UNIVERSITY OF INFORMATION AND COMMUNICATION TECHNOLOGY
FACULTY OF INFORMATION TECHNOLOGY
----------

GRADUATION INTERNSHIP REPORT

TOPIC: RESEARCH AND CONSTRUCTION OF A VIRTUAL PRIVATE NETWORK (VPN) FOR THE PHỔ YÊN TELECOMMUNICATIONS CENTER

Student: Nguyễn Khánh Toàn
Class: MTT & TT K9A
Supervisor: M.Sc. Dương Thu Mây

Thái Nguyên, March 2015

TABLE OF CONTENTS

CHAPTER 1: INTRODUCTION
CHAPTER 2: OVERVIEW OF VIRTUAL PRIVATE NETWORKS
2.1. Definition of a virtual private network
2.2. History of VPN development
2.3. Functions and advantages of VPN
2.3.1. Functions
2.3.2. Advantages
2.4. Classification of VPNs
2.4.1. Remote access VPN
2.4.2. Intranet VPN
2.4.3. Extranet VPN
2.5. Layer 2 Forwarding protocol (L2F)
2.5.1. Advantages and disadvantages of L2F
2.5.2. L2F implementation
2.5.3. L2F operation
2.6. Point-to-Point Tunneling Protocol (PPTP)
2.6.1. PPTP architecture
2.6.2. Using PPTP
2.7. Layer 2 Tunneling Protocol (L2TP)
2.7.1. L2TP architecture
2.7.2. Using L2TP
2.8. IP Security protocol (IPsec)
2.8.1. IPsec operation
2.8.2. Example of IPsec operation
CHAPTER 3: SURVEY AND ANALYSIS OF THE SYSTEM
3.1. The problem
3.2. Solving the problem
3.2.1. System survey
3.2.2. Current system diagram
3.3. Solutions
3.3.1. Using an Internet leased-line service
3.3.2. Setting up a virtual private network (VPN)
3.4. Choice of solution
CHAPTER 4: BUILDING AND CONFIGURING THE SYSTEM
4.1. System model
4.2. System configuration
4.3. Configuration results
CONCLUSION
REFERENCES
SUPERVISOR'S COMMENTS


ACKNOWLEDGEMENTS

First of all, I would like to express my sincere thanks to M.Sc. Dương Thu Mây, who guided me attentively throughout the graduation internship. I am also deeply grateful to the teachers of the University of Information and Communication Technology, Thái Nguyên University. They have built for us an enormous store of knowledge, not only in our discipline; they have also taught us how to conduct ourselves, and trained in us the will and the ambition to advance and to develop creative thinking in every field. Finally, I thank my family, my friends and those dearest to me, who have always stood by me and encouraged me to progress in study and in life.

Thái Nguyên, March 2015
Student: Nguyễn Khánh Toàn

CHAPTER 1: INTRODUCTION

1.1. Reasons for choosing the topic

Today the rapid development of science and technology, especially information technology and telecommunications, contributes greatly to the development of the world economy. Organizations and enterprises with many branches, and multinational companies, must constantly exchange information with their customers, partners and employees. They therefore need to obtain the latest and most accurate information while guaranteeing a high degree of reliability between their branches around the world, as well as with partners and customers. In the past, two kinds of telecommunication service were available to meet these requirements: renting leased lines from providers to connect all of a company's subnetworks together, or using the Internet to communicate.

The advent of virtual private network (VPN) technology reconciles these two services: a VPN can be built on the existing infrastructure of the Internet while having the properties of a private network, as when leased lines are used. VPN can therefore be called the optimal choice for businesses.

With the topic "Research and construction of a virtual private network (VPN) for the Phổ Yên telecommunications center" in this internship, I hope to contribute to the understanding of VPN technology and to the wider adoption of VPN techniques.

1.2. Objectives of the topic

To master the basic knowledge and an overview of virtual private networks; to state the advantages and disadvantages, the classification and the security capabilities of VPN. To build an experimental VPN system. Because the available facilities are limited, this stops at the level of study and installation of a reduced model. The simulation is carried out with the GNS3 simulation software.

1.3. Significance of the topic

To give the reader an overview of virtual private networks, the benefits of using them, and how to distinguish between and deploy VPNs, with the basic configuration steps and troubleshooting. To master the operating principles in order to improve the performance and the security of the system.

CHAPTER 2: OVERVIEW OF VIRTUAL PRIVATE NETWORKS

2.1. Definition of a virtual private network

A virtual private network (VPN) is essentially a private network that uses a public network (usually the Internet) to connect remote sites or users to a central headquarters LAN. Instead of a real and rather complex connection such as a dedicated leased line, a VPN creates virtual links carried over the Internet between an organization's private network and the remote sites or users.

Figure 1.1: VPN model

Terms used in VPN:

Virtual means a dynamic connection, not hard-wired, that exists as a connection while network traffic passes through it. The connection can change and adapt to many different environments and can tolerate the imperfections of the Internet. When a connection is requested it is established and maintained regardless of the network infrastructure between the endpoints.

Private means that the transmitted data is always kept confidential and can only be accessed by authorized users. This is important because the original Internet protocol suite, TCP/IP, was not designed to provide any level of security. Security is therefore supplied by adding VPN software or hardware.

Network is the infrastructure between end users, stations or nodes that carries the data. Private or public, wired or wireless, the Internet or any other available dedicated network resource may be used to build the network.

The concept of a VPN is not new; it was used in earlier telephone networks, but because of some limitations VPN technology did not then have great strength or competitiveness. Recently, the growth of intelligent networks and IP infrastructure has made VPN genuinely new again. A VPN allows private connections to be set up with remote users, company branch offices and business partners who all share a public network.

2.2. History of VPN development

The appearance of virtual dedicated networks, also called virtual private networks (VPN), originated in customers' demand for an efficient way to connect their private branch exchanges (PBX) over a wide area network (WAN). Previously, group telephone systems and local area networks (LAN) used leased lines to organize dedicated networks for communicating with each other.

Milestones in the development of VPN:
- 1975: France Télécom introduced the Colisée service, providing dedicated-line service to large customers. Colisée could offer customers a dedicated numbering plan; it charged according to the volume of service and offered many other management features.
- 1985: Sprint introduced a VPN; AT&T introduced a VPN service under its own name, the Software Defined Network (SDN).
- 1986: Sprint introduced Vnet; Telefónica of Spain introduced Ibercom.
- 1988: a VPN price war broke out in the United States, letting small and medium enterprises afford VPN service and save nearly 30% of their costs, which stimulated the rapid growth of this service in the US.
- 1989: AT&T introduced the international VPN (IVPN) service GSDN.
- 1990: MCI and Sprint introduced international VPN services; Telstra of Australia introduced the first domestic VPN service in the Asia-Pacific region.
- 1992: the Dutch PTT and Sweden's Telia founded the joint venture Unisource, providing VPN service.
- 1993: AT&T, KDD and Singapore Telecom announced the WorldPartners global alliance, providing a range of international services including VPN.
- 1994: BT and MCI founded the joint venture Concert, providing VPN and frame relay services.
- 1995: ITU-T issued Recommendation F.16 on the global virtual network service (GVNS).
- 1996: Sprint, Deutsche Telekom and France Télécom formed the Global One alliance.
- 1997 can be considered a brilliant year for VPN technology: it appeared in every science and technology magazine and conference. VPNs built on the public Internet infrastructure brought a new capability and a new perspective on VPN.

VPN technology is the optimal communication solution for companies and organizations with many offices and branches. Today, with the development of technology, IP network infrastructure is ever more complete, and so are the capabilities of VPN. At present VPNs are used not only for voice services but also for data, image and multimedia services.

2.3. Functions and advantages of VPN

2.3.1. Functions

A VPN provides three main functions: authentication, integrity and confidentiality.

Authentication: to establish a VPN connection, the two sides must first authenticate each other, to confirm that each is exchanging information with the intended party and not someone else.

Integrity: guarantees that the data is not altered, that is, that no tampering occurs during transmission.

Confidentiality: the sender can encrypt data packets before sending them over the public network, and the data is decrypted on the receiving side. In this way nobody can access the information without authorization; even if it is captured, it cannot be read.

2.3.2. Advantages

VPN brings real and immediate benefits to companies.

A VPN can be used not only to simplify communication between remote workers and mobile users, but also to extend the intranet to every office, and even to deploy an extranet to customers and key partners. These benefits, direct or indirect, include cost saving, flexibility and scalability.

Cost saving: using a VPN helps companies reduce both capital and recurring costs. The total cost of owning a VPN is reduced because less is paid for bandwidth, backbone network equipment and system maintenance. The cost of LAN-to-LAN connectivity falls by 20 to 30% compared with traditional leased lines, and for remote access by 60 to 80%.

Flexibility: flexibility here means not only flexibility in operation and use but also in meeting usage requirements. Customers can use T1 or T3 connections between offices, and many other kinds of connection can be used to connect small offices and mobile users. A VPN service provider can offer customers many choices: 56 kbit/s modem connections, xDSL, T1, T3 and so on.

Scalability: because a VPN is built on public network infrastructure (the Internet), a VPN can be deployed wherever a public network exists. Since public networks are available everywhere, VPN scalability is very flexible. A distant office can easily connect to the company network using a telephone line or DSL.

Reduced technical support: standardizing on one type of connection from mobile users to an ISP's point of presence (POP), and standardizing the security requirements, reduces the need for technical support for the VPN. Today, as service providers take on more of the network support tasks, the technical support demands on users keep decreasing.

Reduced equipment requirements: by providing a single solution for enterprise dial-up Internet access, a VPN requires less and simpler equipment than maintaining separate modems, adapter cards for terminal equipment and remote access servers.

Meeting commercial needs: VPN products and services follow the common current standards, partly to guarantee that the product works, but perhaps more importantly so that products from different vendors can work together.

2.4. Classification of VPNs

The goals set for VPN technology are to satisfy three basic requirements:
- At any time, company employees can access the company's internal network remotely or while mobile.
- Branches and mobile offices are interconnected.
- The access rights of customers, service providers or other external parties can be controlled.

Based on these requirements, VPNs are divided into three types:
- Remote access VPN
- Intranet VPN
- Extranet VPN

2.4.1. Remote access VPN

Remote access VPNs provide remote access capability. At any time, employees, branches and mobile offices can exchange information with and access the company network. A remote access VPN extends the company network to its users over shared infrastructure while company network policies are maintained. They can be used to provide secure access from mobile devices, mobile users, branches and company partners. These VPNs are implemented over public infrastructure using dial-up, mobile IP, DSL and cable technologies, and usually require some kind of client software running on the user's computer.

Figure 1.2: Remote access VPN model

Advantages of remote access VPN over traditional remote access methods:
- A remote access VPN does not need support from network staff, because the remote connection process is handled by ISPs.
- It provides cheap connectivity for remote users. Because the access connections are local, the modems operate at higher speeds than long-distance access.
- The VPN provides better access to company sites because it supports the lowest level of connection service.

Despite these advantages, remote access VPNs still have inherent disadvantages:
- They do not support QoS-guaranteed services.
- The risk of data loss is high.
- Because the encryption algorithms are complex, protocol overhead increases significantly.

2.4.2. Intranet VPN

Intranet VPNs are used to secure the connections between the different sites of a company. The VPN links the headquarters, offices and branches over a shared infrastructure using connections that are always encrypted. This allows every site to securely access the authorized data resources throughout the company network. These VPNs still provide WAN characteristics such as scalability, reliability and support for many kinds of protocol at low cost while remaining flexible. This type of VPN is usually configured as a site-to-site VPN.

Figure 1.3: Intranet VPN model

The main advantages of an intranet based on a VPN solution include:
- Fewer technical support staff are needed at remote sites.
- Because the intermediate connections are made over the Internet, a new peer link can easily be added.
- Cost savings, obtained by using VPN tunnels over the Internet.

However, an intranet based on a VPN solution also has disadvantages:
- Because data is tunneled over a public network, the Internet, there remain threats to data security and to quality of service (QoS).
- The chance of packets being lost in transit remains fairly high.
- Transmitting large volumes of data, such as multimedia, with high speed and real-time requirements is a major challenge in the Internet environment.

2.4.3. Extranet VPN

Unlike intranet and remote access VPNs, an extranet VPN is not isolated from the outside world. An extranet VPN provides controlled access to the network resources needed by extended business parties such as partners, customers and suppliers.

Figure 1.4: Extranet VPN model

Extranet VPNs provide a secure tunnel between customers, suppliers and partners over public infrastructure. This type of VPN uses connections that are always secured and is configured as a site-to-site VPN. The difference between an intranet VPN and an extranet VPN is the network access granted at one of the two ends of the VPN.

Main advantages of extranet VPN:
- The cost of an extranet VPN is much lower than that of a traditional network.
- It is easy to set up, maintain and change for a running network.
- Because the Internet connections are maintained by the ISP, fewer technical support staff are needed, reducing the operating cost of the whole network.

Alongside these advantages, the extranet VPN solution also has disadvantages:
- The possibility of information leakage and data loss while passing through the public network remains.
- It increases the risk to the company's local networks.

There are now many solutions to the two problems of encapsulating data and securing data in a VPN, all based on tunneling protocols. A tunneling protocol encapsulates data with an appropriate header so that it can be sent over the Internet. The tunneling protocol is the core of a VPN solution. Four tunneling protocols are used in VPNs:
- Layer 2 Forwarding (L2F)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- Internet Protocol Security (IPsec)

2.5. Layer 2 Forwarding protocol (L2F)

L2F was developed independently by Cisco and is based on the Point-to-Point Protocol (PPP). L2F provides a virtual dial-up service by establishing a secure tunnel over public infrastructure such as the Internet. L2F is the earliest of these protocols; it is the traditional method for remote users to access a company network through a remote access device. L2F allows PPP packets to be encapsulated in L2F, that is, data-link-layer tunneling.

2.5.1. Advantages and disadvantages of L2F

Advantages:
- Allows multiprotocol tunnels.
- Offered by many vendors.

Disadvantages:
- No encryption.
- Weak user authentication.
- No flow control for the tunnel.

2.5.2. L2F implementation

L2F encapsulates layer 2 packets, in this case PPP, and carries them across a network.

L2F uses the following elements:
- NAS (network access server): directs traffic to and from the remote client and the home gateway. The ERX system acts as the NAS.
- Tunnel: defines the path between the NAS and the home gateway. One tunnel consists of a number of connections.
- Home gateway: the peer of the NAS.
- Connection: a PPP connection inside the tunnel. In the CLI, an L2F connection is treated as a session.
- Destination: the far endpoint of the tunnel. In this case the home gateway is the destination.

Figure 1.5: Typical L2F model

2.5.3. L2F operation

L2F operation comprises connection setup, tunnel setup and the session. Consider an example illustrating L2F operation:
1) A remote user dials into the NAS and initiates a PPP connection to the ISP.
2) The NAS and the client exchange Link Control Protocol (LCP) packets.
3) The NAS uses a local database keyed on the domain name, or RADIUS authentication, to decide whether the user requires L2F service.
4) If the user requires L2F, the process continues: the NAS obtains the address of the home gateway.
5) A tunnel is established from the NAS to the home gateway if none exists between them. Tunnel establishment includes an authentication phase from the ISP to the home gateway to protect against third-party attacks.
6) A new PPP connection is created inside the tunnel, which in effect extends the PPP session from the remote user to the home gateway. The connection is established as follows: the home gateway receives the options and all the PAP/CHAP authentication information as negotiated between the user's terminal and the NAS; the home gateway either accepts the connection or renegotiates LCP and re-authenticates the user.
7) When the NAS receives data traffic from the user, it takes the packet, encapsulates the traffic in an L2F frame and forwards it into the tunnel.
8) At the home gateway, the L2F frame is stripped and the encapsulated data is forwarded to the company network.

2.6. Point-to-Point Tunneling Protocol (PPTP)

PPTP was first introduced by a group of companies called the PPTP Forum, which included Ascend Communications, Microsoft, ECI Telematics and U.S. Robotics. PPTP builds on the functions of PPP, providing dial-up access that creates a secure tunnel over the Internet to the destination site. PPTP uses Generic Routing Encapsulation (GRE), described below, to encapsulate and de-encapsulate PPP packets, which lets PPTP flexibly handle non-IP protocols such as IPX and NetBEUI.

Because PPTP is based on PPP, it also uses PAP and CHAP for authentication. PPTP can use PPP to encrypt data, but Microsoft offers a stronger encryption method, Microsoft Point-to-Point Encryption (MPPE), for use with PPTP.

One advantage of PPTP is that it is designed to operate at layer 2 (the data link layer), whereas IPsec runs at layer 3 of the OSI model. By supporting layer 2 data transfer, PPTP can tunnel protocols other than IP, whereas IPsec can only tunnel IP packets.

2.6.1. PPTP architecture

Figure 1.6: PPTP architecture

PPP and PPTP

PPP has become the most popular dial-up protocol for accessing the Internet and TCP/IP networks today. Working at the data link layer of the OSI model, PPP includes methods for encapsulating and de-encapsulating different kinds of packets for serial transmission. In particular, PPP defines two protocol families: the Link Control Protocol (LCP) for establishing, configuring and testing the link, and the Network Control Protocols (NCP) for establishing and configuring the various network-layer protocols.

PPP can encapsulate IP, IPX and NetBEUI packets and carry them over a point-to-point link from sender to receiver. Before communication can take place, each PPP peer sends LCP packets to test the configuration and the data link.

When a PPP connection is established, the user is usually authenticated. This is an optional phase in PPP, but ISPs always provide it. Authentication is performed by PAP or CHAP.

With PAP the password is sent over the link in plain text and is not protected against eavesdropping or guessing attacks. CHAP is a stronger authentication method that uses a three-way handshake. CHAP resists replay attacks by using challenge values that are unique and unpredictable. CHAP issues challenges during and after connection setup, and repeating the challenges limits the window of exposure to attack.

PPTP is designed on top of PPP to create a dial-up connection between the client and the network access server. PPTP uses PPP to perform the following functions:
- Establish and terminate the physical connection.
- Authenticate the user.
- Create PPP data packets.

After PPP has established the connection, PPTP uses PPP's encapsulation rules to encapsulate the packets sent through the tunnel. To take advantage of the connection created by PPP, PPTP defines two packet types, control packets and data packets, and assigns them to two separate channels, the control channel and the data channel. PPTP then separates the control channel and the data channel into a control stream over TCP and a data stream over IP. The TCP connection created between the PPTP client and the PPTP server is used to carry control messages.

Data packets are the user's ordinary data. Control packets are sent periodically to obtain connection status information and to manage signaling between the PPTP client and the PPTP server. Control packets are also used to send device management information and configuration information between the two ends of the tunnel. The control channel is required to set up a tunnel between the PPTP client and the PPTP server. The client software may reside on the remote user's machine or on the ISP's server.

Figure 1.7: Protocols used in a PPTP connection

After the tunnel is established, user data is transmitted between the client and the PPTP server. PPTP packets contain IP data packets. The data packets are encapsulated with a GRE header, using the host's Call ID for access control and acknowledgments (ACK) for monitoring the data rate in the tunnel.

Because PPTP operates at the data link layer, a media header is needed in the packet to identify the medium on which the tunneled data is carried: Ethernet, Frame Relay or a PPP link.

Figure 1.8: PPTP/GRE encapsulation

PPTP also has a flow control mechanism to limit the amount of data sent. This mechanism minimizes the data that has to be retransmitted because of packet loss.

PPTP packet structure

* Encapsulation of PPTP tunnel data

PPTP tunnel data is encapsulated at several levels: PPP frame encapsulation, GRE packet encapsulation and data link layer encapsulation. The structure of the encapsulated data packet is:

Figure 1.9: Structure of a data packet in a PPTP tunnel

PPP frame encapsulation: the original PPP payload is encrypted and encapsulated with a PPP header to create a PPP frame. The PPP frame is then encapsulated with the header of a modified version of the GRE protocol. For PPTP, the GRE header is modified in the following ways:
- An acknowledgment bit is used to indicate the presence of a 32-bit acknowledgment field.
- The Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID is set by the PPTP client during PPTP tunnel initialization.
- A 32-bit acknowledgment field is added.

GRE is a protocol that provides a general mechanism for encapsulating data to be sent over an IP network.

GRE packet encapsulation: next, the encrypted PPP payload and the GRE header are encapsulated with an IP header containing the source and destination addresses of the PPTP client and the PPTP server.

Data link layer encapsulation: because the PPTP tunnel operates at layer 2 of the OSI model (the data link layer), the IP datagram is encapsulated with the header and trailer of the data link layer. For example, if the IP datagram is sent over an Ethernet interface, it is encapsulated with an Ethernet header and trailer. If the IP datagram is sent over a point-to-point WAN link, it is encapsulated with a PPP header and trailer.

* Processing PPTP tunnel data

On receiving PPTP tunnel data, the PPTP client or PPTP server performs the following steps:
- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Process and remove the GRE header and the PPP header.
- Decrypt and/or decompress the PPP payload if necessary.
- Process the payload for reception or forwarding.

* PPTP encapsulation diagram

Figure 1.10: PPTP encapsulation diagram
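The modified GRE header described above (Key field replaced by a 16-bit Payload Length and a 16-bit Call ID, optional sequence number, optional 32-bit acknowledgment) is small enough to build and check by hand. The following Python is an added example written for this report; it is not code from the original page or from any PPTP implementation. The field layout follows RFC 2637, and the PPP frame it wraps is a constructed sample (PPP protocol 0x0021 followed by the first bytes of an IPv4 header).

```python
import struct

GRE_PROTO_PPP = 0x880B   # protocol type for PPP inside enhanced GRE (RFC 2637)
FLAG_K = 0x20            # byte 0: Key field present (here: payload length + Call ID)
FLAG_S = 0x10            # byte 0: sequence number present
FLAG_A = 0x80            # byte 1: acknowledgment number present
GRE_VERSION = 0x01       # byte 1 low bits: version 1 = enhanced GRE


def build_pptp_gre(call_id, ppp_frame, seq=None, ack=None):
    """Wrap a PPP frame in the PPTP variant of GRE (RFC 2637 section 4)."""
    byte0 = FLAG_K | (FLAG_S if seq is not None else 0)
    byte1 = GRE_VERSION | (FLAG_A if ack is not None else 0)
    # The standard GRE Key field is replaced by Payload Length and Call ID.
    hdr = struct.pack("!BBHHH", byte0, byte1, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def parse_pptp_gre(packet):
    """Split a PPTP/GRE packet into its header fields and the PPP payload.

    Rejects anything that is not enhanced GRE carrying PPP, and rejects a
    packet whose declared payload length does not match what is present,
    so a truncated or padded packet is not silently mis-parsed."""
    if len(packet) < 8:
        raise ValueError("GRE header truncated")
    byte0, byte1, proto, length, call_id = struct.unpack_from("!BBHHH", packet, 0)
    if proto != GRE_PROTO_PPP or (byte1 & 0x07) != GRE_VERSION or not (byte0 & FLAG_K):
        raise ValueError("not a PPTP enhanced-GRE packet")
    offset = 8
    seq = ack = None
    if byte0 & FLAG_S:
        if len(packet) < offset + 4:
            raise ValueError("sequence number truncated")
        seq = struct.unpack_from("!I", packet, offset)[0]
        offset += 4
    if byte1 & FLAG_A:
        if len(packet) < offset + 4:
            raise ValueError("acknowledgment number truncated")
        ack = struct.unpack_from("!I", packet, offset)[0]
        offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("payload length field does not match packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


if __name__ == "__main__":
    # Constructed sample PPP frame: protocol 0x0021 (IP) and the start of an IPv4 header.
    ppp = bytes.fromhex("0021" "45000054")
    pkt = build_pptp_gre(call_id=0x1234, ppp_frame=ppp, seq=7, ack=3)
    print(pkt.hex())
    print(parse_pptp_gre(pkt))
```

The first eight bytes of the packet built in the usage above are 30 81 88 0b 00 06 12 34: the K and S bits in byte 0, the A bit and version 1 in byte 1, the PPP protocol type, the payload length and the Call ID. A firewall that filters by GRE flags or by Call ID sees exactly these bytes, which is why the Call ID rather than a TCP port identifies the data channel of a PPTP call.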

Process: IP datagrams, IPX datagrams or NetBEUI frames are passed by the corresponding protocol to the virtual interface (which represents the VPN connection) using NDIS (Network Driver Interface Specification). NDIS passes the packet to NDISWAN, which encrypts and compresses the data and adds a PPP header. This PPP header contains only the PPP protocol ID field, with no Flag or FCS (frame check sequence) fields. It is assumed that the Address and Control fields were negotiated away by the Link Control Protocol (LCP) during PPP connection setup. NDISWAN sends the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header, the Call ID field is set to the appropriate value to identify the tunnel. PPTP then sends the resulting packet to the TCP/IP protocol. TCP/IP encapsulates the PPTP tunnel data with an IP header, then sends the result to the interface representing the dial-up connection to the local ISP, using NDIS. NDIS sends the packet to NDISWAN, which adds the PPP header and trailer. NDISWAN sends the resulting PPP frame to the appropriate WAN port representing the dial-up hardware.

Tunnels

PPTP allows users and ISPs to create different kinds of tunnel. The user can choose the tunnel endpoint to be at their own computer if PPTP is installed there, or at the ISP's server (the ISP's machine must support PPTP). There are two classes of tunnel: voluntary tunnels and compulsory tunnels.

Voluntary tunnel: created at the user's request. When using a voluntary tunnel, the user can simultaneously open a secure tunnel over the Internet and access a host on the Internet with ordinary TCP/IP. Voluntary tunnels are commonly used to provide privacy and data integrity for intranet traffic sent over the Internet.

Compulsory tunnel: created without user involvement, so it is transparent to the user. The endpoint of a compulsory tunnel is at the remote access server (RAS). All data sent by the user through the PPTP tunnel must pass through the RAS. Because the compulsory tunnel has a predetermined endpoint and the user cannot reach the rest of the Internet, it provides better access control than a voluntary tunnel. If, for security reasons, users are not to be given access to the public Internet, a compulsory tunnel prevents them from reaching the public Internet while still letting them use the Internet to reach the VPN (that is, they can access and read only the sites inside the VPN).

Another advantage of compulsory tunnels is that one tunnel can carry many connections. This reduces the bandwidth required for multi-session applications.

A disadvantage of compulsory tunnels is that the link from the RAS to the user lies outside the tunnel and is therefore exposed to attack.

Figure 1.11: Compulsory and voluntary tunnels

Using RADIUS to provide compulsory tunnels has some advantages: tunnels can be defined and checked on the basis of user authentication and billing by telephone number, or of other authentication methods such as tokens or smart cards.

Authentication and encryption

PPTP clients are authenticated in the same way that RAS clients are authenticated by a PPP server. Microsoft supports CHAP, PAP and MS-CHAP authentication. MS-CHAP uses the MD4 hash to derive the challenge token from the user's password. PAP and CHAP have the drawback that both rely on a password stored on the remote machine and on the local machine. If the machine is taken over by an attacker from the network, the password is compromised. With PAP and CHAP it is not possible to assign different network access rights to different users on the same remote machine, because when rights are granted to a machine, every user on that machine receives the same network access rights.

With PPTP, data is encrypted with Microsoft Point-to-Point Encryption (MPPE). This method is based on RSA's RC4 cipher; the Compression Control Protocol (CCP) used by PPP negotiates the encryption. MS-CHAP is used to validate the end user against a Windows NT domain.
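The three-way CHAP handshake described in the PPP section above, and the password-storage weakness of PAP and CHAP noted in this section, can both be seen in a few lines of Python. This is an added example written for this report, not code from the original page or from any PPP implementation. It follows RFC 1994 (CHAP with MD5: the response is the MD5 of the identifier, the shared secret and the challenge) and, for contrast, RFC 1334 (PAP carries the password itself). The user name and secret are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side of the handshake: Challenge, Response, Success/Failure.

    As with a real PPP server, the shared secret must be held in a form the
    server can recover (the weakness noted in the text), and each challenge
    value is accepted at most once."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)    # peer name -> shared secret (bytes)
        self.outstanding = {}           # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self):
        """Step 1: send a fresh, unpredictable challenge under a new identifier."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)          # unpredictability is what defeats replay
        self.outstanding[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        """Step 3: check the peer's response. The challenge is consumed either way,
        so a captured response cannot be replayed against the same challenge."""
        value = self.outstanding.pop(ident, None)
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


def pap_authenticate_request(name, password):
    """For contrast: a PAP Authenticate-Request (RFC 1334) carries the password in clear."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


if __name__ == "__main__":
    # Constructed sample credentials.
    server = ChapAuthenticator({b"alice": b"correct horse"})
    ident, chal = server.challenge()                          # 1. Challenge
    resp = chap_response(ident, b"correct horse", chal)       # 2. Response (peer side)
    print("first attempt:", server.verify(ident, b"alice", resp))   # 3. Success
    print("replayed:     ", server.verify(ident, b"alice", resp))   # stale challenge, rejected
    print("PAP on the wire:", pap_authenticate_request(b"alice", b"correct horse"))
```

Two properties are worth checking against a real implementation: the response changes whenever the challenge or identifier changes, which is what makes a captured response useless; and the verifier needs the plaintext secret, which is exactly why a compromised RAS or client (as the text notes) exposes every password it holds.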

Figure 1.12: Encryption in PPTP packets

A 40-bit session key is used for encryption, but users in the United States can install a software upgrade to 128 bits. MPPE encrypts PPP packets at the client before they enter the PPTP tunnel, so packets are protected from the workstation to the PPTP server. The session key can be renegotiated after every packet or after a number of packets.

LAN-to-LAN tunnels

The original PPTP protocol focused only on supporting dial-up connections into a private network over the Internet; LAN-to-LAN tunnels were not supported. Only when Microsoft introduced the Routing and Remote Access Server for Windows NT Server 4.0 were LAN-to-LAN tunnels supported. Since then other vendors have also offered PPTP-compatible servers that support LAN-to-LAN tunnels.

A LAN-to-LAN tunnel runs between two PPTP servers, much as IPsec uses two security gateways to connect two LANs. However, because the PPTP architecture has no key management system, authorization and authentication are handled by CHAP or MS-CHAP. To create a tunnel between two sites, the PPTP server at each site is authenticated by the PPTP server at the other site. Each PPTP server thus becomes a PPTP client of the PPTP server at the other end and vice versa, so a voluntary tunnel is created between the two sites.

Figure 1.13: LAN-to-LAN tunnel

Because the PPTP tunnel can carry any supported network protocol (IP, IPX, NetBEUI), users at one site can access resources at the other site according to their access rights.

2.6.2. Using PPTP

In general a PPTP VPN requires: a network access server for secure dial-up access to the VPN, a PPTP server, and PPTP clients.

Figure 1.14: Basic components of a VPN using PPTP

The PPTP servers can be located on the company network and managed by company staff, but the NAS must be supported by the ISP.

PPTP server

The PPTP server performs two main functions: it acts as the endpoint of the PPTP tunnel, and it forwards packets arriving from the tunnel to the private LAN. The PPTP server forwards packets to the destination host by processing the PPTP packet to obtain the network address of the destination machine.

The PPTP server can also filter packets using PPTP packet filtering. PPTP filtering lets the server deny or allow access to the Internet, to the private network, or to both.

Placing a PPTP server at the network site introduces a limitation if the PPTP server sits behind a firewall. PPTP is designed so that only one TCP/IP port (1723) is used to carry its control data. This fixed port configuration may make the firewall more vulnerable to attack. If the firewall is configured with packet filtering, it must also be set to let GRE (IP protocol 47) through, since the tunneled data does not travel over TCP at all.

PPTP client software

If the ISP's equipment supports PPTP, no extra hardware or software is needed for the clients; only a standard PPP connection is required. If the ISP's equipment does not support PPTP, a Windows NT client (or similar software) can still create a secure connection: first dial up to the ISP with PPP, then dial again through the virtual PPTP port set up on the client.

2.7. Layer 2 Tunneling Protocol (L2TP)

L2TP is a combination of two protocols, PPTP and L2F (Layer 2 Forwarding). PPTP was introduced by Microsoft and L2F by Cisco. The two companies cooperated to merge the two protocols and submitted the result to the IETF for standardization.

Like PPTP, L2TP is a tunneling protocol that uses its own encapsulation header for carrying layer 2 packets. A major difference between L2F and PPTP is that L2F does not depend on IP and GRE, which lets it work over other physical environments. L2TP carries the characteristics of both PPTP and L2F. However, L2TP defines its own tunneling protocol based on the operation of L2F. This lets L2TP be carried over many packet environments such as X.25, Frame Relay and ATM. Although most L2TP tools focus on UDP over IP networks, an L2TP system can be set up without using IP as the tunneling protocol: an ATM or Frame Relay network can carry L2TP tunnels.

2.7.1. L2TP architecture

The functional components of L2TP include: the point-to-point protocol, tunnels, the authentication system and encryption. L2TP can use key management to add security. The L2TP architecture is shown in the figure:

Figure 1.15: L2TP architecture

PPP and L2TP

L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS). L2TP uses PPP to create the physical connection, carry out the initial authentication phase, create PPP data packets and close the connection at the end of the session.

After PPP has created the connection, L2TP determines whether the NAS at the main site accepts the user and is ready to act as the tunnel endpoint for that user. After the tunnel is established, L2TP encapsulates the PPP packets and transmits them over the medium that the ISP assigns to the tunnel. L2TP can create several tunnels between the ISP's NAS and the network server, and assign several sessions to one tunnel. L2TP creates an identifier (Call ID, also called the Session ID) for each session and inserts it into the L2TP header of every packet to indicate which session the packet belongs to.

A user session can also be assigned to its own tunnel instead of multiplexing several sessions into one tunnel; this allows different users to be assigned to different tunnel environments according to the quality of service.

Figure 1.16: Protocols used in an L2TP connection

Like PPTP, L2TP defines two message types: control messages and data messages. Control messages control the establishment, management and release of sessions on the tunnel. Control messages also carry the transmission rate and the buffer parameters used to flow-control PPP packets in a session. Unlike PPTP, however, L2TP carries both types of message in the same UDP datagrams and on the same stream.

Because L2TP works at layer 2 of the OSI model, the data link layer, the L2TP data message includes a media header indicating the environment the tunnel works in. Depending on the ISP, the medium may be Ethernet, X.25, Frame Relay, ATM or a PPP link.

Figure 1.17: L2TP encapsulation

L2TP provides a flow control mechanism between the NAS (or L2TP Access Concentrator, LAC) and the private network's server (or L2TP Network Server, LNS).

L2TP packet structure

* Encapsulation of L2TP tunnel data

L2TP tunnel data is produced through several levels of encapsulation. The figure shows the final structure of L2TP tunnel data over IPsec.

Figure 1.18: Structure of a data packet in an L2TP tunnel

L2TP encapsulation: the original PPP payload is encapsulated with a PPP header and an L2TP header.

UDP encapsulation: the L2TP packet is then encapsulated with a UDP header, with the source and destination ports set to 1701.

IPsec encapsulation: depending on the IPsec policy, the UDP packet is encrypted and encapsulated with an IPsec ESP header, an IPsec ESP trailer and an IPsec authentication trailer.

IP encapsulation: the IPsec packet is encapsulated with an IP header containing the source and destination IP addresses of the VPN client and the VPN server.

Data link layer encapsulation: because the L2TP tunnel operates at layer 2 of the OSI model, the data link layer, the final IP datagram is encapsulated with the header and trailer of the data link technology of the outgoing physical interface. For example, when the IP datagram is sent over an Ethernet interface it is encapsulated with an Ethernet header and trailer. When the IP datagram is sent over a point-to-point WAN link (such as a telephone line or ISDN), it is encapsulated with a PPP header and trailer.
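The two innermost layers just described, the L2TP header and the UDP header on port 1701, can be built and parsed as follows. This is an added example written for this report, not code from the original page or from any L2TP implementation; the IPsec layer that sits outside UDP in the figure is deliberately omitted here, so what the parser sees is what an LNS sees after IPsec has already been removed. The header layout follows RFC 2661 (L2TPv2); the PPP frame is a constructed sample.

```python
import struct

L2TP_UDP_PORT = 1701
L2TP_VERSION = 2
FLAG_T = 0x8000   # 1 = control message, 0 = data message
FLAG_L = 0x4000   # Length field present
FLAG_S = 0x0800   # Ns/Nr sequence fields present
FLAG_O = 0x0200   # Offset Size field (and padding) present


def build_l2tp_data(tunnel_id, session_id, ppp_frame, ns=None, nr=0):
    """Build an L2TPv2 data message (RFC 2661 section 3.1) around a PPP frame."""
    flags = FLAG_L | L2TP_VERSION
    if ns is not None:
        flags |= FLAG_S
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        body += struct.pack("!HH", ns, nr)
    # Length covers the whole L2TP message: flags, length, IDs, Ns/Nr and payload.
    total = 2 + 2 + len(body) + len(ppp_frame)
    return struct.pack("!HH", flags, total) + body + ppp_frame


def build_udp(src_port, dst_port, payload):
    """Minimal UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_l2tp_over_udp(datagram):
    """Parse UDP + L2TPv2 and return the demultiplexing keys and the PPP payload.

    Tunnel ID and Session ID are what the receiver uses to route the payload to
    the right PPP session; the length checks stop a short or over-long datagram
    from being read past its end."""
    if len(datagram) < 8:
        raise ValueError("UDP header truncated")
    src_port, dst_port, udp_len, _ = struct.unpack_from("!HHHH", datagram, 0)
    if dst_port != L2TP_UDP_PORT or udp_len < 8 + 6 or udp_len > len(datagram):
        raise ValueError("not a well-formed L2TP/UDP datagram")
    l2tp = datagram[8:udp_len]
    flags = struct.unpack_from("!H", l2tp, 0)[0]
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not L2TPv2")
    offset = 2
    end = len(l2tp)
    if flags & FLAG_L:
        end = struct.unpack_from("!H", l2tp, offset)[0]
        offset += 2
        if end > len(l2tp):
            raise ValueError("L2TP length exceeds datagram")
    tunnel_id, session_id = struct.unpack_from("!HH", l2tp, offset)
    offset += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack_from("!HH", l2tp, offset)
        offset += 4
    if flags & FLAG_O:
        pad = struct.unpack_from("!H", l2tp, offset)[0]
        offset += 2 + pad
    return {
        "control": bool(flags & FLAG_T),
        "tunnel_id": tunnel_id,
        "session_id": session_id,
        "ns": ns,
        "nr": nr,
        "payload": l2tp[offset:end],
    }


if __name__ == "__main__":
    # Constructed sample PPP frame: HDLC address/control FF 03, protocol 0x0021 (IP), IPv4 start.
    ppp = bytes.fromhex("ff03" "0021" "45000054")
    l2tp = build_l2tp_data(tunnel_id=5, session_id=9, ppp_frame=ppp, ns=1, nr=0)
    dgram = build_udp(L2TP_UDP_PORT, L2TP_UDP_PORT, l2tp)
    print(dgram.hex())
    print(parse_l2tp_over_udp(dgram))
```

Compared with the PPTP case, everything a firewall needs to match is in one UDP flow: the port is 1701 on both sides (or whatever the administrator chooses, as section 2.7.2 notes), and control and data messages differ only in the T bit of the first header word, which is why L2TP is easier to pass through packet filters than PPTP's TCP-plus-GRE pair.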

* Processing L2TP tunnel data over IPsec

On receiving L2TP tunnel data over IPsec, the L2TP client or L2TP server performs the following steps:
- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Use the IPsec ESP authentication trailer to authenticate the IP payload and the IPsec ESP header.
- Use the IPsec ESP header to decrypt the encrypted part of the packet.
- Process the UDP header and pass the L2TP packet to the L2TP layer.
- L2TP uses the Tunnel ID and the Session ID (Call ID) in the L2TP header to identify the specific L2TP tunnel and session.
- Use the PPP header to identify the PPP payload and forward it to the appropriate protocol for processing.

L2TP tunnels

L2TP uses the same tunnel classes as PPTP; depending on whether the user is a PPP client or an L2TP client, the tunnel is voluntary or compulsory.

A voluntary tunnel is created at the user's request for a specific purpose. With a voluntary tunnel, the user can simultaneously open a secure tunnel over the Internet and access any host on the Internet with ordinary TCP/IP. The endpoint of a voluntary tunnel is at the user's computer. Voluntary tunnels are commonly used to provide privacy and data integrity for intranet traffic sent over the Internet.

Figure 1.19: Voluntary and compulsory tunnels
A compulsory tunnel is created automatically, without any action by the user and without giving the user a choice. Because it is created without the user's involvement, it is transparent to the end user. A compulsory tunnel has a predetermined endpoint, located at the ISP's LAC, so this kind of tunnel gives better access control than a voluntary tunnel. One advantage of compulsory tunnels is that a single tunnel can carry several connections, which reduces the network bandwidth consumed by multi-session applications. One drawback is that the connection from the LAC to the user lies outside the tunnel and is therefore exposed to attack.
LAN-to-LAN tunnels
L2TP was originally intended for dial-up VPN access with PPP clients, but it is also suitable for LAN-to-LAN connections in a VPN. A LAN-to-LAN tunnel is set up between two L2TP servers, at least one of which must have a connection to an ISP in order to start the PPP session. Both servers act as both LAC and LNS and can initiate or terminate the tunnel when required.

Figure 1.20: LAN-to-LAN tunnel
Key management
When two parties want to transfer data securely and practically, they must be sure that both handle the data in the same way: both must use the same encryption algorithm, the same key length and the same data key. This is handled through the security association (SA).
2.7.2. Using L2TP
Because the main function of L2TP is dial-up VPN access across the Internet, the components of L2TP are the network access concentrator, the L2TP server and the L2TP clients. The most important parts of L2TP are the definitions of the tunnel endpoints, the LAC and the LNS. The LNS can be installed at the company and run by a company team, while the LAC is usually supported by the ISP. The basic components of L2TP are shown in the figure:

Figure 1.21: Basic components of L2TP
L2TP network server
The L2TP server has two main functions: it acts as the endpoint of the PPTP tunnel, and it forwards packets arriving from the tunnel to the private LAN and vice versa. The server forwards packets to the destination host by processing the L2TP packet to obtain the destination host's network address. Unlike a PPTP server, an L2TP server cannot filter packets; packet filtering in L2TP is done by the firewall. In practice, however, the network server and the firewall are integrated. This integration has several advantages over PPTP: L2TP does not require a single fixed port to be assigned on the firewall as PPTP does. The administrator can choose the port assigned on the firewall, which makes it harder for an attacker trying to hit a well-known port when that port may be changed. Data and control information are carried over the same UDP port, so the firewall setup is simpler. And because some firewalls do not support GRE, they are more compatible with L2TP than with PPTP.
2.8. The IP security protocol - IPSEC
To secure IP at the packet level, the IETF introduced the IPSec protocol suite. The IPSec suite was first used for authenticating and encrypting IP packets, and was standardised as RFCs 1825 to 1829 in 1995. The suite describes a security architecture, since the original TCP/IP protocol suite included no built-in security features. In the early days of the Internet, when its users belonged to universities and research institutes, data security was not the important issue it is now that the Internet is ubiquitous, commercial applications are everywhere on it and its user base is much wider, hackers included. IPSec protection is built on two kinds of header used in the IP packet, the IP packet being the basic data unit of an IP network. IPSec defines two headers for IP packets that control authentication and encryption: the IP Authentication Header (AH), which handles authentication, and the Encapsulating Security Payload (ESP), which is for encryption. IPSec is not a single protocol. It is a framework of standard protocol sets that lets network administrators choose the algorithms, keys and authentication methods that provide data authentication, data integrity and data confidentiality. IPSec is the choice for overall VPN security and is the best option for a company network.
It guarantees reliable communication for applications across public IP networks. IPsec creates secure tunnels through the Internet to carry data flows; each secure tunnel is a pair of security associations that protect the data flow between two hosts. IPSec was developed with the next generation of IP, IPv6, in mind, but because IPv6 deployment was slow and IP packets needed protection, IPSec was adapted to IPv4. IPSec support is optional in IPv4, whereas IPv6 has IPSec built in.
2.8.1. IPSec operation
The main purpose of IPSec is to protect the desired data flow with the required security services, and its operation can be divided into five main steps:

Figure 1.22: The five steps of IPSec operation (diagram labels: A sends traffic to be protected to B; Routers A and B negotiate an IKE Phase 1 exchange (IKE SA); Routers A and B negotiate an IKE Phase 2 exchange (IPSec SA); information is transmitted through the IPSec tunnel; the IPSec tunnel is terminated)
Step 1: Traffic that needs protection starts the IPSec process. Here the IPSec devices recognise which traffic must be protected, for example from the address fields.
Step 2: IKE Phase 1. IKE authenticates the IPSec peers, and a set of security services is negotiated and agreed (negotiation of the IKE security associations, IKE SAs). This phase sets up a secure communication channel for negotiating the IPSec SAs in Phase 2.
Step 3: IKE Phase 2. IKE negotiates the IPSec SA parameters and sets up matching IPSec SAs on both sides. These security parameters are used to protect the data and messages exchanged between the endpoints. The end result of the two IKE steps is a secure channel between the two sides.
Step 4: Data transfer. Data is transferred between the IPSec peers on the basis of the security parameters and keys stored in the SA database.
Step 5: IPSec tunnel termination. The IPSec SAs end because they are deleted or because they time out.
The five steps are now described in more detail.
Step 1 - Triggering the traffic to be protected

Figure 1.23: Triggering the traffic to be protected
Determining which traffic needs protection is part of the security policy of a VPN. The policy decides which traffic must be protected and which need not be (clear-text traffic that needs no protection). The policy is then enforced at the interface of each IPSec peer. For every inbound and outbound packet there are three choices: apply IPSec, bypass IPSec, or discard the packet. For every packet protected by IPSec, the system administrator must specify the security services applied to it. The databases and the security policy specify the IPSec protocols, the nodes and the algorithms used for the traffic flow. For example, the access control lists (ACLs) of routers are used to determine which traffic must be encrypted. ACLs are defined by command lines, for instance:
permit: identifies traffic that must be encrypted.
deny: identifies traffic that must be sent unencrypted.
When traffic requiring protection is detected, an IPSec peer triggers the next step: negotiating an IKE Phase 1 exchange.
Step 2 - IKE Phase 1
The basic purpose of IKE Phase 1 is to negotiate the IKE policy sets, authenticate the peers and set up a secure channel between them. IKE Phase 1 has two modes: main mode and aggressive mode.
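The per-packet decision of step 1 (apply IPSec, bypass, or discard), as an added example that is not part of the thesis: it parses Cisco-style crypto ACLs with wildcard masks into an ordered policy, using the two ACLs configured in Chapter 4 for routers PY and TX, and classifies packets against them. The discard entry and the sample addresses are constructed for the demonstration.

```python
# Added example (not from the thesis): deciding, per packet, whether IPsec is
# applied, the packet passes in clear text, or it is dropped, from crypto ACLs
# with Cisco wildcard masks. The ACLs are the two from Chapter 4 (routers PY
# and TX); the DISCARD entry and the sample packets are constructed values.
import ipaddress

PROTECT, BYPASS, DISCARD = "apply IPsec", "bypass (clear text)", "discard"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0


def _address_spec(tokens, pos):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[pos]."""
    if tokens[pos] == "any":
        return "0.0.0.0", "255.255.255.255", pos + 1
    if tokens[pos] == "host":
        return tokens[pos + 1], "0.0.0.0", pos + 2
    return tokens[pos], tokens[pos + 1], pos + 2


def parse_crypto_acl(lines):
    """'access-list N permit|deny ip SRC DST' -> ordered policy entries.
    permit = traffic to encrypt, deny = traffic sent unencrypted (as in step 1)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        action = PROTECT if t[2] == "permit" else BYPASS
        src, src_wc, pos = _address_spec(t, 4)
        dst, dst_wc, _ = _address_spec(t, pos)
        entries.append((src, src_wc, dst, dst_wc, action))
    return entries


def classify(src: str, dst: str, policy, default=BYPASS) -> str:
    """First matching entry wins; a packet matching no entry gets `default`."""
    for net_src, wc_src, net_dst, wc_dst, action in policy:
        if wildcard_match(src, net_src, wc_src) and wildcard_match(dst, net_dst, wc_dst):
            return action
    return default


def mirrored(acl_a, acl_b) -> bool:
    """True if every entry of acl_a appears in acl_b with src/dst swapped,
    which is what the two peers' crypto ACLs must satisfy."""
    swapped = {(d, dw, s, sw, act) for s, sw, d, dw, act in acl_a}
    return swapped == set(acl_b)


# The two crypto ACLs from Chapter 4; each side's ACL mirrors the other's.
PY_ACL = parse_crypto_acl(["access-list 101 permit ip 10.2.0.0 0.0.0.255 172.16.2.0 0.0.0.255"])
TX_ACL = parse_crypto_acl(["access-list 101 permit ip 172.16.2.0 0.0.0.255 10.2.0.0 0.0.0.255"])

# Constructed policy that also discards: one internal host is blocked entirely.
PY_POLICY_WITH_DISCARD = [("10.2.0.99", "0.0.0.0", "0.0.0.0", "255.255.255.255", DISCARD)] + PY_ACL

if __name__ == "__main__":
    print(classify("10.2.0.5", "172.16.2.10", PY_ACL))      # apply IPsec
    print(classify("10.2.0.5", "203.0.113.7", PY_ACL))      # bypass (clear text)
```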

Figure 1.24: IKE Phase 1
Main mode consists of three two-way exchanges between the initiator and the responder:
First exchange: the encryption and authentication algorithms (used to protect the IKE exchanges) are negotiated between the peers.
Second exchange: a DH exchange is used to create the shared secret keys, and random numbers (nonces) are exchanged to confirm the identity of each peer. The shared secret is used to derive all the other encryption and authentication keys.
Third exchange: each side verifies the other's identity (peer authentication).
The main result of main mode is a secure channel for the peers' subsequent exchanges. Aggressive mode uses fewer exchanges (and therefore fewer packets). Almost everything is done in the first exchange: negotiation of the IKE policy set, generation of the DH public key, and an identity packet that can be used to verify identity through a third party. The responder sends back everything needed to complete the exchange, and finally the initiator confirms the exchange.
IKE policy sets
When a secure connection is set up between Host A and Host B across the Internet, a secure tunnel is established between Router A and Router B. Through that tunnel, the encryption, authentication and other protocols are negotiated. Rather than negotiating each protocol separately, the protocols are grouped into sets, the IKE policy sets. The IKE policy sets are exchanged in the first exchange of IKE Phase 1 main mode. If a matching policy is found on both sides, main mode continues; if no matching policy is found, the tunnel is torn down.

Figure 1.25: IKE policy sets
For example, Router A sends its policy sets IKE Policy 10 and IKE Policy 20 to Router B. Router B compares its own policy set, IKE Policy 15, with the policy sets received from Router A. In this case a matching policy is found: Router A's IKE Policy 10 and Router B's IKE Policy 15 are equivalent. In many point-to-point applications each side only needs to define one IKE policy set; a central site, however, may have to define several IKE policies to satisfy all of its remote peers.
Diffie-Hellman key exchange
The Diffie-Hellman key exchange is a public-key cryptographic method that lets two parties establish a shared secret key over a secure communication medium. This secret key is used to generate all the other authentication and encryption keys. Once the groups have been agreed, the shared secret SKEYID is computed. SKEYID is used to derive three further keys, SKEYID_a, SKEYID_e and SKEYID_d, each with its own purpose:
SKEYID_a is used in the authentication process.
SKEYID_e is used in the encryption process.
SKEYID_d is used to derive keys for security associations that are not ISAKMP (non-ISAKMP SAs).
All four keys are computed in IKE Phase 1. When this step is complete, the peers share the same secret, but they have not yet been authenticated; that happens in the third exchange, peer authentication.
Peer authentication
Peer authentication is the final exchange, used to authenticate the peers, that is, to check who is at the other end of the tunnel. The devices at the two ends of the VPN tunnel must be authenticated before the channel is considered secure. The last exchange of IKE Phase 1 serves this purpose.
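The policy-set matching of Figure 1.25 and the SKEYID derivation described above, as an added example that is not part of the thesis: it selects the first policy set identical on both sides, runs a Diffie-Hellman exchange, and derives SKEYID, SKEYID_d, SKEYID_a and SKEYID_e with the pre-shared-key formulas of RFC 2409 on both peers. The policy sets are modelled on the Chapter 4 configuration, and the DH group is a tiny toy group labelled as such, not an IKE MODP group.

```python
# Added example (not from the thesis): IKE Phase 1 policy-set matching, a
# Diffie-Hellman exchange, and the RFC 2409 SKEYID / SKEYID_d / SKEYID_a /
# SKEYID_e derivation for pre-shared-key authentication. The DH group is a
# toy group for the demonstration, not a real IKE group; nonces and cookies
# are random per run.
import hmac
import secrets

# Policy sets modelled on Chapter 4 (aes 256 / sha / pre-share / group 5).
# Lower number = higher priority, as on IOS.
ROUTER_A_POLICIES = {
    10: {"encryption": "aes-256", "hash": "sha", "auth": "pre-share", "group": 5},
    20: {"encryption": "3des", "hash": "md5", "auth": "pre-share", "group": 2},
}
ROUTER_B_POLICIES = {
    15: {"encryption": "aes-256", "hash": "sha", "auth": "pre-share", "group": 5},
}

TOY_P = 2305843009213693951   # 2**61 - 1, prime; toy group only
TOY_G = 5
HASH_FOR = {"sha": "sha1", "md5": "md5"}   # IKE hash name -> hmac digest name


def select_ike_policy(initiator, responder):
    """First main-mode exchange: the initiator offers its policy sets in
    priority order; the responder accepts the first one identical to one of its
    own. Returns (initiator_priority, responder_priority, policy), or None when
    no policy matches and the tunnel is torn down."""
    for i_prio, i_pol in sorted(initiator.items()):
        for r_prio, r_pol in sorted(responder.items()):
            if i_pol == r_pol:
                return i_prio, r_prio, i_pol
    return None


def prf(key: bytes, data: bytes, hash_name: str) -> bytes:
    return hmac.new(key, data, hash_name).digest()


def derive_phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r, hash_name):
    """RFC 2409 section 5: with pre-shared keys SKEYID = prf(psk, Ni | Nr); then
    SKEYID_d (keying material for non-ISAKMP SAs), SKEYID_a (authentication of
    ISAKMP messages) and SKEYID_e (encryption of ISAKMP messages)."""
    skeyid = prf(psk, ni + nr, hash_name)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00", hash_name)
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01", hash_name)
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02", hash_name)
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1(initiator, responder, psk: bytes):
    """Policy match, then DH + nonces, then key derivation on both sides.
    Returns (match, keys_initiator, keys_responder) or None."""
    match = select_ike_policy(initiator, responder)
    if match is None:
        return None
    hash_name = HASH_FOR[match[2]["hash"]]
    # second exchange: DH public values and nonces; cookies come from the headers
    x_i = secrets.randbelow(TOY_P - 2) + 1
    x_r = secrets.randbelow(TOY_P - 2) + 1
    y_i, y_r = pow(TOY_G, x_i, TOY_P), pow(TOY_G, x_r, TOY_P)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # each side computes g^xy from the peer's public value and its own secret
    gxy_i = pow(y_r, x_i, TOY_P).to_bytes(8, "big")
    gxy_r = pow(y_i, x_r, TOY_P).to_bytes(8, "big")
    keys_i = derive_phase1_keys(psk, ni, nr, gxy_i, cky_i, cky_r, hash_name)
    keys_r = derive_phase1_keys(psk, ni, nr, gxy_r, cky_i, cky_r, hash_name)
    return match, keys_i, keys_r


if __name__ == "__main__":
    match, keys_i, keys_r = phase1(ROUTER_A_POLICIES, ROUTER_B_POLICIES, b"cisco")
    print("matched policies", match[0], "and", match[1], "identical keys:", keys_i == keys_r)
```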

Figure 1.26: Peer authentication
Three methods of data-origin authentication:
Pre-shared keys: a secret key value entered manually identifies the peer.
RSA signatures: digital certificates are exchanged to authenticate the peer.
RSA-encrypted nonces: random numbers (nonces, one generated by each peer) are encrypted and then exchanged between the peers; the two nonces are used throughout the peer authentication process.
Step 3 - IKE Phase 2
The purpose of IKE Phase 2 is to negotiate the IPSec security parameters used to protect the IPSec tunnel.

Figure 1.27: Negotiating the IPSec security parameters
IKE Phase 2 performs the following functions:
Negotiates the IPSec security parameters and the IPSec transform sets.
Establishes the IPSec security associations.
Periodically renegotiates the IPSec SAs to keep the tunnel secure.
Optionally performs an additional DH exchange (new SAs and keys are generated, improving the security of the tunnel).
IKE Phase 2 has only one mode, called Quick Mode. It takes place once IKE has established the secure tunnel in IKE Phase 1. IKE Phase 2 negotiates a common IPSec transform set, derives the shared secret keys used by the IPSec security algorithms, and establishes the IPSec SAs. Quick mode exchanges nonces that are used to generate new shared key material and to prevent replay attacks from creating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the old one expires.
IPSec transform sets
The final purpose of IKE Phase 2 is to set up a secure IPSec session between the endpoints. Before that can happen, each pair of endpoints must agree on the required level of security (for example the authentication and encryption algorithms used in the session). Rather than negotiating each protocol individually, the protocols are grouped into sets, the IPSec transform sets. These transform sets are exchanged between the two sides in Quick Mode. If an equivalent transform set is found on both sides, the session setup continues; otherwise the session is dropped.

Figure 1.28: IPSec transform sets
Example: Router A sends IPSec transform sets 30 and 40 to Router B. Router B compares them with its own IPSec transform set 55 and finds it equivalent to Router A's transform set 30; the authentication and encryption algorithms in these transform sets form a security association (SA).
Security association (SA)
Once a transform set has been agreed between the two sides, each VPN device enters this information into a database. The information includes the authentication and encryption algorithms, the peer's address, the transmission mode, the key lifetime and so on. This information is known as a security association (SA). An SA is a one-way logical connection that provides security for all traffic passing over it. Because most traffic is bidirectional, two SAs are needed, one inbound and one outbound. The VPN device then numbers each SA with a Security Parameter Index (SPI). Instead of sending every SA parameter through the tunnel, each side simply inserts the SPI into the ESP header. When the receiver gets a packet, it looks up the destination address and SPI in its Security Association Database (SAD) and then processes the packet with the algorithms designated by that SPI and specified in the SPD.

Figure 1.29: Security associations
An IPSec SA is a combination of the SAD and the SPD. The SAD defines the destination peer's IP address, the IPSec protocol and the SPI. The SPD defines the security services applied to the SA's peer: the encryption and authentication algorithms, the mode and the key lifetime. For example, for a Company-to-Bank network connection a highly secure tunnel is established between the two sides using 3DES, SHA, tunnel mode and a key lifetime of 28800; the SAD values are 192.168.2.1, ESP and SPI 12. For a remote user accessing e-mail, a tunnel with a lower level of security is negotiated, using DES, MD5, tunnel mode and a key lifetime of 28800, corresponding to SPI 39.
Lifetime of a security association
As with the lifetime of a password on a computer, the longer the lifetime the greater the security risk. The same applies to keys and SAs: for a high level of security, keys and SAs must be changed regularly. Two parameters determine when a key and its SA are changed:
Lifetime type: whether the lifetime is measured in bytes or in transmission time.
Duration: the amount, in kilobytes of data or in seconds.
For example, a lifetime of 10000 kB of data transmitted or 28800 s. Keys and SAs remain valid until the lifetime expires or an external cause, such as one side tearing down the tunnel, deletes the key and SA.
Step 4 - The encrypted IPSec tunnel
Once IKE Phase 2 and quick mode have completed and the IPSec SAs are established, traffic between Host A and Host B passes through a secure tunnel. The traffic is encrypted and decrypted with the algorithms specified in the IPSec SA.
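The SAD lookup by destination address, protocol and SPI, together with the two lifetime types and the rule of step 5 that a new SA is negotiated before the old one expires, as an added example that is not part of the thesis. The two SAs are the ones described above (SPI 12 and SPI 39); the kilobyte limit, timestamps and packet sizes are constructed values.

```python
# Added example (not from the thesis): an inbound SA lookup keyed by
# (destination address, protocol, SPI) as in the SAD described above, with
# lifetimes in seconds and kilobytes and a rekey-before-expiry check.
# The SAs with SPI 12 and SPI 39 follow the text; the byte budget, the
# timestamps and the packet sizes are constructed for the demonstration.
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    spi: int
    peer: str            # destination address of the protected traffic
    protocol: str        # "ESP" or "AH"
    encryption: str
    auth: str
    mode: str
    lifetime_seconds: int
    lifetime_kbytes: int
    created_at: float
    bytes_processed: int = 0

    def expired(self, now: float) -> bool:
        """An SA ends when its time runs out or its byte budget is used up."""
        return (now - self.created_at >= self.lifetime_seconds
                or self.bytes_processed >= self.lifetime_kbytes * 1024)

    def needs_rekey(self, now: float, fraction: float = 0.9) -> bool:
        """Start a new IKE Phase 2 before expiry, so the replacement SA exists
        while the old one is still valid (step 5)."""
        time_used = (now - self.created_at) / self.lifetime_seconds
        bytes_used = self.bytes_processed / (self.lifetime_kbytes * 1024)
        return max(time_used, bytes_used) >= fraction


class SADatabase:
    def __init__(self):
        self.entries = {}

    def add(self, sa: SecurityAssociation) -> None:
        self.entries[(sa.peer, sa.protocol, sa.spi)] = sa

    def lookup(self, dst: str, protocol: str, spi: int) -> SecurityAssociation:
        try:
            return self.entries[(dst, protocol, spi)]
        except KeyError:
            raise KeyError(f"no SA for {dst}/{protocol}/SPI {spi}: packet dropped")

    def inbound(self, dst, protocol, spi, packet_len, now):
        """Find the SA an incoming packet belongs to; if its lifetime is over,
        remove it (keys destroyed) and drop the packet, otherwise count the bytes."""
        sa = self.lookup(dst, protocol, spi)
        if sa.expired(now):
            del self.entries[(dst, protocol, spi)]
            raise ValueError(f"SA with SPI {spi} has expired; keys destroyed")
        sa.bytes_processed += packet_len
        return sa


def build_sad(now: float) -> SADatabase:
    """The two SAs from the text, both with a constructed 10000 kB byte budget."""
    sad = SADatabase()
    sad.add(SecurityAssociation(12, "192.168.2.1", "ESP", "3DES", "SHA", "tunnel", 28800, 10000, now))
    sad.add(SecurityAssociation(39, "192.168.2.1", "ESP", "DES", "MD5", "tunnel", 28800, 10000, now))
    return sad


if __name__ == "__main__":
    sad = build_sad(0.0)
    sa = sad.inbound("192.168.2.1", "ESP", 12, 1500, 10.0)
    print(sa.encryption, sa.auth, sa.bytes_processed, sa.needs_rekey(26000.0))
```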

Figure 1.30: The IPSec tunnel is established
Step 5 - Tunnel termination

Figure 1.31: Tunnel termination
IPSec SAs terminate when they are deleted or when they expire. An SA expires when its specified time has elapsed or when a given number of bytes has passed through the tunnel. When the SAs terminate, the keys are destroyed too. When new IPSec SAs are needed, a new IKE Phase 2 is performed, and if necessary a new IKE Phase 1 is negotiated as well. A successful negotiation produces new SAs and keys. The new SAs are established before the old ones expire, so that the flow of information is not interrupted.
2.8.2. An example of IPSec in operation
To summarise the whole IPSec process, consider the example in the figure.

Figure 1.32: The information exchange
In this example, B wants to communicate securely with A. When the data reaches Router B, the router checks its security policy and recognises that this packet must be protected. The pre-configured security policy also says that Router A will be the far endpoint of the IPSec tunnel. Router B checks whether an IPSec SA with Router A already exists; if not, it requests an IKE process to set one up. If the two routers have already negotiated an IKE SA, the IPSec SA can be created immediately. If they have not yet negotiated an IKE SA, they must first negotiate one before negotiating the IPSec SAs. During this process the two routers exchange digital certificates, which must have been signed beforehand by a CA that both sides trust. Once the IKE session is established, the two routers can negotiate the IPSec SA. With the IPSec SA in place, the two routers have agreed on an encryption algorithm (for example DES), an authentication algorithm (for example MD5) and a shared session key. Router B can now encrypt B's packet, place it inside a new IPSec packet and send it to Router A. When Router A receives the IPSec packet, it looks up the IPSec SA, processes the packet as required, restores the original packet and forwards it to A. This whole complex process is completely transparent to A and B.

CHAPTER 3: SURVEY AND ANALYSIS OF THE SYSTEM
3.1 The problem
Under decision no. 685/QĐ-TCCB/HĐQT of the Vietnam Posts and Telecommunications Group, Thái Nguyên Telecommunications was established by reorganising the telecommunications and IT service units and other units of the Thái Nguyên Provincial Post Office after the separation of postal and telecommunications services in the province. Thái Nguyên Telecommunications, with 11 subordinate centres, is a dependent economic unit accounting to the Vietnam Posts and Telecommunications Group, whose function is production, business and service in the telecommunications and information technology sector. The Phổ Yên Telecommunications Centre is the branch of Thái Nguyên Telecommunications in Phổ Yên district. Under the organisational structure, the telecommunications centre is responsible for supplying the full range of telecommunications and IT products and services. As a state-owned enterprise with very many branches, connecting its distant branches to one another is expensive and hard to manage. The requirement is therefore a solution to the following problem: the enterprise must be able to connect its branches to each other securely and at the lowest cost, and the solution must be suitable in terms of price, data transfer speed, security, ease of use, reuse of existing equipment and expandability.
3.2 Solving the problem
3.2.1 System survey
A survey of the telecommunications centre produced the following results:
The centre already has an internal network.
Number of computers: 20 (running Windows XP).
Three servers: a database server, a mail server and a backup server, all running Linux.
The current Internet connection is a 35 Mbps VNPT fibre line, maximum download/upload speed 35 Mbps/35 Mbps, with a flat monthly fee of 1,080,000 VND and one static IP address (free of charge).
Existing network equipment: one 16-port RJ45 Planet switch and six 24-port RJ45 switches.
3.2.2 Diagram of the current system

Figure 2.1: Diagram of the current network at Thái Nguyên
Because the branch networks are all equivalent, it is enough to look at the network diagram of the Phổ Yên Telecommunications Centre in figure 2.1 to see the current state of the branch networks.
System assessment: the diagram is a general model based on the survey of the current network at the Phổ Yên Telecommunications Centre. The equipment in use reasonably meets the requirements for quality and for the features the centre needs. The internal network has been installed to standard. The high-speed ADSL line is reasonably reliable and stable. The staff have the professional skills needed for their work.

Some security problems remain, however:
Risk of information loss from the Internet: the centre's network is connected to the Internet, but there is no security device protecting the system against intrusion from outside. Hackers can use Trojan-type viruses to get into the system and steal or destroy information. Meanwhile, company staff regularly exchange information over mail, shared web sites and the Internet, so the chance of data being attacked is high and information security is lacking.
Risk of information loss from inside the system: with the current switches, people inside the network can easily use sniffing programs to steal information sent over the network, and the risk of information loss from inside is an ever-growing one in today's networks.
Staff on business trips, and distant branches, wanting to reach the corporation's internal information usually do one of the following:
Phone a member of staff at the centre and ask for the required documents to be mailed.
Mail the server administrator directly to request the data.
For reasons of confidentiality of the information required, some staff use remote-access software to reach the central server and the computers on the internal network and find the data themselves.
All three are methods the centre's staff currently use. Several security problems that need immediate attention follow from this:
Phoning a member of staff at the centre is not optimal: the confidentiality of the information for the person who needs it is lost, so this only works for public data that any employee may use.
Mailing the server administrator directly is not promising either: it has the same limitation as above and adds another, that the person needing the information becomes too dependent on the administrator. This causes delays, and delay is something a business should not tolerate.
Remote-access software over the Internet is the solution staff use most today. It has a very serious flaw, however: it compromises the security of the whole network. Remote-access software, once activated, gives anyone who has the access password full control of the computer running it. And of course all the ports, for instance 80, 23, 139 and 445, are then open.
Opening ports at a time when hundreds of thousands of hacker scans are always running on the network means that an attack on the enterprise's internal network and its data server is bound to happen. In addition, data sent and received is not encrypted, so loss of data is a further latent risk.
These are the security problems the centre still has, and they need to be fixed promptly.
3.3 Solutions
Given the current system surveyed above and the new requirements for line quality and information security, two solutions can be proposed:
3.3.1 Using an Internet leased line service
A leased line is a dedicated channel with equal download and upload speeds at all times, offering high security and reliability. However, the installation cost and monthly fees are very high, not to mention other incidental costs. The price list below makes this clear:

Intra-province connection fee
  Speed                  Fee
  Up to 2M               2,500,000 VND
  Over 2M up to 34M      5,000,000 VND
  Over 34M               20,000,000 VND

Inter-province channel connection fee
  Speed                  Fee
  Up to 2M               8,000,000 VND
  Over 2M up to 34M      30,000,000 VND
  Over 34M               45,000,000 VND

Monthly fees (VND)
  No.  Speed        Local          Fee zone 1     Fee zone 2
  1    128 Kb/s     1,190,000      3,810,000      4,480,000
  2    256 Kb/s     1,870,000      5,690,000      6,620,000
  3    512 Kb/s     2,890,000      8,270,000      9,450,000
  4    1,024 Kb/s   4,340,000      12,510,000     14,000,000
  5    1,536 Kb/s   6,010,000      18,020,000     20,320,000
  6    2,048 Kb/s   7,000,000      20,970,000     23,640,000
  7    34 Mb/s      31,500,000     99,104,000     112,708,000
  8    45 Mb/s      45,500,000     143,136,000    162,783,000
  9    155 Mb/s     127,390,000    360,690,000    396,810,000
  10   622 Mb/s     231,620,000    728,000,000    747,300,000

General leased line diagram:
Figure 2.2: Leased line system connecting the branches

Installation costs are as follows:
Equipment:
  No.  Equipment                     Qty  Unit price  Total
  1    Cisco router                  1    $1,667      $1,667
  2    ASA 5510 firewall             1    $2,000      $2,000
  3    Catalyst 2950 16-port switch  1    $800        $800
  4    Catalyst 2950 24-port switch  6    $1,300      $7,800
  5    Leased line modem             1    $600        $600
  Total                                               $12,867

Using the 34 Mbps package: installation fee 5,000,000 VND; flat monthly fee 31,500,000 VND. So deploying one leased line costs $12,867 up front, plus a monthly maintenance charge of 31 million VND. If a single leased line served the whole enterprise this would not be excessive, but for an enterprise with many branches, travelling staff and customers wanting to connect to it, it is a very expensive solution. Taking only five 2 Mbps leased lines, the initial outlay is over $27,700, plus roughly 35,000,000 VND per month in subscription and maintenance for the five lines. It is clear that leased lines are not feasible at present for an enterprise with many representative offices and staff who travel frequently.

3.3.2 Setting up a VPN
Given the current system surveyed above and the VPN types studied in the theory section, a VPN can be configured for the post office, specifically an intranet VPN for the two branches above.

Figure 2.3: VPN connecting the two branches
As to security, this solution relies on the following mechanisms:
Accounts and passwords are set up only for those with the privilege of logging in to the router, and these accounts and passwords can be encrypted with strong algorithms for extra security.
Access control lists (ACLs) permit or deny traffic through the router.
Data exchanged inside the VPN tunnel is encrypted with complex algorithms and decrypted at the receiving end, so nobody can access the information without permission, and even if it were intercepted it could not be read.
IP addresses are also protected: because information sent over the VPN is encrypted, the addresses inside the private network are hidden and only the external Internet addresses are used.

Installation costs are as follows:
Equipment:
  No.  Equipment                     Qty  Unit price  Amount   Total
  1    Cisco router                  1    $1,667      $1,667   $12,267
  2    ASA 5510 firewall             1    $2,000      $2,000
  3    Catalyst 2950 16-port switch  1    $800        $800
  4    Catalyst 2950 24-port switch  6    $1,300      $7,800

Installation fee: 2,000,000 VND per channel per access point. Flat monthly fee (including port rental and channel rental): here the 10 Mbps local-area speed is chosen, at 5,557,000 VND.
Information security is not the concern of just one company, organisation or service; it is a shared concern of everyone who deals with and works with technology. The same goes for the developers of VPN technology, for whom security always comes first. VPN technology can therefore be said to have met a good part of the data security requirements users expect. A VPN uses the Internet as its transport, so without a data security solution, data loss is inevitable; this is why VPN technology is built on tunnelling protocols. The protocols commonly used are L2F, PPTP, L2TP and above all the IPSec security protocol, the best-secured protocol available today. VPN tunnelling can be pictured as giving every inhabitant of the islands scattered across the vast ocean of the Internet a mini-submarine: each submarine has its own private space and can travel safely and reliably wherever it likes across the open sea, and other vessels cannot see inside. In addition, devices such as firewalls add a great deal to the safety of the data; the newest include Cisco's ASA firewall range. VPN technology also uses cryptosystems to encrypt data, public-key and private-key (symmetric) systems, whose encryption, data-integrity and data-origin authentication operations further raise the level of data security a VPN provides.
3.4 Choice of solution
From the analysis above, the leased line solution meets the quality and security requirements well but is financially far too expensive (specifically the monthly leased line subscription), especially for an enterprise with many branches. With the VPN solution, line quality is quite good and keeps improving, data carried in the VPN tunnel is very secure, and the cost of installing, operating and using the VPN is low, which suits an enterprise with many branches.

A comparison of leased line and VPN costs for deployments in some US states illustrates this more clearly:

Figure 2.4: Cost comparison of leased line and VPN
We can conclude that the VPN solution saves a great deal in installation and maintenance costs and meets the enterprise's original requirements. Because a VPN is built on public network infrastructure (the Internet), it can be deployed wherever a public network exists; and since public networks are everywhere, a VPN is very flexible to extend. Staff can therefore use company resources easily whenever and wherever they have Internet access. Moreover, as a representative office expands and grows, bandwidth can easily be increased with the service provider. Because VPN technology builds internal connections on the public Internet using VPN techniques, in particular tunnelling, transfer speed remains relatively good despite the heavy encryption. It follows that a VPN for the Phổ Yên Telecommunications Centre in Thái Nguyên is a feasible solution, since it meets the enterprise's original requirements: low cost, high efficiency, reasonably strong security, and suitability for the centre's current operations as well as future expansion.

CHAPTER 4: BUILDING AND CONFIGURING THE SYSTEM
4.1 System model

Figure 3.1: Model of the VPN system simulated in GNS3
4.2 System configuration
Step 1: Configure addresses
+ On router PY:
PY(config)# interface f0/0
PY(config-if)# ip address 10.2.0.1 255.255.255.0
PY(config-if)# interface s1/0
PY(config-if)# ip address 10.0.0.1 255.255.255.0
PY(config-if)# clock rate 64000
PY(config-if)# no shutdown
+ On router ISP:
ISP(config)# interface s1/0
ISP(config-if)# ip address 10.0.0.2 255.255.255.0
ISP(config-if)# no shutdown
ISP(config-if)# interface s1/1
ISP(config-if)# ip address 10.1.0.2 255.255.255.0
ISP(config-if)# clock rate 64000
ISP(config-if)# no shutdown
+ On router TX:
TX(config)# interface loopback 0
TX(config-if)# ip address 172.16.2.10 255.255.255.0
TX(config-if)# interface s1/0
TX(config-if)# ip address 10.1.0.1 255.255.255.0
TX(config-if)# no shutdown
Step 2: Configure EIGRP routing
+ On router PY:
PY(config)# router eigrp 1
PY(config-router)# no auto-summary
PY(config-router)# network 10.0.0.0
PY(config-router)# network 10.2.0.0
+ On router ISP:
ISP(config)# router eigrp 1
ISP(config-router)# no auto-summary
ISP(config-router)# network 10.0.0.0
ISP(config-router)# network 10.1.0.0
+ On router TX:
TX(config)# router eigrp 1
TX(config-router)# no auto-summary
TX(config-router)# network 172.16.2.0
TX(config-router)# network 10.1.0.0
Step 3: Create the IKE policies
+ On router PY:
PY(config)# crypto isakmp enable
PY(config)# crypto isakmp policy 1
PY(config-isakmp)# authentication pre-share
PY(config-isakmp)# encryption aes 256
PY(config-isakmp)# hash sha
PY(config-isakmp)# group 5
PY(config-isakmp)# lifetime 3600
+ On router TX:
TX(config)# crypto isakmp enable
TX(config)# crypto isakmp policy 1
TX(config-isakmp)# authentication pre-share
TX(config-isakmp)# encryption aes 256
TX(config-isakmp)# hash sha
TX(config-isakmp)# group 5
TX(config-isakmp)# lifetime 3600
Step 4: Configure the pre-shared keys
PY(config)# crypto isakmp key cisco address 10.1.0.1
TX(config)# crypto isakmp key cisco address 10.0.0.1
Step 5: Configure the IPsec transform sets and lifetime
+ On router PY:
PY(config)# crypto ipsec transform-set ToTX esp-aes 256 esp-sha-hmac ah-sha-hmac
PY(cfg-crypto-trans)# exit
PY(config)# crypto ipsec security-association lifetime seconds 3600
+ On router TX:
TX(config)# crypto ipsec transform-set ToPY esp-aes 256 esp-sha-hmac ah-sha-hmac
TX(cfg-crypto-trans)# exit
TX(config)# crypto ipsec security-association lifetime seconds 3600
Step 6: Define the interesting traffic
PY(config)# access-list 101 permit ip 10.2.0.0 0.0.0.255 172.16.2.0 0.0.0.255
TX(config)# access-list 101 permit ip 172.16.2.0 0.0.0.255 10.2.0.0 0.0.0.255
Step 7: Create and apply the crypto maps
+ On router PY:
PY(config)# crypto map vpn 10 ipsec-isakmp
PY(config-crypto-map)# match address 101
PY(config-crypto-map)# set peer 10.1.0.1
PY(config-crypto-map)# set pfs group5
PY(config-crypto-map)# set transform-set ToTX
PY(config-crypto-map)# set security-association lifetime seconds 3600
+ On router TX:
TX(config)# crypto map vpn 10 ipsec-isakmp
TX(config-crypto-map)# match address 101
TX(config-crypto-map)# set peer 10.0.0.1
TX(config-crypto-map)# set pfs group5
TX(config-crypto-map)# set transform-set ToPY
TX(config-crypto-map)# set security-association lifetime seconds 3600

# Apply the crypto maps to the router interfaces
PY(config)# interface s1/0
PY(config-if)# crypto map vpn
TX(config)# interface s1/0
TX(config-if)# crypto map vpn
Configuration on ASA-VPN:
Address configuration:
ASA-VPN(config)# int g0
ASA-VPN(config-if)# ip add 192.168.20.1 255.255.255.0
ASA-VPN(config-if)# nameif inside
ASA-VPN(config-if)# no shut
ASA-VPN(config)# int g1
ASA-VPN(config-if)# ip add 10.2.0.2 255.255.255.0
ASA-VPN(config-if)# nameif outside
Remote-access VPN configuration:
ASA-VPN(config)# crypto isakmp enable outside
ASA-VPN(config)# crypto isakmp policy 1
ASA-VPN(config-isakmp-policy)# authentication pre-share
ASA-VPN(config-isakmp-policy)# encryption aes-256
ASA-VPN(config-isakmp-policy)# hash sha
ASA-VPN(config-isakmp-policy)# group 2
ASA-VPN(config-isakmp-policy)# lifetime 86400
ASA-VPN(config-isakmp-policy)# exit
ASA-VPN(config)# ip local pool REMOTE_SALES_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
ASA-VPN(config)# group-policy REMOTE_SALES_POLICY internal
ASA-VPN(config)# group-policy REMOTE_SALES_POLICY attributes
ASA-VPN(config-group-policy)# vpn-tunnel-protocol ipsec
ASA-VPN(config-group-policy)# banner value UNAUTHORIZED ACCESS IS TRICTLY PROHOBITTED
ASA-VPN(config-group-policy)# dns-server value 192.168.20.10
ASA-VPN(config-group-policy)# exit
ASA-VPN(config)# username vpn pass 123
ASA-VPN(config)# username vpn attributes
ASA-VPN(config-username)# vpn-group-policy REMOTE_SALES_POLICY
ASA-VPN(config-username)# vpn-tunnel-protocol ipsec
ASA-VPN(config-username)# exit
ASA-VPN(config)# tunnel-group REMOTE_SALES_GROUP type remote-access
ASA-VPN(config)# tunnel-group REMOTE_SALES_GROUP ipsec-attributes
ASA-VPN(config-tunnel-ipsec)# pre-shared-key cisco
ASA-VPN(config-tunnel-ipsec)# exit
ASA-VPN(config)# tunnel-group REMOTE_SALES_GROUP general-attributes
ASA-VPN(config-tunnel-general)# address-pool REMOTE_SALES_POOL
ASA-VPN(config-tunnel-general)# default-group-policy REMOTE_SALES_POLICY
ASA-VPN(config-tunnel-general)# exit
ASA-VPN(config)# crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
ASA-VPN(config)# crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
ASA-VPN(config)# crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
ASA-VPN(config)# crypto map OUTSIDE_MAP interface outside

4.3 Configuration results
Checking the IPsec configuration
Use the command show crypto ipsec transform-set to display the IPsec policies configured in the transform set:

Figure 3.2: Checking the transform set on router PY
Use the command show crypto map to display the crypto maps applied on the router:

Figure 3.3: Checking the crypto map
Checking IPsec operation:
Use the command show crypto isakmp sa to display the IKE SAs:

Figure 3.4: Checking the IKE SAs
Use the command show crypto ipsec sa to display information about the SA packets between router PY and router TX:

Figure 3.5: Checking the SA packets between routers PY and TX
Checking packet encryption:
From router PY we telnet to router TX while Wireshark captures the packets exchanged between the two routers. First the crypto map is removed from router PY and router TX, then the telnet session is opened.

Figure 3.6: Extended telnet from router PY to router TX

Figure 3.7: Detail of an unencrypted telnet packet from router PY
The crypto map is then re-enabled on router PY and router TX, after which the packets are encrypted.

Figure 3.8: Detail of an encrypted telnet packet from router PY
Steps for testing the remote-access VPN
Step 1: Run the VPN Client software on the client machine and connect.

Figure 3.9: Creating the VPN connection to the ASA

Where:
Connection Entry: a name for the connection (chosen freely, as a reminder).
Description: a description of the connection.
Host: the address of the ASA 5510 outside interface (IP: 10.2.0.2).
Name: the user's group name.
Password: the group authentication password.
Confirm password: re-enter the group password.
After filling in the information, save the connection. If the connection to the ASA 5510 succeeds, a prompt for user authentication appears. (The group name and password are issued to the user by the network administrator.)
Step 2: User authentication
After connecting successfully to the ASA 5510, a dialog box asks for user authentication (figure 3.10). Because each user has different levels of rights when connecting to the server system and internal network, this authentication step is what assigns usage rights and controls system resources for each user.

Figure 3.10: User authentication

Once the connection and the user authentication both succeed, the VPN Client interface appears as in Figure 3.11.

Figure 3.11: Connection successful

Step 3: Check and access data as an internal machine.
At this point the client machine acts as an internal computer and can perform every operation it has been authorized for. The client machine has the real IP address 192.168.30.10; after connecting by VPN to the internal network it is assigned an IP address from the range 192.168.50.1-192.168.50.50.

Figure 3.12: Checking the client machine's IP address

Figure 3.13: Access from the client to an internal server

When the user accesses data in the internal network, the VPN Client interface reports the details of the session:

Figure 3.14: VPN Client status after transferring data

CONCLUSION

Virtual private network (VPN) technology makes it possible to use the public network infrastructure (the Internet) to build a private WAN, with advantages in cost, unrestricted geographic reach, and flexibility in deployment and network expansion. VPNs are very useful today and will remain so in the future. Standards are being implemented that will improve interoperability and manageability. Network quality over VPNs will also improve, allowing new applications such as video conferencing, IP telephony and multimedia services. In this project I studied a number of technical issues related to implementing VPNs; the main topics were:

Basic concepts and characteristics of the tunnelling protocols PPTP, L2TP and IPSec. Of these, IPSec meets the demanding requirements for data security well and is the main solution for securing the VPNs of organizations and companies.

Basic components of a VPN: the hardware and software requirements for building a VPN. A convenient point is that, thanks to technological progress, today's hardware and software products integrate many functions and are easy to use and manage. Moreover, the public network infrastructure is improving every day, so building a VPN is easier and VPN quality is better, meeting the needs of new services.

The IPSec security protocol: IP security at the packet level, carrying out two main processes, authentication and encryption. This part introduced some authentication and encryption algorithms commonly used in VPNs, such as MD, SHA, MAC, DES, AES and DH, and the basic operation of IPSec in creating a secure tunnel between two end devices.

An overview of the Cisco IOS operating system: Cisco IOS is the operating system installed on Cisco routers. To set up a VPN, the network engineer must be well versed in Cisco IOS and its configuration commands.

After studying virtual private networks in general, I have grasped the basic issues listed above and applied them to configure a VPN for the Pho Yen telecommunications centre, Thai Nguyen province. At present the VPN offers the following advantages:
Reduced connection costs as well as fewer technical staff needed for network support
Easy expansion and maintenance of the network system
Freedom to choose a solution suited to the needs of each organization
Finally, because VPNs involve many complex protocols and algorithms and the time available for this research was limited, the scope of the project could not cover everything; I look forward to receiving comments from teachers and friends.
Sincerely, thank you.
Thai Nguyen, March 2015
Student
Nguyen Khanh Toan


ADVISOR'S COMMENTS
Thai Nguyen, ___ March 2015
Advisor
