
  • MINISTRY OF EDUCATION & TRAINING

    HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY AND EDUCATION (Trường Đại học Sư phạm Kỹ thuật TP. HCM)

    FACULTY OF ELECTRICAL AND ELECTRONICS ENGINEERING, DEPARTMENT OF ELECTRONICS AND TELECOMMUNICATIONS

    GRADUATION THESIS

    VPN SECURITY OVER MPLS (Bảo mật VPN trên nền MPLS)

    Supervisor: MSc. Đậu Trọng Hiển

    Students: Nguyễn Trường Điệp 06117017, Trần Xuân Thanh Thảo 06117071

    Ho Chi Minh City - 2/2012

  • VPN Security over MPLS, Page xviii

    When researching and deploying VPN technology over MPLS, particular attention is paid to its information security. Because of the wireless transmission environment, VPN over MPLS is very susceptible to information leakage caused by environmental effects and, especially, by attacks from hackers.

    Therefore, alongside the development of VPN over MPLS, its security capabilities must be developed so that it can deliver information to users efficiently and reliably.

    From these requirements, this thesis focuses on the security of VPN over MPLS; its content is organised into seven chapters as follows:

    Chapter I: An overview of network security, the types of hackers, security vulnerabilities, the attack techniques used by hackers, measures for detecting attacks, and the rules required for network security.

    Chapter II: The overall structure of virtual private networks (VPN), the classification of VPN types, the components of the network, and the tunnelling protocols.

    Chapter III: Basic VPN security, security issues on the Internet, methods of securing a VPN, and security in the PPTP, L2TP, SSL and IPsec protocols.

    Chapter IV: The overall structure of an MPLS network, its modes of operation, and the protocols used in MPLS.

    Chapter V: Applying VPNs over MPLS networks: the overlay model, the peer-to-peer model, MPLS VPN virtual routers, the MPLS VPN architecture, and quality of service.

    Chapter VI: VPN security over MPLS: IPsec MPLS VPN, Layer 2 MPLS VPN security, and secure operation and maintenance of the MPLS core.

    Chapter VII: Simulation of VPN security over MPLS using IPsec.

    Chapter VIII: Conclusion and directions for future work.

    Summary - Abstract

  • REFERENCES (page 145)

    Domestic references:

    [1] MSc. Hoàng Trọng Minh, MSc. Nguyễn Thanh Trà, Kỹ Thuật Chuyển Mạch Nhãn 1 (Label Switching Techniques 1), Học viện Bưu chính Viễn thông (Posts and Telecommunications Institute of Technology), 2010.

    [2] MSc. Hoàng Trọng Minh, MSc. Nguyễn Thanh Trà, Kỹ Thuật Chuyển Mạch Nhãn 2 (Label Switching Techniques 2), Học viện Bưu chính Viễn thông (Posts and Telecommunications Institute of Technology), 2010.

    Foreign references:

    [3] Michael H. Behringer, Monique J. Morrow, MPLS VPN Security, Cisco Press, June 08, 2005 (Part III: Chapters 6, 7, 8).

    [4] Rosen E., Viswanathan A., Callon R., Multi-Protocol Label Switching Architecture, Work in Progress, July 1998.

    Websites:

    [1] www.tapchibcvt.gov.vn

    [2] www.vntelecom.org

    [3] www.vnpro.com

    [4] www.cisco.com

    References

  • TABLE OF CONTENTS
    ACKNOWLEDGEMENTS i
    TABLE OF CONTENTS ii
    LIST OF TABLES x
    LIST OF FIGURES xi
    LIST OF ABBREVIATIONS xiv
    SUMMARY xviii
    ABSTRACT xix
    CHAPTER I: 1
    OVERVIEW OF NETWORK SECURITY 2
    1.1 INTRODUCTION TO SECURITY 2
    1.1.1 The need for security
    1.1.2 Protecting resources 3
    1.1.3 Attackers 3
    1.1.3.1 Black-hat hackers 3
    1.1.3.2 White-hat hackers 3
    1.1.3.3 Grey-hat hackers 3
    1.1.3.4 Hackers as skilled programmers 4
    1.1.3.5 Hackers as network and systems experts 4
    1.1.3.6 Hackers as hardware experts 4
    1.2 SECURITY VULNERABILITIES 4
    1.2.1 Security vulnerabilities 4
    1.2.2 Classification of security vulnerabilities 5
    1.2.2.1 Class C vulnerabilities 5
    1.2.2.2 Class B vulnerabilities 6
    1.2.2.3 Class A vulnerabilities 6
    1.2.3 Impact of security vulnerabilities on the Internet 7
    1.3 HACKER ATTACK TYPES 7
    1.3.1 Direct attacks 7
    1.3.2 Deception techniques: social engineering 8
    1.3.3 Attacks on hidden areas 8
    1.3.4 Attacks on security vulnerabilities 8

  • 1.3.5 Exploiting buffer overflows 9
    1.3.6 Eavesdropping 9
    1.3.7 Address spoofing 9
    1.3.8 Code injection 9
    1.3.9 Attacks on insecurely configured systems 10
    1.3.10 Attacks using cookies 10
    1.3.11 Tampering with URL parameters 10
    1.3.12 Denial of service 10
    1.4 MEASURES FOR DETECTING THAT A SYSTEM IS UNDER ATTACK 11
    1.5 SECURITY RULES 12
    CHAPTER II: 14
    OVERVIEW OF VIRTUAL PRIVATE NETWORK (VPN) TECHNOLOGY 14
    2.1 INTRODUCTION TO VPN 15
    2.2 TYPES OF VPN 17
    2.2.1 Remote access VPN 17
    2.2.2 Intranet VPN 18
    2.2.3 Extranet VPN 18
    2.3 COMPONENTS OF A VPN 18
    2.3.1 Customer Network 19
    2.3.2 Provider Network 19
    2.4 TUNNELLING PROTOCOLS IN VPN 21
    2.4.1 PPTP (Point-to-Point Tunneling Protocol) 21
    2.4.2 L2TP (Layer 2 Tunneling Protocol) 23
    2.4.3 IPsec (IP Security Protocol) 25
    2.4.3.1 Data origin authentication / connectionless data integrity 25
    2.4.3.2 Anti-replay protection 25
    2.4.3.3 Confidentiality 26
    2.4.3.4 Encapsulating Security Payload (ESP) 27
    2.4.3.5 Authentication Header (AH) 28
    2.4.3.6 Internet Key Exchange (IKE) 28
    2.4.3.7 Modes of operation 29
    2.4.3.8 Transport mode 29

  • 2.4.3.9 Tunnel mode 29
    2.4.4 SSL VPN (Secure Socket Layer VPN) 30
    2.4.4.1 History of SSL 30
    2.4.4.2 A specific application of SSL: securing VPN deployments 31
    2.4.4.3 When a VPN is not a VPN 32
    2.4.4.4 Using SSL for applications 32
    2.4.4.5 Cost evaluation 33
    CHAPTER III: 34
    SECURITY IN VPN 34
    3.1 VPN AND SECURITY ISSUES ON THE INTERNET 35
    3.1.1 Authentication 35
    3.1.2 Availability 36
    3.1.3 Confidentiality 36
    3.1.4 Integrity 36
    3.1.5 Tính không ch 37
    3.1.6 Non-repudiation 37
    3.2 VPN SECURITY METHODS 37
    3.2.1 Firewalls 37
    3.2.2 Access cryptography 37
    3.2.2.1 Private-key cryptography 37
    3.2.2.2 Public-key cryptography 38
    3.2.3 AAA servers 38
    3.2.4 Security in the tunnelling mechanism 38
    3.3 SECURITY IN THE PPTP PROTOCOL 38
    3.4 SECURITY IN THE L2TP PROTOCOL 39
    3.5 SECURITY IN SSL 42
    3.6 SECURITY IN THE IPSEC PROTOCOL 43
    3.6.1 Introduction 43
    3.6.2 Features 45
    3.6.3 IPsec SA 47
    3.6.3.1 Structure 47
    3.6.3.2 Operating modes of SAs in IPsec 47

  • a) Transport mode 49
    b) Tunnel mode 50
    3.6.4 IKE SA 51
    3.6.4.1 IKE Phases 51
    a) IKE Phase I 52
    b) IKE Phase II 52
    3.6.4.2 IKE Modes 53
    a) Main mode 53
    b) Aggressive mode 53
    c) Quick mode 54
    d) New Group mode 55
    CHAPTER IV: 56
    MULTIPROTOCOL LABEL SWITCHING (MPLS) TECHNOLOGY 56
    4.1 INTRODUCTION TO MPLS TECHNOLOGY 57
    4.1.1 Basic concepts of MPLS 57
    4.1.2 Definition 57
    4.1.3 MPLS domain 57
    4.1.4 Forwarding Equivalence Class (FEC) 58
    4.1.5 Labels 59
    4.1.6 Label swapping 61
    4.1.7 Label switched path (LSP) 61
    4.1.8 Forwarding packets through an MPLS domain 62
    4.2 COMPONENTS AND CONCEPTS IN MPLS 62
    4.2.1 Control plane 62
    4.2.2 Forwarding plane 63
    4.3 MPLS OPERATION STEPS 65
    4.3.1 Step 1 - Signalling 65
    4.3.2 Step 2 - Label assignment 66
    4.3.3 Step 3 - Packet transport 66
    4.4 PROTOCOLS USED IN MPLS 66
    4.4.1 Label Distribution Protocol (LDP) 66
    4.4.1.1 Step 1) Label assignment 67
    Table of Contents

  • 4.4.1.2 Step 2) LDP session establishment 67
    4.4.1.3 Step 3) Label distribution 68
    4.4.1.4 Step 4) Label maintenance 68
    4.4.2 The CR-LDP protocol 69
    4.4.2.1 Concept 69
    4.4.2.2 Extensions for constraint-based routing 69
    4.4.2.3 Establishing a CR-LSP 69
    4.4.3 Resource Reservation Protocol (RSVP) 70
    4.4.3.1 RSVP operation 70
    a) RSVP message types 70
    b) RSVP functions 71
    4.4.3.2 Path setup with RSVP 71
    a) The path setup process 71
    b) Example of path setup with RSVP 72
    4.4.3.3 Path maintenance 73
    4.4.3.4 Path teardown 73
    4.4.3.5 Error reporting 73
    4.4.3.6 The "Make-Before-Break" mechanism 74
    4.4.3.7 Load sharing 74
    4.4.3.8 RSVP packet format 75
    4.4.3.9 RSVP object class format 76
    CHAPTER V: 78
    APPLYING VIRTUAL PRIVATE NETWORKS (VPN) OVER MPLS NETWORKS 78
    5.1 THE OVERLAY MODEL 79
    5.2 THE PEER-TO-PEER MODEL 80
    5.3 MPLS VPN VIRTUAL ROUTERS 81
    5.4 MPLS VPN ARCHITECTURE 82
    5.4.1 Forwarding in MPLS VPN 84
    a) Forwarding 84
    b) Forwarding in MPLS VPN 87
    5.4.2 Neighbour router discovery in MPLS VPN 88
    5.4.3 DiffServ in MPLS VPN 88

  • 5.5 QUALITY OF SERVICE IN MPLS VPN 88
    5.5.1 The "pipe" model for QoS support 89
    5.5.2 The "hose" model for QoS support 91
    5.5.3 Quality parameters 93
    5.5.3.1

  • 7.1 IMPLEMENTING MPLS VPN: 125
    7.1.1 Network diagram - basic interface configuration 125
    7.1.2 Creating the MPLS core 128
    7.1.2.1 Step 1: Configure IGP routing (OSPF) 128
    7.1.2.2 Step 2: Enable MPLS on all PE and P routers 129
    7.1.2.3 Step 3: Enable BGP on the PE routers 129
    7.1.2.4 Step 4: Enable the VPNv4 capability for BGP 129
    7.1.3 Creating MPLS VPNs for the customers 130
    7.1.3.1 Customer A uses static routing 130
    7.1.3.1.1 Step 1: Create the VRF for customer A on the PE routers 130
    7.1.3.1.2 Step 2: Assign these VRFs to the corresponding interfaces and set IP addresses 130
    7.1.3.1.3 Step 3: Verify with ping between PE and CE 131
    7.1.3.1.4 Step 4: Configure static routing in VRF A on the PE routers 131
    7.1.3.1.5 Step 5: Configure static routing for customer A on the CE routers 131
    7.1.3.1.6 Step 6: On the PE routers, redistribute the static routes into MP-BGP so that these routers can reach the customer's other site 131
    7.1.3.1.7 Step 7: Check whether the PE routers have received the static routes 132
    7.1.3.1.8 Step 8: Check whether the CEs can see each other 132
    7.1.3.2 Customer B uses dynamic routing with RIPv2 132
    7.1.3.2.1 Step 1: Create the VRF for customer B on the PE routers 132
    7.1.3.2.2 Step 2: Assign these VRFs to the corresponding interfaces and set IP addresses 133
    7.1.3.2.3 Step 3: Verify with ping between PE and CE 133
    7.1.3.2.4 Step 4: Run RIPv2 in VRF B on the PE routers 133
    7.1.3.2.5 Step 5: Run RIPv2 for customer B on the CE routers 134
    7.1.3.2.6 Step 6: Check the VRF B routing table on the PE routers 135
    7.1.3.2.7 Step 7: On the PE routers, redistribute the RIPv2 routes into MP-BGP so that these routers can reach the customer's other site 135

  • 7.1.3.2.8 Step 8: Check whether the PE routers have received the RIPv2 routes from the other site 136
    7.1.3.2.9 Step 9: On the PE routers, redistribute the received BGP routes into RIPv2 136
    7.1.3.2.10 Step 10: Ping to check whether the CEs can see each other; inspect the routing table 136
    7.2 DEPLOYING IPSEC VPN 137
    7.2.1 Step 1: Configure the ISAKMP policy 137
    7.2.2 Step 2: Configure the IPsec transform set 138
    7.2.3 Step 3: Configure the crypto access control list (ACL) 139
    7.2.4 Step 4: Configure the crypto map 139
    7.2.5 Step 5: Apply the crypto map to the outbound interface 140
    7.2.6 Verification: 140
    a) Check the LAN 140
    b) Check the crypto map 141
    7.3 Remarks 141
    CHAPTER VIII: 142
    CONCLUSION & FUTURE WORK 142
    8.1 Conclusion 143
    8.2 Directions for future work 144
    REFERENCES 145