Basic Security Solutions


Lecturer: Bùi Duy Cường. Student: Trịnh Kim Long.

MINISTRY OF EDUCATION AND TRAINING

HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY (HUTECH)

FACULTY OF PRACTICAL COLLEGE

----0o0----

REPORT

Course: Information Safety and Security

Topic: Basic Security Solutions

Lecturer: Bùi Duy Cường

Student: Trịnh Kim Long

Student ID: 12204369

Class: C12QM16

Ho Chi Minh City, 29 November 2013

Contents

Basic Security Solutions
1 Implementation Topology
2 Requirements
3 Router Configuration
3.1 Router Configuration
3.1.1 Hà Nội
3.1.2 Đà Nẵng
3.1.3 Sài Gòn
3.2 Routing Tables
3.2.1 Hà Nội
3.2.2 Đà Nẵng
3.2.3 Sài Gòn
4 Results
4.1 Theory
4.1.1 Abbreviations
4.1.2 How Telnet Works
4.1.3 How SSH Works
4.1.4 Comparison of Telnet and SSH
4.1.5 How PAP Works
4.1.6 How CHAP Works
4.1.7 Comparison of PAP and CHAP
4.1.8 How RADIUS and TACACS+ Work
4.1.9 Comparison of RADIUS and TACACS+
4.1.10 How SSL Works
4.1.11 Overview of NAT and the NAT Types
4.1.12 Overview of ACLs
4.2 Practice
4.2.1 Configuring Cisco Secure ACS
4.2.2 Wireshark Captures
5 References

Basic Security Solutions

1 Implementation Topology

[Figure: topology diagram, titled "Information Safety and Security: deploying the network security solutions SSH, CHAP, AAA, HTTPS, NAT, ACL"]

2 Requirements

1. Deploy the topology on GNS3 and VMware. Configure IP addressing and OSPF routing.

2. SSH:
- Configure SSH on DANANG.
- Give an overview of how TELNET and SSH work, and compare TELNET with SSH.

3. CHAP:
- Configure CHAP authentication between DANANG and SAIGON.
- Give an overview of how PAP and CHAP work, and compare PAP with CHAP.

4. AAA:
- Deploy RADIUS or TACACS+, with HANOI as the AAA client and SERVER as the AAA server (running the Cisco Secure ACS software).
- Capture the AAA authentication messages carried in RADIUS or TACACS+ packets with Wireshark and analyse them. Explain how the AAA authentication service works. Compare RADIUS with TACACS+.

5. HTTPS:
- Deploy the HTTPS service on SERVER (https://.hutech.edu).
- Give an overview of how SSL works.

6. NAT:
- Translate the Server's IP address to 172.16.23.(X+2)/24.
- Explain NAT and distinguish the NAT types.

7. ACL:
- Block the network 30.0.0.0/8 from reaching the HTTPS service on SERVER.
- Give an overview of ACLs.

3 Router Configuration

3.1 Router Configuration

3.1.1 Hà Nội

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
! passwords and the TACACS+ key below are stored and displayed in cleartext
!
hostname HANOI
!
boot-start-marker
boot-end-marker
!
enable password long
! `enable secret` would store a hash instead of the cleartext password
!
aaa new-model
!
aaa authentication login long group tacacs+
! list "long" has no fallback: if 10.0.0.69 is unreachable, vty login is refused
! (`group tacacs+ local` would keep the local accounts as an escape)
aaa authentication login kim local
! list "kim" is defined but not applied to any line
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip domain name trinhkimlong.hutech.edu
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 30.0.0.69 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 172.16.12.69 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 30.0.0.0 0.255.255.255 area 0
 network 172.16.12.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
tacacs-server host 10.0.0.69
tacacs-server key 123
! the key is the only thing protecting the TACACS+ body on the wire; "123" is a lab value
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login authentication long
! no `transport input ssh` here, so the vty lines still accept cleartext Telnet
!
end

3.1.2 Đà Nẵng

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DANANG
!
boot-start-marker
boot-end-marker
!
enable password long
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip domain name trinhkimlong.hutech.edu
! hostname + domain name are required before `crypto key generate rsa`;
! the RSA host key pair itself lives in NVRAM and does not appear in the running-config
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username long password 0 cisco
! SSH login account for vty 0-3; `username long secret ...` would store a hash
username itmanager password 0 hutech
! CHAP entry for the peer SAIGON, whose `ppp chap hostname` is itmanager
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 20.0.0.70 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 172.16.12.70 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.23.70 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
 ppp authentication chap
 ppp chap hostname admin
 ppp chap password 0 hutech
! DANANG answers SAIGON's challenges as "admin" with this password
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 20.0.0.0 0.0.0.255 area 0
 network 172.16.12.0 0.0.0.255 area 0
 network 172.16.23.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 3
 login local
 transport input ssh
! `ip ssh version 2` is not set, so both SSH protocol versions are accepted (version 1.99)
line vty 4
 login
! the fifth line is outside the SSH-only policy; with `login` and no line password
! IOS refuses the session ("Password required, but none set"), but it is still an oversight
!
end

3.1.3 Sài Gòn

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SAIGON
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin password 0 hutech
! CHAP entry for the peer DANANG, whose `ppp chap hostname` is admin
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 10.0.0.70 255.0.0.0
 ip access-group 101 out
! filters traffic leaving the router toward the server LAN (10.0.0.69 is SERVER)
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 172.16.23.69 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 serial restart-delay 0
 ppp authentication chap
 ppp chap hostname itmanager
 ppp chap password 0 hutech
! SAIGON answers DANANG's challenges as "itmanager" with this password
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.23.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Serial1/0 overload
! PAT: inside sources matched by list 1 are translated to the Serial1/0 address 172.16.23.69
!
access-list 1 permit 10.0.0.69
! only SERVER is translated; other inside hosts are forwarded untranslated
access-list 101 deny tcp 30.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 443
! wildcard 0.0.0.255 matches only 30.0.0.0/24, not the 30.0.0.0/8 asked for in requirement 7;
! the /8 needs: access-list 101 deny tcp 30.0.0.0 0.255.255.255 10.0.0.0 0.0.0.255 eq 443
access-list 101 permit ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
! no line password and no `transport input`: remote login is refused, no authentication policy is defined
!
end

3.2 Routing Tables

3.2.1 Hà Nội

[Figure: HANOI routing table]

3.2.2 Đà Nẵng

[Figure: DANANG routing table]

3.2.3 Sài Gòn

[Figure: SAIGON routing table]

4 Results

4.1 Theory

4.1.1 Abbreviations

AAA - Authentication, Authorization, Accounting: the three services of the AAA framework.
+ Authentication: verifying who the user is and whether they are allowed to connect.
+ Authorization: determining what an authenticated user is allowed to do on the system.
+ Accounting: recording what the user did from the moment they connected to the server until they logged out.

ACL - Access Control List: an ordered list of statements applied to a router interface. The list tells the router which packets to accept (permit) and which to drop (deny).

CHAP - Challenge Handshake Authentication Protocol: an authentication method within the Point-to-Point Protocol, stronger than PAP; the password itself is never sent, only an MD5 hash of a random challenge and the shared secret.

NAT - Network Address Translation: a technique (not a protocol in its own right) for rewriting private IP addresses into one or more public IP addresses.

HTTPS - Hypertext Transfer Protocol Secure: HTTP combined with the SSL or TLS security protocol so that information can be exchanged confidentially over the Internet.

TACACS+ - Terminal Access Controller Access Control System Plus: an AAA authentication protocol that uses the connection-oriented transport TCP on port 49. It is Cisco-proprietary rather than a standardised protocol (its specification was later published as RFC 8907).

PAP - Password Authentication Protocol: an authentication method within the Point-to-Point Protocol in which the credentials are transmitted unencrypted.

RADIUS - Remote Authentication Dial-In User Service: an open network security protocol based on the client-server model, carried over UDP (ports 1812/1813; older implementations use 1645/1646), and an authentication protocol within the AAA framework.

SSH - Secure Shell: a network protocol for establishing an encrypted and authenticated connection.

SSL - Secure Sockets Layer: the global security standard for creating an encrypted link between a web server and a browser; its successor is TLS.

4.1.2 How Telnet Works

- Telnet is a network protocol used over Internet connections or connections to computers on a local LAN. It is normally used to provide command-line login sessions between machines on the Internet. A telnet client is pre-installed on almost every Unix system and on Windows.

- Telnet is a client/server protocol that uses TCP to establish a session between a user terminal and a remote host. By default telnet listens on port 23.

- Operation: Telnet works in sessions; each session is one TCP connection to port 23. Everything in the session, including the login prompt and the password typed at it, is carried as plain text.

4.1.3 How SSH Works

- SSH is a client/server program that uses strong cryptography to prevent eavesdropping and theft of information on the link. The earlier programs, telnet and rlogin, use no encryption, so anyone on the path can listen in and even read the whole session with simple tools. Using SSH is the effective way to protect data travelling from one system to another.

- SSH works in three simple steps:

+ Host identification: establishing the identity of the systems taking part in the SSH session.

+ Encryption: setting up the encrypted channel.

+ Authentication: verifying that the user is allowed to log in to the system.

- Host identification: this is done by key exchange. Every computer that supports SSH has a unique identity key made of two parts, a private key and a public key. The public key is used whenever the hosts need to exchange material during the SSH session: data encrypted with the public key can only be decrypted with the private key. When the configuration of the server changes (the SSH software is replaced, or the operating system is fundamentally changed), the identity key changes as well, and every user who next logs in to that server over SSH is warned about the change. In the exchange described here, which is the SSH protocol version 1 design, the server sends its public key to the client when the session starts; the client generates a random session key, encrypts it with the server's public key and sends it back; the server decrypts it with its private key and now holds the session key, which is used to protect all data exchanged between the two machines. This is what identifies the server and client to each other. SSH protocol version 2, which current clients and the IOS `ip ssh version 2` setting use, instead derives the session key from a Diffie-Hellman exchange, and the server proves its identity by signing the exchange with its host key; the client compares that host key with the copy it saved earlier (known_hosts), which is where the "host key has changed" warning comes from.

- Encryption: once the secure session has been established (key exchange and identification), data is exchanged through an encryption/decryption stage: everything sent and received on the link is encrypted and decrypted with the mechanism agreed beforehand between server and client. The choice of cipher is usually made by the client. The ciphers commonly chosen were 3DES, IDEA and Blowfish. Once the cipher is chosen, server and client exchange the encryption key, and that exchange is itself protected by the hosts' secret identities, so an attacker can hardly eavesdrop on the link because they do not know the key.

+ The ciphers and their respective strengths and weaknesses:

. 3DES (also known as triple-DES): the default cipher of SSH-1.

. IDEA: faster than 3DES, but slower than Arcfour and Blowfish.

. Arcfour (RC4): fast, but security problems have been found.

. Blowfish: fast and, at the time, considered secure; newer ciphers have since replaced it.

Present-day SSH-2 implementations default to AES or ChaCha20-Poly1305 and should have 3DES, RC4 and Blowfish disabled.

- Authentication: the last of the three steps and the most varied. By this point the channel itself is already secure. The user's identity and access can be supplied in many different ways. For example, rhosts authentication can be used, although it is not the default; it simply checks that the client's identity is listed in the rhosts file (by DNS name and IP address). Password authentication is a very common way of identifying the user, but there are others: RSA public-key authentication, with key pairs created by ssh-keygen and held by ssh-agent.

4.1.4 Comparison of Telnet and SSH

- Differences between Telnet and SSH:

+ When telnet is used to connect to a host, the data sent over the link is not encrypted (clear text), so it is not secure; with SSH the information on the link is encrypted. Apart from that, usage and commands are much the same.

+ Telnet authenticates the user only by a cleartext password and never authenticates the server; SSH authenticates the server with its host key and the user with a password or key pair, both inside the encrypted channel.

4.1.5 How PAP Works

- PPP is built on the High-Level Data Link Control (HDLC) protocol. It defines standards for transmitting data over WAN DTE and DCE interfaces such as V.35, T1, E1, HSSI, EIA-232-D and EIA-449. PPP was created as a replacement for the Serial Line Internet Protocol (SLIP), a simple way of carrying TCP/IP.

- PPP can carry several protocols over one link and provides error detection, header compression, data compression and multilink. PPP has two components:

+ Link Control Protocol (LCP), defined in RFC 1661 (with extensions in RFC 1570): establishes, configures and tears down a link. LCP also provides Link Quality Monitoring (LQM) and can be combined with one of two authentication mechanisms, Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).

+ Network Control Protocol (NCP): establishes, configures and tears down the transport of each network-layer protocol, such as IP, IPX, AppleTalk and DECnet.

- Both LCP and NCP operate at layer 2. An extension of PPP, Multilink PPP (MPPP), carries data over several links at once; it uses the Multilink Protocol (MLP) to tie the LCP and NCP layers together.

- Two authentication types are supported:

+ Password Authentication Protocol (PAP)

+ Challenge Handshake Authentication Protocol (CHAP)

- Password Authentication Protocol (PAP, RFC 1334): during the LCP phase, when a client requests a PPP connection and PAP has been selected, the access server instructs the client to use PAP. The client must then send its username and password; both are transmitted in clear text, without any encryption, inside PPP frames. The server then decides whether to accept or reject the connection. This is one-way PAP between a client and a server. When two routers talk to each other, two-way PAP is used: each router sends its username and password, so the routers authenticate each other.

4.1.6 How CHAP Works

- Challenge Handshake Authentication Protocol (CHAP, RFC 1994): CHAP is used more widely than PAP because the password is never transmitted; each side proves knowledge of the secret with an MD5 hash instead. (CHAP does not encrypt the data on the link; it only authenticates.) The two ends of the link share the same CHAP secret, and each end is given its own local name.

- Suppose router R1 dials in to router R2, so R2 is the authenticator.

+ Step 1: once LCP negotiation completes, R2 sends a Challenge containing an identifier, a random value and R2's hostname.

+ Step 2: R1 looks up the password it has stored for R2's hostname (its `username R2 password ...` entry, or the `ppp chap password` on the interface), computes the MD5 hash of the identifier, that password and the challenge value, and returns a Response carrying the hash and R1's own hostname. The password itself is not sent.

+ Step 3: R2 searches its list of usernames (if several are configured) for the one matching the hostname in the Response, takes the password stored for it, and computes the same MD5 hash from the identifier, that password and the challenge it sent.

+ Step 4: R2 compares its own hash with the one received from R1. If the two match, authentication succeeds and R2 sends a Success message; otherwise it sends Failure and the link is torn down. With `ppp authentication chap` on both ends, as between DANANG and SAIGON, the exchange runs in both directions, and the authenticator may repeat the challenge at any time during the session.

4.1.7 Comparison of PAP and CHAP

- Unlike PAP, which sends the password in clear text, CHAP never sends the password at all: only a hash of a random challenge and the secret crosses the link, so a captured exchange cannot be replayed. The hash can still be attacked offline by guessing the secret if it is weak, and CHAP requires the cleartext secret to be stored on both routers.
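PAP and CHAP side by side, as an added example that is not part of the report: a Python model of the RFC 1334 Authenticate-Request and of the RFC 1994 Challenge/Response/Success exchange, using the lab's CHAP names (DANANG as admin, SAIGON as itmanager) and secret hutech. The username tables, the fixed challenge value and the final offline-guessing helper are constructed for the example.

```python
"""PAP (RFC 1334) versus CHAP (RFC 1994) over PPP, modelled in Python.
Added example, not the report's code. Packet layouts follow the RFCs; the
username tables mirror the lab's `username ... password` lines."""
import hashlib
import os
import struct

# What each router holds for its peer (from the DANANG / SAIGON configs).
SAIGON_USERS = {b"admin": b"hutech"}      # SAIGON verifies DANANG, whose CHAP name is "admin"
DANANG_USERS = {b"itmanager": b"hutech"}  # DANANG verifies SAIGON, whose CHAP name is "itmanager"


# ---- PAP: the Authenticate-Request carries the password verbatim ----
def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Code 1 | Identifier | Length | Peer-ID-Length | Peer-ID | Passwd-Length | Passwd."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def pap_verify(pkt: bytes, users: dict) -> bool:
    """Authenticator side: a plain dictionary lookup on the cleartext credentials."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        return False
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    m = pkt[5 + n]
    password = pkt[6 + n:6 + n + m]
    return users.get(peer_id) == password


# ---- CHAP: three-way handshake, the secret itself never crosses the link ----
def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident: int, my_name: bytes, value: bytes = b"") -> bytes:
    """Code 1 | Identifier | Length | Value-Size | Value (random) | Name of the challenger."""
    value = value or os.urandom(16)
    body = bytes([len(value)]) + value + my_name
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def chap_response(challenge: bytes, my_name: bytes, users: dict) -> bytes:
    """Peer side: take the secret filed under the *challenger's* name, hash, reply with own name."""
    _code, ident, _length = struct.unpack("!BBH", challenge[:4])
    vsize = challenge[4]
    value = challenge[5:5 + vsize]
    challenger = challenge[5 + vsize:]
    digest = chap_hash(ident, users[challenger], value)
    body = bytes([len(digest)]) + digest + my_name
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def chap_verify(challenge: bytes, response: bytes, users: dict) -> bytes:
    """Authenticator side: recompute the hash from the stored secret; return Success (3) or Failure (4)."""
    ident = challenge[1]
    vsize = challenge[4]
    value = challenge[5:5 + vsize]
    code, rid, _length = struct.unpack("!BBH", response[:4])
    rsize = response[4]
    digest = response[5:5 + rsize]
    name = response[5 + rsize:]
    ok = (code == 2 and rid == ident and name in users
          and digest == chap_hash(ident, users[name], value))
    return struct.pack("!BBH", 3 if ok else 4, ident, 4)


def chap_offline_guess(challenge: bytes, response: bytes, wordlist) -> bytes:
    """Caveat: a captured Challenge/Response pair is an offline oracle for weak secrets."""
    ident, vsize = challenge[1], challenge[4]
    value = challenge[5:5 + vsize]
    digest = response[5:5 + response[4]]
    for guess in wordlist:
        if chap_hash(ident, guess, value) == digest:
            return guess
    return b""


if __name__ == "__main__":
    pap = pap_request(1, b"admin", b"hutech")
    print("PAP on the wire:", pap)                      # the password is readable
    ch = chap_challenge(7, b"itmanager")                # SAIGON challenges
    rs = chap_response(ch, b"admin", DANANG_USERS)      # DANANG answers
    print("CHAP result code:", chap_verify(ch, rs, SAIGON_USERS)[0])
    print("guessed secret:", chap_offline_guess(ch, rs, [b"cisco", b"hutech"]))
```

The identifier check in chap_verify is what defeats replay: a Response recorded against one challenge is rejected against the next one, because both the identifier and the random value differ. The last function shows the remaining weakness: with the lab's dictionary-word secret, one captured pair is enough to recover it offline.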

4.1.8 How RADIUS and TACACS+ Work

- Two security protocols are used for the AAA service: TACACS (Terminal Access Controller Access Control System) and RADIUS (Remote Authentication Dial-In User Service). Both exist in several versions with their own attributes. Cisco's version of TACACS is TACACS+; it is a separate protocol and is not compatible with the original TACACS or XTACACS. RADIUS is extensible as well: vendors can add their own vendor-specific attributes, which RADIUS carries.

TACACS+ and RADIUS [1] run between a device such as a network access server (NAS) and the AAA server. The user connects from a PC to the NAS, and the NAS asks for the user's credentials. Between the PC and the NAS the protocol is PPP, and a protocol such as CHAP or PAP carries the credentials. The NAS then forwards the credentials to the AAA server for verification, wrapped in TACACS+ or RADIUS.

- TACACS+: TACACS+ uses the connection-oriented transport TCP on port 49. Its advantages are:

+ With TCP's reset (RST) a device can immediately tell the other end that something went wrong during the exchange.

+ TCP is scalable and has a built-in recovery mechanism: with sequence numbers and retransmission it copes with growth as well as with network congestion.

+ The whole payload is obfuscated with a shared secret key. A flag in the TACACS+ header indicates whether the body is encrypted.

+ TACACS+ obfuscates the entire packet with the shared secret except for the standard TACACS+ header, which is always sent in clear; the header carries the flag that says whether the body is encrypted. In normal operation the body is always obfuscated, so the exchange is protected. (The scheme is an MD5-derived keystream rather than a modern cipher; RFC 8907 recommends running TACACS+ only inside a protected management network or over an encrypted tunnel.)

+ TACACS+ is split into three parts: authentication, authorization and accounting. With this modular approach, other forms of authentication can be used while TACACS+ still provides authorization and accounting. Authenticating with Kerberos while authorizing and accounting with TACACS+, for instance, is very common.

+ TACACS+ supports multiple protocols.

+ With TACACS+ there are two ways to control which commands a user or a group of users may execute:

The first is to create a privilege level with a limited set of commands; a user authenticated by the router and the TACACS+ server is then assigned that privilege level.

The second is to define on the TACACS+ server a list of the commands that a user or group is allowed to run (per-command authorization, which is what `aaa authorization commands 15 default group tacacs+` on HANOI requests).

+ TACACS+ is typically used in enterprise networks. It has many advantages and suits the day-to-day administration of network devices well.

- RADIUS: RADIUS is a network security protocol based on the client-server model. It uses UDP. The RADIUS server usually runs on a host computer. The clients are devices that send user information to a designated RADIUS server and then act on the reply it returns. Communication between the client and the RADIUS server is authenticated with a shared secret that is never sent over the network.

- Some advantages of RADIUS are:

+ RADIUS has less protocol overhead than TACACS+ because it uses UDP: there is no connection setup and no per-session state to maintain.

+ Originally distributed as source code, RADIUS is a fully open and extensible protocol (RFC 2865 and RFC 2866). Users can adapt it to work with any existing security system.

+ RADIUS has extensive accounting.

+ RADIUS is often used for billing based on resource usage; an ISP, for instance, bills users for their connection costs. RADIUS accounting can be deployed without using RADIUS for authentication and authorization. Its accounting lets data be sent from both the originating and the terminating device, which helps track the resources used during a session (time, number of packets, number of bytes).

4.1.9 Comparison of RADIUS and TACACS+

Characteristics of RADIUS:

* Uses UDP for transport

* Encrypts only the password in the Access-Request packet

* Combines authentication and authorization

* Non-proprietary (open standard)

* Does not support ARA access, the NetBIOS Frame Control Protocol, NASI or X.25 PAD connections

* Does not allow control over which commands can be executed on a router

Characteristics of TACACS+:

* Uses TCP for transport

* Encrypts the entire body of the packet, making it more secure

* Uses the AAA architecture, which separates authentication, authorization and accounting

* Cisco proprietary

* Supports multiple protocols

* Provides two ways to control the authorization of router commands
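The two "encrypts only the password" and "encrypts the entire body" bullets above, made concrete as an added example that is not part of the report: a Python implementation of the RFC 2865 User-Password hiding and Response Authenticator, and of the RFC 8907 TACACS+ body obfuscation, each applied to a login for the lab user long/cisco. It assumes the RADIUS shared secret is the same "123" configured as the lab's tacacs-server key; the session id and attribute contents are constructed.

```python
"""What an eavesdropper between the NAS and the AAA server can read in RADIUS
versus TACACS+. Added example, not the report's code; it implements the
RFC 2865 User-Password hiding and the RFC 8907 body obfuscation with hashlib
only. Secret and credentials are the lab's (key 123, user long/cisco); using
that key for RADIUS as well is an assumption."""
import hashlib
import os
import struct

SECRET = b"123"


# ---------- RADIUS (RFC 2865): only the User-Password attribute is hidden ----------
def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Section 5.2: null-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Same keystream in reverse: anyone holding the shared secret recovers the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request(user: bytes, password: bytes, secret: bytes, ident: int, req_auth: bytes = b"") -> bytes:
    """Code 1 | ID | Length | Request Authenticator (16 random bytes) | User-Name | User-Password."""
    req_auth = req_auth or os.urandom(16)
    hidden = radius_hide_password(password, secret, req_auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs


def radius_attributes(pkt: bytes) -> dict:
    """Walk the type/length/value list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return attrs


def radius_access_accept(ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Code 2 without attributes; the Response Authenticator binds it to the request and the secret."""
    head = struct.pack("!BBH", 2, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()


def radius_response_valid(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[4:20] == expected


# ---------- TACACS+ (RFC 8907): the whole body is obfuscated, the 12-byte header is not ----------
def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Section 4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the body."""
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, version, seq_no, len(body))))


def tacacs_authen_start(user: bytes, password: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Authentication START (type 1) for a PAP-style login:
    action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), empty port/rem_addr."""
    body = bytes([1, 1, 2, 1, len(user), 0, 0, len(password)]) + user + password
    header = struct.pack("!BBBBII", 0xC0, 1, seq_no, 0, session_id, len(body))  # flags=0: body obfuscated
    return header + tacacs_obfuscate(body, session_id, key, 0xC0, seq_no)


if __name__ == "__main__":
    ra = os.urandom(16)
    req = radius_access_request(b"long", b"cisco", SECRET, 7, ra)
    print("RADIUS username readable:", b"long" in req, "| password readable:", b"cisco" in req)
    tp = tacacs_authen_start(b"long", b"cisco", 0x12345678, SECRET)
    print("TACACS+ username readable:", b"long" in tp, "| password readable:", b"cisco" in tp)
```

In a Wireshark capture of the lab this is exactly the difference that shows: the RADIUS User-Name attribute is readable and only User-Password is masked, while in TACACS+ everything after the 12-byte header is opaque without the key. Both schemes rest entirely on the shared secret, so a three-character key such as 123 protects neither in practice.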

4.1.10 How SSL Works

SSL (Secure Sockets Layer) is a general-purpose protocol designed to secure the communication between two application programs over a predefined port (HTTPS uses port 443) by encrypting all information sent and received. Today it is widely used for electronic transactions such as sending credit-card numbers, passwords and personal identification numbers (PINs) over the Internet.

The SSL protocol combines several cryptographic algorithms to keep the exchange of information over the network confidential. Encryption happens transparently, and any protocol that runs on top of TCP can be carried over it.

Secure Sockets Layer is currently the most widely used security protocol on the Internet for e-commerce. Vietnam is integrating with the global information technology industry, so online transactions in Vietnam will soon become active; security will then matter, and deploying SSL will be essential. At the time of writing, however, hardly any website in Vietnam seemed to use SSL for its transactions. This write-up introduces SSL briefly, together with how to deploy SSL on Internet Information Server (IIS) 5.0 and Windows 2000.

The SSL protocol was first developed in 1994 by a Netscape research group led by Taher Elgamal and became the de facto security standard on the Internet. The last SSL version is 3.0; it was succeeded by TLS (1.0 in 1999, 1.2 in 2008), and SSL 3.0 itself has since been deprecated (RFC 7568).

SSL is a layered protocol consisting of four sub-protocols:

+ The SSL Handshake protocol

+ The SSL Change Cipher Spec protocol

+ The SSL Alert protocol

+ The SSL Record Layer

The position of these protocols relative to the TCP/IP model is illustrated in the following diagram:

[Figure: SSL sub-protocols in the TCP/IP model]

The first step in using SSL is establishing a secure channel between the client and the server. Figure 3 shows the messages exchanged and Figure 4 summarises the steps in detail.

[Figure: negotiation flow]

[Figure: steps of the negotiation]

a. ClientHello

The message that starts an SSL channel between two parties. The client uses it to ask the server to begin negotiating the security services to be used over SSL; it carries the client's protocol version, a random value, a session id and the list of cipher suites and compression methods the client offers. The figure shows the structure of a ClientHello message.

b. ServerHello

When the server receives the ClientHello it answers with a ServerHello. The following figure lists the fields of the ServerHello; they are partly the same as those of the ClientHello, with the server selecting one protocol version and one cipher suite from the client's list.

c. ServerKeyExchange

After the ServerHello the server sends its Certificate, which carries its public key. It then sends a ServerKeyExchange message only when the certificate alone is not enough for the key exchange, for example to supply signed ephemeral Diffie-Hellman parameters. This message complements the CipherSuite field of the ServerHello: while the CipherSuite names the algorithms and the key lengths to be used, this message carries the server's key-exchange material, whose exact format depends on the algorithm. The message is sent unencrypted, and that is safe: the client uses the server's public key only to protect the session key, which an eavesdropper cannot recover without the server's private key.

d. ServerHelloDone

The message telling the client that the server has finished its part of the negotiation. Although it carries no information of its own, it is essential to the client, which waits for it before deciding whether to move on to the next stage.

e. ClientKeyExchange

When the server has finished its part of the negotiation, the client answers with a ClientKeyExchange message, which supplies the client's key material: with RSA key exchange it is the pre-master secret encrypted with the server's public key, with Diffie-Hellman it is the client's public value. From it, together with the two random values, both sides derive the symmetric session keys.

f. ChangeCipherSpec

A one-byte message signalling that everything sent after it is protected with the exact cipher parameters just negotiated (algorithm and key length) and the derived keys. The cipher suite selected must be one of those the client listed in the ClientHello.

g. Finished

After activating the security parameters with ChangeCipherSpec, both sides send a Finished message to announce that the handshake is over and data can flow. It is the first message protected by the new keys and contains a hash over all the handshake messages exchanged so far, including the negotiated algorithms and keys; the receiver verifies it against its own transcript, which confirms the peer's identity one last time and that no handshake message was tampered with.

h. Closing the channel

To end a session both sides send each other a ClosureAlert (close_notify) announcing the end of the connection, so that an attacker cannot silently truncate the session.
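The cleartext part of the handshake described under a and b, as an added example that is not part of the report: a Python builder and parser for a TLS ClientHello record (RFC 5246, with the Server Name Indication extension from RFC 6066), plus a check for cipher suites a server must never select. Everything before ChangeCipherSpec is unencrypted, so the first record already tells a Wireshark capture which cipher suites were offered and which hostname is being contacted. The cipher-suite numbers are the IANA-registered values; the hostname is a constructed sample.

```python
"""Build and parse a TLS ClientHello record. Added example, not the report's
code. Record layout: RFC 5246 6.2 and 7.4.1.2; SNI extension: RFC 6066 3.
Cipher-suite identifiers are the IANA values; the sample hostname is made up."""
import os
import struct

HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 22, 1, 0

SUITES = {
    "TLS_NULL_WITH_NULL_NULL": 0x0000,
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 0x0003,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
}
# null, export, RC4 and 3DES suites: offered by old clients, never to be selected
WEAK = {SUITES[n] for n in ("TLS_NULL_WITH_NULL_NULL", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                            "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA")}


def build_client_hello(cipher_suites, server_name: bytes, version=(3, 3), client_random: bytes = b"") -> bytes:
    """TLS record (type 22) wrapping a ClientHello handshake message with one SNI extension."""
    rnd = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    name = struct.pack("!BH", 0, len(server_name)) + server_name   # one host_name entry
    sni = struct.pack("!H", len(name)) + name                        # ServerNameList
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (struct.pack("!BB", *version) + rnd
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, *version, len(msg)) + msg


def parse_client_hello(record: bytes) -> dict:
    """Decode the record with length checks; raises ValueError on anything malformed."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + rlen:
        raise ValueError("not a complete handshake record")
    msg = record[5:]
    if msg[0] != CLIENT_HELLO or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed ClientHello")
    b, p = msg[4:], 0
    version = (b[0], b[1]); p = 2
    rnd = b[p:p + 32]; p += 32
    sid_len = b[p]; p += 1
    session_id = b[p:p + sid_len]; p += sid_len
    cs_len = struct.unpack("!H", b[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", b[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    comp_len = b[p]; p += 1
    compression = list(b[p:p + comp_len]); p += comp_len
    sni = None
    if p + 2 <= len(b):                                # extensions block is optional
        ext_len = struct.unpack("!H", b[p:p + 2])[0]; p += 2
        end = p + ext_len
        if end != len(b):
            raise ValueError("extension length mismatch")
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", b[p:p + 4]); p += 4
            data = b[p:p + elen]; p += elen
            if etype == EXT_SERVER_NAME:
                q = 2                                  # skip the ServerNameList length
                while q + 3 <= len(data):
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        sni = data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
    return {"version": version, "random": rnd, "session_id": session_id,
            "cipher_suites": suites, "compression": compression, "sni": sni}


def weak_suites_offered(record: bytes) -> list:
    """Cipher suites in the ClientHello that the server must not pick in its ServerHello."""
    return [s for s in parse_client_hello(record)["cipher_suites"] if s in WEAK]


if __name__ == "__main__":
    hello = build_client_hello([SUITES["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
                                SUITES["TLS_RSA_WITH_RC4_128_SHA"]], b"server.hutech.edu")
    info = parse_client_hello(hello)
    print("SNI in clear:", info["sni"], "| weak suites:", [hex(s) for s in weak_suites_offered(hello)])
```

The same parser applied to a ServerHello would show the one suite the server picked; the security of the whole session is decided at that point, before any key material is exchanged, which is why server configuration should reject the suites in WEAK rather than rely on clients not offering them.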

    4.1.11 Overview of NAT and NAT Types

    - NAT, or Network Address Translation, is a technique originally invented to solve the IP address shortage problem. When two computers are on the same network (the same subnet), they are connected directly, which means they can send and receive data directly with each other. If these computers are not on the same network and have no direct connection, the data must be forwarded between the networks, and that requires a router (software or hardware). This is the situation when a computer wants to connect to another computer on the Internet.

    - There are 3 different types of NAT:

    + Static NAT: with static NAT, a specified private IP address is mapped to a particular public IP address.

    + Dynamic NAT: with dynamic NAT, a private IP address is automatically mapped to one public IP or to one out of a range of public IPs. The mapping is still one private IP to one public IP, but it happens automatically.


    + NAT Overload: NAT Overload overcomes the drawback of Dynamic NAT: it can map all private IPs to a single public IP at the same time, letting the whole LAN access the Internet, with the individual hosts told apart by the port numbers of traffic entering and leaving the system.
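The three NAT types above as an added example (not code from the report, and not a router implementation): a small translation table that shows why a dynamic pool runs out while overload lets every host share one public address, and that a packet arriving from outside with no matching entry is simply dropped. All addresses are RFC 5737 documentation addresses and the port allocation scheme is a constructed simplification.

```python
class Nat:
    """Constructed model of the three NAT types described above (example code, not a
    router implementation). Addresses are RFC 5737 documentation addresses."""

    def __init__(self, mode, public_pool, static_map=None):
        self.mode = mode                      # "static", "dynamic" or "overload"
        self.pool = list(public_pool)         # public IPs available to this router
        self.static = dict(static_map or {})  # private IP -> public IP, configured by hand
        self.dynamic = {}                     # private IP -> public IP, assigned on demand
        self.pat = {}                         # (private IP, port) -> (public IP, port)
        self.next_port = 1024                 # next free public port for overload

    def outbound(self, private_ip, private_port):
        """Translate a packet leaving the LAN. Returns (public_ip, public_port), or
        None when the packet cannot be translated and is dropped."""
        if self.mode == "static":
            public_ip = self.static.get(private_ip)
            return (public_ip, private_port) if public_ip else None
        if self.mode == "dynamic":
            if private_ip not in self.dynamic:
                if not self.pool:
                    return None               # pool exhausted: this host cannot go out
                self.dynamic[private_ip] = self.pool.pop(0)
            return (self.dynamic[private_ip], private_port)
        key = (private_ip, private_port)      # overload: the whole LAN shares pool[0]
        if key not in self.pat:
            self.pat[key] = (self.pool[0], self.next_port)
            self.next_port += 1
        return self.pat[key]

    def inbound(self, public_ip, public_port):
        """Map a packet arriving from outside back to the inside host, or None if no
        translation exists (unsolicited traffic is dropped)."""
        if self.mode == "overload":
            for key, public in self.pat.items():
                if public == (public_ip, public_port):
                    return key
            return None
        table = self.static if self.mode == "static" else self.dynamic
        for private_ip, mapped in table.items():
            if mapped == public_ip:
                return (private_ip, public_port)
        return None
```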

    4.1.12 Overview of ACL

    - An ACL is a list of statements applied to the interfaces of a router. The list tells the router which packets are accepted (allow) and which are discarded (deny). Accepting or discarding can be based on the source address, the destination address or the port number.

    - Why use ACLs: to manage IP traffic, to provide a basic level of security for network access, and to filter packets passing through the router.

    - Functions: selecting the appropriate route for DDR (dial-on-demand routing), making IP packet filtering convenient, and providing high network availability.

    - There are 2 types of access lists: Standard Access lists and Extended Access lists.

    + Standard ACLs: filter on the source IP address of packets entering the network; placed close to the destination.

    + Extended ACLs: filter on the source and destination IP address of a packet, on the Network-layer protocol in the header such as TCP, UDP and ICMP, and on the port numbers in the Transport-layer header. Should be placed close to the source.


    - Where ACLs are placed

    + Inbound: roughly speaking, an inbound interface on the router (in the direction the packet enters); packets are processed through the ACL before being routed out (to the outbound interface). Here packets are dropped if they do not match the routing table; if a packet is accepted, it is processed before transmission.

    + Outbound: the interface through which the packet leaves the router; packets are routed to the outbound interface and processed through the ACL before being placed in the outbound queue.

    - Operation of ACLs: an ACL is evaluated in the order of the statements in the list configured when the access-list was created. If a condition in the list is matched, it is carried out and the remaining statements are not checked. If all statements in the list are unmatched, a default deny any statement is carried out: the end of every access-list is an implicit deny all. Therefore an access-list must contain at least one permit statement. When a packet enters an interface, the router checks whether there is an ACL on the inbound interface; if there is, the packet is checked against the conditions in the list. If the packet is allowed, it goes on to be checked against the routing table to decide which interface leads to the destination. Next, the router checks whether the outbound interface has an ACL. If not, the packet can be sent to the destination network. If there is an ACL on the outbound interface, the packet is checked against the conditions in that ACL.
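The ACL behaviour described in this section, written out as an added example (not code from the report or from Cisco IOS): first match wins, an unmatched packet falls into the implicit deny, a list with no permit blocks everything, and a packet passes the inbound ACL, then the routing lookup, then the outbound ACL of the chosen interface. The rule and packet fields, interface names and the sample configuration are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    """One access-list statement. A standard ACL only sets action and src."""
    action: str                  # "permit" or "deny"
    src: str                     # CIDR, or "any"
    dst: str = "any"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches every destination port
    def matches(self, pkt):
        def in_net(addr, net):
            return net == "any" or ip_address(addr) in ip_network(net)
        return (in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst)
                and self.proto in ("ip", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


def evaluate(acl, pkt):
    """First matching statement wins; with no match the implicit 'deny any' applies."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def forward(pkt, inbound_acl, routing_table, outbound_acls):
    """Inbound ACL, routing lookup, then the outbound ACL; None means dropped."""
    if inbound_acl and evaluate(inbound_acl, pkt) == "deny":
        return None
    for net, iface in routing_table:     # most specific route listed first
        if ip_address(pkt["dst"]) in ip_network(net):
            break
    else:
        return None                      # no route: dropped
    out_acl = outbound_acls.get(iface)
    if out_acl and evaluate(out_acl, pkt) == "deny":
        return None
    return iface


# Constructed sample configuration (not from the report).
STANDARD_IN = [Rule("deny", "10.0.0.0/24"), Rule("permit", "any")]
EXTENDED_OUT = [Rule("permit", "any", "192.168.2.0/24", "tcp", 443),
                Rule("permit", "any", "any", "icmp")]   # anything else: implicit deny
ROUTES = [("192.168.2.0/24", "Gi0/1"), ("0.0.0.0/0", "Gi0/2")]
OUTBOUND = {"Gi0/1": EXTENDED_OUT}
```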

    4.2 Practice

    4.2.1 Configuring Cisco Secure ACS

    - Main interface of Cisco Secure ACS


    - Configuring the AAA server and the AAA client


    - Creating user long in the Administrators group

    - User guest in the Users group


    4.2.2 Wireshark Captures

    HTTPS


    SSH

    CHAP


    TACACS+

    5 References
