subnetting was originally conceived to divide class A and B networks; it has since become a theoretical exercise that gives many network-administration students, me included, a headache. So what is subnetting? Roughly, it is the set of techniques for dividing the address space of a given network into several smaller networks by taking some bits from the Host Address part (many documents call it the Host ID; either name is fine) to serve as the network address of the subnet. Illustration with a class B address: network | subnet | host

To understand subnetting better, a few notions are needed first (in my view a name is just a name; what matters is the substance):
Prefix length: the number of bits used as the network address. Class A has prefix length 8, class B 16, class C 24. In a standard IP address the prefix length is the value after the slash, for example 192.168.1.1/24.
Default Mask (Network Mask): the mask of each network class A, B, C (D and E are not considered), the decimal value obtained when all Network Address bits are 1 and all Host Address bits are 0. So the default mask of class A is 255.0.0.0, of class B 255.255.0.0 and of class C 255.255.255.0.
Subnet Mask: the mask of a subnet, the decimal value obtained when all bits of the prefix length are 1 and the rest are 0. For example the IP address 172.16.1.46/26 has subnet mask 255.255.255.192 (11111111.11111111.11111111.11000000).

The subnet address of a given IP address is the lowest value of the range of the subnet the IP belongs to; routers use it to tell subnets apart. It can be computed in several ways. The most basic is a bitwise AND between the subnet mask and the IP address in binary. For example, for 172.16.1.250/26:

Octet   Subnet Mask   IP Address   AND = Subnet Address
1       11111111      10101100     10101100 = 172
2       11111111      00010000     00010000 = 16
3       11111111      00000001     00000001 = 1
4       11000000      11111010     11000000 = 192

Later, after many subnetting exercises, faster ways of finding the subnet address will appear. The broadcast address of a subnet is the highest IP address in that subnet. The subnet address and the broadcast address are not assigned to hosts, hence the formula for usable addresses: 2^n - 2, with n the number of Host Address bits. The last and most important notion in practical subnetting is VLSM (Variable Length Subnet Mask), the technique of using different subnet masks to create subnets with different numbers of addresses. With it an administrator can size each subnet to its requirements and easily add further subnets later.

So how do we divide a network into subnets?

To answer this, we answer the following question: given a standard IP address, determine its subnet address, broadcast address, subnet mask and the number of host addresses in the subnet. Concrete example: IP 17.16.15.14/13. Observation: this IP is class A, so 5 bits are borrowed for the subnet mask and 19 bits remain for the Host Address. Subnet mask: 11111111.11111000.00000000.00000000, i.e. 255.248.0.0. Number of host addresses in the subnet: 2^(32-13) - 2 = 524,286. Subnet address: ANDing the IP with the subnet mask (a slow method) gives 17.16.0.0. With 5 borrowed bits there are 2^5 = 32 subnets, so the distance between subnets (the subnet length) is 256/32 = 8; the next subnet is therefore 17.24.0.0.

Broadcast: the highest value of the previous subnet's IP range, which is also the address immediately before the subnet address of the next network: 17.23.255.255. The work looks simple, but converting back and forth between decimal and binary is tedious, and without a computer it costs a lot of paper and effort. Here is a simpler and more general method. Notice that we only ever work with the numbers in one octet at a time; call it the working octet. With prefix 13 we work in octet 2 (this is obvious when ANDing the mask with the IP). In general the working octet is the integer part of (prefix length / 8) + 1. Let m be the number of bits borrowed in the working octet (the remainder of prefix length / 8); the subnet jump is 2^(8-m). Find the position of the current subnet as the number n such that n * 2^(8-m) <= decimal value of the working octet < (n+1) * 2^(8-m). The current subnet is then n: the working octet of the subnet address is n * 2^(8-m), the octets before the working octet stay unchanged and the octets after it are 0. Do the same for the subnet after the current one, and the broadcast address follows. That sounds long, but the following examples make it clear:
Example 1: IP 26.25.24.23/22. Working octet: 3, m = 6. Jump: 4, so n = 6. Subnet address 26.25.24.0; next subnet 26.25.28.0; broadcast 26.25.27.255.
Example 2: IP 32.31.30.29/28. Working octet: 4, m = 4. Jump: 16, so n = 1. Subnet address 32.31.30.16; next subnet 32.31.30.32; broadcast 32.31.30.31. Simple, isn't it?

However, the harder and more practical side of subnetting is deciding the smallest subnet that can reasonably hold the hosts on a segment, so as to save address space and leave room for the network to grow. The problem: given an address block, divide it into X subnets, each with a given (different) number of hosts. This is solved with the VLSM technique mentioned above. Concrete example: a network of 229 hosts with the address block 192.168.11.0/24 is to be divided into four subnets: Net 1 with 19 hosts, Net 2 with 29 hosts, Net 3 with 61 hosts and Net 4 with 120 hosts. First sort the host counts in descending order: 120, 61, 29, 19. With x bits for the host address we get 2^x - 2 hosts, so for each network we need the smallest x that satisfies the requirement. Net 4, 120 hosts: x = 7, prefix length 25, borrowing 1 bit in octet 4, jump 2^7 = 128. Net 4: 192.168.11.0/25. The next subnet is 192.168.11.128/25; split it further for Net 3, 61 hosts: x = 6, prefix length 26, borrowing 2 bits in octet 4, jump 2^6 = 64. Net 3: 192.168.11.128/26. The next subnet, 192.168.11.192/26, is split further for Net 2, 29 hosts: x = 5, prefix length 27, borrowing 3 bits in octet 4, jump 32. Net 2: 192.168.11.192/27. The next subnet is 192.168.11.224/27; use it for Net 1: 192.168.11.224 to 192.168.11.255.
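As an added example (not part of the original notes), the Python below computes the quantities defined above with the standard-library ipaddress module, implements the working-octet shortcut exactly as stated (working octet = prefix//8 + 1, m = prefix mod 8, jump = 2^(8-m)), checks the two agree, and carries out the VLSM allocation for the 192.168.11.0/24 exercise. The addresses are the ones used in the text.

```python
import ipaddress


def subnet_info(cidr):
    """Subnet address, mask, broadcast, usable hosts (2^n - 2) and the next subnet, via bitwise AND."""
    net = ipaddress.ip_interface(cidr).network
    host_bits = net.max_prefixlen - net.prefixlen
    return {
        "subnet": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": (1 << host_bits) - 2,
        "next_subnet": str(ipaddress.ip_address(int(net.broadcast_address) + 1)),
    }


def shortcut(cidr):
    """The working-octet method from the text, for prefix lengths 1..31.
    Returns (subnet address, broadcast address) without any binary conversion."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    octets = [int(o) for o in ip.split(".")]
    idx = prefix // 8              # 0-based index of the working octet (text: prefix//8 + 1)
    m = prefix % 8                 # bits borrowed inside the working octet
    jump = 2 ** (8 - m)            # subnet jump
    n = octets[idx] // jump        # n * jump <= working octet value < (n + 1) * jump
    subnet = octets[:idx] + [n * jump] + [0] * (3 - idx)
    broadcast = octets[:idx] + [n * jump + jump - 1] + [255] * (3 - idx)
    return ".".join(map(str, subnet)), ".".join(map(str, broadcast))


def vlsm(block, host_counts):
    """Allocate one subnet per requested host count, largest first (the VLSM procedure).
    Each subnet gets the smallest x with 2^x - 2 >= hosts, i.e. prefix = 32 - x."""
    block = ipaddress.ip_network(block)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = 32 - (hosts + 1).bit_length()      # smallest x with 2^x >= hosts + 2
        size = 1 << (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{block} cannot hold a further subnet of {hosts} hosts")
        # Descending sizes keep the cursor aligned, so strict=True never complains here.
        plan.append((hosts, ipaddress.ip_network((cursor, prefix))))
        cursor += size
    return plan


if __name__ == "__main__":
    for cidr in ("17.16.15.14/13", "26.25.24.23/22", "32.31.30.29/28"):
        print(cidr, subnet_info(cidr), shortcut(cidr))
    for hosts, net in vlsm("192.168.11.0/24", [19, 29, 61, 120]):
        print(hosts, "hosts ->", net)
```

Sorting largest-first is what keeps every subnet aligned to its own size; allocating the 19-host network first would leave the 120-host block unable to start on a /25 boundary.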

17. Telephony

2.3 Determine the appropriate use of network security tools to facilitate network security.

18. NIDS

19. NIPS

20. Firewalls

A firewall is a barrier that individuals, organisations, businesses and government bodies set up to stop Internet users from reaching unwanted content, or to stop outside users from reaching confidential information held on the internal network. A firewall is a hardware device or a piece of software, operating in a networked computing environment, that blocks communications forbidden by the security policy of the individual or organisation, much as fire walls in buildings contain fire. A firewall is also called a Border Protection Device (BPD), especially in NATO contexts, or a packet filter in the BSD operating system, the Unix variant from the University of California, Berkeley. The basic task of a firewall is to control the flow of data between two zones of different trust. Typical zones of trust are the Internet (an untrusted zone) and the internal network (a highly trusted zone). The ultimate goal is to provide controlled connectivity between zones of differing trust by applying a security policy and a connectivity model based on the principle of least privilege.

Configuring a firewall correctly requires skill on the part of the system administrator, including considerable knowledge of network protocols and of computer security. Small mistakes can turn a firewall into a useless security tool. Two common kinds of firewall are: protective firewalls, which secure an individual computer or a local network against intrusion and attack from outside; and blocking firewalls, usually set up by Internet service providers, whose job is to stop computers from reaching certain websites or servers, commonly for the purpose of Internet censorship.
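As an added example (not from the original notes), the Python below is a tiny zone-based packet filter showing the least-privilege model described above, using the three zones from the DMZ section: the Internet (untrusted), a DMZ and the LAN. Everything not explicitly allowed is denied, so an Internet host can reach the DMZ web service but not SSH on the same server, and a compromised DMZ host still cannot open connections into the LAN. The address ranges and the rule set are constructed for the demonstration, not a recommended production policy.

```python
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port


# Constructed zones; anything not in lan or dmz is the untrusted internet.
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Least privilege: only the flows the design needs are listed; the fall-through is deny.
RULES = [
    Rule("allow", "internet", "dmz", "tcp", 80),
    Rule("allow", "internet", "dmz", "tcp", 443),
    Rule("allow", "lan", "dmz", "any", None),
    Rule("allow", "lan", "internet", "any", None),
    # Deliberately no rule for dmz -> lan or internet -> lan.
]


def decide(pkt, rules=RULES):
    """First matching rule wins; no match means deny (default-deny policy)."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


if __name__ == "__main__":
    for p in (Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # internet -> dmz web
              Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # internet -> dmz ssh
              Packet("192.0.2.10", "10.0.0.5", "tcp", 445),      # compromised dmz -> lan
              Packet("10.0.0.5", "203.0.113.5", "tcp", 80)):     # lan -> internet
        print(p, "->", decide(p))
```

Note that the order of the rules matters only among overlapping matches; the property that makes the policy least-privilege is the final return "deny", which the text's "small mistakes" usually undermine by a too-broad allow placed above it.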

21. Proxy servers

A proxy is an Internet server that relays traffic and applies controls so that Internet access is safe for the client machines (the customers of the Internet service). The host on which the proxy is installed is the proxy server. A proxy has a fixed IP address and port; for example, in 123.234.111.222:80 the proxy's IP address is 123.234.111.222 and its port is 80.

Functions of a proxy. Some firms and companies use a proxy to: let many computers reach the Internet through one computer with a single Internet account, that computer being the proxy server. Only the proxy needs a modem and an Internet account; the client machines that want Internet access just connect to the proxy over the LAN and request the address they want. User requests pass through the proxy instead of going straight to the real server the user wants to talk to, and at this intermediate point the company can monitor every exchange from inside the company out to the Internet and from the Internet into the company's machines. With a proxy the company can forbid employees from visiting disallowed web addresses, improve access speed by caching web pages in the proxy server's memory, and hide the identity of internal network addresses, making it harder to break into the company's machines from outside. For Internet service providers: since the Internet carries much content that, from the point of view of a given country, people or locality, is harmful or offensive, regional ISPs combine a proxy with firewall techniques to create a filter called a firewall proxy that blocks such content. The addresses of the websites customers request are filtered here; if an address is not blocked, the customer's request is forwarded on to the ISP's DNS servers. The firewall proxy filters all information from the Internet into the customer's machine and vice versa.

The significance of a proxy

A proxy is valuable not only because it acts as an information filter; it also creates safety for its clients: a firewall proxy effectively blocks unwanted parties from intruding into clients' machines. The proxy stores the information its clients need in its memory, which shortens retrieval time and uses bandwidth efficiently. A proxy server is like a bodyguard protecting you from trouble on the Internet. A proxy server usually sits inside the firewall, between the web browser and the real server, and takes over the client machines' Internet requests so that they never talk to the Internet directly. Users cannot reach forbidden (blocked) pages. Every client request must pass through the proxy server: if the address is already on the proxy (the site is cached), the page is served without connecting to the Internet; if it is not on the proxy and not blocked, the request is forwarded to the real server, the DNS servers and so on, out to the Internet. The proxy caches the most frequently visited pages in its buffer to reduce connection costs and speed up browsing. The proxy protects the internal network from being identified from outside by giving the network two identities, one internal and one external. This creates an alias toward the outside world and makes it hard for reckless users or hackers to break directly into any particular machine.

Using a proxy effectively. Because proxies differ in memory size and in how many people are using them at a time, an overloaded proxy server can make customers' Internet access slow. On the other hand, a customer with a legitimate, well-founded need for research may find that the firewall blocks sites they need; switching proxies may then be necessary to get the work done, so users can choose the proxy server they use themselves.

22. Honeypot

23. Internet content filters

24. Protocol analyzers

2.4 Apply the appropriate network tools to facilitate network security.

25. NIDS

26. Firewalls

27. Proxy servers

28. Internet content filters

29. Protocol analyzers

2.5 Explain the vulnerabilities and mitigations associated with network devices.
30. Privilege escalation
31. Weak passwords
32. Back doors
33. Default accounts
34. DoS

Supplement: review questions (VPN)
35. Define a virtual private network and state the benefits of virtual private networks.
36. State the requirements for a virtual private network.
37. Describe the common VPN connection models.
38. Describe the PPTP protocol.
39. Describe the L2F protocol.
40. Describe the L2TP protocol.
41. Compare the differences between the remote-access tunnelling protocols.
42. Describe the Authentication Header (AH) protocol in IPsec.
43. Describe the Encapsulating Security Payload (ESP) protocol in IPsec.
44. Describe the phases of the Internet Key Exchange (IKE) protocol.
45. Describe the IKE modes and the differences between them.
46. Describe the similarities and differences between IPsec and SSL.
47. State the steps for deploying a remote-access virtual private network.
