POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY, HO CHI MINH CITY CAMPUS
VIRTUAL PRIVATE NETWORK (VPN) TECHNIQUES
Compiled by: MSc. TRAN CONG HUNG
POSTS PUBLISHING HOUSE, July 2002

PREFACE

Earlier telecommunications networks shared one feature: each existed separately, and for every kind of information service there was at least one dedicated network to serve it. Each network was designed for its own services and could not be used for other purposes; for example, voice cannot be carried over X.25 packet switching because the delay through that network is too large. Each network demanded its own design, manufacturing, operation and maintenance methods. A telecommunications system built this way has many drawbacks, the most important being:
- Each network can only carry the services it was built for.
- Lack of flexibility: it is hard to adapt to the requirements of the different services that will appear in the future.
- Inefficient maintenance, operation and use of resources: resources available in one network cannot be shared with other networks.
The need for a single telecommunications network has therefore become ever more pressing. The following reasons can be considered:
- Demand for broadband services is growing.
- The technical requirements for signal processing, switching and transmission at high speed (from several hundred Mbit/s to several Gbit/s) have become reality.
- Interdependent circuit-switched and packet-switched services need to be integrated into one broadband network.
- The flexibility demanded by both users and network administrators must be satisfied.
ITU-T Recommendation I.121 introduced the Broadband Integrated Services Digital Network (B-ISDN), which serves every circuit-switched and packet-switched service, multimedia or single-medium, connection-oriented or connectionless. According to ITU-T, B-ISDN operates on the basis of the Asynchronous Transfer Mode (ATM), so ATM is the foundation of B-ISDN. At present ATM technology has not yet been put into service in Vietnam and is still being trialled; as far as I know, many countries have already applied it in practice. Applications of Multi-Protocol Label Switching (MPLS) have also appeared and are in use in South Korea. MPLS combines ATM's high-speed switching technology with IP routing technology: it joins layer 2, with its path to a high-speed core network, to layer 3, which is suited to quality of service (QoS). MPLS application services open the way for the next-generation Internet. MPLS cannot be discussed, however, without discussing the virtual private network (VPN), because MPLS relies on the IP-VPN service, developed as the main application of MPLS, which connects VPN sites over MPLS Label Switched Paths (LSPs). To help students and readers interested in telecommunications in general, and in the MPLS systems our country will have in the future, this book provides knowledge of virtual private networks (VPNs), which is part of the groundwork for MPLS.

This first edition cannot avoid shortcomings; the author very much hopes to receive readers' comments so that the book can be improved in later printings. Contributions may be sent to e-mail: conghung@ptithcm.edu.vn. Sincere thanks.

Author: MSc. TRAN CONG HUNG
INTRODUCTION
GENERAL OVERVIEW OF VPN

The term Virtual Private Network, translated as "mạng riêng ảo" and usually called VPN, truly took off in 1997, and more and more vendors are offering their own VPN solutions to their customers; articles in newspapers and specialist magazines, material on the Internet, conferences about VPN and products supporting VPN can all be found. This book cannot cover every VPN topic, but it addresses the most basic aspects of VPN and the groundwork for building a VPN for an organization or agency. This introduction examines the basic questions about VPN, the types of VPN, the benefits they bring, and some related issues.

1. VPN basics

The concept of a virtual private network: A virtual private network is a way of making a public network (for example the Internet) behave like a local network, with the same characteristics of security and priority that users value. A VPN allows private connections to be set up to remote users, to a company's branch offices and to its partners, all over a shared public network. A traditional wide area network (WAN) requires a company to pay for and maintain many kinds of dedicated lines, on top of investing in equipment and staff. These costs have left companies that want the benefits of a larger network unable to build one. A VPN, by contrast, does not face the cost barriers of such WANs because it runs over a public network.
In fact, the VPN concept is not a new technology: it was used in telephone networks several years ago and became widespread with the growth of intelligent networks. VPNs only became genuinely new when they moved onto IP networks (networks using the Internet Protocol) such as the Internet. This is why many people use the terms Internet VPN and Virtual Private Data Network (VPDN) in place of VPN.

A VPN uses data encryption to keep unauthorized users from reading data and to ensure the data is not altered. Tunneling is a mechanism for encapsulating one protocol inside another. In the Internet context, tunneling lets protocols such as IPX, AppleTalk and IP be encrypted and then encapsulated in IP. In the VPN context, tunneling likewise hides the original network-layer protocol by encrypting the packet and placing the encrypted packet inside an IP envelope. This IP envelope, which is really an IP packet, is then carried securely across the Internet. On receipt, the receiving side strips the outer envelope, decrypts the data inside and delivers it to the appropriate access device, such as a router.

A VPN also provides quality of service (QoS) agreements, usually expressed as an upper bound on the average packet delay across the network. These agreements may additionally specify a lower bound on the bandwidth available to each user. They are negotiated through service level agreements (SLAs) with the service provider; SLAs are discussed in more detail later.
From what has been presented, a VPN can be defined concisely by the formula:

VPN = Tunneling + Security + QoS agreements

Thanks to the advantages of important applications deployed on intranets and remote-access networks, customers are more satisfied with their work, a company's business becomes more rational and efficient, and it reaches larger markets. However, network costs (equipment, lines, maintenance, ...) and network management are major concerns for many companies, especially those wanting a quick return on investment to modernize production. Building virtual private networks has therefore been put forward as the way to cut a company's network costs, replacing the dedicated leased-line solutions used before.

Because networking over a VPN is far cheaper than leased lines, enterprises can extend the company's reach to global scale (via the Internet) without investing at global scale. A VPN matters to an enterprise for its mobile workers: it cuts connection costs (a company with many branches around the world has a large workforce, many of whom work in countries far from headquarters), extends the intranet to branch offices, and supports communication with partners and customers mainly through an extranet. The following sections cover some of the benefits and value of VPN, the terms associated with VPN, and an overview of how today's VPNs operate, so that the most suitable and effective method for building a VPN can be chosen.

Benefits of VPN

A VPN brings real and immediate benefits to a company.
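The QoS term of the formula can be made concrete. The following Python is an added illustration, not code from the book: it tags constructed traffic samples with a priority class by application (the "Priority" idea described in section 3 below, where business databases rank above e-mail and file transfer) and checks the two SLA terms stated above, an upper bound on average packet delay and a lower bound on per-user bandwidth. The application names, thresholds and measurements are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Priority classes by application; lowest number = highest priority.
# Constructed mapping: the text only says business databases rank above e-mail and FTP.
PRIORITY_BY_APP = {"sales-db": 0, "catalogue-db": 0, "email": 2, "ftp": 3}
DEFAULT_PRIORITY = 3

# Constructed SLA terms: upper bound on average delay, lower bound on bandwidth per user.
SLA = {"max_avg_delay_ms": 150.0, "min_bandwidth_kbps": 64.0}


@dataclass(frozen=True)
class Sample:
    """One observation of a user's traffic inside a measurement window."""
    user: str
    app: str
    delay_ms: float      # measured one-way delay of the packet
    payload_bytes: int   # bytes carried by the packet


def tag_priority(sample: Sample) -> int:
    # Priority depends only on the application, never on the payload contents,
    # matching the requirement that priority be independent of the data carried.
    return PRIORITY_BY_APP.get(sample.app, DEFAULT_PRIORITY)


def sorted_by_priority(samples):
    """Order samples the way a priority scheduler would dequeue them (stable within a class)."""
    return sorted(samples, key=tag_priority)


def check_sla(samples, window_seconds: float, sla=SLA):
    """Per user: average delay, achieved bandwidth and the list of violated SLA terms."""
    delays = defaultdict(list)
    octets = defaultdict(int)
    for s in samples:
        delays[s.user].append(s.delay_ms)
        octets[s.user] += s.payload_bytes
    report = {}
    for user in delays:
        avg_delay = mean(delays[user])
        bandwidth_kbps = octets[user] * 8 / 1000 / window_seconds
        violations = []
        if avg_delay > sla["max_avg_delay_ms"]:
            violations.append("delay")
        if bandwidth_kbps < sla["min_bandwidth_kbps"]:
            violations.append("bandwidth")
        report[user] = {"avg_delay_ms": avg_delay,
                        "bandwidth_kbps": bandwidth_kbps,
                        "violations": violations}
    return report


# Constructed samples for a 10-second measurement window.
WINDOW_SECONDS = 10.0
SAMPLES = [
    Sample("alice", "sales-db", 80.0, 120_000),
    Sample("alice", "email", 120.0, 40_000),
    Sample("bob", "ftp", 200.0, 50_000),
    Sample("bob", "ftp", 180.0, 10_000),
    Sample("carol", "catalogue-db", 60.0, 200_000),
]

if __name__ == "__main__":
    for user, result in check_sla(SAMPLES, WINDOW_SECONDS).items():
        print(user, result)
```

In the constructed data, bob's traffic breaches both terms (190 ms average delay, 48 kbit/s), while alice and carol stay within the agreement; a provider's SLA report would be built from exactly this kind of per-user aggregation.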
A VPN can simplify access for employees and mobile users, extend the intranet to every branch office, and even deploy an extranet to customers and key partners; importantly, all of this costs far less than buying equipment and lines for a private WAN. A VPN owned and managed by a service provider, with its economies of scale and advanced technology, can serve many organizations on the same network, using modern software to keep one company's traffic separate from another's. The advantages of a VPN can be summarized as follows:

Lower recurring costs: A VPN saves up to 60% compared with leasing lines and reduces the cost of incoming calls from employees working remotely. Long-distance charges are reduced for mobile and remote employees because they reach the network through local Points of Presence (POPs), limiting long-distance calls to central modem pools.

Lower capital costs: There is no investment in servers, backbone routers or access switches, because these devices are managed and owned by the service providers. The company does not have to buy, configure or manage complex modem pools either. It can also rent customer premises equipment cheaply from service providers or value-added service companies, which makes network upgrades easier and cheaper.

Lower management and support costs: With their economies of scale, service providers can deliver substantial savings compared with running the network in-house, reducing or removing the need for "in-house" staff.
Furthermore, the company receives 24-hour support and service from skilled staff who are always ready to respond and resolve problems quickly.

Access anytime, anywhere: Customers of a VPN on this extended network have the same rights and ability to access central services, including WWW, e-mail, FTP and other essential applications, whether they connect over a local area network (LAN), a modem, a cable modem, an xDSL subscriber line, ..., without having to worry about the complexity underneath.

2. Types of VPN

At present VPNs can be divided into three types:
1. Remote Access VPNs: these VPNs provide reliable access to remote users such as mobile employees, remote employees and the branch offices that belong to the company's network.

Figure 1: Remote access VPNs (a laptop at an airport reaching the company router over PPTP through the telco/Internet/ISP)

2. Intranet VPNs: these allow branch offices to be linked securely to the company's headquarters (figure 2).
3. Extranet VPNs: these allow customers, suppliers and partners to access the company's intranet securely.

3. Structure of a VPN

All VPNs provide secure access over public networks by using security services, including tunneling and data encryption measures. This section introduces some terms, products and technologies related to VPN.

Figure 2: Intranet VPNs (remote offices linked through the service provider over IP, Frame Relay or ATM)

Security

Security is what makes a VPN "private". For competitive and many other reasons, the security of a company's information and of its exchanges of information is vital, and this is why WAN solutions with leased lines are still the most widely used today.
A VPN must therefore be as secure as a leased line, while delivering cost advantages without giving up the private character of the network. Products and technologies thus have to be combined to guarantee security for VPN connections.

Tunnels

Tunnels are the "virtual" property of a VPN; they make a connection appear as a single traffic flow on the line. They also let the VPN maintain the security and priority requirements applied in the internal network, and guarantee control over the flow of data. Tunnels also make the VPN private. The tunneling technologies commonly used for VPN access are the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F) and the Layer 2 Tunneling Protocol (L2TP). Dedicated intranet and extranet VPNs may use technologies such as IP Security (IPSec) or Generic Route Encapsulation (GRE) to create their virtual tunnels.

Encryption

Encryption is an optional feature that also contributes to the "private" character of a VPN. Encryption should be used only for especially important data flows; ordinarily it is not needed, because encryption can hurt speed and burden the processor.

Firewall

We use a firewall to protect our internal network against attacks on network traffic and against intruders; a good firewall solution is a tool able to distinguish traffic on the basis of user, application or origin. Firewalls are covered in more detail in Part II, "Building blocks of a VPN".

User identification

Every user must undergo authentication so that the network knows who they are (access rights, password, ...)
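The tunnel-plus-encryption mechanism described in section 1 (an encrypted packet placed in an IP envelope, stripped and decrypted at the far end) and in the "Tunnels" and "Encryption" paragraphs above can be shown end to end. The Python below is an added example, not code from the book and not any real protocol's packet format: the envelope layout is constructed, the keystream is an HMAC-SHA256 counter construction standing in for the cipher a real VPN protocol would negotiate, and the key, addresses and IPX packet are constructed values. It shows what an on-path observer sees (only the outer addresses and ciphertext) and that a modified or re-addressed envelope is dropped by the receiving endpoint.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Identifiers for the original (inner) protocol hidden by the tunnel. The values follow
# the EtherType numbers for IP, IPX and AppleTalk so the receiver can hand the packet
# to the right protocol stack after decapsulation.
INNER_PROTO_IP = 0x0800
INNER_PROTO_IPX = 0x8137
INNER_PROTO_APPLETALK = 0x809B

# Outer "IP envelope" header (constructed layout, not a real IP or IPSec header):
# version, flags, ciphertext length, outer source, outer destination, inner protocol, nonce.
HEADER = struct.Struct("!BBH4s4sH12s")
TAG_LEN = 32


def _keys(tunnel_key: bytes):
    # Separate encryption and integrity keys derived from one shared tunnel key.
    enc_key = hmac.new(tunnel_key, b"tunnel-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(tunnel_key, b"tunnel-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stream cipher: HMAC-SHA256 in counter mode. A real VPN uses the
    # cipher its protocol negotiates; this only shows where encryption sits in the tunnel.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(tunnel_key, outer_src, outer_dst, inner_proto, inner_packet, nonce=None) -> bytes:
    """Encrypt inner_packet and wrap it in an envelope addressed between the tunnel endpoints."""
    nonce = nonce if nonce is not None else os.urandom(12)
    enc_key, mac_key = _keys(tunnel_key)
    ciphertext = _xor(inner_packet, _keystream(enc_key, nonce, len(inner_packet)))
    header = HEADER.pack(1, 0, len(ciphertext),
                         ipaddress.IPv4Address(outer_src).packed,
                         ipaddress.IPv4Address(outer_dst).packed,
                         inner_proto, nonce)
    # The integrity tag covers header and ciphertext, so the outer addresses are protected too.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(tunnel_key, envelope: bytes) -> dict:
    """Verify the envelope, strip it, and return the original packet with its protocol."""
    if len(envelope) < HEADER.size + TAG_LEN:
        raise ValueError("truncated envelope")
    header = envelope[:HEADER.size]
    ciphertext = envelope[HEADER.size:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    enc_key, mac_key = _keys(tunnel_key)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: envelope modified or wrong tunnel key")
    version, _flags, length, src, dst, proto, nonce = HEADER.unpack(header)
    if version != 1 or length != len(ciphertext):
        raise ValueError("malformed envelope header")
    inner_packet = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return {"outer_src": str(ipaddress.IPv4Address(src)),
            "outer_dst": str(ipaddress.IPv4Address(dst)),
            "inner_proto": proto,
            "inner_packet": inner_packet}


def is_accepted(tunnel_key, envelope: bytes) -> bool:
    """True if the tunnel endpoint would accept the envelope, False if it would drop it."""
    try:
        decapsulate(tunnel_key, envelope)
        return True
    except ValueError:
        return False


# Constructed demonstration values.
TUNNEL_KEY = b"constructed-shared-tunnel-key"
INNER_IPX_PACKET = b"\xff\xff\x00\x2a\x00\x04" + b"constructed IPX payload"

if __name__ == "__main__":
    env = encapsulate(TUNNEL_KEY, "203.0.113.10", "198.51.100.20", INNER_PROTO_IPX, INNER_IPX_PACKET)
    print("envelope length:", len(env), "accepted:", is_accepted(TUNNEL_KEY, env))
    print("decapsulated:", decapsulate(TUNNEL_KEY, env))
```

The receiver verifies the integrity tag before decrypting, so a flipped bit anywhere in the envelope, including the outer addresses, causes the packet to be dropped rather than delivered to the inner protocol stack.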
and must undergo authorization so that the network knows what they are allowed to do. A good system also performs accounting to track what users have done, for billing and security purposes. Authentication, authorization and accounting are together called the AAA services.

Priority

Priority is the process of "tagging" the traffic flow of a given application for expedited service across the network. For example, critical business application systems (such as catalogue or sales database applications) can receive top priority for fast delivery, in keeping with market competition, while services such as e-mail or file transfer get lower priority. The ability to assign priority must be independent of the transmitted data so that the service is genuinely complete.

4. Overview of the protocols used for VPN

Three main protocols are used to build VPNs today:

Point-to-Point Tunneling Protocol (PPTP)

This is the most popular tunneling protocol at present. PPTP is provided as part of the Remote Access Services (RAS) in Microsoft Windows NT 4.0 and Windows 2000; it uses Windows' built-in encryption, user authentication and the configuration base of the Point-to-Point Protocol (PPP) to establish encryption keys.

Layer 2 Tunneling Protocol (L2TP)

This is an IETF (Internet Engineering Task Force) standard protocol that uses public key technology for user authentication and can operate over a wider variety of transport media than PPTP. Notably, L2TP cannot be used to perform encryption. Microsoft began to provide L2TP as part of RAS in Windows 2000.
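The AAA sequence described under "User identification" above (authenticate, then authorize, then account for the decision) is shown below as a small gateway in Python. It is an added example, not code from the book or from any VPN product: the users, roles, passwords and resource names are constructed, password storage uses PBKDF2-HMAC-SHA256 with a per-user salt, and the accounting log is an in-memory list standing in for a billing or audit system.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 50_000


class AAAGateway:
    """Constructed AAA gateway: authenticates users, authorizes actions by role,
    and records every decision in an accounting log."""

    def __init__(self):
        self.users = {}        # name -> {"salt", "hash", "role"}
        self.roles = {}        # role -> {resource: set(actions)}
        self.accounting = []   # accounting records in order of occurrence

    def add_role(self, role, permissions):
        self.roles[role] = {res: set(acts) for res, acts in permissions.items()}

    def add_user(self, name, password, role):
        # Store a salted PBKDF2 hash, never the password itself.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[name] = {"salt": salt, "hash": digest, "role": role}

    def authenticate(self, name, password) -> bool:
        record = self.users.get(name)
        if record is None:
            # Do the same amount of work for unknown names so response time does not
            # reveal which user names exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, record["hash"])

    def authorize(self, name, resource, action) -> bool:
        record = self.users.get(name)
        if record is None:
            return False
        allowed = self.roles.get(record["role"], {}).get(resource, set())
        return action in allowed

    def account(self, name, resource, action, outcome):
        entry = {"time": time.time(), "user": name, "resource": resource,
                 "action": action, "outcome": outcome}
        self.accounting.append(entry)
        return entry

    def access(self, name, password, resource, action) -> bool:
        """Full AAA sequence: authenticate, then authorize, then account for the result."""
        if not self.authenticate(name, password):
            self.account(name, resource, action, "auth-failed")
            return False
        if not self.authorize(name, resource, action):
            self.account(name, resource, action, "denied")
            return False
        self.account(name, resource, action, "permitted")
        return True


def build_demo_gateway() -> AAAGateway:
    """Constructed users, roles and passwords for demonstration only."""
    gw = AAAGateway()
    gw.add_role("sales", {"sales-db": {"read"}, "email": {"read", "write"}})
    gw.add_role("admin", {"sales-db": {"read", "write"}, "email": {"read", "write"},
                          "router": {"configure"}})
    gw.add_user("alice", "correct horse battery staple", "sales")
    gw.add_user("root-ops", "constructed-admin-secret", "admin")
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.access("alice", "correct horse battery staple", "sales-db", "read"))
    print(gw.access("alice", "correct horse battery staple", "sales-db", "write"))
    for entry in gw.accounting:
        print(entry["user"], entry["resource"], entry["action"], entry["outcome"])
```

Every request leaves an accounting record whatever its outcome, which is what makes the log usable both for billing (permitted actions) and for security review (failed logins and denied actions).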
IP Security (IPSec)

This is an IETF standard protocol used to provide encryption. The greatest advantage of IPSec is that it can be used to set up a VPN automatically, in accordance with a centralized security policy, and to set up a VPN based on computers rather than on users. IPSec is provided as part of the Windows NT 4.0 and Windows 2000 operating systems.

In addition, Layer 2 Forwarding (L2F) is the basis on which L2TP was built.

To build a secure VPN, we can use either of two approaches:

Approach 1: Use PPTP on its own, since PPTP by itself can provide a secure VPN. This approach minimizes cost and keeps management simple.

Approach 2: Combine L2TP with IPSec to provide a secure VPN. This approach suits companies that require high network security, although it is more expensive and network management is more complex than with approach 1.

5. General assessment of VPN

In short, at reasonable cost, a VPN can help an enterprise reach the world faster and more cost-effectively than other WAN solutions; recurring costs can be cut substantially and the investment recovered quickly. With a VPN, we can extend critical business applications to remote offices and to partners through an extranet, making the enterprise more competitive while also improving customer service. Today, in a rapidly changing economy, a new business model for network services is emerging in which the service provider cooperates with the customer to deliver the platform for the customer's business and to improve competitiveness.
The virtual private network (VPN) is a technological breakthrough that is transforming the industry and revolutionizing the services customers demand. This network model is shifting the need to automate the operation of a company's own private communications toward a cooperative relationship with a service provider through VPN, in order to build strategic networks, extend those networks to global scale, open up opportunities for growth, increase profits, and achieve the greatest efficiency for service providers and customers alike.

PART I
VPN AND INTERNET VPN SECURITY

CHAPTER 1
GENERAL INTRODUCTION

Ever since businesses began using computers at many locations, they have wanted and needed to connect those computers in a private and secure way to make communication easy. Building a private network within a local area of office buildings can be relatively simple, because companies usually own the physical premises. Things become much harder when building a common network that spans different offices or buildings far apart, in different countries or states. In many cases businesses had no choice but to use a leased line from their local exchange, or long-distance facilities, to connect computers at geographically separate sites. Businesses have long had many ways to link their locations into private corporate networks, but until recently those networks were hard-wired in nature and inflexible. Once network services were offered to connect sites over shared public connections, the term "virtual private network", or VPN, became familiar.
The word "virtual" is added as a modifier to show that although we may treat the traffic flow between two sites as a private channel, it is not hard-wired and exists as a connection only while network traffic passes over the channel. This is a virtual circuit.

1.1 What is an Internet VPN?

An Internet-based VPN uses the open, distributed infrastructure of the Internet to carry data between corporate sites. In essence, companies using an Internet VPN set up connections to the local connection points of an Internet Service Provider (ISP), called Points of Presence (POPs), and let the ISP make sure the data reaches its destination through the Internet. The connection supporting a communication session between sites is formed dynamically, to reduce network load, so an Internet VPN has no permanent connections in its structure. In other words, the bandwidth for a session is not allocated until it is requested, and it is released when the session ends. In many ways this resembles the behaviour of a Frame Relay network, but extended to many other kinds of connection over the Internet. Because the Internet is a public network that carries most data without encryption, an Internet VPN includes providing an encryption mechanism for the data sent between VPN sites, protecting it against sniffing and tampering by unauthorized parties. As an added advantage, an Internet VPN also provides secure connections for mobile workers through the dial-up connections that ISPs offer their clients at their POPs.
1.2 Advantages of an Internet VPN

Several benefits follow from using an Internet-based VPN, whether building a VPN from scratch or converting a traditional VPN into one that uses the Internet. These benefits, direct or indirect, include cost saving, flexibility, scalability and a number of other advantages.

1.2.1 Low cost

Tables 1.1, 1.2 and 1.3 let us compare the cost of using T1 leased lines (1.5 Mbit/s) with the cost of using an Internet VPN.
Table 1.1: Monthly cost of networks using a single leased line, compared with an Internet VPN
City pair | Distance (miles) | Cost for T1 | Cost for Internet VPN
New York - (illegible) | 194 | $4,570 | (illegible)
New York - Washington | 235 | $4,775 | (illegible)
Total | | $9,345 | (illegible)

Table 1.2: Monthly cost of meshed leased-line networks, compared with an Internet VPN
City pair | Distance (miles) | Cost for T1 | Cost for Internet VPN
Boston - Washington | (illegible) | (illegible) | (illegible)
(the other rows are illegible; readable values are $4,570, $5,915 and $1,900)
Total | | $15,260 | $5,700

Table 1.3: Monthly cost of networks using dual leased lines, compared with an Internet VPN
City pair | Distance (miles) | Cost for T1 | Cost for Internet VPN
San Francisco - Denver | (illegible) | (illegible) | (illegible)
Denver - Chicago | 1,267 | $13,535 | $1,900
Total | | (illegible) | $17,100

1.2.2 Flexibility

With traditional VPNs, the connections for smaller branch offices, remote computers and mobile facilities using xDSL, ISDN and high-speed modems must be maintained with separate equipment (for example modem banks) that is not part of the leased-line installation, or even of a Frame Relay network. In an Internet-based VPN, not only T1 and T3 lines can be used between offices and the ISP: many other kinds of connection can also be used to connect small offices and mobile workers to the ISPs, and thus to the VPN.
The only limit is the media the ISP supports, and the number of media on offer grows steadily. Because point-to-point connections are not a component of an Internet VPN, the same medium and speed need not be provided at every site, which reduces equipment and provisioning costs.

Figure 3.1: Traffic flows converging at the ISP POP (56 kbit/s modem, ISDN, xDSL and a 1.544 Mbit/s headquarters link; ISP POP: the ISP's local connection point)

1.2.3 Scalability

Because a VPN uses the same media and technologies as the Internet, it offers businesses two directions of growth. The first is geographic. With an Internet VPN, offices, groups and mobile workers can become part of the VPN wherever the ISP provides a local POP. Most large ISPs have a set of POPs spread across the United States and Canada, and a number of POPs in Europe and Asia. Scalability can also be dynamic: a branch office at a customer's location can be connected easily to a local POP within minutes (using an ordinary telephone line and a modem, which many ISPs also offer), and removed from the VPN just as easily when that office ceases operation. Naturally, connections that require more bandwidth take longer to set up, but they are still relatively easier to set up than a leased line. The second direction is bandwidth. We pay the ISP according to usage, so a lightly used T1 costs less than a heavily used one. ISPs can also quickly provide a choice of bandwidths matched to the needs of each site.
For example, a head office may require a T1 or even a T3 connection, while branches can communicate over a dial-up line with a modem or over ISDN. If a branch office needs more bandwidth, it can easily be upgraded from a telephone line to 56 kbit/s, or from an ISDN connection to a T1 connection.

1.2.4 Less technical support for mobile workers

Standardizing on one type of connection to an ISP POP, and standardizing the security requirements, reduces technical support for the VPN. Outsourcing the VPN can also reduce internal support requirements, since the service providers take on the network support tasks.

1.2.5 Fewer equipment requirements

By providing a single solution for enterprise networks (dial-in remote access) and for Internet access, an Internet VPN requires less equipment. Rather than maintaining separate modem banks, terminal adapters and remote access servers, an enterprise can set up customer premises equipment (CPE) for a single medium, such as a T1 line, with the rest of the connection handled by the ISP. The IT department can set up and maintain WAN connectivity by replacing modem banks and Frame Relay circuits with a single wide-area connection that carries remote-user traffic, LAN-to-LAN connections and Internet traffic at the same time.
1.2.6 Meeting business needs

When integrating many new technologies into a business network, we still care about standardization, manageability, scalability, integration with legacy systems, reliability and performance. Products and services conform to today's common standards partly for the longevity of the product, but perhaps more importantly so that products from different vendors can work together. Even so, many companies choose a single vendor's products for their network equipment, reducing the need for equipment compatibility and the chance of conflicts between products from different vendors. As networks become more complex and the number of users keeps growing, network administrators must find ways to manage, monitor and configure network devices, and must do so regularly with ever fewer staff, since staff numbers rarely grow as the network grows. So whenever a new service or component is added to the network, attention must be paid to whether it fits the existing network, especially with regard to security in the VPN. The administrator must plan ahead for the growth of the network, to avoid many changes when demand for services increases.

CHAPTER 2
TYPES OF VPN

Figure 2.1: VPN solutions (intranet, extranet, remote access and management; remote-access VPN software, branch-office router, intranet)

There are two main ways of using virtual private networks. First, VPNs can connect two networks; this is known as a LAN-to-LAN VPN or a site-to-site VPN. Second, a remote access VPN can connect a remote user to the network.
2.1 Remote users accessing through the Internet (Access VPN)

An Access VPN provides remote access to an intranet or extranet over a shared infrastructure. With an Access VPN, users can reach the resources in the VPN whenever and wherever they need them. The transmission paths in an Access VPN can be analogue, dial-up, ISDN, digital subscriber lines (DSL), mobile IP and cable, connecting mobile users, remote computers and offices to one another, as illustrated in figure 2.3.

[Figure 2.2: Using a VPN to connect a remote client to a private LAN (the client and the LAN each link to an ISP)]

[Figure 2.3: Organisation of iPass access (iPass transaction centres, the iPass roaming server, encrypted authentication, the Internet, the corporate intranet and LAN; iPass lets the network provider authenticate the user and connect to the Internet)]

2.2 Connecting networks over the Internet (Intranet VPN)

There are two ways of using a VPN to connect local area networks (LANs) at different sites:

- Using leased lines to connect a branch office to the corporate LAN: the branch offices and routers can use a local dedicated circuit and a local ISP to connect to the Internet. VPN software uses the local ISP connections and the public Internet to create a VPN between the branch offices and the router of the consolidated hub.

- Using a dial-up line to connect a branch office to a LAN: the branch-office router dials the ISP, and VPN software uses the connection to the ISP to create a VPN between the branch-office router and the hub router across the Internet.

Note: in both cases, the infrastructure connecting the branch office and the associated offices to the Internet is local. Both client-server (workstation to server) and server-to-server VPNs gain large cost savings from using dial-up access.
The VPN server is connected to the ISP over a leased line and must operate around the clock to receive incoming data traffic.

[Figure 2.4: Using a VPN to connect two remote sites (LAN A over a private link to the ISP, the remote site dialling in to its ISP)]

2.3 Connecting computers over an intranet (Extranet VPN)

In some network deployments, when the users on the LAN of a particular department are not connected by a physical link, the question arises of how those users can access information. A VPN lets the LANs be physically connected to the consolidated network and be partitioned by a VPN server. Note that the VPN server does not behave like a router between the consolidated networks and the LANs. A router would connect the two networks and grant access to the LAN. By using a VPN, the network administrator can ensure that only those users on the consolidated networks who meet the appropriate criteria (based on a company policy) can establish a VPN with the VPN server and reach the department's protected resources. In addition, all data in the VPN is encapsulated reliably. Users without the appropriate rights cannot see the LAN.

[Figure 2.5: Using a VPN to connect two remote computers on the same LAN (LAN A, the VPN across the Internet, private and dial-up links to the ISP, hubs)]

All business activity operates in the same way as on a private network, including security, quality of service (QoS), management and reliability.

CHAPTER 3: ARCHITECTURE OF A VIRTUAL PRIVATE NETWORK

Two basic components of the Internet make up virtual private networks:

- First, the process known as tunneling, which makes a VPN "virtual".

- Second, the various security services that keep the VPN's data private.
3.1 Architecture of a VPN

3.1.1 Tunnels: the "virtual" part of a VPN

In a virtual private network, "virtual" means a dynamic network, since connections are set up according to the organisation's needs. Unlike the use of leased lines in traditional VPNs, an Internet VPN does not maintain permanent connections between the endpoints that make up the corporate network. Instead, a connection is created between two sites when it is needed, and when the connection is no longer needed it is torn down, freeing bandwidth and other network resources for other connections to use. "Virtual" also means that the logical structure of the network is formed only from the network devices belonging to that network, regardless of the physical structure of the underlying network (in this case the Internet). Devices such as the routers, switches and other network components of the ISPs are hidden from the devices and users of the virtual network. Consequently, the virtual connections that make up a VPN do not have the same physical properties as the hard-wired connections used in a LAN. Hiding the ISP's infrastructure and the Internet is accomplished by a concept called tunneling.

Tunnels are used for other services on the Internet besides VPNs, such as IP multicasting and mobile IP. Creating a tunnel sets up a special connection between two endpoints. To create a tunnel, the source endpoint must encapsulate its packets inside IP packets for transmission across the Internet. For a VPN, the encapsulation may include encrypting the original packet and adding a new IP header to the packet (figure 3.1). At the receiving end, the gateway strips the IP header, decrypts the packet if necessary and delivers the original packet to its destination (figure 3.2).
Tunneling allows data streams and the associated user information to be carried across a shared network inside a virtual pipe. This pipe makes routing across the network completely transparent to the user.

[Figure 3.1: Packet format for tunneling (new IP header with the destination endpoint, tunnel-type header, original packet)]

[Figure 3.2: Structure of a tunnel (workstation A and server B communicate across the Internet through security gateway 1 and security gateway 2; the outer destination address is the peer gateway and the original packet is carried encrypted)]

Tunnels are normally defined as one of two types: permanent or temporary. Static tunnels, the permanent type, are rarely used in VPNs because they consume bandwidth even when not in use. Temporary tunnels, also called dynamic tunnels, are of more interest and more useful for VPNs, because such a tunnel can be set up when needed and then torn down when it is no longer required, for example when a communication session ends. Dynamic tunnels therefore do not require fixed bandwidth to be reserved in advance. Since many ISPs price their connections according to the average bandwidth used on a connection, dynamic tunnels can reduce the bandwidth used and so lead to a lower price.

Tunnels can have two kinds of endpoint: a personal computer, or a LAN with a security gateway, which may be a router or a firewall. However, only two combinations of these endpoints are normally considered in VPN design. In the first case, a LAN-to-LAN tunnel, a security gateway at each end serves as the interface between the tunnel and the private LAN (figure 3.3).
In such cases, users on the LANs can use the tunnel transparently to communicate with each other. In the second case, client-to-LAN tunnels, the usual set-up is for a mobile user who wants to connect to the corporate LAN. The client initiates the tunnel from its own end to exchange traffic with the corporate network. To do this, the user must have a special client program on their computer that communicates with the security gateway in order to reach the destination LAN.

[Figure 3.3: LANs and clients: VPN tunnels (a LAN-to-LAN tunnel and a client-to-LAN tunnel from a mobile client, both across the Internet)]

3.1.2 Security services: the "private" part of a VPN

As important as using a VPN at all, if not more important, is providing privacy, that is, security. In most of its basic uses, "private" in a VPN means that a tunnel between two users on a VPN appears as a private link, even though it may run over shared media. But for business use, and especially for LAN-to-LAN connections, "private" has to mean more than that: it has to mean secure, free from prying eyes and interference. A VPN needs to provide four essential functions to ensure the security of its data:

- Authentication: ensures that the data comes from the source it claims to come from.

- Access control: prevents unauthorised users from gaining admission to the network.

- Confidentiality: prevents anyone from reading or copying data as it travels across the Internet.

- Data integrity: ensures that no one alters the data as it travels across the Internet.
Although tunnels can make data transmission across the Internet secure, authenticating users and maintaining data integrity depend on cryptographic processes, such as digital signatures and encryption. These processes use shared secrets called keys, which must be managed and distributed carefully, adding to the management tasks of a VPN.

The security services of an Internet VPN, namely authentication, encryption and data integrity, are provided at layer 2, the data-link layer, and layer 3, the network layer, of the OSI model. Implementing security services at the lower layers of the OSI model makes them more transparent to the user. But security at these levels can take two forms, which affect how much responsibility an individual has for securing their own data. Security can be applied to end-to-end communication, for example between two computers, or between other network components, such as firewalls or routers. The latter case can be regarded as node-to-node security, shown in figure 3.4. Applying security measures on a node-to-node basis can make the security services more transparent to the end user and lighten heavy processing requirements such as encryption. But node-to-node security requires the networks behind the nodes to be trusted networks. End-to-end security is more secure than node-to-node, because it directly covers every workstation, sender and receiver. However, client-to-client security has the drawback that it increases the complexity for the end user and can make management more difficult.
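The encapsulation of section 3.1.1 together with the data-integrity function of section 3.1.2, as an added example that is not code from the original book: a gateway wraps an original packet in a new IP header and attaches a keyed integrity check value, and the receiving gateway verifies both before unwrapping. Addresses, the shared key and the payload are constructed sample values, and the framing is a simplified stand-in for ESP/AH, not a wire-compatible implementation.

```python
"""IP-in-IP tunnel encapsulation with a keyed integrity check.

Added example, not code from the original book. The ICV is HMAC-SHA1
truncated to 96 bits, the truncation IPsec uses (RFC 2404); the framing
around it is a simplified stand-in for ESP/AH. Addresses, key and payload
are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation
ICV_LEN = 12       # 96-bit truncated HMAC, as in HMAC-SHA-1-96


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def encapsulate(inner_packet: bytes, gw_src: str, gw_dst: str, key: bytes) -> bytes:
    """Sending gateway: new outer header || original packet || ICV over both."""
    outer = build_ipv4_header(gw_src, gw_dst, IPPROTO_IPIP,
                              len(inner_packet) + ICV_LEN)
    body = outer + inner_packet
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def decapsulate(tunnel_packet: bytes, key: bytes) -> bytes:
    """Receiving gateway: check the outer header and the ICV, return the
    original packet. Any failure raises ValueError so the packet is dropped
    rather than forwarded into the private LAN."""
    if len(tunnel_packet) < 20 + ICV_LEN:
        raise ValueError("packet too short")
    outer = tunnel_packet[:20]
    if ip_checksum(outer) != 0:
        raise ValueError("outer header checksum failed")
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", outer)
    if ver_ihl != 0x45 or proto != IPPROTO_IPIP or total_len != len(tunnel_packet):
        raise ValueError("not a well-formed IP-in-IP tunnel packet")
    body, icv = tunnel_packet[:-ICV_LEN], tunnel_packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        raise ValueError("integrity check failed: packet changed in transit")
    return tunnel_packet[20:-ICV_LEN]


def accepts(tunnel_packet: bytes, key: bytes) -> bool:
    """True if the receiving gateway would forward the packet."""
    try:
        decapsulate(tunnel_packet, key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Carry a constructed inner packet between two gateways, then show that a
    single flipped bit in transit is detected and the packet is dropped."""
    key = b"constructed-demo-key"          # in practice comes from key management
    payload = b"sample application data"   # constructed
    inner = build_ipv4_header("10.1.1.5", "10.2.2.9", 253, len(payload)) + payload
    wire = encapsulate(inner, "203.0.113.10", "198.51.100.20", key)
    tampered = bytearray(wire)
    tampered[25] ^= 0x01                   # corrupt one byte of the inner packet
    return {"wire_len": len(wire),
            "recovered": decapsulate(wire, key),
            "tamper_detected": not accepts(bytes(tampered), key),
            "outer_dst": str(ipaddress.IPv4Address(wire[16:20]))}
```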
[Figure 3.4: Comparison of node-to-node and end-to-end security (end-to-end connection between the hosts, node-to-node between the gateways)]

3.2 Protocols of an Internet VPN

3.2.1 Tunneling and security protocols

Four protocols were originally proposed as solutions for VPNs. Three of them were designed to work at layer 2, the data-link layer: Layer 2 Forwarding (L2F), the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). The only layer 3 VPN protocol is IPSec, developed by the IETF a few years ago. All of the protocols are presented in table 3.1. Their details are examined closely in later chapters; some characteristics of these protocols follow:

- PPTP is a point-to-point tunneling mechanism first created to support packet tunneling in Ascend's remote access server hardware and Microsoft Windows NT software.

- The hybrid Layer 2 tunneling protocol, also called the Layer 2 Tunneling Protocol (L2TP), was developed by Cisco from its L2F protocol.

- IPSec is a standard created to add security to TCP/IP networks.

Table 3.1: Comparison of VPN protocols (strengths, weaknesses and where each is used)

IPSec
Strengths:
+ An open protocol standard.
+ Operates independently of higher-level applications.
+ Allows network addresses to be hidden without using network address translation (NAT).
+ Will keep pace with developments in encryption techniques.
Weaknesses:
+ No user management.
+ Few products interoperate between vendors.
+ Lacks desktop support.
+ Software is needed on the user's computer for vendor-proprietary dial-up remote access solutions.

PPTP
Strengths:
+ Runs on Windows NT, Windows 95 and Windows 98.
+ Provides both end-to-end and node-to-node tunneling.
+ Value-added features popular for remote access.
+ Uses existing Windows user domains for authentication.
+ Multiprotocol capability.
+ Uses RSA RC-4 encryption.
Weaknesses:
+ Does not provide data encryption from remote access servers.
+ Largely proprietary; requires a server running Windows NT to terminate tunnels.
+ Only RSA RC-4 encryption.
Used in:
+ Remote access servers for proxy tunneling.
+ Can be bundled with Windows NT to run the Routing and Remote Access Server (RRAS).
+ Windows desktops or workstations running Windows NT, and remote offices that use such machines.

L2F
Strengths:
+ Allows multiprotocol tunneling.
+ Supplied by many vendors.
Weaknesses:
+ No encryption.
+ Weak user authentication.
+ No tunnel flow control.
Used in:
+ Remote access at the POP.

L2TP
Strengths:
+ Combines PPTP and L2F.
+ Needs only a packet-based network, and runs over X.25 and Frame Relay.
+ Uses IPSec for encryption.
Weaknesses:
+ Not yet available in many products.
+ Does not secure the end segments.
Used in:
+ Remote access at the POP.

3.2.2 Management protocols

Maintaining users' access rights on the network and the security information associated with them, such as cryptographic keys, is a decisive management issue in VPNs. Two different protocol families are currently used, depending on the type of VPN being managed. For dial-up VPNs or client-to-LAN connections using PPTP and L2TP tunnels, a protocol called RADIUS can be used for authentication and accounting. For LAN-to-LAN VPNs, the ISAKMP/Oakley protocol, which is a variant of IPSec, is used.
The most common tool for authentication and accounting for remote access is the Remote Authentication Dial-In User Service (RADIUS), which is the appropriate protocol for users of dial-up tunnels such as PPTP and L2F. RADIUS supports authentication and accounting with a database that stores the access profiles of all trusted users. The information in a user's profile includes the password, the access privileges granted, and the network usage for accounting purposes. The network access device interacts with the RADIUS server securely, transparently and automatically. When a user attempts to log in to the network remotely, the network access switch queries the RADIUS server to obtain the user's profile for authentication and authorisation. A RADIUS proxy lets the RADIUS server at a service provider reach an organisation's RADIUS server to obtain whatever user information is needed; this information is required to secure an Internet-based VPN.

As mentioned earlier, many of the authentication and encryption methods used in a VPN require keys to be defined and distributed. For small systems, keys can be distributed by hand, over a secure telephone call, or through a courier, but for large VPNs automated systems become necessary. Although no standard is required for manual key management, some standardisation is required for automated systems, partly because most network access devices interact regularly and automatically with the key-management system.
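The RADIUS authentication exchange described above, as an added example that is not code from the original book: a NAS builds an Access-Request with the user's password hidden under the shared secret (RFC 2865), the server checks it against a stored profile, and the NAS verifies the Response Authenticator before trusting the answer. The user database, shared secret and packets are constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept exchange between a NAS and a
RADIUS server (section 3.2.2).

Added example, not code from the original book. It follows RFC 2865: the
packet layout (Code, Identifier, Length, 16-byte Authenticator, attributes),
the MD5-based hiding of the User-Password attribute under the shared secret,
and the Response Authenticator the NAS checks before trusting a reply. The
MD5 constructions are the protocol's own and are weak by today's standards,
so RADIUS should not cross untrusted networks without a protected transport.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including these two octets), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet block with an MD5 chain that
    starts from the shared secret and the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (the chain uses the hidden blocks)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, req_auth: bytes = None) -> bytes:
    """NAS side. req_auth must be fresh and unpredictable for every request."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server: recover the password, check the user profile and answer
    with a reply whose Response Authenticator binds it to the request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not an Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], given)
    reply_attrs = b""   # a real profile would add Framed-IP-Address and similar
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT,
                         ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs


def nas_verify_reply(reply: bytes, request: bytes, secret: bytes):
    """NAS side: return the reply code only if the Identifier matches and the
    Response Authenticator verifies under the shared secret; otherwise None."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return None
    return code
```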
3.3 The building blocks of a VPN

As figure 3.5 shows, an Internet VPN has four main components: the Internet, the security gateway, the security policy server and the certificate authority (CA).

3.3.1 The Internet

There are many kinds of Internet service provider (ISP), ranging from small local ISPs to regional, national and international ISPs, all arranged in tiers according to their capabilities. Tier-one providers, for example FiberNet, AT&T, IBM and GTE Internetworking, own and operate their own national networks and extend the national backbones. These independent networks meet and interconnect at Internet Network Access Points (NAPs). Through peering agreements between these private companies, the exchange of digital traffic between the different networks is made easy.

[Figure 3.5: Components of an Internet VPN (security policy servers, workstations, security gateways and the protected LANs)]

A tier-two provider is a company that buys Internet connectivity from one of the tier-one providers and offers residential dial-up access, Web hosting or bandwidth resale. It is important to note that no Internet NAP provides Internet connectivity to ordinary users or to business and industry. NAPs are only points for the free exchange of traffic between the organisations that maintain the national backbones. A NAP is not a place where businesses or individuals can benefit from Internet access. In addition, connections to Internet NAPs are made at a minimum speed of DS-3 (45 Mbit/s).
The purpose of Internet NAPs is to make it easy to exchange traffic from one network to another, not to sell Internet connectivity. Becoming an industry-recognised NAP requires a large investment in layer 2 switching equipment and POP facilities. Typically these facilities have redundant multiple-carrier fibre-optic paths and support circuits sized up to and including OC-48 (2.4 Gbit/s).

[Figure 3.6: Communication through ISPs, POPs and NAPs (routers at the ISP POPs, the Sprint and MCI POPs and the NAP; an end host and a laptop at the edges)]

Figure 3.6 shows data travelling from a user with a dial-up modem to an ISP's POP to connect to the Internet and to the VPN. The data is forwarded from the user's laptop to the local POP, then to the regional Internet network, and possibly through several other POPs to the appropriate NAP, before being routed to another POP closer to the intended destination. There are two notable reasons why all this works: first, the different ISPs that manage the networks making up the Internet cooperate with one another; second, the addressing features found in the IP protocol help tie the networks together. Whether the user is an individual working from home or on the road dialling into the Internet, or a business with an all-day connection to the Internet, at the POP the ISP handles the various kinds of media that customers use to reach the Internet and forwards the customer's traffic to the backbone network, which is connected to the rest of the Internet at several points (figure 3.7).

[Figure 3.7: Structure of a typical ISP POP (PSTN access, high-speed trunks, routers and layer 3 switches, the IP backbone, service switches, a remote access concentrator, and RADIUS, Web, network management, news and mail servers serving home offices, branch offices and remote offices)]

A POP contains different equipment for each transmission medium it supports, for example a modem bank for dial-up sessions and a CSU/DSU for Frame Relay and DDS; other ISPs choose not to support media other than the public network, and instead manage a leased line to their POPs. To handle the different media for user traffic, the POP includes routers and IP switches that connect the POP's local LAN to the rest of the ISP's network, as well as a network management console. In some cases the POP includes servers for hosting Web pages, e-mail, news and so on, and RADIUS authentication servers for the ISP's customers.

3.3.2 Security gateways

Security gateways are placed between public networks and private networks, preventing unauthorised intrusion into the private network. They can also provide tunneling capabilities and encrypt private data before it is forwarded to the public network. In general, a security gateway for a VPN is one of the following: a router, a firewall, integrated VPN hardware or VPN software. Since routers must examine and process every packet leaving the LAN, it is natural to include packet encryption on the router. Vendors of router-based VPN services usually offer two kinds of product: add-on software, or an add-on circuit board with a coprocessor-based encryption engine.
The latter is the better choice for sites that require higher throughput.

Many firewall vendors include strong tunneling in their products. Like routers, firewalls must process all IP traffic to pass data streams according to the filters defined for the firewall. Because all processing is done by the firewall, it is not well suited to building tunnels on large networks with heavy traffic. Combining tunneling and encryption with a firewall is probably best used only on small networks with low traffic.

Another viable VPN solution is to use special hardware designed for the task of tunneling and encryption. These devices usually operate as encrypting bridges placed between the network routers and the WAN connections. Although most of these hardware devices are designed for LAN-to-LAN configurations, some products also support tunneling for client-to-LAN connections.

Finally, VPN software systems are usually the low-cost choice in relatively small environments that do not have to handle much traffic. These solutions can run on existing servers, sharing resources with them, and are regarded as a good starting point for a VPN.

3.3.3 Other security components

Another important component of a VPN is the security policy server. This server maintains the access control lists and other user-related information that the gateway uses to decide which traffic is allowed. For some systems, for example those using PPTP, access can be controlled through a RADIUS server; when IPSec is used, the server is responsible for managing the shared keys used for each session.
Companies can choose to maintain their own database of digital certificates for users by installing a corporate certificate server. For small groups of users, verifying public keys may require checking with a third party that maintains the digital certificates associated with the cryptographic public keys; these third parties are called certificate authorities (CAs). If a company's VPN grows into an extranet, an external certificate authority can be used to authenticate users from the company's business partners.

3.4 Illustration of the Access VPN architecture proposed by Cisco

3.4.1 Building blocks of Access VPN

These building blocks are intended for commercial applications, which require the ability to follow the same rules as a private network.

3.4.2 Security

The most important issue in Access VPN is ensuring security on the path from the subscriber's terminal. If a network provides a level of security limited to the upper layers, the provider cannot guarantee the integrity of an Access VPN service.

3.4.2.1 Authentication architecture

In an Access VPN environment, the most important security aspect concerns identifying a user as a member of a company and establishing a tunnel to the company's gateway. This gateway must be capable of authentication, authorisation and accounting (AAA) for users.

Unilateral authentication

User authentication is a key point of Access VPN. To carry out this authentication, the client first establishes a connection to the service provider's network through a POP, and then establishes a second connection to the customer network. The tunnel endpoints in Access VPN authenticate each other, and then users connect to the customer premises equipment (CPE).
User gateways use a link protocol such as the Serial Line Internet Protocol (SLIP) and are authenticated through a username/password protocol such as the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP) or the Terminal Access Controller Access Control System Plus (TACACS+). The company gateways maintain an interface to the access control server (ACS), the AAA server, using the TACACS or RADIUS protocol.

[Figure 3.8: Unilateral authentication (the company's users and its remote users, the Internet service provider, the company's Internet gateway and server; authentication is one-way)]

At these points, the rights are set up using the mechanism stored in the ACS and communicated to the gateway at the customer end. Usually the customers administer the ACS server, which provides the basic requirements and the conditions under which the network may be accessed and which servers may be reached. User profiles determine which users may work on the network. Once the user is authorised, the network creates a virtual interface for each user.

Bilateral authentication

In some cases, bilateral authentication is more appropriate (figure 3.9). First, the user dials in to the ISP's POP, and the ISP then identifies the caller through a common identifier. The Network Access Server (NAS) knows which customer network this identifier belongs to. Next, the NAS establishes a tunnel with the customer-side gateway. Finally, the user is authenticated a second time by the gateway on the company's network.
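The unilateral and bilateral flows above, as an added example that is neither the book's nor Cisco's code: CHAP (RFC 1994) challenge/response between a client and an ISP NAS, and then a second challenge from the corporate gateway after the NAS has accepted the user. Names, secrets and the in-memory user tables are constructed; in a real deployment the secrets would be looked up through the ACS/RADIUS profiles described in the text.

```python
"""CHAP (RFC 1994) challenge/response for the unilateral and bilateral
authentication flows of section 3.4.2.1.

Added example, not code from the original book or from Cisco. An
Authenticator models a NAS or a corporate home gateway that holds user
secrets; a Client answers challenges. The unilateral flow has only the ISP
NAS challenge the user; the bilateral flow has the NAS authenticate first and
the corporate gateway challenge the user a second time with its own secret.
MD5-CHAP is shown because it is what PPP/L2TP used in this era; it is not a
recommendation for new designs.
"""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def pack_chap(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = struct.pack("!B", len(value)) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def unpack_chap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5 or 5 + pkt[4] > length:
        raise ValueError("malformed CHAP packet")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]


def pack_result(code: int, ident: int, message: bytes) -> bytes:
    """Success/Failure layout: Code, Identifier, Length, Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


class Authenticator:
    """A NAS or home gateway: issues challenges and checks responses."""

    def __init__(self, name: bytes, secrets: dict):
        self.name, self.secrets = name, secrets   # secrets: user name -> secret
        self.ident, self.pending = 0, {}

    def challenge(self) -> bytes:
        self.ident = (self.ident + 1) & 0xFF
        value = os.urandom(16)                     # fresh and unpredictable
        self.pending[self.ident] = value
        return pack_chap(CHAP_CHALLENGE, self.ident, value, self.name)

    def check(self, response: bytes) -> bytes:
        code, ident, value, user = unpack_chap(response)
        challenge = self.pending.pop(ident, None)  # each challenge is single-use
        secret = self.secrets.get(user)
        if (code != CHAP_RESPONSE or challenge is None or secret is None
                or not hmac.compare_digest(value, chap_hash(ident, secret, challenge))):
            return pack_result(CHAP_FAILURE, ident, b"authentication failed")
        return pack_result(CHAP_SUCCESS, ident, b"welcome")


class Client:
    """The remote user's PPP client; holds one secret per authenticator name."""

    def __init__(self, name: bytes, secrets_by_authenticator: dict):
        self.name, self.secrets = name, secrets_by_authenticator

    def respond(self, challenge_pkt: bytes) -> bytes:
        code, ident, value, auth_name = unpack_chap(challenge_pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        secret = self.secrets[auth_name]
        return pack_chap(CHAP_RESPONSE, ident, chap_hash(ident, secret, value), self.name)


def one_way_login(client: Client, nas: Authenticator) -> bool:
    """Unilateral flow (figure 3.8): only the ISP NAS challenges the user."""
    return nas.check(client.respond(nas.challenge()))[0] == CHAP_SUCCESS


def two_way_login(client: Client, nas: Authenticator, home_gw: Authenticator) -> tuple:
    """Bilateral flow (figure 3.9): the NAS authenticates first; only then is the
    tunnel set up and the home gateway challenges the user again."""
    if not one_way_login(client, nas):
        return (False, False)
    return (True, home_gw.check(client.respond(home_gw.challenge()))[0] == CHAP_SUCCESS)
```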
Ky thuat mang riéng ap (VPN) (Cae nguet ding cola c&c céng ty ac thye khac song phuong ee Céng ty Nha cung op dich wy Interne} Céng n6i Internet ia céng ty Xée thye May chis song ph bao mat 2 Cae ngual dling tu xa cba céng ty Hinh 3.9: Xae thc song phuong 3.4.2.2 Cac san phém bao mat va cc ky thuat cho truy c3p VPN Tudng Ita Cisco IPX Firewall - sit dung mét hé thong khéng-Unix, bdo mat va thdi gian thyc, cho phép 64,000 két ndi hoat d6ng cing mét lic, Uu diém cia cc dong san phém Cisco PIX firewall la mét co ché bdo mat difa trén thuat todn bao mat tuong thich ASA (Adaptive Security Algorithm), thuat toan nay bdo mat mét cdch hiéu qua truy cap dén cdc may mang ndi bd. Cisco IOS Firewall Feature Set - cung cap m6t gidi phdp tich hdp cho cdc nha cung cp dich vu nhé va cho cdc chi nhénh van phong mdi trudng c nhé va cdc van phong trang bj thiét bi dau cudi khéch hang (CPE) 6 xa. o 10S Firewall Feature Set lam néi bat cdc dich vy bdo mat ciia Cisco [OS, cung cap hd trg cdc ting dung da dang véi ed ché chon dutng day dé va cdc kha nding mang WAN duc tich hgp trén cdc phan mém Cisco ISO. Cisco IOS Firewall feature set c6 trong cdc b6 dinh tuy€n dong Cisco 1600, 2500, 2600 va 3600. Cc dic diém chinh: - Diéu khién truy cép dua wén ng cénh CBAC (Context-based access control): cung c&p bdo mat, loc cde ting dung cho luu lugng IP, cung cp giao thie méi nhat. + Java blocking - bao mat chéng lai cdc Java applet nguy hiém, chi cho phép céc applet tiv cdc nguén dang tin cay. ‘Chuong 3: Kin tric cla mét mang ring 20 VPN 39 - Phat hién va ngdn ngiva tit choi dich vu (Denial-of-service detection and prevention) dé bao mat céc tai nguyén b6 dinh tuyén chOng Iai cdc tin cong théng thuting - C&nh bdo thdi gian thyc (Real-time alert): cdnh bdo trong truéng hgp cia cac tin cong WY chéi dich vu (denial-of-sevice) va cde tinh trang dic biet khac. - Theo déi, kiém tra (Audit trail): dd tim ngui ding truy cap bang thdi gian, ing, tong sO byte dude truyén di. 
dia chi nguén va dich, Cac may chi bao mat CiscoSecure ACS CiscoSecure ACS 1a mt ho cde may chii AAA cung cp TACACS+ hay cdc dich vu AAA trén co sé RADIUS. Cac méy chit nay cho phép ngudi cung cap va khach hang cia ho tap trung cdc chinh séch bao mat, bao gdm diéu khién truy cAp cd nhan qua cdc may chit truy cip mang va tng liva. Ho Cisco Secure cung cp An phéim wy mite dun gian, dé sit dung (CPE cho cde khach hang ahd) d€n cdc tng dung phite tap hay cdc ting dung chuyén nghiép nhv cic nhém quan tri mang... May chui béo mat chuyén ving toan céu cia Cisco (Cisco Secure Global Roaming Server) Cisco Secure Global Roaming Server (GRS) cho phép cdc nha cung cftp dich vu cung cap khdc bigt dich vu Idn hon bing mdt mang riéng do truy cAp chuyén ving toan clu (Global Roaming Access VPN). May chii nay c6 thé cung cép qué trinh hoat dong phite tap cia “proxy” va dich ede giao thife bao mat TACACS+ va RADIUS. Diém diéu khién ngudi ding Diém diéu khiéa ngudi ding USP (User Control Point) néi ACS va GRS vii hé thOng tén mién DNS (Domain Name System) va giao thtc cfu hinh dia chi d6ng DHCP (Dynamic Host Configuration Protocol) thanh mét sin phdm chuyéa nghiép, kién trie t¢ va d6 tin cy cao. He thong gidm sat kiém todn tich cye H@ thong Cisco NetRanger Hé théng dd tim Cisco NetRanger cung cifp mot pham vi rng Idn, thdi gian tht cla bdo mat mang. Hé théng NetRanger bao g6m hai thinh phdn: NetRanger Sensor dude dit tai diém gidm sat két n6i mang (monitored network connection) va NetRanger Director duge dat trong may chi trung tam Cisco Assure. 40 Ky thuat mang ring ap (VPN) Céng néi RADIUS! 
[Figure 3.10: L2TP protocol flow. Participants: the remote user, the NAS with its RADIUS/TACACS+ server, and the home gateway (HGW) with its own AAA server. Steps recoverable from the diagram: (1) call setup; (2) PPP LCP setup; (3) CHAP challenge; (4) CHAP response; (5) request for an AV pair giving the user's domain or domain password; (6) tunnel information returned in AV pairs; (7) tunnel setup; (8) CHAP challenge; (11) HGW CHAP response; (13) CHAP challenge; (14) NAS CHAP response; (15) pass; (16) user CHAP response, response identifier and negotiated PPP parameters; (17-22) response identification; (18-23) NAS password, service type, HGW password; (19) pass; (20) CHAP response; (22) pass.]

Security features of Cisco IOS
Standard and Extended Access Control Lists (ACLs): control access to particular network segments and define which traffic may cross a segment.
Lock and Key (Dynamic ACLs): grant temporary access through an access router on the basis of user authentication (username/password).
Network Address Translation (NAT): increases network privacy by hiding unregistered internal IP addresses.

Cisco IOS tunneling protocols
Layer 2 Forwarding (L2F): Cisco submitted this technique to the IETF with a view to making it a standard. It offers scalability and high reliability.
Layer 2 Tunneling Protocol (L2TP): L2TP is an extension of PPP.
It is a draft IETF standard that grew out of Cisco's L2F and Microsoft's Point-to-Point Tunneling Protocol (PPTP). The L2TP standard was completed at the end of 1998 (the IETF published it as RFC 2661 in August 1999). L2TP is a core technology of Cisco Access VPN, delivering comprehensive security control and policy management features, including security control for the end user. Figure 3.10 shows tunnel setup to the gateway using L2TP.

Data privacy
Cisco IPSec provides privacy, integrity and authentication for commercial-grade network requirements, above all for carrying sensitive information across public networks. Cisco IPSec technology is available for Windows 95, Windows NT 4.0, Cisco IOS software and the Cisco PIX firewall. Cisco supports the following technologies as its solution for data privacy:
- IPSec: uses encryption to provide data confidentiality, integrity and authentication between the parties of a private network.
- IKE: authenticates each peer in an IPSec exchange, negotiates security policy and controls the exchange of session keys.
- Certificate management.
The IPSec technology components are:
- Diffie-Hellman, a public-key method for key exchange, used in IKE to establish temporary session keys.
- DES, used to encrypt data packets.
- MD5/SHA (Message Digest 5 / Secure Hash Algorithm), used to authenticate data packets.
IPSec in Cisco IOS software supports the following standards:
IPSec and IKE encryption algorithms:
+ DES-CBC with Explicit IV.
+ 40-bit DES-CBC with Explicit IV.
+ DES-CBC with Derived IV (RFC 1829).
Authentication algorithms:
+ HMAC-MD5.
+ HMAC-SHA.
+ Keyed MD5 (RFC 1828).
(DES, 40-bit DES and keyed MD5 reflect the state of the art when this book was written; none of them is considered secure today, and current IPSec deployments use AES with SHA-2 based HMACs.)

CHAPTER 4: SECURITY ON AN INTERNET VPN

One of the main concerns of any company is the security of its data.
Protecting data against unauthorized access and modification is not only a network problem. Transmitting data between computers, or between LANs, does however expose it to eavesdropping and tampering more than when it stays on a single machine. A suitable security framework for an organization has seven components: authentication, confidentiality, integrity, authorization, nonrepudiation, administration and audit trail (figure 4.1).

[Figure 4.1: Components of a security system. Elements shown: a management station (audit trail and administration), a firewall or security gateway in front of the system, and confidentiality and integrity protecting the traffic between the systems.]

Because the TCP/IP protocols were not designed with built-in provisions for security, many different security systems have been developed for the applications and traffic that run over the Internet. The software that prepares data for transmission over a network offers several points at which authentication and encryption can be applied. These are implemented in one of three layers: the application software, the network/transport stack, or the data link device and its driver (figure 4.2). Cryptographic protocols at the application layer include Secure MIME (S/MIME) and Pretty Good Privacy (PGP) for e-mail, and Secure Sockets Layer (SSL/TLS) and Secure HTTP (S-HTTP) for Web applications. The most important building block of a VPN, however, is authentication and encryption at the network layer and the data link layer.
[Figure 4.2: Encryption at the network layer compared with encryption at the data link layer. The stack is shown as the application layers (7), the network/transport layers (3-4) and the physical/data link layers (1-2), with network-layer encryption sitting above data-link-layer encryption.]

4.1 Security on the network
Data carried over IP networks is exposed to many threats, of which the most common are: spoofing, session hijacking, sniffing (electronic eavesdropping) and the man-in-the-middle attack.

4.1.1 Spoofing
Like other networks, IP networks give each attached device a numeric address. The source address and the intended recipient's address are placed in every packet transmitted on the IP network. Spoofing is an attack in which the attacker uses someone else's IP address and pretends to be that party. Once an attacker has determined that two computers A and B are communicating in a client/server fashion, he tries to set up a connection to B in such a way that B believes it is talking to A, when in fact the connection is with the attacker's machine.

The attacker does this by forging a message carrying A's address that requests a connection to B. When B receives it, B replies with an acknowledgment containing the sequence numbers to be used for the data transfer with A. Those sequence numbers, chosen by host B, are specific to the connection between the two machines. To complete the session between A and B, B expects A to acknowledge B's sequence number before any data is exchanged. For the attacker to play the role of A, he must therefore guess the sequence number B will use, and he must keep A from replying. Under particular circumstances, however, guessing the sequence numbers is not very hard.
To keep A from answering anything B sends, the attacker typically floods A with a large number of packets; A is overloaded processing them and cannot respond to B's messages. Spoofing is comparatively easy to defend against: routers are configured to discard incoming packets that claim to originate from a machine on the internal network, which stops any outside host from exploiting the session relationships inside that network. When the relationships extend beyond the network boundary, as on the Internet, protecting against IP spoofing becomes considerably harder.

4.1.2 Session hijacking
In session hijacking, instead of trying to open a session by spoofing, the attacker tries to take over an existing connection between two computers. First the attacker gains control of a network device on the LAN, perhaps a firewall or another computer, so that he can monitor the connection. By watching the connection between the two machines he learns the sequence numbers both sides are using. Having done so, he can generate traffic that appears to come from one of the communicating parties and take the session away from that participant. As with IP spoofing, the attacker overloads one of the communicating machines with packets to process, so that it drops out of the session.

The problems caused by session hijacking show that membership in a session must be confirmed throughout the session. Identifying the participants in a communication cannot rely on IP addresses for any assurance, and even strong authentication methods do not always prevent hijacking, because they authenticate the start of the session rather than every packet of it. The only effective defence against these attacks is the widespread use of encryption, with integrity protection, on the session traffic itself.
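The router filter described in 4.1.1, as an added example that is not part of the original text: a packet classifier that drops packets arriving on the outside interface whose source address belongs to the internal network. It also applies the complementary egress rule (do not let packets leave the inside with a non-internal source), which the text does not mention but which is the other half of the same BCP 38 practice. The address plan and the sample packets are constructed for the example.

```python
# Added example (not from the book): the anti-spoofing router filter of 4.1.1,
# plus the complementary egress rule, run over constructed sample packets.
import ipaddress

# Hypothetical internal address plan for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in net for net in nets)


def classify(pkt, nets=INTERNAL_NETS):
    """Return "permit" or a "drop: ..." reason for one packet summary.

    pkt holds the interface the packet arrived on ("outside" or "inside")
    and its source and destination addresses as strings.
    """
    src = ipaddress.ip_address(pkt["src"])
    if pkt["iface"] == "outside":
        if is_internal(src, nets):
            return "drop: internal source address arriving from outside (spoofed)"
        if src.is_loopback or src.is_unspecified:
            return "drop: impossible source address from outside"
    elif pkt["iface"] == "inside":
        if not is_internal(src, nets):
            return "drop: non-internal source leaving the inside (egress filter)"
    else:
        return "drop: unknown interface"
    return "permit"


def apply_filter(packets, nets=INTERNAL_NETS):
    """Classify a list of packets, returning (verdict, packet) pairs."""
    return [(classify(p, nets), p) for p in packets]


# Constructed sample traffic, including the forged connection request of 4.1.1:
# a packet on the outside interface carrying internal host A's address as source.
SAMPLE = [
    {"iface": "outside", "src": "203.0.113.7",   "dst": "192.168.1.10"},  # normal inbound
    {"iface": "outside", "src": "192.168.1.20",  "dst": "192.168.1.10"},  # spoofed as host A
    {"iface": "outside", "src": "127.0.0.1",     "dst": "192.168.1.10"},  # impossible source
    {"iface": "inside",  "src": "10.1.2.3",      "dst": "198.51.100.5"},  # normal outbound
    {"iface": "inside",  "src": "198.51.100.99", "dst": "198.51.100.5"},  # inside host spoofing out
]

if __name__ == "__main__":
    for verdict, pkt in apply_filter(SAMPLE):
        print(f"{pkt['iface']:7s} {pkt['src']:>15s} -> {pkt['dst']:<15s} {verdict}")
```

On a real router the same policy is expressed as an inbound ACL on the outside interface denying the internal prefixes as source, and an ACL on the inside interface permitting only the internal prefixes as source; the classifier above is the check you would run against captured traffic to confirm those ACLs behave as intended.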
4.1.3 Sniffing
Sniffing is another attack that occurs on shared-medium networks such as Ethernet-based IP networks. On most Ethernet LANs, every packet is available to every Ethernet node on the segment. By convention each node's network interface card listens and responds only to packets addressed specifically to it. It is easy, however, to put many Ethernet network interface cards (NICs) into promiscuous mode, in which they capture every packet on the wire. A NIC in this mode cannot be detected from another station on the network, because it does not transmit anything in response to the packets it captures. A class of software called a sniffer exploits this property of Ethernet. Such tools record all the network traffic that passes them, and as such they are a necessary part of any diagnostic toolkit for Ethernet networks, letting one quickly determine what is happening on any given segment. A sniffer is, however, also a powerful eavesdropping tool. An attacker can, for example, use a sniffer to record all the login packets on a network and then use the captured credentials to break into a network he has no right to access. Sniffing can also be used to collect company data and messages crossing the network, and then to analyze the traffic to learn who is communicating with whom. Strong authentication using one-time passwords or tokens is one way to ensure that someone who has captured a password with a sniffer cannot reuse it.
Encrypting the data is also a way to protect it against sniffing, although it is not a complete answer: an attacker with enough resources can store the encrypted data and try to decrypt the messages offline. Physical control of the network is a good way to reduce the risk of eavesdropping, since a sniffer must be physically attached to the network to capture packets. On some Unix systems it is also easy to check whether a NIC has been placed in promiscuous mode.

4.1.4 The man-in-the-middle attack
Although it may seem that cryptographic protection and authentication of the data carried in IP packets answers the IP security threats described so far, encryption is not a flawless solution. The encryption system itself must be managed carefully to protect against further attacks, such as the man-in-the-middle attack. To use encryption, the two sides must first exchange encryption keys. Exchanging those keys unprotected over the network can defeat the whole purpose of the system, because the keys can be captured and lead to another attack, the man-in-the-middle. An attacker who can spoof, hijack sessions and sniff can intercept such a key exchange and quickly insert his own key into it, so that while each user believes he is using the other party's key, he is in fact using a key planted by the attacker in the middle.

4.2 Authentication systems
Authentication is an indispensable part of the security architecture of a VPN.
Unless our systems can reliably authenticate users, services and networks, we cannot control access to shared resources or keep unauthorized users off the network. Authentication rests on three kinds of factor: something we have (a key or a token card), something we know (a password), or something that identifies us (voice, retina scan, fingerprint, ...). Security experts hold that a single authentication factor, such as a password, is not strong enough to secure a system. They recommend instead stronger authentication, that is, using at least two of the above factors. The VPN systems in use today rely on different authentication methods, or combinations of them, which can be classified as: traditional passwords; one-time passwords (S/Key) and other password systems (PAP, CHAP, TACACS and RADIUS); hardware-based methods (token, smart card, PC card); and biometric identification such as fingerprints, voice or retina scans.

4.2.1 Traditional passwords
It is generally accepted that simple authentication, such as a user ID and a password, is not strong enough to secure network access. Passwords can be guessed, and they can be captured while in transit across the network. Even when users are careful to protect their passwords, they may not realize that other Internet services they use do nothing to protect those same passwords. One-time password systems can be seen as a good remedy for some of the problems surrounding traditional passwords.

4.2.2 One-time passwords
One way to prevent a captured password from being misused is to make sure it cannot be used again, by requiring a new password for every new session.
These systems, of which S/Key is the typical example, spare the user the difficulty of choosing a new password for every session by automatically generating a list of acceptable passwords for him. The IETF, for example, standardized the S/Key scheme in RFC 2289. S/Key uses a secret passphrase, chosen by the user, to generate a sequence of one-time passwords (OTPs). The user's secret passphrase never leaves the local computer and never travels over the network, so it is not exposed to attack. And because a different OTP is generated for each session, a captured password cannot be replayed successfully, nor does it give an attacker any information about the next password to be used. The sequence of OTPs is produced by applying a secure hash function repeatedly to the value created in the initialization step. In other words, the first OTP is produced by passing the initial digest through the hash function N times, where N is chosen by the user; the next OTP is produced with N-1 passes, and so on until the N-th OTP is produced. When a user tries to log in, the S/Key-capable server guarding the network issues a challenge consisting of a number and a string of characters called the seed. To respond, the user enters the challenge number and the seed, together with his own secret passphrase, into the S/Key generator software running on his computer. The software combines the secret passphrase with the seed and runs the hash function repeatedly, the number of iterations being determined by the challenge number.
The result of the computation is a one-time password: a 64-bit value, which RFC 2289 represents as six short English words so that it can be typed. The OTP is sent to the network server, which applies the hash function to it once more and compares the result with the OTP stored from the most recent successful login. If they match, the user is admitted to the network, the challenge number is decremented, and the OTP just used is stored for checking the next login. Like S/Key, other OTP systems require the server software to be updated to perform the required computations, and every remote computer needs a copy of the client software. The drawback of these systems is the difficulty of managing the password lists for a large number of users.

4.2.3 Other systems
4.2.3.1 Password Authentication Protocol (PAP)
The Password Authentication Protocol (PAP) was designed simply to let one computer authenticate itself to another when the Point-to-Point Protocol (PPP) is the communications protocol. PAP is a two-way handshake: the initiating host sends a user identifier and password pair to the system it is trying to connect to, and that system then verifies that the host is correctly authenticated and accepts it for communication. PAP authentication can be used at the start of a PPP connection, and also during a PPP session to re-authenticate the connection. Once the PPP link is up, PAP authentication can take place over it: the peer sends the user identifier and password in the clear to the authenticator, repeatedly, until the authenticator accepts the connection or the connection is dropped. PAP is not secure, because the authentication information is transmitted in the clear and nothing protects against playback or against repeated trial-and-error attempts by attackers trying to guess a valid password or a valid user identifier and password pair.

4.2.3.2 Challenge Handshake Authentication Protocol (CHAP)
The Challenge Handshake Authentication Protocol (CHAP) is designed for the same use as PAP but is a more secure method of authenticating PPP connections. CHAP is a three-way handshake. Like PAP, CHAP can be used at the start of a PPP connection and repeated after the connection is established. It is called a three-way handshake because it takes three steps to verify a connection, either when the link is first set up or at any later time. Instead of the simple two-step password-and-acceptance process of PAP, CHAP uses a one-way hash function in much the same way as S/Key. It proceeds as follows (figure 4.3):
1. The authenticator sends a challenge message to the peer.
2. The peer computes a value from it with a one-way hash function and sends that value back to the authenticator.
3. The authenticator accepts the peer if the value matches the one it expects.

[Figure 4.3: Challenge-response system using CHAP. The authenticator sends a challenge, the peer returns the hashed response, and the authenticator grants authentication.]

The process can be repeated at any time during the PPP link to make sure the connection has not been taken over or weakened in any way. Unlike PAP, which is driven by the client, the server controls CHAP re-authentication. CHAP can also deny an attacker the chance to keep trying to log in over the same connection: when CHAP authentication fails, the server is required to drop the connection. That makes password guessing hard for the attacker, because new guesses cannot be tried within a single connection. Both PAP and CHAP have weaknesses.
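Both hash-based schemes described above, S/Key (4.2.2, RFC 2289) and CHAP (4.2.3.2, RFC 1994), as an added example that is not part of the original text: the client-side computation and the server-side check for each, including the replay that each scheme rejects. The user names, seeds, passphrases and shared secret are made up for the example.

```python
# Added example (not from the book): S/Key (RFC 2289, MD5 variant) and CHAP
# (RFC 1994) with a server verifying the client's response. Names are made up.
import hashlib
import hmac
import secrets


# ---- S/Key (RFC 2289) ------------------------------------------------------
def skey_fold(data):
    """One hash step: MD5 the input and fold the 16-byte digest to 8 bytes."""
    d = hashlib.md5(data).digest()
    return bytes(x ^ y for x, y in zip(d[:8], d[8:]))


def skey_otp(passphrase, seed, n):
    """The n-th one-time password: fold(seed + passphrase), then n more folds.

    Only the client runs this; the passphrase never leaves its machine.
    RFC 2289 prints the 64-bit result as six short words; raw bytes are kept here.
    """
    value = skey_fold((seed.lower() + passphrase).encode())
    for _ in range(n):
        value = skey_fold(value)
    return value


def skey_enroll(passphrase, seed, n):
    """Server record from initialisation: it stores only the n-th OTP, never the passphrase."""
    return {"seed": seed, "count": n, "last": skey_otp(passphrase, seed, n)}


class SKeyServer:
    def __init__(self, records):
        self.records = records                      # username -> record from skey_enroll

    def challenge(self, user):
        """The challenge from the text: the next sequence number and the seed."""
        rec = self.records[user]
        return rec["count"] - 1, rec["seed"]

    def verify(self, user, otp):
        rec = self.records[user]
        if rec["count"] <= 0:                       # list exhausted: user must re-enroll
            return False
        if not hmac.compare_digest(skey_fold(otp), rec["last"]):
            return False                            # wrong passphrase, or a replayed OTP
        rec["last"], rec["count"] = otp, rec["count"] - 1   # accepted OTP becomes the stored value
        return True


# ---- CHAP (RFC 1994) -------------------------------------------------------
def chap_response(identifier, secret, challenge):
    """Peer side: MD5 over identifier || shared secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    def __init__(self, shared_secrets):
        self.shared_secrets = shared_secrets        # username -> secret, held in clear at both ends
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, secrets.token_bytes(16)     # fresh random challenge every time

    def verify(self, user, identifier, challenge, response):
        expected = chap_response(identifier, self.shared_secrets[user], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    srv = SKeyServer({"hung": skey_enroll("correct horse battery", "tcbh01", 3)})
    n, seed = srv.challenge("hung")                         # the server says: 2 tcbh01
    otp = skey_otp("correct horse battery", seed, n)        # computed on the client
    print("S/Key login:", srv.verify("hung", otp), " replay:", srv.verify("hung", otp))

    auth = ChapAuthenticator({"hung": b"ppp-shared-secret"})
    ident, chal = auth.challenge()
    resp = chap_response(ident, b"ppp-shared-secret", chal)
    ident2, chal2 = auth.challenge()
    print("CHAP login:", auth.verify("hung", ident, chal, resp),
          " replayed response to a new challenge:", auth.verify("hung", ident2, chal2, resp))
```

Note what each server stores: the S/Key server keeps only the last accepted OTP, from which the passphrase cannot be recovered, while the CHAP authenticator must keep the shared secret itself in the clear to recompute the expected response, which is exactly the weakness discussed next.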
Both PAP and CHAP depend on a secret password that must be stored on the remote user's computer and on the local machine. If either machine falls under an attacker's control, the secret password is compromised. Likewise, with CHAP or PAP authentication it is not possible to assign different network access privileges to different remote users who share the same remote host. Although CHAP is a stronger method than PAP for authenticating dial-up users, it may not meet the scalability requirements of large companies or organizations. Even though it never transmits a secret over the network, it still requires a large number of shared secrets to feed through the hash function, and organizations with many dial-up users must maintain very large policies to cover them all.

4.2.3.3 Terminal Access Controller Access Control System (TACACS)
TACACS is one of the systems developed not only to provide an authentication mechanism but to add two further functions to remote access security: authorization and accounting. Unlike the peer relationships built into PAP and CHAP, TACACS was designed to work as a client/server system, which is more flexible, particularly for managing network security. At the center of both TACACS and RADIUS is an authentication server (figure 4.4).
[Figure 4.4: Authentication servers granting remote access. The remote user's PC dials in to the access server (the TACACS/RADIUS client) on the LAN; the access server forwards authentication and authorization requests to the TACACS/RADIUS authentication server; the authentication server checks them against its user identity database and tells the access server whether to grant or deny the user access.]

A TACACS authentication server receives requests from authentication client software located at a gateway or at a network entry point. The authentication server maintains a database of user identities, passwords, PINs and secret keys used to grant or deny access requests. All authentication, authorization and accounting data is directed to the central server when a user tries to log in to the network. One advantage of TACACS is that it can act as a proxy to other authentication systems, for example a Windows NT security domain, NDS, Unix-based systems or other security systems such as token-based ones. The proxy capability also makes it easier for a client to share VPN security data with an ISP, which is necessary when the VPN is outsourced: the ISP runs a proxy server that controls dial-up access according to access rights administered by the customer organization on its own security server. But carrying authentication packets between the main server and the proxy server across a public network has its risks. RADIUS and TACACS encryption is based on static keys, and the user name, password and authentication server information travel in a single packet, which makes them easy to exploit if captured.

4.2.3.4 Remote Authentication Dial-In User Service (RADIUS)
RADIUS also uses a client/server model to authenticate securely and manage users' remote connections and sessions. RADIUS makes access control easier to manage and can support different user authentication types, including PAP and CHAP.
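The weakness just described, a static shared secret protecting everything in one packet, made concrete as an added example that is not part of the original text. The code implements the RFC 2865 User-Password hiding and Response Authenticator exactly as the protocol specifies them, and then shows what an eavesdropper who has captured one Access-Request/Access-Accept pair can do: test shared-secret guesses offline against the Response Authenticator and, once the secret is found, recover the user's password. The packet contents, user name, passwords and word list are constructed for the example.

```python
# Added example (not from the book): RFC 2865 User-Password hiding and the
# offline recovery of the password from a captured exchange once the static
# shared secret is guessed. All names and values are constructed.
import hashlib
import secrets

USER_NAME, USER_PASSWORD = 1, 2            # RADIUS attribute types


def hide_password(password, shared_secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                       # chaining uses the hidden block, not the plaintext
    return out


def unhide_password(hidden, shared_secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind, value):
    return bytes([kind, len(value) + 2]) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(identifier, request_auth, username, password, shared_secret):
    """Code 1 packet as the NAS sends it: header, Request Authenticator, attributes."""
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, shared_secret, request_auth))
    header = bytes([1, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + request_auth + attrs


def access_accept(request, shared_secret, attrs=b""):
    """Code 2 reply. Its Response Authenticator is MD5 over the reply header, the
    request's authenticator, the attributes and the secret, so it is also an oracle
    against which an eavesdropper can test guesses of the secret."""
    identifier, request_auth = request[1], request[4:20]
    header = bytes([2, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    response_auth = hashlib.md5(header + request_auth + attrs + shared_secret).digest()
    return header + response_auth + attrs


def recover_from_capture(request, response, candidate_secrets):
    """Offline attack on a captured exchange: (shared_secret, user_password) or None."""
    request_auth = request[4:20]
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    for guess in candidate_secrets:
        if hashlib.md5(header + request_auth + attrs + guess).digest() == response_auth:
            hidden = parse_attributes(request[20:])[USER_PASSWORD]
            return guess, unhide_password(hidden, guess, request_auth)
    return None


if __name__ == "__main__":
    secret = b"testing123"                                   # the static NAS-to-server secret
    req = access_request(7, secrets.token_bytes(16), b"hung", b"Dial-Up!2002", secret)
    acc = access_accept(req, secret)
    print(recover_from_capture(req, acc, [b"radius", b"cisco", b"testing123"]))
```

The lesson for deployment follows directly: the shared secret must be long and random (a dictionary word is recovered with a few MD5 computations per guess), it must differ per NAS, and the RADIUS traffic itself should run inside an IPSec tunnel when it crosses anything but a trusted management network.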
The RADIUS client/server model uses a Network Access Server (NAS) to manage user connections. Although the NAS acts as a server in providing network access, it acts as a client towards RADIUS (figure 4.4). The NAS accepts users' connection requests, collects the user identity and password, and forwards this information securely to the RADIUS server. The RADIUS server returns the authentication result, accept or reject, along with any configuration details the NAS needs to deliver services to the end user. RADIUS clients and servers communicate securely by using shared secrets to authenticate each other and to protect the user's password in transit. RADIUS creates a single, centralized database of users and services, an essential feature for networks with large modem banks and more than one remote communication server. With RADIUS, user information is kept in one place, the RADIUS server, which manages user authentication and access to services from a single site. Because any device that supports RADIUS can be a RADIUS client, a remote user obtains access to the same services from any communication server that talks to the RADIUS server.

4.2.4 Hardware-based systems
4.2.4.1 Smart Cards and PC Cards
A smart card is a device the size of a credit card containing a microprocessor embedded in the card, together with memory. A smart card terminal or equivalent reader is needed to interface with the card so that information can be exchanged as required. Many such readers are now used in the form of a PC floppy-drive unit or integrated into the keyboard, which makes using them with a PC much simpler than before.
A smart card can hold the user's private key together with any applications installed to simplify the authentication process, which is especially useful for mobile users. Some smart cards now include a cryptographic coprocessor that makes encrypting data easier and faster than on older cards. Many application developers use standardized APIs such as CryptoAPI on Windows so that smart cards and PCs work together. The simplest electronic credential systems require the user to enter a personal identification number (PIN) to complete authentication. In some cases the PIN is stored on the smart card, and the PIN used to authenticate the user is checked automatically by the card before any other exchange with the rest of the system takes place. When the PIN is not stored on the card this method may not be secure enough, so stronger end systems combine the information held on the smart card with biometric information. To use such systems, the card reader includes a biometric verification device, such as a fingerprint scanner; the scanned data is then compared with the data stored on the smart card. Another form of electronic card plugs directly into the PC, for example the PC Card. PC Cards, also called PCMCIA cards, are small circuit boards that plug into dedicated slots in desktop and, above all, laptop computers to add functions. These cards can provide some of the same functions as a smart card but can only be used with PCs that have PCMCIA slots, which makes them less flexible than the other access devices in use. PCMCIA cards do, however, have the advantage of large memory, allowing larger files to be stored for authentication purposes.
4.2.4.2 Token devices
Basic token systems rely on a separate piece of hardware that displays a changing passcode, which the user must then enter into the computer to authenticate. Token authentication works as follows: a processor inside the token holds a set of secret cryptographic keys used to generate one-time identification codes. These codes are passed to a security server on the network, which checks their validity and grants the user access. Once the keys have been programmed into the token, no user or network administrator can read them out. Before users are allowed to authenticate, token devices require a PIN, and then use one of three mechanisms to establish who the user is.
- The most common mechanism is challenge-response (figure 4.3), in which the security server generates a random number when the user logs in to the network. The challenge appears on the user's screen and the user keys the digits into the token. The token encrypts the challenge with its secret key and shows the result on its LCD, and the user types that result into the computer. Meanwhile the server encrypts the challenge with the same key; if the two results match, the user is admitted to the network.
- Another mechanism uses time synchronization. Here the token displays a number derived from the secret key that changes every 60 seconds, and the user is prompted for that number when logging in to the server. Because the clocks of the server and the token are synchronized, the server can authenticate the user by recomputing the token number and comparing the results.
- The third mechanism is event synchronization, a variant of time synchronization. Here a counter records the number of times the user has logged in to the network.
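The three token mechanisms of 4.2.4.2, as an added example that is not part of the original text. The "encryption of a number with the token's secret key" is realized here with an HMAC, in the form later standardized as HOTP (RFC 4226, the event-synchronized case) and TOTP (RFC 6238, the time-synchronized case); the challenge-response variant keys the same HMAC with the server's random challenge. The server side handles the two failure modes a token deployment meets in practice: a token whose button was pressed several times without a login (counter drift, absorbed by a look-ahead window) and a token clock that has drifted by one period. The seed key is the RFC 4226 test key, so the codes can be checked against the RFC's own vectors.

```python
# Added example (not from the book): event-, time- and challenge-based token
# codes (HOTP/TOTP style) with the server-side checks that tolerate drift.
import hashlib
import hmac
import secrets
import struct


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class EventSyncVerifier:
    """Event synchronisation: the server keeps the next expected counter value and
    accepts a code from a small look-ahead window, so a token whose button was
    pressed a few times without logging in is resynchronised rather than locked out."""

    def __init__(self, key, window=5):
        self.key, self.counter, self.window = key, 0, window

    def verify(self, code):
        for step in range(self.window):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.counter = candidate + 1        # this and all earlier codes are now dead
                return True
        return False


def totp(key, unix_time, period=30, digits=6):
    """Time synchronisation: the counter is the number of elapsed periods."""
    return hotp(key, int(unix_time) // period, digits)


def verify_totp(key, code, unix_time, period=30, skew=1):
    """Accept the current period and its +/-skew neighbours to absorb clock drift."""
    step = int(unix_time) // period
    return any(step + d >= 0 and hmac.compare_digest(hotp(key, step + d), code)
               for d in range(-skew, skew + 1))


def new_challenge(digits=8):
    """Server side of challenge-response: a fresh random number shown to the user."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def challenge_response_code(key, challenge, digits=6):
    """Token side: the challenge digits the user keyed in, under the token's secret."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


if __name__ == "__main__":
    KEY = b"12345678901234567890"                     # RFC 4226 Appendix D test key
    print([hotp(KEY, c) for c in range(3)])           # ['755224', '287082', '359152']
    print(totp(KEY, 59), verify_totp(KEY, "287082", 75))
    chal = new_challenge()
    print(chal, challenge_response_code(KEY, chal))
```

Two points the text leaves implicit are visible in the code: a code is never accepted twice (the event verifier moves its counter past every accepted value, and the time verifier should additionally remember the last accepted time step), and the look-ahead or skew window is a trade-off, since every extra step the server accepts gives a guesser one more valid code per attempt.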
After each login the counter is updated and a different identification code is generated for the next login.

4.2.5 Biometric systems
Biometric systems rely on unique personal characteristics to identify the user. Biometric techniques measure human traits and properties such as fingerprints, voice and retina patterns. These systems are not yet in wide practical use, because of their high cost and because they are usually all-in-one systems, which makes them hard to interface with other systems. One of the fastest-growing techniques is fingerprint scanning; fingerprint scanners at acceptable prices were integrated into PC keyboards around 1998, and a scanner-on-a-chip has been developed that lets fingerprint scanning be built directly into a smart card. A facial recognition system can run on a PC at low cost, using the low-resolution cameras commonly used for video conferencing: a central database stores images of authorized users and compares the image sent by the camera with the stored image before granting access. Although the use of biometric systems is growing, the lack of a standard application programming interface (API) for most biometric methods makes it hard to integrate biometrics readily into existing security systems.

4.3 Cryptography
4.3.1 What is encryption?
Encryption is based on two components: an algorithm and a key. An encryption algorithm is a mathematical function that combines plaintext, or other intelligible information, with a string of digits called the key to produce unintelligible ciphertext. Although a few special encryption algorithms do not use a key, the algorithms that use keys are by far the more important.
Encryption on a key-based system provides two important advantages. First, by using one algorithm with different keys, one can communicate with many people; all that is needed is a different key for each correspondent. Second, if an encrypted message is broken, one only needs to switch to a new key to start encrypting messages again, without having to change to a new algorithm. The number of keys an algorithm can provide depends on the number of bits in the key. For example, an 8-bit key allows 256 possible combinations, also called keys. The larger the number of keys, the lower the chance that an encrypted message can be broken. The difficulty depends on the length of the key.

Figure 4.5: Symmetric encryption uses a single secret key to encrypt and to decrypt (diagram: secret key; original message (plaintext) -> encrypted message (ciphertext); secret key; encrypted message (ciphertext) -> original message (plaintext))

The oldest form of key-based encryption is called secret-key encryption, also known as symmetric encryption. In this mechanism both the sender and the receiver hold the same key; that is, both sides can encrypt and decrypt data with that key. But symmetric encryption has some obstacles: for example, both sides must agree on the secret key to be used. If we have many exchanges, we must keep track of many secret keys, since each key is used for one exchange. If the same key is used for many exchanges, a recipient can read other people's mail (figure 4.5). Symmetric encryption also has a problem with authentication, because the identity of the originator or the recipient of a message cannot be proven. Since both sides hold the same key, either can create and encrypt a message and claim that the other sent it.
This creates ambiguity about the author of the message. To resolve this situation, public-key encryption is used.

4.3.2 What is public-key encryption?

Public-key encryption is based on the concept of a key pair. One half of the pair, the private key, is known only to its owner; the other half, the public key, can be published widely but remains associated with its owner. Key pairs have a unique property: data encrypted with one key can only be decrypted with the other key of the same pair (figure 4.6).

Figure 4.6: Using a key pair to encrypt and decrypt a message (diagram: recipient's public key; original message (plaintext) -> encrypted message (ciphertext); recipient's private key; encrypted message (ciphertext) -> original message (plaintext))

These keys can be used in two different ways: to deliver a message confidentially, and to prove the authenticity of a message's origin. In the first case, the sender uses the intended recipient's public key to encrypt a message, so it remains confidential until it is decrypted by the recipient with the private key. In the second case, the sender encrypts a message using a private key (a key that only the sender has access to).

Advantages:

- The public key of the pair can be distributed freely without fear that this compromises the use of the private key. There is no need to send a copy of the public key to every correspondent; it can be obtained from a server maintained by a company or a service provider.

- The source of a message can be authenticated. Illustration: figure 4.7.

Using public-key algorithms to encrypt messages is relatively slow. Therefore, one solution is that a message digest can be encrypted and then used as a digital signature.
The encryption algorithms that use this method are known as one-way hash functions. A one-way hash function does not use a key; it is simply a formula that transforms a message of any length into a single string of digits called a message digest.

Figure 4.7: Verifying a digital signature (diagram: John Doe's message (plaintext) is hashed to a message digest (MD), the MD is encrypted with John Doe's private key and sent to Ann; Ann hashes the received message to an MD "CBBV235ndsA" and decrypts the signature with John Doe's public key to obtain an MD; match: the message has not been forged and is trustworthy; mismatch: the signature or the message has been forged)

When a 16-bit hash function is used, the processed text produces 16 bits, and the result is a string such as "CBBV235ndsA63D67". Each message produces a seemingly random digest. Message digests can prove useful as a check that data has not been altered; a digital signature, however, is regarded as much more trustworthy. One problem with this method is that a copy of the plaintext is sent as part of the message, so privacy is not maintained. If data privacy is to be maintained, the message should be encrypted. But to avoid affecting the earlier parts, a symmetric algorithm with a secret key should be used.

4.3.3 Two important public-key methods

4.3.3.1 The Diffie-Hellman technique

The Diffie-Hellman technique is the first practical public-key encryption algorithm. In practice, this technique is used a great deal for key management. Mechanism: two communicating parties can use the Diffie-Hellman technique to create a shared secret value that can then be used as a shared key for a secret-key encryption algorithm (see figure 4.8).
In figure 4.8, Tim and Ann each generate a random number on their own computers; these two random numbers become their private keys. To communicate, they first exchange some common data that is regarded as the public key. Then Ann combines her private key with Tim's public key to compute a shared secret value, and Tim does the same. If someone else obtains these public key values, they cannot easily compute the random secret value from them. The important point of the Diffie-Hellman algorithm is that Ann and Tim both end up with the same result, and nobody else can easily compute the same result from the publicly available information. In the Diffie-Hellman technique, Ann and Tim agree on a particular base number, and the number each of them chooses at random is that person's private key; a large power of the base raised to the random number becomes the public key, for example (B)^A for Ann. Tim's public key would be (B)^T. When Tim receives Ann's public key (B)^A, he can form (B^A)^T to obtain the shared secret. When Ann receives Tim's public key, she can form (B^T)^A, which is identical to the result Tim computed.

Figure 4.8: Diffie-Hellman key exchange (diagram: Ann's computer; Tim's computer; random number; public data; shared secret)

Figure 4.10: Validating a public-key certificate

Public-key certificates (figure 4.9) are blocks of data arranged in a special format that contain the name of the key owner and a digital signature of the issuing organization, called a Certificate Authority (CA). These certificates are used to identify the owner of a particular public key. And once one has a copy of the authority's public key, one can use that key to check the certificates it has signed (figure 4.10).
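The exchange described above in the book's own notation, as an added example that is not part of the original book. The modulus is the Mersenne prime 2^127 - 1 and the base B = 5; both are constructed demo-sized values (real deployments use the much larger standardised groups). The example goes one step beyond the text by hashing the shared secret into a fixed-size symmetric key and by rejecting the degenerate public values 0, 1 and P - 1, which would collapse the secret to a value anyone can predict.

```python
import hashlib
import secrets

# Public parameters agreed in the clear (constructed demo values).
P = 2**127 - 1   # Mersenne prime, used here as the modulus
B = 5            # the base from the book's notation


def public_value(private: int) -> int:
    """(B)^x mod P: the value each party publishes."""
    return pow(B, private, P)


def shared_secret(their_public: int, my_private: int) -> int:
    """(B^y)^x mod P: identical on both sides because exponentiation commutes."""
    if not 1 < their_public < P - 1:
        # 0, 1 and P-1 generate a trivial subgroup; a peer sending one of
        # these forces the secret to a guessable value, so refuse them.
        raise ValueError("rejecting degenerate public value")
    return pow(their_public, my_private, P)


def session_key(secret: int) -> bytes:
    """Hash the shared secret into a 256-bit symmetric key (assumed KDF)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def demo(a: int = 0, t: int = 0):
    """Run the exchange between Ann (private A) and Tim (private T)."""
    a = a or secrets.randbelow(P - 2) + 1   # Ann's random private key
    t = t or secrets.randbelow(P - 2) + 1   # Tim's random private key
    ba, bt = public_value(a), public_value(t)   # (B)^A and (B)^T, sent in the clear
    key_ann = session_key(shared_secret(bt, a))   # (B^T)^A
    key_tim = session_key(shared_secret(ba, t))   # (B^A)^T
    return key_ann, key_tim, ba, bt
```

An eavesdropper sees P, B, (B)^A and (B)^T; recovering A or T from them is the discrete-logarithm problem, which is what the last paragraph relies on. The check in shared_secret is the part most often forgotten in home-grown implementations.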
Any encryption software must have a copy of the CA's public key in order to check a digital signature. The main standard for certificates is X.509, issued by the ITU, which specifies the certificate format, the value of a public key, and the conditions for creating and using these certificates.

4.3.5.2 Generating public keys

There are two ways to generate a public-key pair: some systems generate the keys on a server, depending on the key holder, and some systems generate the keys as part of creating the certificates.

Figure 4.11: Generating a public key (diagram: Tim's computer; the user's ID and public key; trusted distribution; certificate with Name and Key: 355555; owned keys and privileged keys; public key and private key; computation; signed certificate)

First: generating the keys depending on the key holder (owned keys), described in figure 4.11. The user generates a public-key pair, keeps the private key and sends the public key to the CA to create a certificate. Second: a CA generates a public-key pair (privileged keys), issues the signed certificate and sends both the key pair and the certificate to the user.

Table 4.4: Advantages and disadvantages of the key generation options

Owned keys                                        | Privileged keys
+ Users must send the key to the CA.              | + Requires fewer steps from the user.
+ The private key does not need to be copied.     | + The private key can be backed up.
+ The personal signing key is not stored at ...   | + Key generation can be shared among users.

4.3.5.3 Certificate distribution

Although public keys are easier to distribute than secret keys, reliable means are still needed to transfer the public keys. Otherwise, there is the possibility of a man-in-the-middle attack that substitutes a user's public-key pair in the sharing of private information.
The common method for transferring public keys is through digital certificates, or public-key certificates. Certificates provide a secure solution for public distribution over electronic media. Once the certificates have been created, the remaining task is to transfer them to the machines that need them. The techniques commonly used in practice are transparent distribution and interactive distribution. Transparent distribution comprises directory servers or key-exchange protocols. The directory protocols for transferring public-key certificates were developed from X.500. Although a number of the main certificate directories can be based on X.500, another protocol worth noting is also used: LDAP (Lightweight Directory Access Protocol), which is used more on TCP/IP networks. Interactive distribution comprises e-mail requests, access to a website, or requests using the Finger protocol. Many e-mail systems support encryption and provide a way to attach a certificate to the message being sent. In some cases, an authentication server can be configured to accept e-mail requests for certificates.

4.3.5.4 Certificate authorities (CA)

There are two different kinds of certificate distribution system: a hierarchical installation and a web of trust, but we concentrate only on hierarchical systems. In a hierarchical system, a root public key at the top of the hierarchy is used to sign all the high-level authorities; this root key may belong to a government body (for example the DoD or the US Postal Service). CAs at lower levels of the hierarchy have certificates signed by the higher-level CAs, and in turn sign the certificates of the CAs below them, and so on down to the lowest level of the hierarchy.
To fully validate a user's certificate, we must validate all the CAs in the hierarchy between the local CA and the issuing CA. This may involve moving up one branch of the CA hierarchy to the root and down another branch (figure 4.12).

Figure 4.12: Hierarchy of certificate authorities (diagram: root certificate; CA certificates at each level; user certificate)

In practice, CA systems are not deep. They do not have many levels and sub-levels. The time required to validate a key is therefore short and does not seriously affect the use of the network. Indeed, for a VPN, a corporation can serve as the CA without needing to connect to any national or international hierarchy. But if the VPN is extended to business partners, becoming an extranet, we have to rely on some CA hierarchy to validate certificates. If the number of users outside your VPN extranet is relatively small, they can use your internal CA. Using a CA hierarchy may be no problem at present, since the number of CAs is relatively small and these systems are not deep. But as more certificates are created and more are used, the number of CAs is bound to grow and these hierarchies will become more complex. Certificate authorities can provide a way to short-circuit hierarchical validation through cross-certification. If two CAs agree to certify each other, a request to validate a certificate issued by one CA can be sent directly to the other CA without involving the rest of the CA hierarchy.

A better and more reliable way to distribute public keys is to issue them through a certificate authority.
A certificate authority accepts the public key, together with some evidence of the user's identity, and serves as a repository for a digital certificate that others can request in order to validate the user's public key; digital certificates function like public keys. Certificate authorities such as VeriSign, CyberTrust and Nortel issue digital certificates. A certificate contains the holder's name, the name of the certificate authority, a public key for encryption and decryption, and a validity period for the certificate, usually six months or a year. A digital certificate can be issued in one of four classes, indicating the degree to which the holder has been verified. Class 1 is the easiest to obtain because it performs the fewest checks on the user's background; only the name and e-mail address are verified. For a class 2 certificate, the issuing authority checks a driving licence, an identity card number and the date of birth. Class 3 users may have a credit check performed through a service such as Equifax, in addition to the information required for a class 2 certificate. A class 4 certificate includes information about the individual's position within an organization, but the validation requirements for these certificates have not yet been finalized by the issuers. CAs are also responsible for maintaining and making available a Certificate Revocation List (CRL), which lets users know which certificates are no longer in use. The CRL does not include expired certificates, since every certificate has a built-in validity period. Certificates can, however, be revoked because they were lost or stolen, or because someone has left the company. If a company creates its own internal CA, it must be prepared to generate key pairs, issue certificates, and manage those keys and certificates. Such an installation includes the following services:

- Public-key certification.
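The two procedures described above, signing a message digest (section 4.3.2, figure 4.7) and validating a certificate up the CA hierarchy against a revocation list (section 4.3.5.4), as one added example that is not part of the original book. It uses a toy textbook RSA (no padding, not constant-time, for illustration only) so that it runs with the standard library; the certificate format is a constructed dictionary, not X.509, and the subject names are made up. Every certificate in the chain is checked for revocation, expiry and a valid signature by the next certificate up, ending at a root the verifier already trusts.

```python
import hashlib
import secrets
import time

# Toy RSA for illustration only (no padding, not constant-time); real
# deployments use a vetted library. Signing operates on the SHA-256 digest
# of the data, which is what figure 4.7 describes.

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 512):
    """Return ((e, n), (d, n)): the public and private halves of the pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    d, n = private
    return pow(digest(data), d, n)               # "encrypt" the digest with the private key


def verify(public, data: bytes, signature: int) -> bool:
    e, n = public
    return pow(signature, e, n) == digest(data)  # "decrypt" with the public key and compare


def _tbs(cert: dict) -> bytes:
    """Canonical 'to be signed' bytes of a certificate (constructed format, not X.509)."""
    e, n = cert["public_key"]
    fields = (cert["serial"], cert["subject"], cert["issuer"], e, n, cert["not_after"])
    return "|".join(str(f) for f in fields).encode()


def make_cert(subject, subject_pub, issuer, issuer_priv, days=365, now=None) -> dict:
    now = int(time.time()) if now is None else now
    cert = {"serial": secrets.randbits(64), "subject": subject, "issuer": issuer,
            "public_key": subject_pub, "not_after": now + days * 86400}
    cert["signature"] = sign(issuer_priv, _tbs(cert))
    return cert


def validate_chain(chain, trusted_roots, crl, now=None):
    """chain[0] is the end-entity certificate; each following entry is the CA
    that signed the one before it, ending at a CA signed by a trusted root."""
    now = int(time.time()) if now is None else now
    roots = {r["subject"]: r["public_key"] for r in trusted_roots}
    for i, cert in enumerate(chain):
        if cert["serial"] in crl:
            return False, f"{cert['subject']} is revoked"
        if cert["not_after"] < now:
            return False, f"{cert['subject']} has expired"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            issuer_key = issuer["public_key"] if issuer["subject"] == cert["issuer"] else None
        else:
            issuer_key = roots.get(cert["issuer"])
        if issuer_key is None:
            return False, f"no trusted key for issuer {cert['issuer']}"
        if not verify(issuer_key, _tbs(cert), cert["signature"]):
            return False, f"bad signature on {cert['subject']}"
    return True, "chain valid"
```

The order of the checks matters in practice: a revoked or expired intermediate CA invalidates every certificate below it, so each link is tested before the signature is even computed, and the root is trusted by its key, which the verifier must already hold, as the text says.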
- Certificate storage.
- Certificate revocation.
- Key backup and recovery.
- Support for non-repudiation of digital signatures.
- Automatic update of key pairs and certificates.
- Key history management.
- Support for cross-certification.
- Client-side software.

CHAPTER 5: THE IPSEC PROTOCOL

The original TCP/IP protocols did not include any inherent security features. In the early days of the Internet, when its users belonged to universities and research institutes, data security was not as important an issue as it is today, when commercial applications are everywhere on the Internet. To establish security in IP at the packet level, the IETF introduced the IPSec protocol suite. The first IPSec protocol suite, for authenticating and encrypting IP data packets, was codified in RFCs 1825 through 1829 in 1995. This suite describes the basic architecture of IPSec, including two kinds of header that are used in the IP packet. The IP packet is the basic unit of data in an IP network. IPSec defines two header types for IP packets to control the authentication and encryption processes: one is the IP Authentication Header (AH), which controls authentication, and the other is the Encapsulating Security Payload (ESP), for the purpose of encryption. The IPSec protocol suite was developed for IPv6, but because the adoption of IPv6 is still a long way off and protecting IP packets is necessary now, IPSec was adapted to IPv4. Support for IPSec is only optional in IPv4, whereas IPv6 has IPSec built in.

5.1 The format of IPSec

The operation of IPSec at a basic level requires the following main components:

- Security Association (SA).
- Authentication Header (AH).
- Encapsulating Security Payload (ESP).
- Modes of operation.

5.1.1 Security Association

For two parties to exchange secured data (data that has been authenticated or encrypted), both sides must
agree on the encryption algorithm to use, on some way to exchange keys, and on changing the key when necessary. Both sides also need to agree on how long a key is used before it is changed. All of these agreements are the responsibility of the SA. Communication between a sender and a receiver requires at least one SA and may require more, since each IPSec protocol requires an SA of its own. Thus an authenticated packet requires one SA, and an encrypted packet also requires one SA. Even if the same algorithm is used for both authentication and encryption, two different SAs are still needed, because different key sets are used. An IPSec SA describes the following:

- The authentication algorithm used for AH and its key.
- The ESP encryption algorithm and its key.
- The format and size of the cryptographic material used by the encryption algorithm.
- The protocol, algorithm and key used for the communication.
- The protocol, encryption algorithm and key used for private communication.
- How often the key is changed.
- The authentication algorithm, type and function used in ESP, and the key used by that algorithm.
- The lifetime of the key.
- The lifetime of the SA.
- The source address of the SA.

An SA can be seen as a secure channel through a public network to a specific person or working group.

5.1.2 The Authentication Header (AH)

In the IPSec system, the Authentication Header (AH) is used for the authentication services. AH is inserted between the IP header and the contents that follow it (figure 5.3) without changing the contents of the datagram. The authentication header consists of five fields: Next Header, Payload Length, Security Parameter Index (SPI), Sequence Number, and Authentication Data. The two new concepts in AH are the SPI, which tells the receiving device which security protocol the sender is using in the communication, and the authentication data, which carries information about the algorithm defined by the SPI.
HMAC combined with MD5 and HMAC combined with SHA-1 are the algorithms chosen as the default methods for computing the checksum. This choice is the result of changes to IPSec made to improve the authentication mechanism, because the earlier default, plain MD5, was found not to withstand collision attacks. The procedure used for these methods (HMAC-MD5 or HMAC-SHA-1) is the same. SHA-1, however, has a stronger hash function than MD5. In both cases the algorithm operates on 64-byte blocks of data. HMAC-MD5 produces a 128-bit authenticator, while HMAC-SHA-1 produces a 160-bit authenticator. Because the fixed length of the authentication value defined in AH is only 96 bits, the generated authentication values must be truncated before being placed in the authentication field of AH.

Figure 5.3: The authentication header (diagram: before AH: IPv4 header | TCP | data; after AH: IPv4 header | AH | TCP | data, authenticated except for the mutable fields; IPv6 before AH: original IP header | extension headers | TCP | data; after AH: original IP header | hop-by-hop, destination headers | AH | destination options | TCP | data, authenticated except for the mutable fields)

On receiving a datagram, the receiver computes the 128-bit or 160-bit authenticator value (depending on which is in use), truncates it to the length of the authentication value specified in the authentication field, and compares it with the value received. If they match, the data was not altered in transit. Because an attack is possible by intercepting a series of packets and replaying them at a later time, AH provides an anti-replay service to prevent attacks based on that method. Note that AH does not keep the data confidential. Someone who captures the packets on the network and uses a suitable decoder can read the contents of the data, even though the contents cannot be altered. To guard against eavesdropping we need to use the second component of IPSec, ESP.
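How the AH authenticator of this section is produced and checked, and how the anti-replay service works, as an added example that is not part of the original book. The HMAC key, the IPv4 header and the TCP payload are constructed sample bytes. The example follows the field layout given in the text (Next Header, Payload Length, SPI, Sequence Number, Authentication Data), computes HMAC-SHA-1 over the packet with the mutable IP fields zeroed and the authentication field itself zeroed, truncates the 160-bit result to the 96 bits AH carries, and keeps a sliding window of received sequence numbers so a replayed packet is dropped even when it arrives out of order.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not from the book.
AH_KEY = bytes(range(20))                    # constructed 160-bit HMAC-SHA-1 key
ICV_LEN = 12                                 # AH carries a 96-bit truncated authenticator
AH_FIXED_LEN = 12                            # next header, payload len, reserved, SPI, sequence number
IPV4_HEADER = bytes.fromhex("4500003c1c46400040330000c0a80001c0a80002")  # proto 51 = AH
PAYLOAD = bytes.fromhex("0050d40c000000010000000050020200") + b"sample tcp data"


def mutable_fields_zeroed(ipv4_header: bytes) -> bytes:
    """Zero the fields a router may rewrite in flight (TOS, flags/fragment
    offset, TTL, header checksum) so both ends hash identical bytes."""
    h = bytearray(ipv4_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def _icv(ipv4_header: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    # The ICV is computed with its own field set to zero, then truncated
    # from 160 bits to the 96 bits AH carries.
    data = mutable_fields_zeroed(ipv4_header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(ipv4_header, payload, next_header, spi, seq, key=AH_KEY) -> bytes:
    # Payload Length = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    return ah_fixed + _icv(ipv4_header, ah_fixed, payload, key)


def verify_ah(ipv4_header, ah, payload, key=AH_KEY) -> bool:
    ah_fixed, received = ah[:AH_FIXED_LEN], ah[AH_FIXED_LEN:]
    return hmac.compare_digest(_icv(ipv4_header, ah_fixed, payload, key), received)


def ah_sequence(ah: bytes) -> int:
    return struct.unpack("!I", ah[8:12])[0]


class ReplayWindow:
    """Sliding-window anti-replay check (64 sequence numbers wide)."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                     # sequence numbers start at 1
        if seq > self.top:                   # newest so far: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False                     # already received: replay
        self.bitmap |= 1 << offset
        return True
```

A receiver runs verify_ah first and only then ReplayWindow.accept, so that a forged packet cannot advance the window; the TTL test in the usage below shows why the mutable fields have to be excluded from the ICV.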
5.1.3 The Encapsulating Security Payload (ESP)

The Encapsulating Security Payload (ESP) is used to encrypt the data. Like the AH header, the ESP header is inserted between the IP header and the contents of the packet that follow it (figure 5.4). However, since ESP's task is to encrypt the data, the contents of the packet are changed.

Figure 5.4: The Encapsulating Security Payload (diagram: before ESP: IPv4 header | TCP | data; after ESP: IPv4 header | ESP header | TCP | data | ESP trailer | ESP authentication, with the span from the TCP header to the trailer encrypted and the span from the ESP header to the trailer authenticated; IPv6 before ESP: original IP header | extension headers | TCP | data; after ESP: original IP header | routing, fragment headers | ESP | destination options | TCP | data | ESP trailer | ESP authentication)

Like the AH header, ESP includes an SPI that tells the receiver the appropriate security mechanism for processing the packet. The sequence number in the ESP header is a counter that is incremented each time a packet is sent to the same address using the same SPI. The sequence number indicates how many packets have been sent with the same set of parameters, and it helps prevent an adversary from disrupting the communication with replayed packets. The rest of the packet (apart from the authentication data) is encrypted before it is sent onto the network. ESP can support any encryption protocol. Users can use different protocols for each communication connection. However, IPSec specifies DES-CBC (DES with Cipher Block Chaining) as the default, to guarantee interoperability. Using ESP requires a 56-bit DES key. For chaining the cipher blocks, a 64-bit vector is initialized and the data is processed in 64-bit blocks. ESP can also be used for authentication. The ESP authentication field, an optional field in the ESP header, contains a cryptographic checksum. The length of this checksum varies with the authentication algorithm in use. It can also be omitted if the authentication service is not selected in ESP.
The authentication is computed after the encryption of the data has been completed. The authentication service provided by AH differs from that of ESP in that ESP does not protect the IP header preceding ESP, although it does protect the encapsulated IP header in tunnel mode. Figure 5.5 illustrates the difference between them.

Figure 5.5: Comparison of authentication by AH and by ESP (diagram: AH in transport and tunnel mode, authenticated except for the mutable fields; ESP in transport and tunnel mode, showing the encrypted span and the authenticated span)

If AH is used for authentication, why is there also an authentication option in ESP? AH is used only in those cases where packet authentication is all that is needed. On the other hand, when both authentication and privacy are required, using ESP with its authentication option is the better choice. Using ESP for both encryption and authentication, instead of using AH together with ESP without the authentication option, reduces the size of the packet, so processing is more efficient.

5.1.4 Modes of operation

There are two modes of operation in IPSec:

- Transport mode: only the transport-layer segment of the packet is processed.
- Tunnel mode: the whole packet is processed for encryption and authentication.

Transport mode is used for both gateways and hosts, and provides protection for the upper-layer protocols. In transport mode, AH is inserted after the IP header and before the upper-layer protocols (TCP, UDP or ICMP), or before any IPSec headers that have already been inserted. In tunnel mode the inner IP header contains the source and destination addresses, while the outer IP header contains other IP addresses (for example the addresses of the gateways). AH protects the entire IP packet, including the inner IP header (figure 5.6).
Figure 5.6: AH tunnel mode (diagram: IPv4: new IP header | AH | original IP header | TCP | data, authenticated except for the mutable fields in the new IP header; IPv6: new IP header | new extension headers | AH | original IP header | original extension headers | TCP | data)

Because AH only protects against alteration of the contents, other means are needed to ensure the privacy of the data. In tunnel mode this is achieved by extending the protection to the contents of the IP header, in particular the source and destination addresses. Although ESP in transport mode effectively protects the encapsulated data, it does not protect the whole traffic flow: a sophisticated attack can still read the source and destination addresses and then perform traffic analysis to learn the pattern of communication.

Figure 5.7: ESP tunnel mode (diagram: IPv4: new IP header | ESP header | original IP header | TCP | data | ESP trailer | ESP authentication, encrypted from the original IP header to the trailer and authenticated from the ESP header to the trailer; IPv6: new IP header | new extension headers | ESP | original IP header | original extension headers | TCP | data | ESP trailer | ESP authentication)

Figure 5.8: Cases of transport mode and tunnel mode (diagram: transport mode, tunnel mode, and combined mode with AH and ESP headers around the original and new IP headers)

ESP tunnel mode provides additional protection for packets by encrypting the whole packet (figure 5.7). After the entire contents of the data (including the original header) have been encrypted, ESP tunnel mode creates a new IP header to route the packets from the sender to the receiver. Even in tunnel mode, ESP cannot guarantee protection against every kind of traffic analysis, because the IP addresses of the sender and of the receiving gateway can still be read in the header of the packet.
This lets an eavesdropper learn that two parties are communicating with each other, but gives no clue as to who those two parties are. To be able to apply both AH and ESP in tunnel mode or transport mode, IPSec requires support for combinations of tunnel mode and transport mode (figure 5.8). This is done by using tunnel mode to encrypt and authenticate the packets and their headers, and then adding AH, ESP or both in transport mode to protect the newly created header. Note that AH and ESP cannot be used together in tunnel mode. The reason is that ESP has its own authentication option, and that option should be used in tunnel mode when the packets need both encryption and authentication.

5.2 Key management

Communication using the IPSec protocol requires keys to be exchanged, and therefore requires a key-management mechanism. There are two methods of transferring keys: manual keying and Internet Key Exchange (IKE). Neither method can be omitted from IPSec. Every IPSec system must support manual keying. Manual keying means, for instance, keys written on paper, stored on a floppy disk, or sent by post or by e-mail. Although manual keying is suitable for ... the Internet Security Association (ISA) and Key Management Protocol (ISAKMP). IKE is also known as ISAKMP/Oakley. IKE has the following capabilities:

- It provides the means for two parties to agree on the protocols, algorithms and keys to use.
- It ensures from the very start of the key exchange that the communication is with the right party.
- It manages the keys after they have been accepted in the negotiation process.
- It ensures that the keys are transferred securely.

Key exchange is similar to security association management. Whenever an SA has to be created, a key has to be exchanged. The structure of IKE therefore bundles the two together and transfers them as a single integrated package.
5.2.1 The Oakley modes and the ISAKMP phases

As originally defined in ISAKMP, IKE operates in two phases. Phase 1 establishes a secure tunnel for the ISAKMP operations that take place over it. Phase 2 is the process of negotiating SAs for general purposes. Oakley defines three modes for exchanging keys and setting up ISAKMP SAs: two for ISAKMP phase 1 and one for phase 2.

- Main mode: completes ISAKMP phase 1 after a secure channel has been established.
- Aggressive mode: another way of completing ISAKMP phase 1. It is simpler and faster than main mode, but it does not protect the identities of the negotiating nodes, because it transmits their identities before a secure channel has been negotiated.
- Quick mode: completes ISAKMP phase 2 by negotiating an SA for the purposes of the communication.

IKE also has one more mode, New Group mode. This mode does not really belong to phase 1 or to phase 2. New Group mode follows the phase 1 negotiation and provides a mechanism for defining a private group for the Diffie-Hellman exchange. To establish an IKE security association for a node, host or gateway, at least four elements are needed:

- An encryption algorithm to protect the data.
- A hash algorithm to reduce the data for signing.
- An authentication method for the signed data.
- Information about the group over which the exchange takes place.

A fifth element may be provided in the SA: a pseudo-random function used to hash the current values during the key exchange for verification purposes. If the SA does not include one, the HMAC of the hash algorithm (element 2) is used.

Main mode

Main mode provides the mechanism for establishing the phase 1 ISAKMP SA, which consists of the following steps:

- Use main mode to initiate an ISAKMP SA for the temporary connection.
- Use quick mode to negotiate an SA.
- Use the SA created above for communication until it expires.
Figure 5.10: ISAKMP main mode (diagram: initiator and responder; first exchange: header | SA in each direction; second exchange: header | key | nonce in each direction; third exchange: header | ID | signature or certificate in each direction; legend: Cert: a certificate payload; ID: an identity payload; Key: a key exchange payload; Nonce: a nonce payload; SA: a security association proposal; Sig: a signature payload)

The first step, using main mode to secure an ISAKMP SA, takes place in three two-way exchanges between the sending side and the receiving side (figure 5.10). The first exchange agrees on the encryption and hash algorithms. The second exchange transfers the public keys and the two sides' nonces (random numbers that one side records and returns to prove its identity). In the third exchange, the two sides check each other's identity and the exchange is complete. The two sides can use the shared key once it has been received. They must hash it three times: first to create a root key (used later to generate derived keys in quick mode), then the authentication key, and finally the encryption key used for the ISAKMP SA. Main mode protects the identities of the communicating parties. If that protection is not needed, aggressive mode is used, for a faster exchange.

Aggressive mode

Aggressive mode provides the same service as main mode, the establishment of an initial ISAKMP SA. Aggressive mode is the same as main mode except that it has only two exchanges instead of three. In aggressive mode, at the start of the exchange, the initiator creates a Diffie-Hellman pair, proposes an SA, sends its public Diffie-Hellman value, sends a nonce for the other side to record, and sends an ID payload that the responder can use to check its identity. The responder can send back everything needed to complete the exchange. This response combines the three responses of main mode into one, so the initiator only has to authenticate the exchange (figure 5.11).
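The three-fold hashing of the shared key described above, as an added example that is not part of the original book. It follows the SKEYID derivation of RFC 2409 (ISAKMP/Oakley) for the signature-authenticated main and aggressive modes, with HMAC-SHA-1 assumed as the negotiated pseudo-random function: the Diffie-Hellman secret and both nonces give SKEYID, from which the root key (SKEYID_d), the authentication key (SKEYID_a) and the encryption key (SKEYID_e) are hashed in turn. The identity hashes of the third main-mode exchange are derived the same way. All nonces, cookies, Diffie-Hellman values and identities are constructed sample bytes.

```python
import hashlib
import hmac
import secrets

# Constructed example following RFC 2409 section 5 (signature authentication),
# with HMAC-SHA-1 assumed as the negotiated prf. Sample values are made up.

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(g_xy: bytes, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes):
    """Derive SKEYID and the root, authentication and encryption keys of an
    ISAKMP SA from the Diffie-Hellman secret g^xy, both nonces and both cookies."""
    skeyid = prf(ni + nr, g_xy)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")              # root key for quick mode
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")   # authentication key
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")   # encryption key
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def identity_hashes(skeyid, g_xi, g_xr, cky_i, cky_r, sa_i, id_i, id_r):
    """HASH_I and HASH_R, which each side signs in the third main-mode exchange
    to prove its identity; the peer recomputes them from the same material."""
    hash_i = prf(skeyid, g_xi + g_xr + cky_i + cky_r + sa_i + id_i)
    hash_r = prf(skeyid, g_xr + g_xi + cky_r + cky_i + sa_i + id_r)
    return hash_i, hash_r


def demo():
    # After the first two exchanges both peers hold the same public material,
    # and after completing Diffie-Hellman the same g^xy (all constructed here).
    g_xi, g_xr, g_xy = (secrets.token_bytes(128) for _ in range(3))
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sa_i, id_i, id_r = b"\x00\x00\x00\x01", b"\x01initiator", b"\x01responder"
    initiator = phase1_keys(g_xy, ni, nr, cky_i, cky_r)   # computed by the initiator
    responder = phase1_keys(g_xy, ni, nr, cky_i, cky_r)   # computed independently by the responder
    hi, hr = identity_hashes(initiator[0], g_xi, g_xr, cky_i, cky_r, sa_i, id_i, id_r)
    return initiator, responder, hi, hr
```

Chaining each key through the previous one is what lets the two peers derive identical keys from material that crossed the network only once, and mixing in both nonces is what stops a replayed exchange from reproducing an old key set.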
[Figure 5.11: ISAKMP aggressive mode. Initiator and responder exchange the payloads SA, Key, Nonce, ID, Cert and Sig, with the same meanings as in figure 5.10.]
Because aggressive mode offers no way to protect the identities of the communicating parties, identity information has to be exchanged before a secure SA is established. Anyone watching an aggressive-mode exchange can identify who has set up a new SA. The advantage of aggressive mode is speed.
Quick mode
Once two parties have established an ISAKMP SA using main mode or aggressive mode, the next step is to use quick mode. Quick mode has two purposes: negotiating IPsec security services and generating fresh keying material. Quick mode is considered simpler than main mode and aggressive mode, because it already has a tunnel available (all packets are encrypted). Quick mode packets are all encrypted and begin with a hash payload. The hash payload is produced using the previously agreed pseudo-random function and the authentication key obtained earlier. The hash payload authenticates the remainder of the packet. Quick mode defines which parts of the packet are covered by the hash.
Keys can be refreshed in one of two ways. If perfect forward secrecy is not required, quick mode simply refreshes the key from main mode or aggressive mode with additional hashing: the two parties exchange nonces through the secure tunnel and use them to hash the existing key. If perfect forward secrecy is required, an additional Diffie-Hellman exchange can be requested through the existing SA and the key value changed.
[Figure 5.12: ISAKMP quick mode. Payloads: Hash (a hash payload), SA, Nonce, {Key} and ID; braces indicate an optional payload.]
5.2.2 SA negotiation
To establish an SA, the initiator sends a quick mode message through the ISAKMP SA requesting a new SA. An SA negotiation results in two SAs: one inbound to the initiator and one outbound. To avoid SPI collisions, the receiving node must always choose the SPI. Therefore, in quick mode the initiator tells the responder which SPI it will use, and the responder follows the chosen SPI. Each SPI, combined with the destination IP address, designates a single, unique IPsec SA. In practice, however, these SAs always come in pairs, inbound and outbound, and their identifiers (algorithm, key, hash) are among the parameters the SPI points to.
5.3 Using IPsec
Figure 5.13 is an example of an Internet VPN application. IPsec software is deployed in three places: the security gateway, the mobile client and the host. Not every device needs IPsec software, however; it depends on the case: for mobile users connecting through an ISP (Internet Service Provider), the IPsec client software must be installed on the mobile users' machines. If the goal is a VPN in which every computer can communicate with the others over IPsec, then IPsec software must be installed on every computer.
[Figure 5.13: Components of an Internet VPN: a protected LAN, a LAN-to-LAN connection across the Internet, security gateways, a protected subnet, a client-to-LAN connection, a mobile client and remote access.]
5.3.1 Security gateways
A security gateway is a network device, such as a router or a firewall, that separates and protects the internal network against unauthorised intrusion from outside.
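The two refresh paths of quick mode (with and without perfect forward secrecy) and the SA pair that results from one negotiation, as an added example that is not part of the book. It assumes HMAC-SHA1 as the PRF, ESP as the protocol, a toy Diffie-Hellman group for the optional PFS exchange, and constructed nonces, SPIs and a phase 1 root key; the KEYMAT expansion follows IKEv1 as specified in RFC 2409, section 5.5, and the reserved SPI range is that of RFC 4303.

```python
"""Quick mode key refresh and the inbound/outbound SA pair (added example)."""
import hashlib
import hmac

P, G = 2**127 - 1, 5   # toy DH group, CONSTRUCTED; not an IKE group
ESP = b"\x03"          # IPsec DOI protocol id for ESP (PROTO_IPSEC_ESP = 3)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
           gqm_xy: bytes = b"", needed: int = 32) -> bytes:
    """Keying material for one SA, i.e. one direction, identified by its SPI.

    Without PFS gqm_xy is empty: the new key depends only on the phase 1 root key
    SKEYID_d and the fresh nonces ("hash the existing key with the nonces"). With
    PFS a new DH secret g(qm)^xy is mixed in as well, so the old root key alone can
    no longer reproduce the new key.
    """
    seed = gqm_xy + ESP + spi + ni + nr
    block = prf(skeyid_d, seed)              # K1
    out = block
    while len(out) < needed:                 # K2 = prf(SKEYID_d, K1 | seed), and so on
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:needed]


def choose_spi(sad: dict, dst_ip: str, candidates) -> int:
    """The receiving node picks its own SPI so that (dst IP, SPI, protocol) is unique
    in its SA database; SPIs 0-255 are reserved and never chosen."""
    for spi in candidates:
        if spi >= 256 and (dst_ip, spi, ESP) not in sad:
            return spi
    raise RuntimeError("no free SPI among the candidates")


def quick_mode(skeyid_d: bytes, ni: bytes, nr: bytes, spi_i: int, spi_r: int, pfs=None):
    """Run one quick-mode negotiation inside an existing ISAKMP SA.

    spi_i is the SPI chosen by the initiator for traffic it will receive, spi_r the
    one chosen by the responder. pfs is an optional (x, y) pair of private DH values
    for the extra exchange. Returns each side's view as (inbound key, outbound key).
    """
    gqm_i = gqm_r = b""
    if pfs is not None:
        x, y = pfs
        pub_x, pub_y = pow(G, x, P), pow(G, y, P)        # exchanged through the ISAKMP SA
        gqm_i = pow(pub_y, x, P).to_bytes(16, "big")     # initiator's view of g(qm)^xy
        gqm_r = pow(pub_x, y, P).to_bytes(16, "big")     # responder's view
    bspi_i, bspi_r = spi_i.to_bytes(4, "big"), spi_r.to_bytes(4, "big")
    # One SA per direction: the key for the SA whose SPI the initiator chose protects
    # traffic flowing towards the initiator, and vice versa.
    init_view = (keymat(skeyid_d, bspi_i, ni, nr, gqm_i),
                 keymat(skeyid_d, bspi_r, ni, nr, gqm_i))
    resp_view = (keymat(skeyid_d, bspi_r, ni, nr, gqm_r),
                 keymat(skeyid_d, bspi_i, ni, nr, gqm_r))
    return init_view, resp_view


if __name__ == "__main__":
    root = b"\x11" * 20                      # constructed SKEYID_d from phase 1
    sad_resp = {("192.0.2.10", 0x1000, ESP): b"existing"}
    spi_r = choose_spi(sad_resp, "192.0.2.10", iter([0x10, 0x1000, 0x1001]))
    init, resp = quick_mode(root, b"n" * 8, b"m" * 8, 0x2000, spi_r)
    print("responder SPI:", hex(spi_r), "keys match:", init[0] == resp[1] and init[1] == resp[0])
```

Because the SPI of each direction is part of the seed, the two SAs of one negotiation get different keys even though they share the same nonces and root key, which is the concrete reason a single quick mode exchange yields an inbound and an outbound SA rather than one.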
Using IPsec on the security gateway makes the traffic passing through it go through a single choke point before leaving for the outside. When building a VPN, security gateways are installed at the main offices and security associations are then established between the security gateways. Using security gateways reduces the complexity of key management, because only a single key needs to be assigned to each security gateway. A security gateway can forward packets in either transport mode or tunnel mode. For higher security, tunnel mode is more suitable, since it hides the real IP addresses of the sender and receiver and protects against header cut-and-paste attacks. However, tunnel mode requires computation at the security gateway and increases the packet size, which reduces network throughput. Using transport mode between gateways reduces communication overhead, but it does not hide the real source and destination IP addresses. If wildcard security is not used for the traffic passing through the security gateway, the key management mechanism becomes more complex.
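The trade-off just described, transport mode versus tunnel mode on a gateway, can be made concrete by building both encapsulations for the same inner packet and comparing what an on-path observer learns from the outer header and how much larger the tunnel-mode packet is. This is an added example, not code from the book. It assumes ESP with a 12-byte integrity check value (the length used by HMAC-SHA1-96), constructed addresses and a keystream derived from SHA-256 that stands in for the SA's negotiated cipher; it is not a real ESP transform.

```python
"""ESP transport vs tunnel mode as seen from the path (added example)."""
import hashlib
import hmac
import ipaddress
import struct

ESP = 50   # IP protocol number carried in the outer header for ESP


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: 20 bytes, no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def observer_view(pkt: bytes):
    """What a device on the path sees: only the outermost header's addresses and protocol."""
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])


def encrypt(key: bytes, data: bytes) -> bytes:
    """CONSTRUCTED keystream cipher (SHA-256 in counter mode) standing in for the SA's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def esp_encapsulate(plaintext: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header (SPI, sequence) + encrypted payload/padding/pad length/next header + ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4              # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = encrypt(key, plaintext + trailer)
    icv = hmac.new(key, header + body, hashlib.sha1).digest()[:12]   # covers header and body
    return header + body + icv


def transport_mode(inner: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: keep the original IP header, protect only its payload."""
    src, dst, proto = observer_view(inner)
    esp = esp_encapsulate(inner[20:], proto, spi, seq, key)
    return ip_header(src, dst, ESP, len(esp)) + esp


def tunnel_mode(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the whole inner packet is encrypted; the outer header names the gateways."""
    esp = esp_encapsulate(inner, 4, spi, seq, key)     # next header 4 = IP-in-IP
    return ip_header(gw_src, gw_dst, ESP, len(esp)) + esp


def tunnel_overhead(inner: bytes, gw_src: str, gw_dst: str, key: bytes) -> int:
    """Extra bytes tunnel mode costs over transport mode for this packet."""
    return (len(tunnel_mode(inner, gw_src, gw_dst, 0x2000, 1, key))
            - len(transport_mode(inner, 0x1000, 1, key)))


if __name__ == "__main__":
    key = b"k" * 16                                                  # constructed SA key
    inner = ip_header("10.1.0.5", "10.2.0.7", 17, 8) + b"\x00" * 8   # constructed host packet
    print("transport:", observer_view(transport_mode(inner, 0x1000, 1, key)))
    print("tunnel:   ", observer_view(tunnel_mode(inner, "203.0.113.1", "198.51.100.1", 0x2000, 1, key)))
    print("tunnel overhead (bytes):", tunnel_overhead(inner, "203.0.113.1", "198.51.100.1", key))
```

For the small packet above the observer sees the real host addresses in transport mode but only the two gateway addresses in tunnel mode, at a cost of one extra 20-byte outer header (plus whatever padding the inner length requires); the ICV over header and body is what stops a captured ESP body from being glued onto a different outer header.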
