tailieutonghop.com---do an bao mat thong tin ipsec va trien khai he thong ipsecvpn tren windows...

Upload: hoang-van-ninh

Post on 03-Apr-2018


7/28/2019 TaiLieuTongHop.com---Do an Bao Mat Thong Tin Ipsec Va Trien Khai He Thong Ipsecvpn Tren Windows Server

POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY, HO CHI MINH CITY CAMPUS

FACULTY OF INFORMATION TECHNOLOGY

***

Course project

Information Security

IPSEC AND DEPLOYING AN IPSEC/VPN SYSTEM ON WINDOWS SERVER 2003

Supervisor: Mr. L PHC

Student group:
1. Trng Th Linh
2. T nh Ngh
3. Phng Huy Khng
4. Nguyn Th Phc

Ho Chi Minh City, November 2009

Information security project: IPSEC and deploying an IPSEC/VPN system on Windows Server 2003

Table of contents

I. Preface
II. Understanding IPSEC
  1. Introduction to IPSEC
  2. IPSEC protocol architecture
    2.1 General model
    2.2 Basic protocols
    2.3 Security associations
    2.4 Transport mode and tunnel mode
  3. The AH protocol
    3.1 Protection mechanisms provided by the AH protocol
    3.2 Structure of AH
    3.3 Position of AH
    3.4 AH modes of operation
    3.5 Nested and adjacent headers in AH
    3.6 IPSEC header processing
    3.7 AH processing of outbound packets
    3.8 AH processing of inbound packets
    3.9 Some complications in the AH protocol
      3.9.1 Fragmentation and ICMP handling in the AH protocol
      3.9.2 The relationship between NAT and IPSEC
      3.9.3 Auditing in AH
  4. The ESP protocol
    4.1 Protection mechanisms provided by ESP
    4.2 Structure of ESP
    4.3 Position and modes of operation of ESP
    4.4 Nested and adjacent headers in ESP
    4.5 ESP processing of outbound packets
    4.6 ESP processing of inbound packets
    4.7 Some complications in the ESP protocol
    4.8 Expert assessments and criticisms of ESP
    4.9 Why two security headers are used
  5. Key management with IKE
    5.1 Overview of key management
    5.2 IKE phases
    5.3 IKE modes
  6. PF keys in IPSEC
    6.1 Introduction
    6.2 Structure
  7. Purpose, advantages and disadvantages of IPSEC
  8. Deploying IPSEC
    8.1 Security impacts
    8.2 Authentication methods supported by Microsoft
    8.3 IPSEC policy
    8.4 How IPSEC works
III. Deploying an IPSEC/VPN system on Windows Server 2003
  1. Deployment model
  2. Steps
IV. References


I. Preface

In today's era of a widespread Internet, services such as distance learning, online shopping and online medical consultation have become reality. However, because the Internet is global and no single organisation or government manages it, there are many difficulties in securing it, in protecting data and in guaranteeing the quality of online services delivered over the network. From this arose a new model that satisfies these requirements while still making use of the existing network infrastructure: the virtual private network (Virtual Private Network, VPN). To send and receive data over a public network while still ensuring safety and confidentiality, a VPN provides a mechanism for encrypting data on the link, creating a secure pipe (tunnel) between sender and receiver, much like a point-to-point connection on a private network. IPSEC (Internet Protocol Security) is one of the protocols that build these secure tunnels for a VPN.

This document is meant to help us understand the most basic concepts of IPSEC as well as how to deploy an IPSEC/VPN system on Windows Server 2003. Errors are unavoidable in the course of writing it, and we welcome comments from our teacher and our friends. Sincerely, thank you.

The project group.


II. Understanding IPSEC

1. Introduction to IPSEC

IPSEC (Internet Protocol Security) is a Network-layer (OSI) protocol that allows IP packets to be sent and received in encrypted form. Depending on what is required, IPSEC can provide both confidentiality and authentication for the data exchange, based on two kinds of cryptographic service: AH and ESP.

The main purpose in developing IPSEC was to provide a security mechanism at layer 3 of the OSI model.

IPSEC is also an important component supporting the L2TP (Layer Two Tunneling Protocol) protocol in VPN technology.

2. IPSEC protocol architecture

2.1 General model


2.2 Basic protocols in IPSEC

- The two basic protocols that implement IPSEC are AH and ESP.
- AH provides only authentication services; ESP provides both confidentiality services and authentication services.

2.3 Security associations

- SA (Security Association): a basic concept of the IPSEC protocol suite. An SA is a logical, unidirectional connection between two entities that use IPSEC services. An SA consists of three fields:

Figure: the three fields of an SA


- SPI (Security Parameter Index): a 32-bit field that identifies the security protocol, as defined by the Security protocol field, in use within the IPSEC suite. The SPI is carried at the front of the security protocol header and is usually chosen by the destination system during SA negotiation.
- Destination IP address: the IP address of the destination node. The current SA management mechanism is defined only for unicast systems, although the address could be a broadcast, unicast or multicast address.
- Security protocol: describes the IPSEC security protocol, either AH or ESP.

An SA in IPSEC is deployed in one of two modes: Tunnel mode and Transport mode.

2.4 Transport mode and tunnel mode

At present IPSEC has two modes of operation: Transport Mode and Tunnel Mode. Both AH and ESP can work in either of these modes.

Figure: the two IPSEC modes of operation

3. The AH protocol

3.1 Protection mechanisms provided by the AH protocol

- Data integrity: this mechanism ensures that the packet received is the packet that was sent.
- Data origin authentication: this mechanism ensures that the packet was sent by the original sender and not by someone else.
- Replay protection (this mechanism is optional, not mandatory): this mechanism ensures that a packet cannot be replayed many times. It is a mandatory component for the sender, but the receiver may choose whether or not to use it.


3.2 Structure of AH

The fields of AH:

- Next header (8 bits): identifies the type of data that follows the AH header, using the TCP/IP protocol number conventions.
- Payload len (8 bits): the length of the AH header in 32-bit words, minus 2.
- Reserved (16 bits): reserved and unused; set to all zero bits.
- SPI (Security Parameters Index) (32 bits): identifies the SA. The values 1 to 255 are reserved. The value 0 is used for special purposes; for example, a key management mechanism may use an SPI of 0 to indicate that no SA exists yet while IPSEC is asking the key manager to create a new SA that has not been initialised.
- Sequence number (32 bits): the sequence number of the packet sent on the SA. By tracking this number and sending it to the receiver, the sender lets the receiver perform anti-replay checking if the receiver wishes.
- Authentication data: this field has no fixed, predetermined size and carries the main function of AH. It contains the ICV (integrity check value). The receiver uses it to check the integrity and authenticity of the message. The field may be padded if necessary to make the total length of AH a multiple of 32 bits (for IPv4) or 64 bits (for IPv6).

3.3 Position of AH in the IP packet


The figure above shows the position of the AH header in IPv4 and IPv6 packets.

- In IPv4, AH follows the IP header and is followed by the headers of the upper-layer protocols (TCP, UDP, ICMP) or by the ESP header.
- In IPv6 the position of AH is similar, but IPv6 has additional optional headers. Their position relative to AH is as follows: the IPv6 extension headers that come before AH are the hop-by-hop header, the routing header and the fragment header; the destination options header may come before or after AH. Its position relative to AH depends on whether its processing at the destination takes place before or after authentication.

3.4 AH modes of operation


The preceding figure illustrates the position of AH in transport mode, which is usually used for end-to-end authentication between two hosts. When two SGs (security gateways) are used to protect many hosts on a network, however, tunnel mode is used; the figure above shows the position of AH in tunnel mode. Tunnel mode can also be used for communication between two hosts; in that case the addresses in the original IP header and in the added IP header are the same.

3.5 Nested headers in AH

- Several SAs may apply to one message. If both endpoints of these SAs are the same, their AHs are called adjacent AHs. If one or both endpoints of the SAs differ, the AHs are called nested AHs.
- Adjacent AHs provide no additional protection, and applying them is not mandated.
- Nested AHs may be applied in certain cases.


- The figure above illustrates one case in which nested AHs are used. In this example, host 1 and host 2 require end-to-end authentication, but the gateway of each host also requires authentication of every packet passing through the gateway. Nested AHs are used to satisfy both requirements.

3.6 IPSEC header processing

Normally a message is processed in the network stack as follows. For outbound messages, the IP header is added to the message, which is then fragmented if necessary, passed down to the lower layers and sent out. For inbound messages, the message is reassembled if necessary, the IP header is removed and the message is passed up to the upper layers for processing.

When IPSEC is used, this processing has to change. There are three approaches to the problem:


- Change the network stack (IP stack code). This is the most direct approach, but it means changing kernel code, so it is usually done by system developers. It can be applied to both hosts and gateways.
- Separate IPSEC from the stack. This approach needs no change to the kernel, but it requires the fragmentation and reassembly mechanisms to be reimplemented. It is usually called Bump in the stack (BITS) because the IPSEC package sits between the internet layer and the network layer of the network model. It can be applied to both hosts and gateways, but it is usually applied to hosts running legacy operating systems.
- Put IPSEC outside the system; this approach is called Bump in the wire (BITW). Here IPSEC is integrated in a router or firewall, or it is implemented as a standalone IPSEC box that can be attached to a host, a gateway or a general-purpose machine.

3.7 AH processing of outbound packets

Once it has been determined that an outbound message is to be protected by AH, and a suitable SA governing this message has been found, the message is handed to IPSEC processing. The process consists of the following steps:

- 1: Insert an AH template at the appropriate position.
- 2: Fill in the next header field.
- 3: Fill in the SPI field with the SPI of the SA chosen above.
- 4: Compute the sequence number (the maximum value of this field is 2^32 - 1). If the value has not yet reached the maximum, the sequence number is simply incremented by one; the new value is stored in the AH and in the SAD. When the sequence number has reached the maximum, the following situations can arise. If the secret key between the parties of the SA was negotiated, this is the moment to negotiate a new key, regardless of whether the receiver uses anti-replay; the message is held for resending or dropped until the new key negotiation takes place. If the SA's key was created manually, meaning that the two parties agreed the key through some out-of-band means such as by telephone or by letter, and the sender knows that the receiver does not use anti-replay, the sequence number is simply reset to one. With manual keying, if the receiver does use anti-replay, a new key has to be agreed; until then the message is not sent and AH processing is halted.
- 5: In transport mode, the next header (protocol) field of the IP header is changed to AH.


- 6: Add the tunnel header if necessary. If the SA uses tunnel mode, an additional IP header is created and added to the message. The source and destination addresses of this additional IP header are the endpoints of the tunnel defined by the SA.

If both the inner and the outer header are IPv4, the following fields are copied from the inner header to the outer header: Version, TOS, Protocol, Fragment identification, MF flag and Fragment offset. The following fields have to be recomputed: Header length, Total length and Header checksum. Recomputing these values is necessary because they now describe the outer header, the inner header and the AH together. The Next header field is set to AH. The Options field is not copied. The TTL field is set to the system's default value. The DF (don't fragment) flag depends on the policy of the local system: its value may be copied from the inner header, set to 1 to prevent fragmentation, or set to 0 to allow fragmentation. The fields of the inner header are left unchanged, with one exception: if the source addresses of the inner and outer header differ, the inner packet travelled to reach the tunnel's source point, so its TTL (Time To Live) has been decremented, and the checksum in the inner header must be recomputed to reflect this change.

If both headers are IPv6, the following fields are copied from the inner header to the outer header: Version and Traffic class. The Payload length field is recomputed, because at this point it covers the inner header, the outer header and the AH. The Next header field is set to AH, or to the value of the optional extension header that precedes AH; these extension headers cannot simply be copied. The Hop limit field is set to the system's default value. The fields of the inner header are left unchanged, with one exception: if the source addresses of the inner and outer header differ, the inner packet travelled to reach the tunnel's source point, so its Hop limit has been decremented by one, and the checksum in the inner header has to be recomputed and updated.

If the inner header is IPv4 and the outer header is IPv6, or vice versa, processing differs slightly. The Version field is set to 4 for an IPv4 header and 6 for an IPv6 header. The Traffic class is mapped to TOS, and the source and destination addresses are converted to the appropriate format if necessary.

- 7: Compute the authentication data. Note that the whole message is not protected by AH, because the IP header contains three basic kinds of data: immutable data (data that does not change in transit), mutable but predictable data (data that changes in transit but whose final value can be predicted) and mutable unpredictable data (data that changes in transit and cannot be predicted). The table below classifies these fields for the IPv4 header and the IPv6 header. Only fields containing immutable data or mutable but predictable data are fed into the hash computation. In transport mode only these fields of the IP header are hashed. In tunnel mode the entire inner header and the original message are hashed, but only the immutable and mutable-but-predictable data of the outer header are hashed. For fields containing mutable unpredictable data there are two ways to proceed: leave them out of the hash, or replace them with zero values. In practice the second approach is used, because it guarantees that the hash is always computed over data of a fixed length; this is the general method.

The hash algorithms applied with AH are HMAC-MD5 (producing 128 bits) and HMAC-SHA1 (producing 160 bits). So that the size of the field stays aligned for processing, AH truncates the output to 96 bits. Once the ICV field has been added to the AH, the message is ready.


- 8: Fragment the message if necessary. If adding the AH, and especially adding the extra headers in tunnel mode, makes the message too large, fragmentation is needed and may take place at this point.
- In transport mode the source address is always the address that originated the message, so the entire message can be authenticated before fragmentation takes place.
- In tunnel mode the source address of the inner header is always the originator of the message; if this address differs from the source address of the outer header, the message may have been fragmented before it left the original host. In that case the tunnel header authenticates the already-fragmented message, and the message may be fragmented again at this point.
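The outbound steps above, carried out for AH in transport mode over IPv4, as an added example that is not part of the original project: it builds the IP header and the AH, zeroes the mutable fields before hashing, computes the HMAC-SHA1-96 ICV, and the inbound check then shows that a router decrementing the TTL does not break the ICV while any change to the payload does. The classification of mutable fields follows RFC 2402; the key, addresses, SPI and payload are constructed demo values.

```python
import hmac
import hashlib
import struct

AH_PROTO = 51   # IP protocol number assigned to the Authentication Header
ICV_LEN = 12    # HMAC-SHA1-96: the 160-bit HMAC output truncated to 96 bits

# Constructed demo values (not from the project): a shared key and two hosts
DEMO_KEY = b"constructed-demo-key"
DEMO_SRC = bytes([10, 0, 0, 1])
DEMO_DST = bytes([10, 0, 0, 2])


def ipv4_checksum(hdr):
    """One's-complement checksum over a header whose checksum field is zero."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) + hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_len, proto, ident=0x1234, ttl=64):
    """Build a 20-byte IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(hdr):
    """Copy of the header with the mutable fields zeroed for the ICV computation.
    Per RFC 2402 these are TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def build_ah(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    """AH: next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_transport_outbound(key, src, dst, inner_proto, payload, spi, seq):
    """Steps 1-7 for transport mode: insert AH, set next header/SPI/seq, compute ICV."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip = ipv4_header(src, dst, total_len, AH_PROTO)   # step 5: protocol field = AH
    ah_zeroed = build_ah(inner_proto, spi, seq)        # ICV field is zero while hashing
    auth_input = zero_mutable_ipv4(ip) + ah_zeroed + payload
    icv = hmac.new(key, auth_input, hashlib.sha1).digest()[:ICV_LEN]
    return ip + build_ah(inner_proto, spi, seq, icv) + payload


def ah_transport_verify(key, packet):
    """Inbound step 3: recompute the ICV the same way and compare in constant time."""
    ip = packet[:20]
    if ip[9] != AH_PROTO:
        return False
    ah_len = (packet[21] + 2) * 4          # invert the payload len encoding
    ah, payload = packet[20:20 + ah_len], packet[20 + ah_len:]
    received_icv = ah[12:]
    ah_zeroed = ah[:12] + b"\x00" * len(received_icv)
    auth_input = zero_mutable_ipv4(ip) + ah_zeroed + payload
    expected = hmac.new(key, auth_input, hashlib.sha1).digest()[:len(received_icv)]
    return hmac.compare_digest(expected, received_icv)


def forward_one_hop(packet):
    """Model an intermediate router: decrement TTL and refresh the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def demo_packet():
    """A UDP payload (protocol 17) protected by AH on SPI 0x100, sequence number 1."""
    return ah_transport_outbound(DEMO_KEY, DEMO_SRC, DEMO_DST, 17, b"hello", 0x100, 1)


if __name__ == "__main__":
    pkt = demo_packet()
    print("fresh packet verifies:", ah_transport_verify(DEMO_KEY, pkt))
    print("after one hop (TTL changed):", ah_transport_verify(DEMO_KEY, forward_one_hop(pkt)))
    print("tampered payload verifies:", ah_transport_verify(DEMO_KEY, pkt[:-1] + b"\x00"))
```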


3.8 AH processing of inbound packets

When a message containing an AH is received, IP processing first reassembles the fragments into a complete message. The message is then passed to IPSEC processing, which consists of the following steps:

- 1: Find the corresponding inbound SA in the SAD. This lookup is based on the SPI, the source address and the AH protocol. The matching SA is checked against the AH packet to determine which mode applies: transport mode, tunnel mode or both. The packet must also supply some parameters that narrow the scope of the SA (for example the port or the protocol). If this is a tunnel header, the SA must compare these parameters in the inner packet, since they are not copied into the tunnel header. When a matching SA is found, processing continues; otherwise the packet is dropped.
- 2: If anti-replay is enabled: the originator of an AH packet always increments the anti-replay counter. The receiver may ignore this number or use it to prevent replay. The IP protocol does not guarantee that packets arrive at the receiver in the order in which they were sent, so this number cannot be used to determine packet order. It can, however, be used to determine the order relationship within a window whose length is a multiple of 32 bits.

For each inbound SA, the SAD stores an anti-replay window. The window size is a multiple of 32 bits, with a default value of 64 bits. An anti-replay window of size N tracks the sequence numbers of the N most recently received messages. Any message whose sequence number is below the lower bound of the replay window is dropped. Messages whose sequence number is already present in the replay window are also dropped.

A bit mask (or a similar structure) is used to track the sequence numbers of the N most recently received messages for this SA. Initially a 64-bit mask tracks messages with sequence numbers in the range 1 to 64. Once a message with a sequence number greater than 64 arrives (say 70), the bit mask shifts to track sequence numbers in the range 7 to 70. From then on it drops messages with sequence numbers below 7, and messages whose sequence number is already present in the anti-replay window. The figure below illustrates the operation of the anti-replay window.

- 3: Check the authenticity of the data. The hash is computed in the same way as for an outbound message. If the result does not match the ICV in the message, the message is dropped; otherwise processing moves to the next stage.
- 4: Remove the AH and continue IPSEC processing for the remaining IPSEC headers. A nested IPSEC header may appear at this point. Each header has to be processed until one of two conditions is met. When the last IPSEC header has been processed successfully and processing reaches the upper-layer protocol, the packet is handed to the IP processing cycle and continues up through the IP layer. Otherwise, if processing reaches a tunnel IP header whose destination is not this host, the message is forwarded to the appropriate host, where the remaining stages of IPSEC processing take place.
- 5: Check the SAD to ensure that the IPSEC policies applied to this message satisfy the policies the system requires. This important stage is hard to illustrate when authentication uses only AH; a more convincing example will appear when we study the other security header, ESP.
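The anti-replay window from step 2, as an added example that is not part of the original project: a 64-bit mask whose right edge starts at 64 (covering 1 to 64, as in the text) and slides when a higher sequence number arrives. The window is advanced only after the ICV check of step 3 succeeds, the order RFC 2401 prescribes; otherwise an unauthenticated packet carrying a large sequence number could slide the window and cause legitimate packets to be dropped. The sequence numbers and ICV outcomes fed in are constructed.

```python
class ReplayWindow:
    """Anti-replay window for one inbound SA: a bit mask over the N most recent
    sequence numbers, N being a multiple of 32 (default 64)."""

    def __init__(self, size=64):
        if size <= 0 or size % 32:
            raise ValueError("window size must be a positive multiple of 32 bits")
        self.size = size
        self.right = size       # highest sequence number covered; initially 1..size
        self.bitmap = 0         # bit i set  <=>  sequence number (right - i) was received

    def left(self):
        """Lowest sequence number still accepted."""
        return self.right - self.size + 1

    def check(self, seq):
        """Step 2: True if seq is not a replay and not too old. Does not modify state."""
        if seq == 0:                      # 0 is never a valid sequence number on an SA
            return False
        if seq > self.right:              # newer than anything seen: always acceptable
            return True
        diff = self.right - seq
        if diff >= self.size:             # left of the window: too old, drop
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: drop if already seen

    def update(self, seq):
        """Mark seq as received. Call only after the ICV check (step 3) succeeded."""
        if seq > self.right:
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 0           # the whole old window falls off the left edge
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.right = seq
            self.bitmap |= 1              # bit 0 is the new right edge
        else:
            self.bitmap |= 1 << (self.right - seq)


def receive(window, seq, icv_ok):
    """Inbound steps 2 and 3 in the order a receiver must apply them.
    Returns 'accepted', 'dropped:replay' (too old or already seen) or 'dropped:icv'."""
    if not window.check(seq):
        return "dropped:replay"
    if not icv_ok:                        # authentication failed: leave the window untouched
        return "dropped:icv"
    window.update(seq)
    return "accepted"


def walk_through():
    """Replays the text's example (window 1..64, then 70 arrives) plus a packet that
    fails its ICV. Returns the list of outcomes and the final window bounds."""
    w = ReplayWindow(64)
    # (sequence number, whether the ICV check passed) -- constructed input
    events = [(70, True), (5, True), (70, True), (68, True), (68, True),
              (100000, False), (69, True)]
    outcomes = [receive(w, seq, ok) for seq, ok in events]
    return outcomes, (w.left(), w.right)


if __name__ == "__main__":
    outcomes, bounds = walk_through()
    print(outcomes)
    print("window now covers", bounds)
```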

3.9 Some complications in the AH protocol

3.9.1 Fragmentation and ICMP handling in the AH protocol

Two aspects of the IP protocol make the AH protocol more complicated: fragmentation and ICMP error messages. We will look at them through the following examples.

Consider the following example. Suppose tunnel mode is set up between SG1 and SG2 to protect communication between two networks N1 and N2. If a packet from H1 to H2 is fragmented before it reaches SG1 (call this case 1), which may be done by an intermediate router (in IPv4) or by the originating host (in IPv6), SG1 computes an ICV for each fragment. When the fragments reach SG2, each fragment is authenticated separately before they are reassembled. The reassembled and authenticated packet is then forwarded to its destination, H2. Now suppose instead that fragmentation is performed by a router between SG1 and SG2 (IPv4 only; call this case 2). SG1 computes the ICV over the whole packet. When the fragments reach SG2 they must be reassembled before authentication, because the ICV was computed before fragmentation took place.

Change the situation as follows. Suppose SG1 knows that one segment of the path has a bottleneck on packet size. SG1 therefore decides not to run AH in tunnel mode, avoiding the extra outer header so as to reduce packet size. This solution does not fit the architecture of the IPSEC protocol, because it discards a component of IPSEC (tunnel mode).

Now change the network model further:

Suppose that besides SG2 there is also SG3 serving N2, as illustrated in the figure above. If the SAs between N1 and N2 are all tunnel mode SAs negotiated between SG1 and SG2, all fragments are routed through the appropriate gateways and the message is processed correctly. If, however, SG1 and SG2 decide to reduce packet size and set up a transport mode SA, a problem appears. SG2 set up the transport mode SA on the assumption that it is the only entry point to N2, so that it can catch every packet and authenticate it before it reaches H2. If any packet is routed through SG3, reassembly goes wrong. In case 1, SG2 authenticates every packet it receives and tries to reassemble them; but since not all fragments pass through SG2, the packet being reassembled is discarded when the reassembly timer expires. Meanwhile the fragments that reach SG3 may be dropped by SG3 or forwarded to H2, where no matching SA is found for them, so they are dropped. In case 2, SG2 tries to reassemble the packets before authenticating them, but the result is the same as in case 1. This is the worst case, yet in practice this situation occurs with alarming frequency. The illustration above explains why tunnel mode must be used between two gateways.

- To prevent fragmentation, gateways must inform the hosts they protect of the header size they may add to the packets the hosts send. The originating host usually tries to send packets of a size close to the PMTU (path maximum transmission unit). Subtracting the size of the headers the security gateways will add is enough to avoid fragmentation.

There is another way to avoid fragmentation. The originating host can probe the network to discover the PMTU and adjust its packet size accordingly. In IPv4 this technique requires the source host to set the DF (Don't Fragment) bit to one, to prevent fragmentation at intermediate routers. This causes a problem when IPSEC is applied. If a packet is too large to traverse the whole route, an intermediate router sends an ICMP "packet too big" message to the originating host. For a tunnel mode SA, the ICMP packet is sent to the security gateway whose address is the source address in the outer header. The serious problem here is that this ICMP packet is not sent by the final destination of the message but by an intermediate router. This matters even more with IPSEC, since in IPSEC all packets must be authenticated as to their origin. After receiving the packet, the gateway must choose between alternatives: can the message in this unauthenticated ICMP packet be trusted? If it is trusted, the ICMP packet must be forwarded, together with the new PMTU, to the original source host (in the inner header). If the gateway does not forward the ICMP packet to the source host, a big hole appears: the source host keeps sending packets with the DF flag set and never receives the notification of the new PMTU, so it never reduces its packet size. The packets keep being sent, uselessly increasing network traffic, and they never reach their final destination.

Using ICMP packets to deliver the PMTU can be exploited for denial of service attacks. An attacker sends an ICMP packet with a PMTU smaller than the PMTU actually required. If the gateway accepts this unauthenticated ICMP packet and forwards it to the originating host, the originating host reduces the size of every packet travelling along that path. This increases the number of small packets, which means more computational overhead in the related IP processing, can increase network load and reduces quality of service.

Several solutions have been proposed for the PMTU problem. The first requires cooperation between SG1 and SG2. SG1 lets fragmented packets from H1 continue on their path; to do this, if the inner header has the DF bit set, the outer header does not set it. When SG2 receives the fragmented packets, it sends a PMTU value to SG1, telling SG1 the size of the largest fragment that successfully traversed the segment from SG1 to SG2, because that segment is where the packet protection mechanisms are set up. This PMTU packet differs from ordinary PMTU packets in that it is sent after fragments are received, whereas normally a PMTU packet is the result of an unsuccessful transmission of a fragment. Alternatively, SG2 can store the PMTU as part of the SA and periodically inform SG1 of the latest PMTU value. If H1 tries to send a packet that is too large, SG1 informs H1 of the current PMTU. At the time of writing, no further solution to this problem has been proposed.

3.9.2 The relationship between NAT and IPSEC

- A NAT (network address translation) box may be a separate entity or may be combined with the security gateway. NAT is applied in two situations. First, in private networks that require secrecy, to ensure security and privacy. Second, in private networks that use private addresses which may also be in use somewhere else on the Internet; this saves IP addresses. When a packet passes through the NAT box, the private source address of an outbound packet is translated into a public address, and the public destination address of an inbound packet is translated into the corresponding private address. Applying NAT can break AH authentication in transport mode, because in this mode AH authenticates both the source address and the destination address; changing the source or destination address makes authentication fail when the packet reaches its destination. If NAT translation takes place before IPSEC processing for outbound packets and after IPSEC processing for inbound packets, gateway-to-gateway protection is still satisfied. The figure below shows one network configuration in which NAT and the security gateways work together properly.

A NAT-friendly IPSEC protocol called realm-specific internet protocol (RSIP) has been proposed. With RSIP, packets from a host with a private address no longer use that address for packets destined outside the private network. The host acts as an RSIP client and can request a public IP address from an RSIP server. In this way the source address of the packets it sends is a value that is unique on the Internet and can be used for end-to-end authentication.

3.9.3 Auditing in IPSEC


If an event is stored in the audit log, the stored record must contain the date, time, source address, destination address and SPI; for IPv6 the flow ID must also be stored. In addition, if the system supports auditing with IPSEC, there must be a mechanism allowing the administrator to enable or disable this function. Alert packets need not be sent to the other parties, since they can increase traffic between the parties and affect network quality.

- Some of the events stored in the audit log are:
+ An attempt to use an outbound SA whose replay counter has reached its maximum value while the receiver uses anti-replay.
+ IPSEC processing of a fragmented inbound packet.
+ Receiving an inbound packet for which no matching SA is found.
+ Receiving an inbound packet whose authentication check does not meet the requirement.

4. The ESP protocol

4.1 Protection mechanisms provided by ESP

ESP provides two kinds of protection: one that belongs to ESP alone, and one that repeats the protection provided by AH. The following protection mechanisms are provided by ESP and not by AH:

- Confidentiality: this ensures that if a message is captured in transit, an intermediary cannot understand its contents; only the sender and the receiver can.
- Protection against traffic analysis (tunnel mode only): this ensures that intermediaries cannot determine which parties are communicating with each other, how often, or how much information they exchange.

ESP can also provide some of the protection mechanisms provided by AH: data integrity, data origin authentication and replay protection.

There are some differences between the data integrity and data origin authentication provided by AH and by ESP. AH in transport mode protects both the IP header and the data in the packet, whereas ESP in transport mode protects only the data. In tunnel mode both mechanisms protect the original header, but only AH protects the outer header. Creating an SA, however, indirectly authenticates the IP addresses, which removes this difference.

    4.2 Cu trc ca ESP:

  • 7/28/2019 TaiLieuTongHop.com---Do an Bao Mat Thong Tin Ipsec Va Trien Khai He Thong Ipsecvpn Tren Windows Server

    23/59

    n bo mt thng tin IPSEC v Trin khai h thng IPSEC/VPN trn Windows Server 2003 23

    ESP gm c cc trng sau:

    -SPI gi trc ct vo SAD.

    -Sequence number:Tng tnh i vi AH.

    -Pay load data l gi d liu ip c m ha

    -Padding( di bt k ) v pad length ( 8 bits) d liu chn v kch thc ca n.

    -Next header :Loi d liu bn trong ESP.

    -Authentiaction data (bi s ca 32 bits):Thng tin xc thc c tnh trn ton b gi ESPngoi tr phn authentiaction data.

    ESP header thng c chia lm bn phn nh sau:

    -Initial ESP header cha SPI v sequence number.

    -Data cha mt s d liu c bit khng m ha(nu c),phn mrng tiu ca a chchtheo sau ESP header ( ch xt trong Ipv6),TCP hoc UDP header,v d liu ca thng ip.

    -ESP trailer cha padding ( nu c ),trng pad length, v trng next header

    -ESP authentication data cha cc d liu xc thc nu c.

    4.3:V tr v cc mode lm vic ca ESP:

The ESP header can be used in both transport mode and tunnel mode. The figure below shows the position of the ESP transport header in IPv4 and IPv6. In IPv4 it may follow the IP header or an AH header; its next header field then indicates TCP, UDP or ICMP. In IPv6 zero or more extension headers (hop-by-hop, routing, fragment or destination options) may precede the ESP header. A destination options header may also follow the ESP header; its position relative to ESP depends on whether its own processing is to be performed before or after ESP processing. If the packet is encrypted, a destination options header placed after the ESP header cannot be read by any intermediate node; it becomes visible again only when ESP decryption is performed at the final destination.

The next figure illustrates the position of the ESP header in tunnel mode. In IPv4 the ESP header follows the new IP header and precedes the original IP header. In IPv6 ESP follows the extension headers (if any), as in transport mode, and precedes the original IP header.


4.4 Nested and adjacent headers in ESP

With two kinds of security header, applying more than one SA to a message becomes more complex. If adjacent headers are used (for example when both SAs have the same endpoints), the AH header precedes the ESP header. This means the packet is encrypted first and then authenticated, so the encrypted packet is protected against tampering on the wire. The same result can, however, be obtained more cheaply with a single ESP header that provides both authentication and encryption.

Nested headers are used more often. In case two (presented in the AH section), suppose that the gateways SG1 and SG2 require all gateway-to-gateway traffic to be both authenticated and encrypted. This can be done in two ways: through a single ESP SA that provides both authentication and encryption, or through adjacent AH and ESP SAs. For gateways protecting traffic between the hosts H1 and H2, the SA should be a tunnel mode SA. This leaves the traffic between H1 and SG1 unprotected. If H1 does not trust its security gateway to carry its traffic, or if there is an untrusted user on H1's local network, H1 also needs to authenticate the traffic on the local network. A nested SA is the ideal solution here: a pair of ESP tunnel mode SAs between SG1 and SG2 and a pair of AH transport mode SAs between H1 and H2. The figure below shows how such a nested SA is used.

In this case, when a message is sent from H1 to H2, it carries a transport mode AH from the moment it leaves H1 until it reaches SG1. Between SG1 and SG2 it carries both AH and ESP: an inner transport mode AH header and an outer tunnel mode ESP header. Between SG2 and H2 it again carries only the transport mode AH header.

4.5 ESP processing of outbound messages

Several processing steps are the same as for AH and are not repeated in detail here. Once it has been determined that an outbound message must be protected by an ESP header, and the outbound SA governing it has been found or negotiated, the message is handed to IPsec processing, which consists of the following steps:

- 1: Insert an ESP header template at the appropriate position.

- 2: Fill the SPI field with the SPI of the selected SA.

- 3: Compute the sequence number.

- 4: If encryption is applied, the chosen cipher may require some data that is itself not encrypted (such as an IV); add it to the packet.

- 5: Add the tunnel header if needed.

- 6: Add the remaining data of the packet.

- 7: Compute the padding length if needed. The padding values are defined by the cipher; if the cipher does not define them, the default padding is the sequence of consecutive integers 1, 2, 3, ... (this lets the receiver check the padding).

- 8: Add the next header field.

- 9: Encrypt the message if the SA requires encryption. The payload data, padding, pad length and next header fields are encrypted, together with the tunnel header in the case of a tunnel mode SA. The ciphers mandated for ESP processing are DES-CBC and the NULL encryption algorithm; the latter provides no confidentiality (single DES is considered broken today and modern deployments use AES). Because an ESP header must provide confidentiality, authentication or both, the NULL authentication algorithm must not be used when the NULL encryption algorithm is selected.

- 10: Compute the authentication data if the SA requires authentication. The authenticated data consists of the initial ESP header and the encrypted data. The authentication algorithms used in ESP processing are HMAC-MD5, HMAC-SHA-1 and the NULL authentication algorithm; the last provides no authentication. Because an ESP header must provide integrity, confidentiality or both, the NULL encryption algorithm must not be used when the NULL authentication algorithm is selected.

- 11: Fragment if necessary.

4.6 ESP processing of inbound messages:

When a message containing an ESP header is received, IP processing first ensures that all fragments are reassembled into a complete message. The message is then handed to IPsec processing, which consists of the following steps:

- 1: Look up the SAD to find the inbound SA that governs this message.

- 2: If the receiver uses the anti-replay service, perform the anti-replay check.

- 3: Verify the authentication data. If the check shows the packet is not authentic, drop it; otherwise continue with the next step. Verifying authentication before decryption avoids spending decryption work on a message that has been tampered with (and therefore cannot authenticate correctly).

- 4: Decrypt the rest of the packet. If decryption fails, or the result is inconsistent with the expected positions of the fields, the message is dropped.

- 5: Remove the padding if any was added.

- 6: Remove the ESP header and continue IPsec processing for any remaining IPsec headers.

- 7: Check the SPD to ensure that the IPsec policy actually applied to the message matches the IPsec policy required for it.
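The outbound steps in 4.5 and the inbound steps above, carried out on real bytes, as an added example that is not part of the original report. It uses the ESP_NULL cipher (RFC 2410), so the "encrypted" body is the plaintext and the structure stays readable, with HMAC-SHA1-96 as the integrity algorithm; the ICV is checked in constant time before any trailer processing, exactly the ordering step 3 requires. The 4-byte alignment, the 20-byte key and the sample payload are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits
ALIGN = 4      # ESP_NULL has no cipher block, but payload + trailer must still end on a 4-byte boundary


def esp_padding(payload_len: int, align: int = ALIGN) -> bytes:
    """Step 7: default ESP padding is the byte sequence 1, 2, 3, ... chosen so that
    payload + padding + the 2 trailer bytes (pad length, next header) is aligned."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1))


def build_esp(spi: int, seq: int, next_header: int, payload: bytes, auth_key: bytes) -> bytes:
    """Outbound: header (SPI, seq), payload, trailer, then the ICV over header + body."""
    header = struct.pack("!II", spi, seq)                      # steps 2 and 3
    pad = esp_padding(len(payload))
    trailer = pad + struct.pack("!BB", len(pad), next_header)  # steps 7 and 8
    body = payload + trailer                                   # step 9: ESP_NULL leaves it unchanged
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]  # step 10
    return header + body + icv


def parse_esp(packet: bytes, auth_key: bytes):
    """Inbound: verify the ICV first (step 3), only then 'decrypt' and strip the trailer.
    Returns (spi, seq, next_header, payload); raises ValueError for anything to be dropped."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time compare, before any cipher work
        raise ValueError("ICV mismatch: dropped before decryption")
    spi, seq = struct.unpack("!II", authed[:8])
    body = authed[8:]                             # step 4: ESP_NULL decryption is the identity
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds body")
    pad = body[len(body) - 2 - pad_len:len(body) - 2]
    if pad != bytes(range(1, pad_len + 1)):       # step 5: padding must be the default sequence
        raise ValueError("bad padding bytes")
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def esp_accepts(packet: bytes, auth_key: bytes) -> bool:
    """True if the packet would be accepted, False if it would be dropped."""
    try:
        parse_esp(packet, auth_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"\x0b" * 20                               # constructed demo key
    pkt = build_esp(0x1000, 1, 6, b"hello", key)     # next header 6 = TCP
    print(pkt.hex())
    print(parse_esp(pkt, key))
```

Flipping any byte of the header, body or ICV, or using a different key, is rejected by the ICV check without the trailer ever being parsed; with a real cipher in place of ESP_NULL the same ordering means no decryption is attempted on forged packets.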

Successfully authenticating and decrypting an inbound message with an SA from the SAD does not by itself guarantee that this SA should have been used to protect that kind of traffic.

In case 1 (presented in the previous chapter), suppose H1 and H2 establish several SAs to protect traffic between their endpoints. SA1 and SA2, which protect HTTP packets from tampering, are AH SAs. SA3 and SA4, which protect FTP packets, are ESP SAs.

When a message arrives at H2 and its parameters (SPI, protocol = ESP, destination address) map it to SA3, that SA is used to decrypt the message. But what happens if H1 wrongly uses SA3 for HTTP packets sent to H2? The selectors of the inbound message (destination address, SPI, protocol = ESP) all select SA3. The port number, which would reveal that this packet is not FTP (recall that by assumption SA3 protects only FTP), cannot be read until the packet has been decrypted. The packet is therefore decrypted, because a matching SA was found in the SAD. Only the subsequent policy check determines that the policy applied to the packet does not match the policy required for SA3, and the packet is dropped. The decryption work was wasted (this problem is discussed further in a later section).

A more serious situation arises when an SA bundle, a group of related SAs, is used to protect the same message.

Suppose H1 and H2 establish two end-to-end SA pairs: SA1 and SA2 are ESP encryption-only SAs, and SA3 and SA4 are AH SAs that authenticate the encrypted messages together with their IP headers. What happens if H1 uses only SA1 to send FTP requests to H2? The SPI, protocol and destination address of the inbound packet all select SA1. The packet is decrypted successfully because it selects a valid SA in the SAD. However, in the policy check the packet is rejected, because the policy requires two security headers and the packet carries only one. Case (a) in the figure above shows the wrong use of the SA bundle, and case (b) the correct use.
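The two failure cases above (a single SA applied to the wrong traffic, and an incomplete SA bundle), as an added example that models the inbound SAD lookup and the step 7 policy check; it is not code from the original report. The host names, SPIs and ports are constructed for the scenario, and the SAD/SPD are reduced to dictionaries keyed the way the text describes: the SAD by what is readable before decryption (destination, protocol, SPI), the SPD by the selectors that only become readable afterwards.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int
    proto: str   # "AH" or "ESP"
    dst: str
    port: int    # transport port the SA was negotiated for (its selector)


def sad_lookup(sad, dst, proto, spi):
    """Inbound lookup may use only what is readable before decryption:
    destination address, security protocol and SPI."""
    return sad.get((dst, proto, spi))


def inbound_policy_check(sad, spd, dst, headers, inner_port):
    """headers: (proto, spi) pairs as they appear in the packet, outermost first.
    inner_port: the transport port, readable only after decryption.
    Returns a verdict; decrypt_ops counts cipher work done before a drop."""
    decrypt_ops = 0
    applied = []
    for proto, spi in headers:
        sa = sad_lookup(sad, dst, proto, spi)
        if sa is None:
            return f"DROP: no SA for ({dst}, {proto}, {spi:#x}), decrypt_ops={decrypt_ops}"
        if proto == "ESP":
            decrypt_ops += 1   # decryption happens here, before the port is known
        applied.append(sa)
    # step 7 of inbound processing: compare what was applied with what the SPD requires
    for sa in applied:
        if sa.port != inner_port:
            return (f"DROP: SA {sa.spi:#x} covers port {sa.port}, not {inner_port}, "
                    f"decrypt_ops={decrypt_ops}")
    required = spd.get((dst, inner_port))
    if required is None:
        return f"DROP: no SPD entry for {dst}:{inner_port}, decrypt_ops={decrypt_ops}"
    have = sorted(sa.proto for sa in applied)
    if have != sorted(required):
        return (f"DROP: policy requires {'+'.join(sorted(required))}, packet has "
                f"{'+'.join(have)}, decrypt_ops={decrypt_ops}")
    return f"ACCEPT: decrypt_ops={decrypt_ops}"


# Case 1 (constructed): AH SA for HTTP, ESP SA for FTP; only the H2-inbound halves matter here
SAD_CASE1 = {
    ("H2", "AH", 0x1001): SA(0x1001, "AH", "H2", 80),
    ("H2", "ESP", 0x1003): SA(0x1003, "ESP", "H2", 21),
}
SPD_CASE1 = {("H2", 80): ["AH"], ("H2", 21): ["ESP"]}

# SA bundle case (constructed): ESP encryption-only plus AH, both required for FTP
SAD_BUNDLE = {
    ("H2", "ESP", 0x2001): SA(0x2001, "ESP", "H2", 21),
    ("H2", "AH", 0x2003): SA(0x2003, "AH", "H2", 21),
}
SPD_BUNDLE = {("H2", 21): ["AH", "ESP"]}

if __name__ == "__main__":
    print(inbound_policy_check(SAD_CASE1, SPD_CASE1, "H2", [("ESP", 0x1003)], 80))
    print(inbound_policy_check(SAD_BUNDLE, SPD_BUNDLE, "H2", [("ESP", 0x2001)], 21))
```

In both misuse cases the verdict is a drop with decrypt_ops=1: the SA lookup succeeded and the cipher work was done before the policy mismatch could be seen, which is the wasted cost the text describes.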

4.7 Some complications in ESP

Although encrypting the upper-layer headers serves confidentiality, it also hides transport header fields such as the transport protocol and the ports, fields that are widely used for traffic analysis on the Internet. Transport header fields serve a network traffic analyst for several other purposes as well: management, performance tuning, intrusion detection, and special handling of certain classes of traffic (classified into different quality of service (QoS) levels).

A new protocol called transport-friendly ESP (TF-ESP) has been proposed (its details have not yet been published). Two approaches have been suggested:

+ Define a TF-ESP header that duplicates the needed fields and carries them in unencrypted form.

+ Encrypt the inner fields of the packet but leave the needed fields unencrypted.

The first approach has two drawbacks:

+ Duplicating the needed fields increases the packet size.

+ Having both the encrypted and the unencrypted form of a field at known positions in the packet is a security weakness: this known plaintext gives an attacker material to work with when attempting to decrypt the packet.

The second approach complicates an already complex protocol, since it requires additional processing steps.

4.8 Some expert evaluations and criticisms:

The renowned cryptographer Bruce Schneier and his colleague Niels Ferguson have strongly criticised the architecture of IPsec and IKE. They argue that complexity is the worst enemy of security (that is, the more complex a protocol becomes, the harder it is to make and keep secure). Their view is of course correct. Unfortunately, IPsec was built for one of the most complex and many-sided problem areas: it must not only protect IP packets but also remain compatible and cooperate with many other protocols, cope with an open-ended network topology, and stay compatible with network protocols that will be built in the future.

To achieve simplicity, Schneier and Ferguson propose removing AH and transport mode. Many IPsec developers agree that AH should be dropped, and this may happen in a future IPsec version. Others object that some protocols require AH, which argues against removing it. Having restricted all SAs to tunnel mode, the two authors further propose a compressed header to save the extra packet size that tunnel mode adds when it is not strictly needed. The authors admit that they are not networking experts; experts working in the field firmly maintain that having both transport mode and tunnel mode is a necessity of network architecture.

Schneier and Ferguson are also unhappy with the processing order of ESP. They argue that outbound packets should be authenticated before being encrypted. The order was chosen deliberately so that an inbound packet that fails authentication does not have to go through costly decryption. The authors describe a situation in which, because the authentication does not bind the encryption key, a packet that authenticates correctly is still not guaranteed to decrypt correctly. To solve this without changing the ESP processing order, they propose authenticating the decryption key and the other data used in encryption together with the packet data. On the opposing side, the cryptographers who took part in building IPsec are satisfied with the order and consider it unnecessary to authenticate such additional data. Moreover, when IKE negotiates the keys, the authentication and encryption keys for ESP are derived as parts of one overall process.

The authors also consider unidirectional SAs unnecessary and a cause of SAD growth. They propose bidirectional SAs, which could reduce the size of the SAD. However, a single SAD entry would not allow each side to choose its own inbound SPI. A double entry, each with its own SPI, would make the SAD large again. Furthermore, IPsec is also used in situations where traffic flows in one direction only (multicast).

4.9 Why two protection headers:

It is easy to see that ESP provides the authentication that AH provides and, in addition, confidentiality. Is the use of two separate headers really necessary?

The answer has to do with history and politics. Some countries ban the export of software that implements or supports encryption. The first version of the RFCs therefore separated the exportable part, AH, from the part treated as a munition, the ESP header (some countries regarded encryption software as a weapon of war). In its original form the ESP header provided only encryption; if authentication was required, both headers were used. Because an encrypted but unauthenticated packet is vulnerable to certain modification attacks, every encrypted packet had to be authenticated as well, which required two separate SAs and doubled the per-packet processing. Therefore, in the second version of the RFCs (RFC 2402 and RFC 2406), authentication was added to the ESP header. From that version on the ESP header always carries the encryption fields while authentication is optional; defining the NULL encryption algorithm as a cipher allows ESP to provide authentication without encryption.

One can argue that AH protects headers that ESP does not, namely the source and destination addresses. However, the authentication performed during the key exchange binds the participants' addresses to the key, which already protects the source and destination addresses. Furthermore, AH processing faces many complications, such as distinguishing immutable from mutable fields before feeding the packet into the hash, which makes it more complex than ESP. Keeping AH was motivated by politics and by the wish to avoid frequent changes to the IP protocol, a protocol already in use. Nevertheless, at some point AH will be removed or become an optional component of IPsec (RFC 4301, published in 2005, did make AH support optional while ESP remained mandatory).

5. Key management with IKE:

5.1 Overview of key management:

The IPsec suite provides three main capabilities: data authentication and integrity, and confidentiality, are provided by the two main protocols of the suite, AH and ESP. IPsec uses a third protocol, Internet Key Exchange (IKE), for the third capability, key management: negotiating the security protocols and encryption algorithms before and during the session.

An IKE SA is bidirectional and provides a secure communication channel between the two parties. An IKE SA is identified by the initiator's cookie followed by the responder's cookie. The pair of cookies established in phase 1 continues to identify the IKE SA regardless of the direction of the traffic. The main function of IKE is to establish and maintain SAs. The following attributes are the minimum that must be agreed between the two parties as part of the ISAKMP SA:

- The encryption algorithm.

- The hash algorithm used.

- The authentication method used.

- The Diffie-Hellman group.

What does IKE do? It performs negotiation, authentication, key management and key exchange. IKE negotiates an agreement between the two IPsec endpoints, after which the SA tracks all components of an IPsec session. After a successful negotiation, the valid SA parameters are stored in the SA database.

5.2 IKE phases:


IKE has two phases, phase 1 and phase 2, which share some characteristics, as shown in the figure below.

Phase 2 assumes that the secure channel created in phase 1 already exists. This secure channel must be in place before any phase 2 negotiation takes place.

5.2.1 Phase 1:

- First, the peers authenticate each other, and then a secure channel is established for setting up SAs.

Next, the peers negotiate a mutually agreed ISAKMP SA, including the encryption algorithm, the hash function and the authentication method that protect the keys.

- Once the cipher and the hash function are agreed, a preliminary secret key is generated. It is derived from the Diffie-Hellman value, the SPI of the ISAKMP SA in the form of the cookies, and random numbers known as nonces (used in the signing/authentication step).

- If the two sides agree to use public-key-based authentication, they also need to exchange IDs. After exchanging the required information, both sides generate their own keys from the shared secret. In this way the encryption keys are generated without any key actually being sent over the network.

5.2.2 Phase 2:

- While phase 1 negotiates the SA for ISAKMP itself, phase 2 establishes the SAs for IPsec. In this phase SAs for various services are negotiated. The authentication method, hash function and encryption algorithm that protect the subsequent IPsec packets (using AH and ESP) are part of the phase 2 SA.

- Phase 2 negotiation occurs more frequently than phase 1; the report's example is a renegotiation every 4 to 5 minutes. Changing the keys frequently prevents an attacker from breaking the keys and then reading the contents of the packets.

- In general, one phase 2 session corresponds to one phase 1 session. However, several phase 2 exchanges can be supported by a single phase 1 exchange, which makes the slow negotiation process faster.

5.3 IKE modes


Oakley is one of the protocols IKE is built on. Oakley defines the four common IKE modes: Main mode, Aggressive mode, Quick mode and New Group mode.

* Main mode:

- Main mode authenticates the parties and protects their identities during the exchange. In this mode six messages are exchanged between the peers:

+ The first two messages negotiate the security policy for the exchange.

+ The next two messages exchange the Diffie-Hellman public values and the nonces. These values play an important role in the subsequent key derivation and encryption.

+ The last two messages authenticate the peers with the help of signatures, hash values and, optionally, certificates.

* Aggressive mode:

- Essentially the same as Main mode, except that only three messages are exchanged instead of six, so Aggressive mode is faster than Main mode. The price is that the identities are sent in the clear, and with pre-shared key authentication the responder's hash is observable on the wire, which allows an offline dictionary attack on a weak key. The messages are:

+ The first message proposes the security policy, passes the data for the master key, and exchanges the nonces used for the later signing and verification.

+ The next message responds to the first. It authenticates the responder and completes the security policy together with the keys.

+ The last message authenticates the sender (the initiator of the session).


Both Main mode and Aggressive mode belong to phase 1.
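The six-message Main mode exchange with pre-shared key authentication, as an added example that is not part of the original report. Both peers are simulated in one process; the key derivation follows the RFC 2409 formulas (SKEYID = prf(psk, Ni | Nr), then SKEYID_d, SKEYID_a, SKEYID_e, and HASH_I / HASH_R over the DH values, cookies, SA proposal and identity) with HMAC-SHA1 as the prf. Assumptions: the Diffie-Hellman prime is a toy 127-bit value chosen only so the demo runs quickly (real IKE uses a MODP group such as the 1024-bit group 2), the encryption of messages 5 and 6 under SKEYID_e is omitted, and the proposal bytes and identities are constructed.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime for the demo only; a real IKE group is e.g. the 1024-bit MODP group 2
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


class Peer:
    def __init__(self, name: str, psk: bytes, identity: bytes):
        self.name, self.psk, self.id = name, psk, identity
        self.cookie = secrets.token_bytes(8)          # CKY-I or CKY-R
        self.x = secrets.randbelow(P - 2) + 1         # private DH exponent
        self.gx = pow(G, self.x, P)                   # public DH value, sent in message 3 or 4
        self.nonce = secrets.token_bytes(16)          # Ni or Nr

    def keys(self, peer_gx: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes):
        """Phase 1 keying material for pre-shared key authentication (RFC 2409 section 5)."""
        gxy = i2b(pow(peer_gx, self.x, P))
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")   # feeds phase 2 keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # ISAKMP integrity
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # ISAKMP encryption
        return skeyid, skeyid_d, skeyid_a, skeyid_e


def main_mode(initiator: Peer, responder: Peer, sa_proposal: bytes):
    """Run the six messages; returns (authenticated, initiator_keys, responder_keys)."""
    # messages 1 and 2: SA proposal / acceptance and the cookies, all in the clear
    cky_i, cky_r, sai_b = initiator.cookie, responder.cookie, sa_proposal
    # messages 3 and 4: KE and nonce payloads, still in the clear
    gxi, ni = initiator.gx, initiator.nonce
    gxr, nr = responder.gx, responder.nonce
    ki = initiator.keys(gxr, ni, nr, cky_i, cky_r)
    kr = responder.keys(gxi, ni, nr, cky_i, cky_r)
    # message 5: IDii + HASH_I (encrypted under SKEYID_e in real IKE; omitted here)
    hash_i = prf(ki[0], i2b(gxi) + i2b(gxr) + cky_i + cky_r + sai_b + initiator.id)
    expect_i = prf(kr[0], i2b(gxi) + i2b(gxr) + cky_i + cky_r + sai_b + initiator.id)
    if not hmac.compare_digest(hash_i, expect_i):
        return False, ki, kr                       # responder rejects the initiator
    # message 6: IDir + HASH_R, checked by the initiator
    hash_r = prf(kr[0], i2b(gxr) + i2b(gxi) + cky_r + cky_i + sai_b + responder.id)
    expect_r = prf(ki[0], i2b(gxr) + i2b(gxi) + cky_r + cky_i + sai_b + responder.id)
    return hmac.compare_digest(hash_r, expect_r), ki, kr


if __name__ == "__main__":
    psk = b"constructed demo key"
    ok, ki, kr = main_mode(Peer("A", psk, b"a.example"), Peer("B", psk, b"b.example"), b"\x00proposal")
    print("authenticated:", ok, "keys match:", ki == kr)
```

With matching pre-shared keys the two sides derive identical SKEYID_d/a/e without either key ever being sent; with mismatched keys HASH_I fails verification at the responder and the exchange stops at message 5.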

* Quick mode:

- This mode belongs to phase 2. It negotiates the SAs for the IPsec security services. Quick mode can also generate new keying material: if Perfect Forward Secrecy (PFS) was negotiated in phase 1, a fresh Diffie-Hellman exchange is performed; otherwise the new keys are derived by hashing the phase 1 keying material.

* New Group mode:

- Used to negotiate a new private group that makes the Diffie-Hellman exchange easier.


Although this mode runs after phase 1, it does not belong to phase 2.

* Besides the four common modes above there is also Informational mode. It is associated with the phase 2 exchanges and SAs and gives the parties additional information arising from failures during negotiation. For example, if decryption fails at the receiver or a signature is not verified successfully, Informational mode is used to notify the other party.

6. PF_KEY in IPsec:

6.1 Introduction:

Interoperability between different IPsec and IKE implementations is an important practical issue for the wide deployment of IPsec. Can IPsec and IKE be implemented by two different programs on the same host? That depends on the format, content and sequence of the messages exchanged between the program implementing IPsec and the program implementing IKE. PF_KEY was created as an effort to standardise this local communication and so promote IPsec-IKE interoperability.

In its most general form, PF_KEY is an application programming interface (API) between an SA negotiation application, such as IKE, and the system component that creates and accesses the SA database.

In practice an IPsec implementation usually performs two distinct functions:

_ Creating and maintaining the SAD.

_ Applying a particular SA to inbound and outbound traffic.

Creating and maintaining the SAD includes adding IPsec SAs to the SAD, retrieving SAs from the SAD and removing expired SAs from the SAD.

The PF_KEY RFC uses the term key engine for the part of IPsec that creates and maintains the SAD. Although IKE is properly called an SA negotiation application, it is more commonly called a key management or key exchange application.


6.2 Structure:

a. The PF_KEY API consists of 10 messages:

1. SADB_REGISTER: IKE sends two SADB_REGISTER messages to IPsec to announce that it can negotiate both types of IPsec SA, AH and ESP.

2. SADB_ACQUIRE: when an application sends outbound traffic that requires IPsec protection but no suitable SA exists, IPsec sends an SADB_ACQUIRE to all registered applications, including IKE.

3. SADB_GETSPI: to negotiate an IPsec SA, IKE first has to obtain an inbound SPI. The SPI is a unique key used to look up and identify an SA; it is sent in the first or second Quick mode message for the prospective IPsec SA. To make sure the SPI is unique and satisfies any local constraints, it is best for IPsec to generate all SPIs, which is the purpose of the SADB_GETSPI sent to IPsec. An IPsec SPI must be greater than 255.

4. SADB_UPDATE: once IKE has completed the IPsec SA negotiation, the larval (partial) IPsec SA in the SAD is completed. IKE sends an SADB_UPDATE to IPsec containing all the negotiated IPsec SA parameters.

5. SADB_ADD: a PF_KEY SADB_ADD is used when an SA is added to the SAD in its complete form. An SADB_ADD message, with the secret keys stripped, is then sent back by IPsec to all registered applications.

6. SADB_GET: for example, a network administrator wants to inspect the whole SAD, or a particular SA in it, periodically; a privileged application can send an SADB_GET to IPsec to request information about a specific SA.

7. SADB_DUMP: like SADB_GET, SADB_DUMP is used to display all SAs in the SAD, or all SAs of a particular type. A privileged application sends IPsec an SADB_DUMP; IPsec then returns a sequence of SADB_DUMP messages, each containing the information of one SA, to the application that issued the request.

8. SADB_EXPIRE: when the lifetime of an SA is about to run out, IPsec sends an SADB_EXPIRE to IKE to indicate that IKE should start negotiating a new SA. An SADB_EXPIRE message includes the current lifetime of the SA (time in use, bytes and packets).

9. SADB_DELETE: when an IPsec SA has expired or must be removed (because of a system fault or a security problem), IKE sends an SADB_DELETE to IPsec. The matching SA is located in the SAD by source address, destination address and SPI. IPsec deletes the SA and sends an SADB_DELETE notification to the registered applications.

10. SADB_FLUSH: just as SADB_DUMP generalises SADB_GET, SADB_FLUSH is an extended form of SADB_DELETE. It is sometimes necessary to reset the SAD by deleting all SAs of a particular type, all IPsec SAs, or every SA in the SAD regardless of type. A privileged application or a key exchange program can use SADB_FLUSH to do this. Once IPsec has deleted all the SAs concerned, it notifies all registered applications with an SADB_FLUSH.

b. Structure of a PF_KEY message:

Every PF_KEY message contains the fixed base message header, which includes the following information:

. PF_KEY message type: for example SADB_REGISTER or SADB_FLUSH.

. PF_KEY sequence number: generated by IPsec in the SADB_ACQUIRE to start a particular PF_KEY sequence, and carried in all subsequent messages of that SA creation and negotiation.

. Key management program process ID: zero if the exchange is initiated by IPsec. If the message (for example SADB_GETSPI) is initiated by a key management program and answered by IPsec, it contains the PID of the key exchange program that initiated it.

In addition to the base message header, most PF_KEY messages contain one or more extension headers. For each PF_KEY message type, extension headers are either required or optional. They include:

_ Security Association

_ Lifetime

_ Address

_ Key

_ Identity

_ Proposal

_ Supported Algorithms

_ SPI Range
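The base header and one extension header on the wire, as an added example that is not part of the original report: it builds the SADB_GETSPI request a key manager sends to IPsec (base header plus an SPI Range extension) and parses it back, enforcing the length-in-64-bit-words and 8-byte alignment rules of RFC 2367 and the rule that a usable SPI is greater than 255. The struct layouts and numeric constants are those of RFC 2367 (PF_KEY version 2); the sequence number and PID values are constructed.

```python
import struct

PF_KEY_V2 = 2
# message types (RFC 2367 section 2.3)
SADB_GETSPI, SADB_UPDATE, SADB_ADD, SADB_DELETE, SADB_GET = 1, 2, 3, 4, 5
SADB_ACQUIRE, SADB_REGISTER, SADB_EXPIRE, SADB_FLUSH, SADB_DUMP = 6, 7, 8, 9, 10
SADB_SATYPE_AH, SADB_SATYPE_ESP = 2, 3
SADB_EXT_SPIRANGE = 16

# PF_KEY structures are in host byte order; "=" gives native order with no padding.
SADB_MSG = struct.Struct("=BBBBHHII")    # version, type, errno, satype, len (64-bit words), reserved, seq, pid
SADB_SPIRANGE = struct.Struct("=HHIII")  # len (64-bit words), exttype, min, max, reserved


def spi_ok(spi: int) -> bool:
    """SPIs 0-255 are reserved; a usable IPsec SPI must be greater than 255."""
    return 255 < spi <= 0xFFFFFFFF


def build_getspi(satype: int, seq: int, pid: int, spi_min: int = 256, spi_max: int = 0xFFFFFFFF) -> bytes:
    """SADB_GETSPI from a key manager (pid != 0) asking IPsec for an SPI in [spi_min, spi_max]."""
    if not (spi_ok(spi_min) and spi_ok(spi_max) and spi_min <= spi_max):
        raise ValueError("SPI range must lie within 256..0xFFFFFFFF")
    ext = SADB_SPIRANGE.pack(SADB_SPIRANGE.size // 8, SADB_EXT_SPIRANGE, spi_min, spi_max, 0)
    total_words = (SADB_MSG.size + len(ext)) // 8
    hdr = SADB_MSG.pack(PF_KEY_V2, SADB_GETSPI, 0, satype, total_words, 0, seq, pid)
    return hdr + ext


def parse_pfkey(msg: bytes):
    """Parse the base header and walk the extension chain; raises ValueError on malformed input."""
    if len(msg) < SADB_MSG.size or len(msg) % 8:
        raise ValueError("message must be at least 16 bytes and a multiple of 8")
    version, mtype, errno, satype, length, _, seq, pid = SADB_MSG.unpack_from(msg, 0)
    if version != PF_KEY_V2 or length * 8 != len(msg):
        raise ValueError("bad version or length field")
    exts, off = [], SADB_MSG.size
    while off < len(msg):
        ext_len, ext_type = struct.unpack_from("=HH", msg, off)
        nbytes = ext_len * 8
        if nbytes < 8 or off + nbytes > len(msg):
            raise ValueError("extension length out of range")
        if ext_type == SADB_EXT_SPIRANGE:
            _, _, lo, hi, _ = SADB_SPIRANGE.unpack_from(msg, off)
            exts.append(("SPIRANGE", lo, hi))
        else:
            exts.append(("EXT", ext_type))   # other extensions are only skipped in this demo
        off += nbytes
    hdr = {"type": mtype, "errno": errno, "satype": satype, "len": length, "seq": seq, "pid": pid}
    return hdr, exts


def pfkey_valid(msg: bytes) -> bool:
    try:
        parse_pfkey(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    m = build_getspi(SADB_SATYPE_ESP, seq=7, pid=4242)   # seq and pid are constructed values
    print(m.hex())
    print(parse_pfkey(m))
```

A truncated message, or one whose length field does not agree with the byte count, is rejected before any extension is interpreted; the same check belongs in any daemon that reads PF_KEY messages from a socket.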

7. Purpose, advantages and disadvantages of IPsec

a. Purpose of IPsec:


IPsec is used to secure data transferred across a network. The administrator defines a policy consisting of filters that specify which kinds of traffic require encryption, digital signing, or both. Every packet the computer sends is then checked against the conditions of the policy. The process is transparent to the user.

b. Advantages of IPsec:

The main advantage of IPsec is that it provides encryption for every protocol operating at layer 3 (the network layer of the OSI model), and therefore for all higher-layer protocols as well.

It can provide:

- Mutual authentication before and during communication.

- Confidentiality through encryption and digital signing of packets. IPsec has two protocols for this: ESP provides encryption with a choice of algorithms, and AH authenticates the transferred data without encrypting it.

- Integrity of IP traffic, by discarding traffic that has been modified. Both ESP and AH can verify the integrity of all IP traffic. If a packet has been modified, the signature (integrity check value) no longer matches and the packet is discarded.

- Prevention of replay attacks. IPsec assigns consecutive sequence numbers to its packets so that an attacker cannot reuse captured packets to gain unauthorised access. The sequence numbers also protect against information captured by interception being replayed later for unauthorised access.
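Both halves of the anti-replay service mentioned above (and used at step 2 of the inbound ESP processing in 4.6), as an added example that is not part of the original report: the sender's 32-bit sequence counter, which must never wrap, and the receiver's sliding window in the form given in RFC 2401 Appendix C, where a bitmap records which of the last 64 sequence numbers have already been accepted. The sequence of received numbers used in the demo is constructed.

```python
class SequenceCounter:
    """Sender side: ESP and AH sequence numbers are 32-bit, start at 1 and must never wrap;
    the SA has to be re-keyed before 2**32 - 1 is reached."""
    MAX = 2**32 - 1

    def __init__(self, start: int = 0):
        self.value = start

    def next(self) -> int:
        if self.value >= self.MAX:
            raise OverflowError("sequence number exhausted: negotiate a new SA")
        self.value += 1
        return self.value


def can_send(counter: SequenceCounter) -> bool:
    """True if the counter still had a number to assign (and assigns it), False if the SA is exhausted."""
    try:
        counter.next()
        return True
    except OverflowError:
        return False


class ReplayWindow:
    """Receiver side: sliding window over the last `size` sequence numbers.
    last is the right edge; bit i of bitmap is set if sequence number (last - i) was accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False (drop).
        In real processing the ICV must verify before the window is updated."""
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.last:                    # advances the window to the right
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size: # too old: left of the window
            return False
        if self.bitmap & (1 << diff):          # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def filter_replays(seqs, size: int = 64):
    """Apply one window to a sequence of received sequence numbers; return the accepted ones."""
    window = ReplayWindow(size)
    return [s for s in seqs if window.check_and_update(s)]


if __name__ == "__main__":
    # constructed arrival order: reordering (3 after 5) is tolerated, duplicates and stale packets are not
    print(filter_replays([1, 5, 5, 3, 3, 100, 36, 37, 0]))
```

Out-of-order delivery inside the window (sequence number 3 arriving after 5) is accepted, while a duplicate, a packet older than the window (36 when the right edge is 100) and sequence number 0 are dropped; on the sending side the counter refuses to hand out a number once 2**32 - 1 has been used, which is the point at which a new SA must be negotiated.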

Example of using IPsec: transferring information over a network is convenient, but it comes with worrying risks that can damage an organisation's operations. Each organisation therefore needs a tightly secured system for important information such as employee records, financial reports or marketing plans. In such a case IPsec should be used to secure the network communication: IPsec policies can be created for the computers that connect to the server holding the important data, and the IPsec policy protects the organisation's data against outside threats.

c. Disadvantages of IPsec:

Applying IPsec to VPNs gives an IPsec VPN; using SSL (another security protocol that is gaining attention because of the conveniences it offers) in a VPN gives an SSL VPN. Comparing IPsec VPN with SSL VPN shows the disadvantages of IPsec when it is applied to the particular case of a virtual private network.


Comparison of IPsec VPN and SSL VPN, by aspect:

- Connection and access type. IPsec VPN: site-to-site; links that need high bandwidth, high performance, large data volumes, and continuous, fixed connections. SSL VPN: mobile and temporary; access to centralised resources from scattered locations.

- Required software. IPsec VPN: client software must be installed on each desktop or laptop, which limits user mobility (no VPN connection is possible without the installed IPsec client) and raises the cost of administration and configuration. SSL VPN: any operating system with an SSL-capable browser can connect.

- Firewall and NAT compatibility. IPsec VPN: not compatible as originally specified (AH cannot traverse NAT at all; ESP needs NAT traversal, the UDP encapsulation of RFC 3947/3948, which Windows Server 2003 supports). SSL VPN: compatible.

- Encryption. IPsec VPN: RC5, DES, 3DES. SSL VPN: RC4, DES, 3DES.

- Authentication. IPsec VPN: RADIUS, Active Directory, RSA SecurID. SSL VPN: RADIUS, Active Directory, RSA SecurID.

- Applications. IPsec VPN: all applications running over IP. SSL VPN: web-based applications, plus some applications such as e-mail, Terminal Services and CIFS.

- Security level: the same for both.

- Access control. IPsec VPN: not granular. SSL VPN: granular access control.

8. Deploying IPsec:

8.1 Security actions:


Microsoft's IPsec implementation supports four security actions, which let the system set up secure exchanges between machines:

- Block: blocks the matching packets.

- Encrypt: encrypts the transmitted packets. IPsec uses the ESP protocol to encrypt the data.

- Sign: signs the transmitted packets. IPsec does this with the AH protocol.

- Permit: lets the packets through; it is used to create exceptions to restrictive rules.

8.2 Authentication methods supported by Microsoft:

- Kerberos: applicable only between machines in the same Active Directory domain (or in domains that trust each other).

- Certificate: uses PKI (public key infrastructure) certificates to identify a machine.

- Agreed-upon key: a pre-shared key, which lets an ordinary character string be used as the key. The string is stored in the policy in readable form, so Microsoft recommends it only for testing and interoperability, not for production.

8.3 IPsec policy:

- IPsec is deployed by defining policies. Each policy contains a number of rules and an authentication method. Each rule consists of one or more filters and one or more security actions. Only one IPsec policy can be active (assigned) on a machine at any time.

- The default policies:

+ Client (Respond Only): the computer never initiates IPsec, and uses it only when the peer requests it. This policy has one rule, called Default Response, which lets the host respond to requests for ESP from hosts in trusted Active Directory domains.

+ Server (Request Security): the server always tries to initiate IPsec when establishing a connection with another machine, but if the client cannot use IPsec the server still accepts the connection.

This policy has three rules:

Default Response.

All ICMP Traffic: ICMP is the maintenance protocol of TCP/IP, used for error reporting and simple connectivity checks; this rule permits it.


All IP Traffic: requests ESP for all IP traffic.

+ Secure Server (Require Security): no data exchange with this server is allowed without IPsec.

8.4 How IPsec works:

IPsec can be configured through the local security policy or deployed broadly through Active Directory Group Policy (GPO).

- Suppose there are two machines, A and B, and an IPsec policy is configured on both. Once configured, the IPsec policy tells the IPsec driver how to operate and how to determine the security associations between the two machines when a connection is established.

The security associations determine which protection protocols are used for which kinds of traffic and which authentication methods are negotiated.

- A security association is negotiated, and IKE is responsible for negotiating it. IKE combines two protocols: the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley Key Determination Protocol. If machine A requires certificate authentication and machine B requires Kerberos, IKE cannot establish a security association between them. Watching the traffic with Network Monitor in that case shows no AH or ESP packets, because IPsec communication was never established; only ISAKMP packets are seen.

- If a security association has been established between the two machines, the IPsec driver observes all IP traffic, compares it with the traffic defined in the filters, and if there is a match the traffic is encrypted or digitally signed.
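How a policy's rules, filters and actions combine into a per-packet decision, as an added example that is not part of the original report and not Microsoft's code. It models the three built-in policies from 8.3 and the two properties of the Windows filter engine that decide the outcome: the most specific matching filter wins, and a Negotiate action either falls back to clear traffic when the peer has no IPsec (the "Server (Request Security)" behaviour) or drops it ("Secure Server (Require Security)"). The built-in Secure Server policy also carries the All ICMP Traffic permit rule. The addresses and packets are constructed; "me" in a filter stands for the local address, as in the Windows filter dialog.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None   # wildcard in a filter field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "TCP", "UDP", "ICMP", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    src: Optional[str] = ANY        # "me" matches the local address
    dst: Optional[str] = ANY
    proto: Optional[str] = ANY
    dst_port: Optional[int] = ANY
    mirrored: bool = True           # also match the reply direction (src and dst swapped)

    def matches(self, pkt: Packet, me: str) -> bool:
        def addr(want, actual):
            return want is ANY or (want == "me" and actual == me) or want == actual
        fwd = addr(self.src, pkt.src) and addr(self.dst, pkt.dst)
        rev = self.mirrored and addr(self.src, pkt.dst) and addr(self.dst, pkt.src)
        proto_ok = self.proto is ANY or self.proto == pkt.proto
        port_ok = self.dst_port is ANY or self.dst_port == pkt.dst_port
        return (fwd or rev) and proto_ok and port_ok

    def specificity(self) -> int:
        """More non-wildcard fields means a more specific filter, which takes precedence."""
        return sum(f is not ANY for f in (self.src, self.dst, self.proto, self.dst_port))


@dataclass
class Rule:
    name: str
    filters: list
    action: str                      # "Permit", "Block" or "Negotiate"
    fallback_to_clear: bool = False  # Negotiate only: allow unsecured traffic with non-IPsec peers


@dataclass
class Policy:
    name: str
    rules: list


def select_rule(policy: Policy, pkt: Packet, me: str) -> Optional[Rule]:
    """The rule owning the most specific matching filter applies; no match means no IPsec."""
    best, best_score = None, -1
    for rule in policy.rules:
        for flt in rule.filters:
            if flt.matches(pkt, me) and flt.specificity() > best_score:
                best, best_score = rule, flt.specificity()
    return best


def decide(policy: Policy, pkt: Packet, me: str, peer_has_ipsec: bool) -> str:
    """Returns "clear", "ipsec" or "drop" for one packet."""
    rule = select_rule(policy, pkt, me)
    if rule is None or rule.action == "Permit":
        return "clear"
    if rule.action == "Block":
        return "drop"
    if peer_has_ipsec:
        return "ipsec"
    return "clear" if rule.fallback_to_clear else "drop"


# The three built-in policies, reduced to the rules described above (Default Response omitted:
# it only answers a peer's request and never changes an outbound decision).
ALL_IP = [Filter(src="me", dst=ANY)]
ALL_ICMP = [Filter(src="me", dst=ANY, proto="ICMP")]
CLIENT = Policy("Client (Respond Only)", [])
SERVER = Policy("Server (Request Security)", [
    Rule("All ICMP Traffic", ALL_ICMP, "Permit"),
    Rule("All IP Traffic", ALL_IP, "Negotiate", fallback_to_clear=True),
])
SECURE_SERVER = Policy("Secure Server (Require Security)", [
    Rule("All ICMP Traffic", ALL_ICMP, "Permit"),
    Rule("All IP Traffic", ALL_IP, "Negotiate", fallback_to_clear=False),
])

if __name__ == "__main__":
    me = "10.0.0.1"                                        # constructed addresses
    web = Packet("10.0.0.1", "10.0.0.2", "TCP", 80)
    for pol in (CLIENT, SERVER, SECURE_SERVER):
        print(pol.name, decide(pol, web, me, peer_has_ipsec=False))
```

The same HTTP packet to a peer without IPsec goes out in the clear under Client and Server, and is dropped under Secure Server; an inbound ping matches the more specific ICMP filter and is permitted under all three, which is why the ICMP exception rule has to exist in the Require Security policy at all.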

III. Deploying an IPsec/VPN system on Windows Server 2003

1. Model:

The model uses three machines: one domain controller (DC), one VPN server and one VPN client. IPsec is configured on the DC and on the VPN client, so that the data exchanged between these two machines is encrypted.

2. Steps:

- Machine 1: install Windows Server 2003, then promote it to a DC.

- Machine 2: install Windows Server 2003, join it to the domain and configure it as the VPN server.

- Machine 3: install Windows XP, then create a VPN connection to the domain.

- Install the Network Monitor tool on the VPN server to capture the traffic.

- Configure IPsec on the DC and on the VPN client; the configuration is the same on both.

* Promoting machine 1 to a Domain Controller (DC)

- Start > Run, type dcpromo


- The Active Directory Installation Wizard dialog appears; click Next > Operating System Compatibility dialog, click Next

- Domain Controller Type dialog

- Create New Domain dialog


- New Domain Name dialog

- Leave the remaining dialogs at their defaults

* Join the VPN server to the domain (performed on machine 2)

- Right-click My Computer > Properties > Computer Name tab > Change > select Domain


- The server prompts for a domain user account with administrative rights

- Then restart the machine

* Configure the VPN server: on machine 2 open Routing and Remote Access

- Start > Programs > Administrative Tools > Routing and Remote Access


- Activate the VPN server by right-clicking the server name and choosing Configure and Enable Routing and Remote Access

- Select Custom configuration

- Check VPN access > Next > Finish


- Configure the IP addresses assigned to VPN clients when they connect

Right-click DC2 > Properties

IP tab > Static address pool > Add

Security tab > check Allow custom IPSec policy for L2TP connection


* Configure the VPN client

- Right-click My Network Places > Properties > Create a new connection > Next

- Network Connection Type dialog

- Network Connection dialog

- Connection Name dialog > VPN

- VPN Server Selection dialog


- Then Next > Finish

- Connect VPN dialog: enter an account that the DC permits to connect through the VPN

- VPN Properties dialog:

Security tab > click the IPSec Settings button


Networking tab > Type of VPN > L2TP IPSec VPN

* Install Network Monitor Tool on the VPN server

Start > Settings > Control Panel > Add/Remove Programs > Add/Remove Windows Components > check Management and Monitoring Tools > Details > check Network Monitor Tools > OK > Next


* Configure IPsec on the DC and the VPN client (same steps on both)

- On the DC: Start > Programs > Administrative Tools > Domain Controller Security Settings

- Right-click IP Security Policies... > Create IP Security Policy > Next

- IP Security Policy Name dialog


- Request for Secure Communication dialog > uncheck Activate the default response rule

- Test Properties dialog > Add


- Welcome window, click Next > Tunnel Endpoint window, select This rule does not specify a tunnel > Next

- Network Type dialog


- IP Filter List dialog

- Filter Action dialog


- Authentication Method dialog

- On the client: Start > Run > mmc > in the Console1 window, File menu > Add/Remove Snap-in > Add > select IP Security Policy Management > Add > Finish


Then repeat the same steps as on the DC

* On the DC and the VPN client, assign the Test policy
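As an added example, not part of the original report, the same Test policy that the GUI steps above build can be created from the command line on the Windows Server 2003 DC with netsh ipsec static, and the resulting security associations can be listed afterwards. The DC address 192.168.1.1 comes from the report; the client address 192.168.1.10, the filter list and action names, the 3DES/SHA1 ESP choice and Kerberos authentication are assumptions.

```batch
@echo off
rem Added example: scripted equivalent of the GUI IPsec policy on the DC.
rem Assumptions: DC is 192.168.1.1 (from the report), the VPN client is
rem 192.168.1.10 (constructed), both are domain members so Kerberos is used.

rem 1. Policy "Test" with the default response rule disabled
rem    (the report's "uncheck Activate the default response rule").
netsh ipsec static add policy name="Test" description="IPsec between DC and VPN client" activatedefaultrule=no

rem 2. Filter list: all traffic between the DC and the VPN client,
rem    mirrored so the reverse direction is matched as well.
netsh ipsec static add filterlist name="DC-VPNClient"
netsh ipsec static add filter filterlist="DC-VPNClient" srcaddr=192.168.1.1 dstaddr=192.168.1.10 protocol=ANY mirrored=yes

rem 3. Filter action: negotiate security and require ESP (3DES/SHA1);
rem    soft=no forbids falling back to clear text, inpass=no refuses
rem    unsecured inbound traffic from this peer.
netsh ipsec static add filteraction name="RequireESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" soft=no inpass=no

rem 4. Rule tying the list and the action together; no tunnel endpoint
rem    ("This rule does not specify a tunnel"), all connection types.
netsh ipsec static add rule name="DC-VPNClient-Rule" policy="Test" filterlist="DC-VPNClient" filteraction="RequireESP" conntype=all kerberos=yes

rem 5. Assign the policy (the report's "assign policy Test").
netsh ipsec static set policy name="Test" assign=y

rem 6. Verify: generate traffic, then list the negotiated SAs. Before the
rem    first ping only ISAKMP (UDP 500) is on the wire; once the main-mode
rem    and quick-mode SAs exist, the ICMP is carried inside ESP.
ping -n 4 192.168.1.10
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

Run the script on the Server 2003 DC; the XP client in the report is configured through the MMC snap-in as described, with the same filter mirrored from its side.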

* Capture the traffic

- On the VPN server open Network Monitor > Capture > Start

- On the VPN client ping the DC's address: Start > Run > cmd > ping 192.168.1.1


- On the VPN server return to Network Monitor

Capture > Stop and View > double-click the row whose Protocol is ESP > ESP

The data on the wire is seen to be encrypted

IV. References:

- Book: Demystifying the IPsec Puzzle, Sheila Frankel


- Lecture slides by Mr. Lê Phúc.