IV. Security
V. Security solutions
VI. Encryption
VII. Types of attack on WLANs
VIII. Wireless IDS
1. Concept

Network Technology
2. History:
WLAN technology first appeared in late 1990, when manufacturers introduced products operating in the 900 MHz band. These solutions (not standardized between manufacturers) offered a data rate of 1 Mbps, far lower than the 10 Mbps of most cabled networks of the time. In 1992, manufacturers began selling WLAN products that used the 2.4 GHz band. Although these products had higher data rates, they were still proprietary solutions of each manufacturer and were not widely published. The need for devices in different frequency ranges to interoperate led several organizations to start developing common wireless networking standards. In 1997, the Institute of Electrical and Electronics Engineers (IEEE) ratified the 802.11 standard, also known as WIFI (Wireless Fidelity), for WLANs. The 802.11 standard supports three signal transmission methods, including radio transmission at 2.4 GHz. In 1999, the IEEE approved two supplements to 802.11, the 802.11a and 802.11b standards (which define signal transmission methods). WLAN devices based on 802.11b quickly became the dominant wireless technology. 802.11b WLAN devices transmit at 2.4 GHz and provide data rates of up to 11 Mbps. IEEE 802.11b was created to provide usability, throughput and security characteristics comparable to those of wired networks. In 2003, the IEEE announced a further improvement, the 802.11g standard, which can send and receive in both the 2.4 GHz and 5 GHz ranges and can raise the data rate to 54 Mbps. In addition, products that implement 802.11g are backward compatible with 802.11b devices. Today the 802.11g standard has reached speeds of 108 Mbps-300 Mbps.
4. Advantages and disadvantages of WLAN:
a. Advantages:
+ Convenience: A wireless network works like an ordinary network. It lets users access network resources from anywhere in the area where it is deployed (home or office). With the growing number of laptop users, this is a great convenience.
+ Mobility: With the growth of public wireless networks, users can access the Internet anywhere. In cafes, for example, users can get free wireless Internet access.
+ Productivity: Users can stay connected to the network as they move from place to place.
+ Deployment: Setting up a wireless network initially requires at least 1 access point. A cabled network incurs extra cost and can be difficult to deploy in many parts of a building.
+ Scalability: A wireless network can respond immediately when the number of users grows. A cabled network needs additional cabling.
b. Disadvantages of WLAN:
+ Security: The medium for wireless connections is the air, so the likelihood of users being attacked is very high.
+ Range: A standard 802.11g network with standard equipment only works well within a range of a few tens of metres. That suits a house, but does not meet the needs of a large building. Meeting them requires buying additional repeaters or access points, which increases cost.
+ Reliability: Because radio waves are used for communication, interference and signal degradation caused by other devices (microwave ovens, ...) are unavoidable. This significantly reduces the performance of the network.
+ Speed: The speed of a wireless network (1-125 Mbps) is very slow compared with a cabled network (100 Mbps up to several Gbps).
2. AP operating modes:
An AP can communicate with wireless stations, with the traditional wired network and with other APs. An AP has 3 main operating modes:
+ Root mode: Root mode is used when the AP is connected to the wired backbone through its wired interface (usually Ethernet). Most APs support modes other than root mode, but root mode is the default configuration. When an AP is connected to a wired segment through its Ethernet port, it is configured to operate in root mode. In root mode, APs connected to the same wired distribution system can talk to each other over the wired segment. Wireless clients can communicate with wireless clients in different cells (the coverage area of an AP) through the AP each of them is connected to; those APs then communicate with each other over the wired segment.
+ Bridge mode: In bridge mode, the AP behaves exactly like a wireless bridge. The AP becomes a wireless bridge when configured this way. Only a few APs on the market support the bridge function, which makes the device considerably more expensive. We will briefly explain how a wireless bridge works.
+ Repeater mode: The AP can provide a wireless upstream link into the wired network instead of a normal wired connection. One AP operates as a root AP and the other operates as a wireless repeater. An AP in repeater mode connects to clients as an AP and connects to the upstream AP as a client.
IV. Security in WLAN:
1. Why wireless networks (WLAN) must be secured:
To connect to a wired LAN we need access to the cable: a PC has to be plugged into a network port. With a wireless network we only need our machine to be within the coverage area of the wireless network. Controlling a wired network is simple: the cabling normally runs inside the building, and unused ports can be disabled with management applications. Wireless (radio) networks use radio waves that pass through building materials, so coverage is not confined to the inside of a building. The radio signal from the transmitters of these LANs can appear on the street, and so anyone with suitable equipment can access it. A company's wireless network can therefore also be accessed from outside the company's building.
To provide a minimum level of security for a WLAN, two components are needed:
+ A way to determine who is allowed to use the WLAN - this requirement is met by an authentication mechanism.
+ A method that provides privacy for wireless data - this requirement is met by an encryption algorithm.
In Controller Mode (figure 3-3), the EAS manages the APs and controls access to the wireless network, but it is not involved in carrying user data. In this mode, the wireless network can be separated from the wired network by a conventional firewall or fully integrated into the enterprise wired network. The WLAN architecture supports a security model shown in figure 4. Each element in the model can be configured by the network administrator to match what they need.
+ Device Authorization: Wireless clients can be blocked by their hardware address (for example the MAC address). The EAS maintains a database of permitted wireless clients, and the individual APs block or pass traffic accordingly.
+ Encryption: The WLAN also supports WEP, 3DES and the TLS (Transport Layer Security) standard, using encryption to prevent unauthorized access. WEP keys can be generated on a per-user, per-session basis.
+ Authentication: The WLAN supports mutual authentication (using 802.1x EAP-TLS) to ensure that only authorized wireless clients can access the network. The EAS uses an internal RADIUS server for authentication with digital certificates. These certificates can be obtained from an internal certification authority (CA) or imported from an external CA. This maximizes security and minimizes administrative procedures.
+ Firewall: The EAS integrates a packet-filtering and port-blocking firewall based on IP chains. Preconfiguration allows common traffic types to be enabled or disabled.
+ VPN: The EAS includes an IPSec VPN server that lets wireless clients establish robust VPN sessions over the network.
2. TKIP (Temporal Key Integrity Protocol)
An IEEE solution developed in 2004. It is an upgrade to WEP intended to patch the security problems in WEP's implementation of the RC4 stream cipher. TKIP hashes the IV to counter packet forgery, and it also provides a message integrity check (MIC) to ensure the correctness of each packet. TKIP uses dynamic keys, giving each frame its own sequence number, to counter forgery attacks.
3. AES (Advanced Encryption Standard)
An encryption function approved by NIST (National Institute of Standards and Technology). The IEEE designed a mode for AES to meet the needs of WLANs. This mode is called CBC-CTR (Cipher Block Chaining Counter Mode) with CBC-MAC (Cipher Block Chaining Message Authenticity Check). Their combination is called AES-CCM. CCM mode combines CBC-CTR encryption with the CBC-MAC message authentication algorithm. The combination provides both encryption and an integrity check of the transmitted data.
CBC-CTR encryption uses a counter to supplement the key stream. The counter is incremented by 1 after each block is encrypted. This process ensures that each block has a unique key. The unencrypted data is split into 16-byte blocks. CBC-MAC works by using the result of CBC encryption together with the frame length, source address, destination address and data. The result is a 128-bit value, which is truncated to 64 bits for transmission. AES-CCM has a fairly high cost for both encryption and integrity checking of the transmitted data, so it consumes a large amount of CPU processing power.
4. 802.1x and EAP
802.1x is a specification for port-based access control defined by the IEEE. It works in both traditional wired and wireless environments. Access control is performed as follows: when a user tries to connect to the network, the user's connection is placed in the blocking state and waits until verification of the user's identity is complete.
5. WPA (Wi-Fi Protected Access)
WEP was built to protect a wireless network against eavesdropping. But many flaws were soon found in this technology. As a result, a new technology called WPA (Wi-Fi Protected Access) was introduced, which fixes many of WEP's weaknesses. Among the most important improvements in WPA is the use of the TKIP (Temporal Key Integrity Protocol) key-changing function. WPA also uses the RC4 algorithm like WEP, but with full 128-bit encryption. Another feature is that WPA changes the key for every packet. Tools that collect packets in order to break the encryption key cannot do so against WPA. Because WPA changes keys continuously, a hacker never collects enough sample data to find the password. In addition, WPA includes a Message Integrity Check, so data cannot be altered while in transit.
WPA is available in 2 options: WPA Personal and WPA Enterprise. Both use the TKIP protocol, and the only difference is the initial encryption key. WPA Personal suits home and small-office networks; the initial key is used at the access points and the client devices. WPA for enterprises, by contrast, needs an authentication server and 802.1x to provide initial keys for each session.
There is a flaw in WPA, and it occurs only with WPA Personal. When the TKIP key-changing function used to generate the encryption keys is discovered, if a hacker can guess the initial key or part of the password, they can determine the entire password and can therefore decrypt the data. However, this flaw is eliminated by using initial keys that are not easy to guess (do not use words such as "PASSWORD" as the password).
VI. Encryption:
Encryption transforms data so that only authorized parties can decrypt it. The encryption process combines plaintext with a key to produce ciphertext. Decryption combines the ciphertext with the key to recreate the original plaintext. The process of arranging and distributing keys is called key management.
a. Stream ciphers:
A stream cipher encrypts bit by bit. It generates a continuous key stream based on the value of the key; for example, a stream cipher can generate a 15-byte key stream to encrypt one frame and a different 200-byte key stream to encrypt another frame. A stream cipher is a very efficient encryption algorithm that consumes few resources (CPU).
b. Block ciphers:
A block cipher generates a single key stream of fixed size (64 or 128 bits). The unencrypted data (plaintext) is split into blocks, and each block is mixed with the key stream independently. If a plaintext block is smaller than the key stream block, the plaintext is padded to the required size. Fragmentation, together with some other block cipher operations, consumes a lot of CPU resources. The stream and block encryption processes are also called ECB (Electronic Code Block) mode. The characteristic of this mode is that the same input plaintext always produces the same output ciphertext. This is exactly what an attacker can exploit to recognize patterns in the ciphertext and guess the original plaintext.
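The ECB weakness described above, next to the per-block counter described in the AES section, as an added example that is not part of the original document. The 16-byte block cipher is a constructed 4-round Feistel toy standing in for AES (it is not secure), and the key, nonce and frame contents are constructed sample values.

```python
import hashlib

BLOCK = 16  # bytes; the block size the text gives for AES-CCM

def _round(key, rnd, half):
    # Round function of the toy cipher: keyed SHA-256, cut to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    """4-round Feistel permutation: a constructed stand-in for AES, NOT secure."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
        left, right = right, mixed
    return left + right

def ecb_encrypt(key, plaintext):
    """Pad to a block multiple, then encrypt every block independently."""
    n = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([n]) * n
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ctr_crypt(key, nonce, data):
    """Counter mode: block i is XORed with E(key, nonce || i); same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = toy_encrypt_block(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample frame: three identical 16-byte blocks, then a different one.
KEY = b"constructed-key!"
NONCE = b"\x00" * 7 + b"\x01"   # 8-byte per-frame nonce; must never repeat per key
FRAME = b"LOGIN=alice;____" * 3 + b"PIN=0000;_______"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, FRAME)))
    print("CTR repeated blocks:", repeated_blocks(ctr_crypt(KEY, NONCE, FRAME)))
```

Under ECB the three identical plaintext blocks are visible as identical ciphertext blocks; with the counter each block gets its own key stream and the repetition disappears.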
access by other users, including users who are permitted access.
b) Rogue Access Points from neighbouring WLANs
802.11 clients automatically choose the Access Point with the strongest signal they detect and connect to it. For example, Windows XP automatically connects to the best connection available around it. As a result, authenticated users of one organization may connect to the Access Points of neighbouring organizations. Although the neighbouring Access Points do not deliberately attract connections from these users, such a connection unintentionally exposes sensitive data.
c) Rogue Access Points created by an attacker
AP spoofing is a classic man-in-the-middle attack. In this kind of attack the attacker sits in the middle and steals the traffic passing between 2 nodes. The attack is very powerful because the attacker can steal all the traffic crossing the network. It is very difficult to mount a man-in-the-middle attack on a wired network, because the attack requires real access to the transmission line. A wireless network, by contrast, is very susceptible to it. The attacker needs to create an AP that attracts more selections than the legitimate AP. This fake AP can be set up by copying the entire configuration of the legitimate AP: SSID, MAC address and so on. The next step is to make the victim connect to the fake AP. The first way is to wait for users to connect on their own. The second way is to cause a denial-of-service (DoS) attack on the legitimate AP so that users have to reconnect, to the fake AP. In an 802.11 network the choice of AP is made by received signal strength. The only thing the attacker has to do is make sure their AP has the strongest signal. To achieve this the attacker has to place their AP closer to the victim than the legitimate AP, or use directional antenna techniques. After connecting to the fake AP the victim continues to work as normal, so if the victim connects to another legitimate AP, the victim's data all passes through the fake AP. The attacker uses utilities to record the victim's passwords as they are exchanged with a web server. The attacker thus obtains everything they want in order to log in to the legitimate network. This attack exists because 802.11 does not require two-way authentication between the AP and the node. The AP broadcasts to the whole network. This is very easy for an attacker to eavesdrop on, and so the attacker can obtain all the information they need. Nodes in the network use WEP to authenticate themselves to the AP, but WEP also has exploitable flaws. An attacker can eavesdrop on the traffic and use a cryptanalysis tool to steal users' passwords.
d) Rogue Access Points set up by the company's own employees
Because wireless networking is convenient, some employees equip themselves with Access Points and connect them to the company's wired network. Because they do not clearly understand wireless network security, they unintentionally create a large security hole. Strangers entering the company and outside hackers can connect to the unauthenticated Access Point to steal bandwidth, steal the company's sensitive information, use the company's network to attack others,
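A WIDS-side check for the spoofed-AP cases described above, as an added example that is not part of the original document. Because the text notes that both the SSID and the MAC address can be copied, the check also compares the channel and the signal strength against an inventory; the SSID, BSSIDs, channels, RSSI tolerance and beacon observations are all constructed or assumed values for a single fixed sensor.

```python
CORP_SSID = "CorpWLAN"     # constructed SSID
RSSI_TOLERANCE_DB = 15     # assumed tolerance for one fixed sensor
# Constructed inventory: BSSID -> (channel, usual RSSI in dBm at this sensor)
AUTHORIZED = {
    "aa:aa:aa:00:00:01": (1, -55),
    "aa:aa:aa:00:00:02": (6, -60),
}

def classify_beacon(ssid, bssid, channel, rssi):
    """Classify one observed beacon against the inventory."""
    known = AUTHORIZED.get(bssid.lower())
    if known is None:
        # Unknown radio: a neighbour unless it advertises our SSID.
        return "ssid-copy" if ssid == CORP_SSID else "neighbor"
    exp_channel, exp_rssi = known
    if ssid != CORP_SSID or channel != exp_channel:
        # A copied MAC address seen with settings the real AP does not use.
        return "bssid-clone-suspect"
    if rssi - exp_rssi > RSSI_TOLERANCE_DB:
        # Far stronger than usual: the fake AP has to out-shout the real one.
        return "signal-anomaly"
    return "authorized"

def findings(beacons):
    """Return (label, bssid) for every beacon that needs investigation."""
    result = []
    for ssid, bssid, channel, rssi in beacons:
        label = classify_beacon(ssid, bssid, channel, rssi)
        if label not in ("authorized", "neighbor"):
            result.append((label, bssid.lower()))
    return result

# Constructed observations: (ssid, bssid, channel, rssi_dbm)
BEACONS = [
    ("CorpWLAN", "aa:aa:aa:00:00:01", 1, -57),
    ("CorpWLAN", "de:ad:be:ef:00:09", 1, -40),
    ("CorpWLAN", "AA:AA:AA:00:00:02", 11, -62),
    ("CorpWLAN", "aa:aa:aa:00:00:02", 6, -30),
    ("CoffeeShop", "11:22:33:44:55:66", 6, -70),
]

if __name__ == "__main__":
    for item in findings(BEACONS):
        print(item)
```

An employee-installed AP as in case d) usually advertises its own SSID, so finding it also needs wired-side data that this over-the-air check does not have.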
- The attacker identifies the targets: the users of the wireless network and their connections (the Access Point and its connections).
- Frames requesting re-authentication are injected into the WLAN by forging the source and destination MAC addresses of the Access Point and of the users respectively.
- A wireless user who receives a re-authentication request frame assumes it was sent by the Access Point.
- After disconnecting one user from the wireless service, the attacker goes on to do the same to the remaining users.
- Normally the user reconnects to restore service, but the attacker quickly continues sending re-authentication request packets to the user.
attack and De-authentication Flood Attack.
+ Similarities: in terms of the form of attack, they can be considered alike because each is like a double-barrelled cannon, attacking both the Access Point and the client. Most importantly, they "fire" continuously.
+ Differences:
- De-authentication Flood Attack: requires both the AP and the client to resend authentication frames => authentication fails.
- Disassociation flood attack: sends disassociation frames that make the AP and the client believe the connection between them has been dropped.
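One way a WIDS sensor can flag both floods compared above, as an added example that is not part of the original document. It counts de-authentication and disassociation frames per AP/client link in a sliding window; the window length, the threshold, the MAC addresses and the frame records are constructed or assumed values.

```python
from collections import defaultdict, deque

WINDOW_S = 10    # assumed sliding window, in seconds
THRESHOLD = 5    # assumed: teardown frames tolerated per link per window
TEARDOWN = {"deauth", "disassoc"}

def detect_floods(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return one alert (time, subtype, link) per link that exceeds the threshold.

    frames: time-ordered (timestamp_s, subtype, src_mac, dst_mac) records.
    A link is the unordered MAC pair, because the flood forges frames in both
    directions (AP to client and client to AP).
    """
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, subtype, src, dst in frames:
        if subtype not in TEARDOWN:
            continue
        key = (subtype, frozenset((src, dst)))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop frames that left the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, subtype, tuple(sorted(key[1]))))
    return alerts

# Constructed capture: one normal deauth, a fast deauth flood, slow disassocs.
AP = "aa:aa:aa:00:00:01"
C1, C2, C3 = "cc:cc:cc:00:00:01", "cc:cc:cc:00:00:02", "cc:cc:cc:00:00:03"
SAMPLE = (
    [(1.0, "deauth", C1, AP)]
    + [(20 + 0.5 * i, "deauth", *((AP, C2) if i % 2 == 0 else (C2, AP)))
       for i in range(8)]
    + [(30.0, "beacon", AP, "ff:ff:ff:ff:ff:ff")]
    + [(40 + 3.0 * i, "disassoc", AP, C3) for i in range(8)]
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```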
2. Tasks of a WIDS:
+ Monitor and analyse the activity of users and systems.
+ Recognize known types of attack.
+ Identify abnormal activity in the network.
+ Define security policies for the WLAN.
+ Collect all traffic in the wireless network and raise alerts based on known signatures or on anomalies in the traffic.
3. Operating model:
b. Decentralized WIDS: A decentralized WIDS performs both the sensor and the management functions. This model suits small WLANs with few Access Points; a decentralized wireless IDS costs less than a centralized WIDS.
4. Traffic monitoring:
a. Building a WIDS to analyse the performance of the wireless network
Analysing the performance of a wireless network means capturing and decoding packets, then reassembling them to reconstruct the network connection. This analysis shows what faults are occurring on the operating network. The WIDS monitors the entire WLAN, forwards aggregated traffic and collects traffic from the sensors. It then analyses the collected traffic. If the analysed traffic shows an anomaly, an alert is displayed. The collected traffic can be stored on another system or logged to a database.
b. The WIDS can send alerts in the following cases:
+ An AP is overloaded because too many stations are connected to it.
+ A channel is overloaded because too many APs or too much traffic use the same channel.
+ An AP is configured inappropriately or inconsistently with the other APs in the network.
+ The number of fragmented packets is too high.
+ The WIDS detects hidden stations.
+ The number of connection attempts to the network is too high.
c. Reporting on network performance
The information collected by the WIDS forms a database that is used to report on the operating state of the network and to plan for the network. A WIDS report can include the 10 APs with the most alerts, a chart of station activity over time, spread-spectrum usage and so on. Alert trends indicate when an AP starts showing new problems or when network operation is interrupted. Examining the alerts of other APs at the same location helps us distinguish abnormal devices from environmental conditions that affect every AP in the area. Conversely, comparing the alerts of APs across many locations can help us identify problems caused by differences in product lines, firmware versions and configuration.
At this point we have a preliminary overview of WIDS; what remains is to apply WIDS devices to the enterprise wireless network.