
Table of Contents

A. Project overview ... 4
B. Structure of the project ... 5
I. Network security overview ... 6
  1. Network security objectives ... 6
  2. Attack methods ... 6
    2.1 Virus ... 6
    2.2 Worm ... 7
    2.3 Trojan horse ... 7
    2.4 Denial of service ... 8
    2.5 Distributed Denial-of-Service ... 8
    2.6 Spyware ... 9
    2.7 Phishing ... 9
    2.8 Relying on the human factor ... 10
  3. Network security policies ... 10
    3.1 Written security policies ... 10
    3.2 Management-access policy ... 13
    3.3 Filtering policy ... 13
    3.4 Routing policy ... 14
    3.5 Remote-access/VPN policy ... 14
    3.6 Monitoring/logging policy ... 15
    3.7 DMZ policy ... 15
    3.8 Commonly applicable policies ... 16
II. Radius ... 17
  1. Radius overview ... 17
    1.1 AAA ... 17
      1.1.1 Authentication ... 17
      1.1.2 Authorization ... 17
      1.1.3 Accounting ... 18
    1.2 Key points of the AAA architecture ... 18
  2. RADIUS architecture ... 21
    2.1 UDP or TCP ... 21
    2.2 RADIUS packet format ... 23
      2.2.1 Code ... 23
      2.2.2 Identifier ... 24
      2.2.3 Length ... 24
      2.2.4 Authenticator ... 25
    2.3 Packet types ... 25
      2.3.1 Access-Request ... 25
      2.3.2 Access-Accept ... 26
      2.3.3 Access-Reject ... 27
      2.3.4 Access-Challenge ... 28
      2.3.5 Accounting-Request ... 29
      2.3.6 Accounting-Response ... 30
    2.4 Shared secret ... 31
    2.5 Attributes and values ... 32
      2.5.1 Attributes ... 32
      2.5.2 Values ... 35
  3. Operation ... 36
    3.1 The access process ... 36
    3.2 The accounting process ... 39
  4. RFCs ... 40
    4.1 Origins ... 40
    4.2 Table of RFCs ... 40
    4.3.2 RFC 2866 ... 42
    4.3.3 RFC 2867 ... 43
    4.3.4 RFC 2868 ... 44
    4.3.5 RFC 2869 ... 45
III. ASA ... 46
  1. History ... 46
  2. Cisco firewall products ... 47
  3. Network access control (NAC) ... 47
    3.1 Packet Filtering ... 47
    3.2 Content and URL Filtering ... 50
      3.2.1 Content Filtering ... 50
      3.2.2 ActiveX Filtering ... 51
    3.3 Address translation ... 51
      3.3.1 Network Address Translation (NAT) ... 51
      3.3.2 Port Address Translation (PAT) ... 52
  4. AAA protocols and services supported by Cisco ASA ... 52
    4.1 Remote Authentication Dial-In User Service (Radius) ... 53
    4.2 TACACS format and header values ... 56
    4.3 RSA SecurID (SID) ... 58
    4.4 Win NT ... 59
    4.5 Kerberos ... 59
    4.6 Lightweight Directory Access Protocol (LDAP) ... 60
  5. Application inspection ... 62
  6. Failover and redundancy ... 62
    6.1 Failover architecture ... 62
    6.2 Failover trigger conditions ... 63
    6.3 Failover states ... 64
  7. Quality of service (QoS) ... 64
    7.1 Traffic Policing ... 65
    7.2 Traffic Prioritization ... 66
  8. Intrusion detection (IDS) ... 66
    8.1 Network-based intrusion detection systems (NIDS) ... 67
      8.1.1 Advantages of Network-Based IDSs ... 68
      8.1.2 Limitations of Network-Based IDSs ... 68
    8.2 Host-based intrusion detection systems (HIDS) ... 69
      8.2.1 Advantages of HIDS ... 70
      8.2.2 Limitations of HIDS ... 70
IV. Simulation ... 70
  1. Objectives of the simulation ... 70
  2. Simulation model ... 71
  3. Tools required for the simulation ... 71
  4. Simulation steps ... 71
  5. Results achieved ... 80
V. GENERAL CONCLUSION ... 81
VI. FUTURE DEVELOPMENT OF THE PROJECT ... 82

Supervisor (GVHD): MSc. Nguyn c Quang. Students (SVTH): Nguyn c Nguyn Long (student ID 106102078), L Hong Long (student ID 106102079).

List of figures


A. Project overview
Objectives of studying the ASA firewall:
- The research strengthens the ability to learn, investigate and do research independently.
- Study the ASA firewall system.
- Deploying a system that detects and blocks traffic entering and leaving the network is a necessity for businesses that need to protect their systems against unauthorized intrusion. As the Internet develops and people's knowledge deepens, intrusions into and sabotage of company networks have grown substantially along with it.
- This research serves the field of system security.
- The ASA (Adaptive Security Appliance) is Cisco's most powerful and most popular all-in-one firewall appliance today. The goal of this project is therefore to study and understand how it works, how it is configured, and how it is applied to securing a network. The expected outcome of studying this device is an understanding of how it operates and the ability to deploy it in any network.
- Study the AAA server.
- Study how to organize the monitoring of end-user activity, such as when a user's session starts and ends (accounting). Security is a very important issue. With this level of control, security and network administration are easy to set up. Roles can be defined to give users exactly the commands they need to complete their tasks, and changes in the network can be tracked. With the ability to log events, adjustments can be made to suit each requirement. All of these components are needed to keep the network safe and secure. With the information collected, the updates that will be needed over time can be predicted. Requirements such as data security, increased bandwidth and the monitoring of network problems are addressed through the AAA server.


B. Structure of the project.
The project is divided into 6 parts.
I. Network security overview: This chapter describes network security threats and the security policies that make data protection effective by reducing risk or detecting attacks.
II. Radius: This chapter describes the authentication, authorization and accounting techniques used to achieve a high level of network security and integrity and to prevent data loss.
III. ASA: This chapter introduces the Cisco ASA firewall and the techniques applied to the firewall.
IV. Simulation: This chapter describes the implementation of Cisco ASA in a concrete network model to demonstrate its practicality and verify the theory of this project, detailing the experimental process.
V. General conclusion: This chapter presents the results of the project, what was accomplished, and the limitations and difficulties that could not be resolved.
VI. Future development of the project.


I. Network security overview:


1. Network security objectives
The ever-growing use of the Internet, driven by the convenience it brings, also brings many lurking dangers from network hackers. Keeping users safe while they work on the network is the primary goal of network security:
- Ensure the internal network is not accessed without authorization.
- Important documents and information are not leaked or lost.
- Services are delivered promptly, without delay or failure.
- Online transactions are carried out exactly as the user requested.
- Users working on the network are not impersonated or defrauded.

2. Attack methods


- Virus
- Worm
- Trojan
- Denial of service
- Distributed denial of service
- Zombies
- Spyware
- Phishing
- Relying on the human factor

2.1 Virus
A computer virus is designed to attack a computer and often damages other computers and network devices. A virus is commonly an e-mail attachment, and opening the attachment causes executable code to run and the virus to replicate. A virus must be executed, or run in memory, in order to run and search for other programs or hosts to infect and spread to. As its name suggests, a virus needs a host, such as a spreadsheet or an e-mail attachment, in order to infect and replicate. Viruses have several common effects. Some viruses are benign and merely notify their victims that they are infected. Malicious viruses cause damage by deleting files or otherwise corrupting infected computers that hold digital assets such as images, documents, passwords and financial reports.

2.2 Worm
A worm is a malicious program that scans other computers for weaknesses or security holes, exploits those weaknesses and replicates. A worm can replicate independently and very quickly. Worms differ from viruses in two main ways. A virus needs a host to attach to and execute from, whereas a worm does not require a host. Viruses and worms also tend to cause different kinds of damage. Viruses, once resident in memory, typically delete and modify important files on the infected computer. Worms, on the other hand, tend to be network-centric rather than computer-centric. Worms can replicate rapidly by initiating network connections to spread and by sending large amounts of data. Worms can also carry a passenger, or data payload, that can reduce a target computer to the state of a zombie. A zombie is a computer that has been compromised and is now controlled by network attackers. Zombies are commonly used to launch further network attacks. A large collection of zombies under an attacker's control is called a "botnet". Botnets can grow quite large; botnets of more than 100,000 zombie computers have been identified.

2.3 Trojan horse


A Trojan horse, or Trojan, is malicious software that attempts to disguise itself as a trusted application such as a game or screen saver. Once a trusting user tries to access what appears to be a harmless game or screen saver, the Trojan can begin harmful activity such as deleting files or reformatting a hard disk. Trojans generally do not replicate themselves. Network attackers try to use popular applications, such as Apple's iTunes, to deploy a Trojan. For example, a network attack sends an e-mail with a link that purports to download a free iTunes song. The Trojan then opens a connection to an external web server and begins an attack once the user tries to download the apparently free song.

2.4 Denial of service.


A denial-of-service (DoS) attack is a network attack that results in service being denied by a requested application, such as a web server. There are several mechanisms for generating a DoS attack. The simplest method is to generate a large volume of what appears to be valid network traffic. This type of network DoS attack tries to saturate the network paths so that legitimate use cannot get through the network connection. This common type of DoS usually needs to be distributed, however, because it typically requires more than one source to generate the attack. A DoS attack can also take advantage of the fact that target systems such as servers must maintain state information and may have buffer sizes and expected packet contents for particular applications. A DoS attack can exploit this by sending packets with size and data values that the receiving application does not expect. Several types of DoS attack exist, including the Teardrop and Ping of Death attacks, which send crafted network packets that differ from what the application expects and can crash the application and the host. Such DoS attacks against an unprotected server, such as an e-commerce server, can cause the server to fail and prevent additional users from adding items to their shopping carts.

2.5. Distributed Denial-of-Service


A DDoS attack is similar in intent to a DoS attack, except that a DDoS attack originates from multiple attacking sources. Besides increasing the volume of network traffic from the many distributed attackers, a DDoS attack also presents the challenge of requiring the network defenses to identify and block every one of the distributed attackers.

2.6. Spyware
Spyware is a class of software applications that can take part in a network attack. Spyware is an application that installs itself and stays hidden on the target computer or laptop. Once the spyware application has been covertly installed, it captures information about what the user is doing with the computer. The captured information can include web sites visited, e-mails sent and passwords used. Attackers can use the captured passwords and information to get into the network and launch a network attack. Besides being used directly in a network attack, spyware can also be used to gather information that is then sold covertly. Once purchased, that information can be "data-mined" by another attacker for use in planning another network attack.

2.7. Phishing
Phishing is a type of network attack that usually begins by sending e-mail to unsuspecting users. The fraudulent e-mail tries to look like a legitimate e-mail from a known and trusted organization such as a bank or e-commerce web site. The fake e-mail tries to convince the user that something has happened, such as suspicious activity on their account, and that the user must follow the link in the e-mail and log in to the site to view their account information. The link in the e-mail usually leads to a fake copy of the real bank or e-commerce site, with the same look and feel as the real site. Phishing attacks are designed to trick users into providing valuable information such as their usernames and passwords.

2.8. Relying on the human factor


An attacker can contact a system administrator while posing as a user, asking to change a password, change his or her access rights to the system, or even change some system configuration in order to carry out other attack methods. No device can effectively prevent this kind of attack; the only defense is to educate internal network users about security requirements so that they stay alert to suspicious events. In general, the human factor is a weak point in any protection system, and only education combined with cooperation from the users can raise the safety of the protection system.

3. Network security policies


Two forms of security policy relate to the firewall:
- Written security policies (sometimes called information security policies) define the security objectives of the organization (including its firewalls).
- Management and source/destination filtering policies (sometimes called firewall policies or firewall rulesets) define the actual configuration of the device.

3.1. Written security policies


Written security policies exist to provide a high-level roadmap of what must be done to ensure that the organization has a well-defined and well thought out security strategy. It is a common misconception that an organization has a single security policy. In reality, an organization's overall security policy typically consists of many individual security policies, each written to address a specific objective, device or product.

The goal of a security policy is to define what needs to be protected, who is responsible for protecting it and, in some cases, how that protection is to be carried out. This last function is often split out into a separate procedural document, such as source filtering, destination filtering or management access. In short, a simple and precise security policy should spell out the specific requirements, rules and objectives that must be met, providing a measurable way of verifying the organization's security posture. To help ensure that security policies achieve this, think of the firewall in terms of security layers, each layer having a specific area of operation. Figure 1-1 illustrates the layers of the firewall. As the figure shows, the firewall is divided into four distinct components.

[Figure 1-1: concentric layers, from the center outward: firewall physical integrity; static firewall configuration; dynamic firewall configuration; network traffic through the firewall. Concerns at each layer: physical access; management access; software upgrades; configuration files; routing protocols; access to the networks the firewall protects.]

Figure 1-1: Firewall security layers.

At the center is the firewall physical integrity layer, which is mainly concerned with physical access to the firewall: securing physical access to the device, for example through a console port connection. The next layer is the static firewall configuration, which is mainly concerned with access to the firewall's statically configured running software (for example, the PIX operating system and the startup configuration). At this layer the security policy needs to focus on defining the restrictions required to limit management access, including who performs software updates and firewall configuration. The third layer is the dynamic firewall configuration, which complements the static configuration by being concerned with the dynamic configuration of the firewall through technologies such as routing protocols, ARP commands, interface and device status, auditing, logging and command-line operations. The goal of the security policy at this point is to define the requirements around which kinds of dynamic configuration will be allowed. Finally, there is the network traffic through the firewall, which is really what the firewall exists to protect: the resources. This layer is concerned with functions such as ACLs and proxy service information. The security policy at this layer is responsible for defining the requirements as they relate to traffic passing through the firewall.

Security policy format: To accomplish the objectives defined above, most security policies follow a specific format or layout and share common elements. In general, most security policies share seven sections:
- Overview: a brief explanation of what the policy addresses.
- Purpose: why the policy is needed.
- Scope: what the policy applies to and who is responsible for the policy.
- Policy: the actual policy itself.
- Enforcement: how the policy is to be enforced and the consequences of not following it.
- Definitions: definitions of the terms or concepts used in the policy.
- Revision history: where changes to the policy are recorded and tracked.

Every organization has its own security requirements and therefore its own unique security policies. However, most if not all environments require some common security policies, including:
- Management-access policy
- Filtering policy
- Routing policy
- Remote-access/VPN policy
- Monitoring/logging policy
- Demilitarized zone (DMZ) policy
- Commonly applicable policies

3.2. Management-access policy:


The management-access policy exists to define the methods by which management access to the firewall is allowed and how it is carried out. This policy tends to address the firewall physical integrity and static firewall configuration security layers. The management-access policy needs to define which remote management protocols and tools will be allowed, as well as which users may connect to the firewall and what tasks they are permitted to perform. In addition, the management-access policy needs to define the requirements for management protocols such as Network Time Protocol (NTP), syslog, TFTP, FTP, Simple Network Management Protocol (SNMP) and any other protocol that may be used to manage and maintain the device.

3.3. Filtering policy:


Rather than defining the actual ruleset the firewall will use, the filtering policy needs to specify exactly which types of filtering must be used and where the filtering is applied. This policy tends to address the static firewall configuration and, in detail, the network-traffic-through-the-firewall layer. For example, a good filtering policy should require that both ingress and egress filtering be implemented on the firewall. The filtering policy also needs to define the general requirements for connecting networks of different security levels and sources. For example, with a DMZ, different filtering requirements may be needed depending on the direction of the traffic, and it is the role of the filtering policy to define those requirements.

3.4. Routing policy:


The routing policy is usually not a firewall-centric document. However, with more complex perimeter designs and the growing use of firewalls in internal networks, the firewall can easily become part of the routing infrastructure. The routing policy should have a section that specifically covers including a firewall in the routing infrastructure and defines the methods by which routing will occur. This policy tends to address the static firewall configuration and dynamic firewall configuration layers. In most cases, the routing policy should explicitly prohibit the firewall from sharing the internal network's routing table with any external source. Likewise, the routing policy needs to define the circumstances in which dynamic routing protocols and static routes are appropriate. The policy should also define any protocol-specific security mechanisms that must be configured (for example, the use of hashing algorithms to ensure that only authenticated nodes can exchange routing data).

3.5. Remote-access/VPN policy


In today's converged landscape, the difference between firewalls and VPN concentrators is becoming increasingly blurred. Most of the major firewalls on the market can serve as VPN termination points, so the remote-access/VPN policy needs to define the level of encryption and authentication that a VPN connection will require. In many cases the VPN policy works together with the organization's encryption policy to define the overall VPN method that will be used. This policy tends to address the static firewall configuration and network-traffic-through-the-firewall layers. The remote-access/VPN policy also needs to define which protocols will be used: IP Security (IPsec), Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP). In most cases IPsec is used exclusively. Assuming IPsec, the remote-access/VPN policy needs to require the use of preshared keys and extended authentication, and, for the most secure environments, certificates, one-time passwords and a Public Key Infrastructure (PKI). Likewise, the remote-access/VPN policy should define which clients will be used (that is, the built-in Microsoft VPN client, the Cisco Secure VPN Client, and so on). Finally, the remote-access/VPN policy needs to define the types of access and resources that will be made available to remote connections and the types of remote connections that will be allowed.

3.6. Monitoring/logging policy:


One of the most important factors in ensuring that a firewall provides the expected level of security is implementing a firewall monitoring system. The monitoring/logging policy defines the methods and level of monitoring to be performed. At a minimum, the monitoring/logging policy should provide a mechanism for tracking firewall performance as well as the occurrence of all security-related events and the logging levels. This policy tends to address the static firewall configuration layer. The monitoring/logging policy should also define how the information must be collected, retained and reported. In many cases this information can be used to define the requirements for third-party management and monitoring applications such as CiscoWorks, NetIQ Security Manager or Kiwi Syslog Daemon.

3.7. DMZ policy:


The DMZ policy is a wide-ranging document that defines all elements of not only the DMZ itself but also the devices in the DMZ. The goal of the DMZ policy is to define the standards and requirements of all devices, connections and traffic as they relate to the DMZ. This policy tends to address the static firewall configuration and network-traffic-through-the-firewall layers. Because of the complexity of the typical DMZ environment, the DMZ policy is likely to be a large, multi-page document. To help ensure that the DMZ policy is practical and effective, three standards are typically defined broadly for all devices, connections and traffic related to the DMZ:
- Ownership responsibility
- Secure configuration requirements
- Operational requirements and change control

3.8. Commonly applicable policies:


Besides the firewall-specific policies, there are many commonly applicable policies which, although not firewall-specific (they apply to many devices, not only firewalls), should nevertheless be applied to the firewall. These include the following:
- Password policy: the company's password policy should be referenced not only to define firewall management access, but also for use in creating preshared secrets, hash keys and community strings.
- Encryption policy: the company's encryption policy should be referenced to define all forms of encrypted access, including Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL), Secure Shell (SSH) and IPsec/VPN access.
- Audit policy: the company's audit policy must be referenced to define the firewall's audit requirements.
- Risk-assessment policy: the company's risk-assessment policy should be referenced to define the method that will be used to identify the risks associated with all system adds, moves and changes as they relate to the firewall and the network perimeter as a whole.
Below are some tasks that a network administrator needs to carry out:
- Log and review the firewall logs regularly.
- Create very detailed, specific inbound ACLs.
- Protect the DMZ from multiple sides.
- Be careful with ICMP traffic.
- Keep all firewall management traffic secured.
- Review the firewall rules periodically.
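The management-access policy (3.2) and the monitoring/logging policy (3.6) both come down to reading the firewall's logs against the rules the policy states. The following added example (not code from the thesis) parses constructed syslog lines, whose layout is an assumption loosely modelled on Cisco ASA messages 106023 (ACL deny) and 605005 (permitted management login), and checks two things: which sources are being denied on many distinct ports, and whether any management login violates the allowed admin hosts and interfaces.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not taken from the thesis). The message layout
# is an assumption loosely modelled on Cisco ASA syslog output: 106023 for ACL
# denies, 605005 for permitted management logins.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.10/22 by access-group "OUTSIDE_IN"
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.10/23 by access-group "OUTSIDE_IN"
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:10.0.0.10/445 by access-group "OUTSIDE_IN"
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51237 dst inside:10.0.0.10/3389 by access-group "OUTSIDE_IN"
%ASA-4-106023: Deny udp src outside:198.51.100.7/40000 dst dmz:172.16.0.5/161 by access-group "OUTSIDE_IN"
%ASA-6-605005: Login permitted from 10.0.0.5/51000 to inside:10.0.0.1/ssh for user "admin"
%ASA-6-605005: Login permitted from 203.0.113.9/60000 to outside:192.0.2.1/ssh for user "admin"
"""

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+)'
    r' dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
LOGIN_RE = re.compile(
    r'%ASA-\d-605005: Login permitted from (?P<src>[\d.]+)/(?P<sport>\d+)'
    r' to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<service>\w+) for user "(?P<user>[^"]+)"'
)


def parse_log(text):
    """Turn raw syslog text into event dicts; lines that match neither pattern
    are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        if m := DENY_RE.search(line):
            ev = m.groupdict()
            ev["kind"] = "deny"
            ev["dport"] = int(ev["dport"])
            events.append(ev)
        elif m := LOGIN_RE.search(line):
            ev = m.groupdict()
            ev["kind"] = "mgmt_login"
            events.append(ev)
    return events


def deny_counts(events):
    """Denied connection attempts per source address (a quick triage view)."""
    return Counter(ev["src"] for ev in events if ev["kind"] == "deny")


def probing_sources(events, min_ports=3):
    """Sources denied on at least `min_ports` distinct destination ports: one host
    touching many closed services is the pattern worth a closer look."""
    ports = defaultdict(set)
    for ev in events:
        if ev["kind"] == "deny":
            ports[ev["src"]].add(ev["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def mgmt_violations(events, allowed_hosts, allowed_ifaces):
    """Management logins that break the management-access policy: accepted from a
    host outside the admin set, or on an interface where management is not allowed."""
    return [
        ev for ev in events
        if ev["kind"] == "mgmt_login"
        and (ev["src"] not in allowed_hosts or ev["dst_if"] not in allowed_ifaces)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denies per source:", dict(deny_counts(evs)))
    print("probing sources:", probing_sources(evs))
    for v in mgmt_violations(evs, allowed_hosts={"10.0.0.5"}, allowed_ifaces={"inside"}):
        print(f'policy violation: user {v["user"]} from {v["src"]} on {v["dst_if"]}')
```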


II. Radius
1. Radius overview:
1.1. AAA:
1.1.1. Authentication
Authentication is the process of verifying the identity of a person (or of a computer). The most common form of authentication uses some combination of a login ID and a password, where knowledge of the password is the token by which the user is authenticated. Sharing of passwords, however, undermines this authentication method, which has prompted the creators of e-commerce sites and other Internet transaction businesses to require a stronger, more reliable authenticator. Digital certificates are one such solution, and over the next five to ten years the use of digital certificates as part of a public key infrastructure (PKI) may become the preferred authenticator on the Internet. The important aspect of authentication is that it lets two unique entities form a trust relationship, with both assumed to be legitimate users. Trust between systems enables important functions such as proxy servers, where one system accepts a request on behalf of another, and allows AAA to operate in heterogeneous networks that support different types of clients and services. Trust relationships can become quite complex.

1.1.2. Authorization


Authorization involves using a set of rules or templates to decide what an authenticated user can do on the system. For example, in the case of an Internet service provider, it may decide whether a static IP address is given as opposed to a DHCP-assigned address. The system administrator defines these rules. So-called "smart implementations" of AAA servers have logic that analyzes a request and grants access to whatever it can, whether or not the whole request is valid. For example, a dial-up client connects and requests multiple links. A generic AAA server would simply reject the entire request, but a smarter implementation would examine the request, determine that the client is allowed only one dial-up connection, and grant one channel while denying the other requests.

1.1.3. Accounting


Rounding out the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data the user sent and/or received during the session. Accounting is carried out by logging session statistics and usage information, and is used for authorization control, billing, trend analysis, resource utilization and capacity planning. Accounting data has many uses. An administrator can analyze successful requests to determine capacity and forecast future system load. A business owner can track time spent on certain services and bill accordingly. A security analyst can review rejected requests to see whether a pattern emerges, and possibly stop a hacker or a freeloader. Accounting data is an excellent utility for an AAA server administrator.

1.2. Key points of the AAA architecture:


The AAA architecture is simply an attempt to map out a design of how each part of AAA fits together. An AAA implementation can be as simple or as complex as it needs to be, largely because the Internet Research Task Force (IRTF) AAA Architecture working group made the model as application-neutral as possible. In other words, the AAA model is designed to work in environments with differing user requirements and changing network designs. There are several important properties of the model that make it workable. First, the AAA model depends on client/server interaction, in which a client system requests the services or resources of a server system. In simple implementations these roles are usually fixed: servers never act as clients and vice versa. The client/server environment allows for a load-balanced design in which high availability and response time are critical. Servers can be distributed and hierarchical across networks. Contrast this with the representative model of a peer-to-peer (P2P) network. In P2P networks all systems exhibit the characteristics of both client and server systems, which can introduce bottlenecks and availability problems.

A proxy capability is a slight variant of this. An AAA server can be configured to authorize a request or to pass it on to another AAA server, which will then make the appropriate decision or pass it on yet again. In essence, a proxy chain is created, in which AAA servers accept requests from both clients and other AAA servers. When one server proxies to another server, the originator exhibits the characteristics of a client. Thus a trust relationship is created for every client/server hop until the request reaches the device that provisions the required resources. Proxying is a very useful feature of the AAA model and benefits enterprises and distributed network deployments, in which some AAA devices can be configured to always proxy requests to machines at other locations. The best example of proxying is an ISP reseller agreement. Often a large network company will invest in registering network infrastructure and points of presence at many locations. Having a distributed network, the company then resells it to smaller ISPs that need to expand their coverage and take advantage of a better network. The reseller is given some form of access control over the physical resources at each location, but the smaller ISPs do not want to share private information about their users with the reseller. In this case an AAA proxy machine is placed at each of the reseller's points of presence, and those machines communicate with the appropriate NAS devices at the smaller ISPs. Clients requesting services and resources from an AAA server (and in this case the clients can include AAA proxies) can communicate with each other using either a hop-to-hop transaction or an end-to-end transaction.


The distinction is where the trust relationships lie in the transaction chain. Consider the following cases to get a better picture. In a hop-to-hop transaction, a client sends an initial request to an AAA device. At this point there is a trust relationship between the client and the front-line AAA server. That machine determines that the request needs to be forwarded to another server at a different location, so it acts as a proxy and contacts another AAA server. Now the trust relationship is between the two AAA servers, with the front-line machine acting as the client and the second AAA machine acting as the server. It is important to note that the trust relationship is not implicit, meaning that the original client and the second AAA machine have no trust relationship. Figure 2-1 shows that the trust is sequential and independent.

[Figure 2-1 diagram. Labels: Client; Approving AAA server; Intermediate AAA server; Final AAA server; "Trust relationship" and "Request proxied" on each hop. Note on the diagram: there is no trust relationship between the client and the intermediate AAA server or the final AAA server.]

FIGURE 2-1: INDEPENDENT TRUST RELATIONSHIPS IN A HOP-TO-HOP TRANSACTION

Differing from the hop-to-hop model is the end-to-end transaction method. The main difference is, again, where the trust relationship lies: in this model it is between the requesting client and the AAA server that ultimately authorizes the request. In an end-to-end model the proxy chain still functions much as it does in the hop-to-hop model; what the end-to-end transaction changes is the trust relationship. Because the design is not intended to carry sensitive information in proxied requests, some other means of authenticating a request and verifying data integrity is needed as the original request hops through the proxy chain. Most commonly, digital certificates and other PKI validation are used in these situations. RFC 2903 and RFC 2905 describe the requirements for implementing end-to-end security, shown in Figure 2-2.

[Figure 2-2 diagram. Labels: Client; Approving AAA server; Intermediate AAA server; Final AAA server; "Request proxied" on each hop; a single "Trust relationship" between the client and the final AAA server. Note on the diagram: there is no trust relationship between the proxy servers.]

FIGURE 2-2: CLIENT/SERVER TRUST RELATIONSHIP IN THE END-TO-END MODEL

2. RADIUS architecture:

2.1. Using UDP or TCP:


RADIUS was officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Numbers Authority (IANA). However, before IANA allocated ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting respectively) were used unofficially and became the default ports for many RADIUS server and client implementations of that time. The tradition of using 1645 and 1646 continues, for backward compatibility, to this day. For this reason many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests. Microsoft RADIUS servers default to 1812 and 1813, but Cisco devices default to the traditional ports 1645 and 1646. Juniper Networks RADIUS servers listen on both the official and the unofficial ports, 1645, 1812, 1646 and 1813, by default, but can be configured with any ports.

For the protocol to work properly, UDP was chosen mainly because RADIUS has several inherent properties that are characteristic of UDP. RADIUS requires that a query which fails against a primary authentication server be redirected to a secondary server, and to do this a copy of the original request must exist above the transport layer of the OSI model. This, in effect, mandates the use of retransmission timers. The protocol bases its timing on the user's patience while waiting for a response; it assumes a middle ground between lightning-fast and snail-slow. The RADIUS RFC describes it best: "At one extreme, RADIUS does not require a 'responsive' detection of lost data. The user is willing to wait several seconds for the authentication to complete. The generally aggressive TCP retransmission (based on average round trip time) is not required, nor is the acknowledgement overhead of TCP. At the other extreme, the user is not willing to wait several minutes for authentication. Therefore the reliable delivery of TCP data two minutes later is not useful. The faster use of an alternate server allows the user to gain access before giving up."

Since RADIUS is stateless, UDP seems natural, as UDP is also stateless. With TCP, clients and servers would need special code or administrative workarounds to mitigate the effects of power loss, reboots, heavy network traffic and system downtime. UDP avoids this entire problem, as it allows a session to open and stay open for the whole transaction. To allow heavily loaded systems and back-end traffic, which can sometimes delay queries and lookups by 30 seconds or more, it was determined that RADIUS should be multithreaded. UDP lets RADIUS spawn service for many requests at once, and in each session the communication capability between network devices and clients is unlimited. So UDP is suitable. The only drawback of using UDP is that developers have to create and manage retransmission timers themselves, a capability that is built into TCP. However, the RADIUS working group felt that this was a minor disadvantage compared with the convenience and simplicity of using UDP. And so UDP was used.

2.2. RADIUS packet format:


The RADIUS protocol uses UDP packets to pass transmissions between the client and the server. The protocol communicates on port 1812, a change from the original RADIUS RFC document. Early versions specified that RADIUS communication took place on port 1645, but this was later found to conflict with the "Datametrics" service. RADIUS uses a predictable packet structure for communication, shown in Figure 2-3.
Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes and values (variable)

FIGURE 2-3: A DESCRIPTION OF THE RADIUS DATA PACKET STRUCTURE
The data structure is divided into 5 separate areas:
- Code
- Identifier
- Length
- Authenticator
- Attributes and values

2.2.1. Code:
The Code field is one octet long and is used to distinguish the type of RADIUS message sent in the packet. Packets with an invalid Code field are silently discarded. The valid codes are:
1 - Access-Request
2 - Access-Accept
3 - Access-Reject
4 - Accounting-Request
5 - Accounting-Response
11 - Access-Challenge
12 - Status-Server (server status)
13 - Status-Client (client status)
255 - Reserved

2.2.2. Identifier:
The Identifier field is one octet long and is used to maintain the flow, that is, to automatically link the initial request with the subsequent reply. RADIUS servers can generally detect duplicate messages by checking factors such as the source IP address, the source UDP port, the time span between suspect messages, and the Identifier field.

2.2.3. Length:
The Length field is two octets and indicates the length of the RADIUS packet. The value in this field is computed by taking the Code, Identifier, Length, Authenticator and Attributes fields and summing their sizes. The Length field is checked when a RADIUS server receives a packet, to ensure data integrity. Valid length values range from 20 to 4096. The RFC specification requires certain behaviour of RADIUS servers with regard to incorrect data lengths. If a RADIUS server receives a message longer than the Length field indicates, it must ignore all data past the end point indicated by the Length field. Conversely, if the server receives a message shorter than the Length field reports, the server must discard the message.

2.2.4. Authenticator:
The Authenticator field, typically 16 octets long, is the field in which the integrity of the message payload is checked and verified. In this field the most significant octet is transmitted before any other; the value is used to authenticate the reply from the RADIUS server. This value is also used in the password-hiding mechanism. There are two possible types of Authenticator value: request and response values. Request Authenticators are used with authentication request packets and Accounting-Request packets. In request values this field is 16 octets long and is generated on a completely random basis to prevent any attack. While RADIUS makes no provision to protect communications against eavesdropping and packet capture, a random value combined with a strong password makes attacks and snooping difficult. The Response Authenticator is used in Access-Accept, Access-Reject and Access-Challenge packets. Its value is computed using a one-way MD5 hash generated from the values of the Code, Identifier, Length and Request Authenticator fields of the packet header, followed by the attributes in the packet payload and the shared secret.
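The header layout, the Length rules of section 2.2.3 and the Response Authenticator computation of section 2.2.4 can be put together in a few lines. The following is an added example (it is not code from the thesis or from any RADIUS implementation); it assumes a constructed shared secret and a single User-Name attribute as sample input.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes from the table in section 2.2.1.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
HEADER_LEN, MIN_LEN, MAX_LEN = 20, 20, 4096


def build_packet(code, identifier, authenticator, attributes=b""):
    """Serialise Code (1) + Identifier (1) + Length (2) + Authenticator (16) + attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    length = HEADER_LEN + len(attributes)
    if length > MAX_LEN:
        raise ValueError("packet exceeds 4096 octets")
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attributes + secret).digest()


def parse_packet(datagram):
    """Parse a received datagram applying the Length rules of section 2.2.3.

    Returns None (silently discard) when the datagram is shorter than the header,
    shorter than its Length field, or the Length field is outside 20..4096.
    Octets beyond the Length field are ignored rather than treated as an error.
    """
    if len(datagram) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < MIN_LEN or length > MAX_LEN or len(datagram) < length:
        return None
    return {
        "code": code,
        "id": identifier,
        "length": length,
        "authenticator": datagram[4:20],
        "attributes": datagram[20:length],
    }


def verify_response(reply, request_auth, secret):
    """Client-side check of a reply: recompute the Response Authenticator from the
    Request Authenticator it remembered and compare in constant time."""
    expected = response_authenticator(reply["code"], reply["id"], reply["attributes"],
                                      request_auth, secret)
    return hmac.compare_digest(expected, reply["authenticator"])


def demo_exchange(secret=b"constructed-demo-secret"):
    """Build an Access-Request with a random Request Authenticator and the matching
    Access-Accept; returns (request, reply, request_auth) for inspection."""
    request_auth = os.urandom(16)                 # random per request, never reused
    user_name = b"\x01\x07alice"                  # User-Name AVP: type 1, length 7 (constructed)
    request = build_packet(ACCESS_REQUEST, 0x2A, request_auth, user_name)
    reply_attrs = b""                             # an Access-Accept may carry no attributes
    reply_auth = response_authenticator(ACCESS_ACCEPT, 0x2A, reply_attrs, request_auth, secret)
    reply = build_packet(ACCESS_ACCEPT, 0x2A, reply_auth, reply_attrs)
    return request, reply, request_auth
```

A reply whose Response Authenticator does not verify under the shared secret is dropped without any error being sent back, which is the behaviour the RFCs require for invalid packets.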

2.3. Packet classification:

There are four RADIUS packet types involved in the authentication and authorization phases of an AAA transaction, and two packets involved in the accounting process:
- Access-Request
- Access-Accept
- Access-Reject
- Access-Challenge
- Accounting-Request
- Accounting-Response

2.3.1. Access-Request:
Access-Request packets are used by a service consumer when requesting a specific service from the network. The client sends a request packet to the RADIUS server with a list of requested services. The key element in this transmission is the Code field in the packet header: it must be set to 1, the unique value for request packets. The RFCs indicate that reply packets must be sent to all valid request packets, whether the reply is an acceptance or a rejection. The payload of an Access-Request packet should include the username attribute, to identify the person attempting to access the network resources. The payload is required to contain the IP address or canonical name of the network device from which the service is being requested. It also contains either a user password, a CHAP-based password, or a state identifier, but not both types of password. The user password must be hashed using MD5. Essentially, a new packet must be created whenever an attribute changes, since the identifying information has changed. Attributes encrypted with the shared secret must be reversed by proxy servers (to obtain the original payload information) and then encrypted again with the secret the proxy server shares with the remote server. The Access-Request packet structure is shown in Figure 2-4.
Code (1) | Identifier (unique) | Length (header and payload) | Authenticator (Request; random) | Attributes (variable): username; NAS ID or name; MD5 user password or CHAP password

Figure 2-4: A typical Access-Request packet

2.3.2. Access-Accept:
Access-Accept packets are sent by the RADIUS server to the client to acknowledge that the client's request has been accepted. If all the requests in the Access-Request payload are acceptable, the RADIUS server must set the Code field of the reply packet to 2. The client, on receiving the accept packet, matches it to its request using the Identifier field. Packets that do not conform to this standard are discarded. Of course, to ensure that request and accept packets match as described, that is, to ensure that accept replies are sent in the reply packets corresponding to their requests, the Identifier field in the Access-Accept packet header must have a value identical to the Identifier field of the Access-Request packet. Access-Accept packets can contain as much or as little attribute information as they need to include. Most likely the attribute information in this packet will describe the types of service the authenticated and authorized client can avail itself of. However, if no attribute information is included, the client assumes that the services it requested are the ones that were accepted. The Access-Accept packet structure is shown in Figure 2-5.

Code (2) | Identifier (unique per transmission) | Length (header and payload) | Authenticator (Response) = Code + ID + Length + Request Authenticator + attributes and secret key | Attributes (variable): entirely optional; the authorized services

Figure 2-5: A typical Access-Accept packet

2.3.3. Access-Reject:
The RADIUS server is required to send an Access-Reject packet back to the client if it must deny any of the services requested in the Access-Request packet. The denial can be based on system policy, insufficient privileges, or any other criterion; for the most part this is a function of the individual implementation. Access-Reject packets can be sent at any time during a session, which makes them ideal for enforcing connection time limits. However, not all equipment supports receiving an Access-Reject packet during an established connection. The payload for this packet type is limited to two specific attributes: the Reply-Message attribute and the Proxy-State attribute. While these attributes may appear more than once in the packet payload, apart from any vendor-specific attributes no other attributes are permitted by the RFC specification to be included in the packet. The Access-Reject packet structure is shown in Figure 2-6.

Code (3) | Identifier (unique per transmission) | Length (header and payload) | Authenticator (Response) = MD5(Code + ID + Length + Request Authenticator + attributes and secret key) | Attributes (variable): optional; limited to Reply-Message and Proxy-State (both may appear more than once)

Figure 2-6: A typical Access-Reject packet

2.3.4. Access-Challenge:
If a server receives conflicting information from a user, requires more information, or simply wishes to reduce the risk of fraudulent authentication, it can issue an Access-Challenge packet to the client. The client, on receiving an Access-Challenge packet, must then issue a new Access-Request that includes the appropriate information. Note that some clients do not support this kind of challenge/response process, in which case the client treats the Access-Challenge packet as an Access-Reject packet. Some clients, however, do support challenges, in which case a message can be presented to the user at the client requesting additional authentication information; in that situation it is not necessary to issue another round of request/reply packets. As with Access-Reject packets, only two standard attributes can be included in an Access-Challenge packet: the State attribute and the Reply-Message attribute. Any vendor-specific attributes that are needed may be included as well. The Reply-Message attribute can be included in the packet many times, but the State attribute is limited to a single instance. The State attribute is copied unchanged into the Access-Request packet returned to the challenging server.

The Access-Challenge packet structure is shown in Figure 2-7.


Code (11) | Identifier (unique per transmission) | Length (header and payload) | Authenticator (Response) | Attributes (variable): optional; limited to State and Reply-Message (both may be attached more than once)

Figure 2-7: A typical Access-Challenge packet

2.3.5. Accounting-Request:
Accounting-Request packets are sent from a client (usually a network access server (NAS) or its proxy) to a RADIUS accounting server, and convey usage information to provide accounting for a service delivered to a user. The client transmits a RADIUS packet with the Code field set to 4 (Accounting-Request). On receipt of an Accounting-Request, the server must reply with an Accounting-Response packet if it successfully records the accounting packet, and must not reply with any packet if it fails to record the accounting packet. Any attribute valid in a RADIUS Access-Request or Access-Accept packet is valid in a RADIUS Accounting-Request packet, except that the following attributes must not be present in an Accounting-Request: User-Password, CHAP-Password, Reply-Message, State. Either NAS-IP-Address or NAS-Identifier must be present in a RADIUS Accounting-Request packet. It should contain a NAS-Port or NAS-Port-Type attribute, or both, unless the service does not involve a port or the NAS does not distinguish among its ports. If the Accounting-Request packet includes a Framed-IP-Address, that attribute must contain the user's IP address. If the Access-Accept used special values for Framed-IP-Address to tell the NAS to assign or negotiate an IP address for the user, the Framed-IP-Address (if any) in the Accounting-Request must be the actual IP address assigned or negotiated.

Code (4) | Identifier (unique) | Length (header and payload) | Authenticator (Request) | Attributes (variable): contains a list of attributes

Figure 2-8: A typical Accounting-Request packet
Code: 4 for Accounting-Request.
Identifier: The Identifier field must be changed whenever the content of the Attributes field changes, and whenever a valid reply has been received for a previous request. For retransmissions where the contents are identical, the Identifier must remain unchanged. Note that if Acct-Delay-Time is included in the attributes of an Accounting-Request, the Acct-Delay-Time value is updated when the packet is retransmitted, which changes the content of the Attributes field and requires a new Identifier and Request Authenticator.
Request Authenticator: The Request Authenticator of an Accounting-Request contains a 16-octet MD5 hash value calculated according to the method described under "Request Authenticator" above.
Attributes: The Attributes field is variable in length and contains a list of attributes.

2.3.6. Accounting-Response:
Accounting-Response packets are sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request has been received and recorded successfully. If the Accounting-Request was recorded successfully, the RADIUS accounting server must transmit a packet with the Code field set to 5 (Accounting-Response). When the client receives an Accounting-Response, the Identifier field is matched with a pending Accounting-Request. The Response Authenticator field must contain the correct response for the pending Accounting-Request. Invalid packets are silently discarded. A RADIUS Accounting-Response packet is not required to contain any attributes.

Code (5) | Identifier (unique) | Length (header and payload) | Authenticator (Response) | Attributes (variable): with or without a list of attributes

Figure 2-9: A typical Accounting-Response packet
Code: 5 for Accounting-Response.
Identifier: The Identifier field is a copy of the Identifier field of the Accounting-Request that caused this Accounting-Response.
Response Authenticator: The Response Authenticator of an Accounting-Response packet contains a 16-octet MD5 hash value calculated according to the method described under "Response Authenticator" above.
Attributes: The Attributes field is variable in length and contains a list of zero or more attributes.

2.4. Shared secret:
To enhance security and increase transaction integrity, the RADIUS protocol uses the concept of a shared secret. Shared secrets are randomly generated values known to both the client and the server (hence "shared"). Shared secrets are used in all operations that require data hiding and value obfuscation. The only technical limitation is that shared secrets must be greater than 0 in length, but the RFC recommends that secrets be at least 16 octets. A secret of that length is practically impossible to break by brute force. Shared secrets (often just called "secrets") are unique to a particular pair of RADIUS client and server. For example, if a user subscribes to several Internet service providers for dial-up access, that user indirectly generates requests to several RADIUS servers. The shared secrets that the client NAS devices at ISPs A, B and C use to communicate with their respective RADIUS servers do not match one another. While some larger RADIUS deployments may believe that protecting transaction security by rotating the shared secret automatically is a prudent step, there is a rather large potential difficulty: there is no guarantee that clients and servers can synchronize on the new shared secret at the most appropriate moment. And even if simultaneous synchronization were certain to occur, if there are outstanding requests to the RADIUS servers while the clients are busy processing (and therefore miss the moment of synchronizing on the new secret), those outstanding requests will be rejected by the server.

2.5. Attributes and values:
2.5.1. Attributes:

Attribute header: Number (1-255) | Length (>3) | Value (depends on the attribute number) [the AVP payload, inside the RADIUS packet]

Figure 2-10: Standard attribute-value pair (AVP) transmission format
Attribute number: This number denotes the type of attribute presented in the packet. The attribute's name is not passed in the packet, only the number. In general, attribute numbers can range from 1 to 255, with certain numbers serving as a "gateway" of sorts for vendors to supply their own specific attributes.
Attribute length: This field describes the length of the attribute field, which must be 3 or more. It works in the same way as the Length field of the RADIUS packet header.
Value: Containing the characteristics or properties of the attribute itself, this field is required for every attribute presented, even if the value itself is null. Its length varies according to the inherent nature of the attribute.

The AVP structure shown in Figure 2-6 consists of a contiguous set of bytes containing at least three octets, with the first octet being the type, the second the length, and the final octets the value of the attribute itself. RADIUS servers know enough about an attribute that its official name need not be transmitted in the packet. The code number (attribute number) infers the type of information transmitted in that particular value. Attribute types: there are 6 types, as stated in the RFC:
- Integer (INT): values containing integers. An attribute such as Idle-Timeout might be set to an integer value of 15.
- Enumerated (ENUM): data of the enumerated type consists of an integer, but its value is based on a user-configured set of value ranges and meanings. One may encounter enumerated values referred to as semantic integer values, whereas non-semantic integer values are simply of the integer type.
- IP address (IPADDR): this data type is a 32-bit number designed to pass an exact IP address. While RADIUS by default considers an IP address at face value, some implementations can be configured to process it with a predefined value, such as a specific subnet mask. In addition, a recent extension to the RADIUS protocol allows IPv6 addresses to be used in this type.
- Character string (STRING): character strings are normally defined as printable UTF-8 strings that can be read at face value. Data is transmitted as a string of characters that may be quoted or unquoted, whichever is appropriate.
- Date (DATE): a 32-bit unsigned number representing the seconds elapsed since 1 January 1970.
- Binary (BINARY): usually specific to certain implementations, binary values ("0" or "1") are read at face value.
Vendor-specific attributes: As with most of the RADIUS protocol, there is a great deal of flexibility with regard to the vendor-specific attribute types that occur in the various implementations. Most of these attributes are created to directly support special features, non-standard characteristics or value-added functionality that a particular piece of RADIUS client equipment is capable of providing. Of course, perhaps precisely because it is a standard, some vendors, notably U.S. Robotics/3Com, did not follow the RFC specification. The RADIUS protocol defines a specific AVP as a "gateway" AVP in which vendor-specific attributes, or VSAs, can be encapsulated. The VSA is carried in the value payload of standard AVP 26, called Vendor-Specific. Figure 2-11 shows the standard AVP and how the information is carried in the VSA.
Standard AVP: Number 26 | Length X | Value: [ Vendor ID 262 | Number 47 | Length X | Value ]   (the VSA inside the payload of the standard AVP; all of it inside the RADIUS packet payload)

Figure 2-11: Transmission of a VSA inside a standard AVP.
Vendor ID: This part of the VSA consists of four octets that represent the developer/designer/owner of the VSA. The standard codes are specified in RFC 1700, "Assigned Numbers". More specifically, individual vendors are encoded with unique numbers called Network Management Private Enterprise Codes, or NMPECs. The ordering of the contents of the Vendor ID field follows a strict standard, with the high-order byte of the 4-octet value set to 0 and the last 3 bytes carrying the NMPEC.
Vendor type: The vendor type field, one octet long, functions and behaves in the same way as the attribute number in a standard AVP. Vendor types are values in the range 1 to 255, and the significance and meaning of each value is known inside the RADIUS server.
Length: This field is a one-octet number indicating the length of the entire VSA, with the minimum length of the whole VSA being 7. Again, this field operates in the same way as the Length field in a standard, RFC-defined AVP.
Value: The value field is required to be at least one octet long and contains data specific to the VSA itself. Most of these values are read, understood and parsed by RADIUS clients and servers on both ends that are aware of the special features and non-standard capabilities their particular implementation supports.
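The AVP layout of Figure 2-10, the six data types, and the Vendor-Specific encapsulation of Figure 2-11 can be exercised with an encoder and a parser. The following is an added example (not code from the thesis or from any RADIUS product); the attribute table it uses is a small illustrative subset, and the sample payload (user "bob", NAS address 192.168.1.2, a VSA for IANA enterprise number 9 with vendor type 1 and a constructed value) is constructed for the demonstration.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26

# Illustrative subset of standard attribute numbers -> (name, data type).
# The complete lists are in RFC 2865 and RFC 2869 (Event-Timestamp is 55).
STANDARD_ATTRS = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    28: ("Idle-Timeout", "integer"),
    55: ("Event-Timestamp", "date"),
}


def encode_value(dtype, value):
    """Encode a Python value according to the RADIUS data types of section 2.5.1."""
    if dtype in ("integer", "date"):
        return struct.pack("!I", value)            # 32-bit unsigned, network order
    if dtype == "ipaddr":
        return ipaddress.IPv4Address(value).packed  # 4 octets
    if dtype == "string":
        return value.encode("utf-8")
    raise ValueError("unsupported type " + dtype)


def decode_value(dtype, raw):
    if dtype in ("integer", "date"):
        return struct.unpack("!I", raw)[0]
    if dtype == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    return raw.decode("utf-8")


def encode_avp(attr_type, raw_value):
    """Type (1) + Length (1, counting the whole AVP) + Value. Length is 3..255."""
    length = 2 + len(raw_value)
    if length < 3 or length > 255:
        raise ValueError("AVP length must be 3..255")
    return bytes([attr_type, length]) + raw_value


def encode_vsa(vendor_id, vendor_type, raw_value):
    """Vendor-Specific (26) whose value is Vendor-Id (4 octets, high octet 0) +
    vendor type (1) + vendor length (1) + vendor value; the whole VSA is >= 7 octets."""
    if vendor_id >= 1 << 24:
        raise ValueError("high-order octet of Vendor-Id must be 0")
    inner = bytes([vendor_type, 2 + len(raw_value)]) + raw_value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_avps(payload):
    """Walk the attribute area of a packet.

    Returns a list of (name, decoded value) for known standard attributes,
    ("Vendor-Specific", (vendor_id, vendor_type, raw bytes)) for VSAs, and
    (number, raw bytes) for unknown attributes. Malformed lengths raise ValueError,
    which a server would turn into a silent discard of the packet.
    """
    out, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated AVP header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 3 or pos + length > len(payload):
            raise ValueError("bad AVP length %d at offset %d" % (length, pos))
        value = payload[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            if length < 7 or value[0] != 0:
                raise ValueError("malformed Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 3 or vlen != len(value) - 4:
                raise ValueError("bad vendor length")
            out.append(("Vendor-Specific", (vendor_id, vtype, value[6:])))
        elif attr_type in STANDARD_ATTRS:
            name, dtype = STANDARD_ATTRS[attr_type]
            out.append((name, decode_value(dtype, value)))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def sample_payload():
    """Constructed attribute area: User-Name, NAS-IP-Address 192.168.1.2 (0xC0A80102),
    Idle-Timeout 15, and one VSA for enterprise number 9 with a constructed value."""
    return (encode_avp(1, encode_value("string", "bob"))
            + encode_avp(4, encode_value("ipaddr", "192.168.1.2"))
            + encode_avp(28, encode_value("integer", 15))
            + encode_vsa(9, 1, b"constructed=value"))
```

Unknown attribute numbers are returned raw rather than rejected, matching the protocol's tolerance for attributes a given server does not understand; only a length that does not fit the payload is treated as an error.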

2.5.2. Values:
All attributes must have values, even if the attribute's value is null. Values represent the information that each individual attribute is designed to convey. They carry the "meat" of the information. Values must conform to the rules of the attribute type. Table 2-8 shows an example of each attribute type and the expected payload of the value field for each type.

Attribute type | Length (octets) | Size / range | Example payload
Integer (INT) | 4 | 32-bit unsigned | 256, 2432, 65536
Enumerated (ENUM) | 4 | 32-bit unsigned | 3 = Callback-Login, 4 = Callback-Framed, 13 = Framed-Compression, 26 = Vendor-Specific
String (STRING) | 1-253 | variable | "HUTECH", "Long", "206.229.254.2", "google.com"
IP address (IPADDR) | 4 | 32 bit | 0xC0A80102, 0x1954FF8E
Date (DATE) | 4 | 32-bit unsigned | 0xFFFFFE, 0x00000A
Binary (BINARY) | 1 | 1 bit | 0, 1

Every attribute value is listed in the RADIUS RFC.

3. Operation:
3.1. Access process:


When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be with a customizable login prompt, where the user is expected to enter their username and password. The client creates an "Access-Request" containing such attributes as the user's name, the user's password, the ID of the client and the port ID which the user is accessing. When a password is present, it is hidden using a method based on MD5. The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is down or unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion.

Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret must be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements which must be met to allow access for the user. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access. The RADIUS server may make requests of other servers in order to satisfy the request, in which case it acts as a client. If any Proxy-State attributes were present in the Access-Request, they must be copied unmodified into the reply packet. Other attributes can be placed before, after, or even between the Proxy-State attributes. If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid. If desired, the server may include a text message in the Access-Reject which may be displayed by the client to the user. No other attributes (except Proxy-State) are permitted in an Access-Reject. If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It may include a text message to be displayed by the client to the user prompting for a response to the challenge, and may include a State attribute. If the client receives an Access-Challenge and supports challenge/response, it may display the text message, if any, to the user and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password attribute replaced by the (encrypted) response, and including the State attribute from the Access-Challenge, if any. Only 0 or 1 instances of the State attribute may be present in a request. The server can respond to this new Access-Request with an Access-Accept, an Access-Reject, or another Access-Challenge. If all conditions are met, the list of configuration values for the user is placed into an "Access-Accept" response. These values include the type of service (for example SLIP, PPP, Login User) and all the values necessary to deliver the desired service. For SLIP and PPP this may include values such as IP address, subnet mask, MTU, desired compression and desired packet filter identifiers. For character-mode users this may include values such as desired protocol and host.

In challenge/response authentication, the user is given an unpredictable number and challenged to encrypt it and give back the result. Authorized users are equipped with special devices such as smart cards, or with software, that make calculating the correct response easy. Unauthorized users, lacking the appropriate device or software and not knowing the secret key needed to emulate such a device or software, can only guess at the response. Access-Challenge packets typically contain a Reply-Message including a challenge to be displayed to the user, such as a numeric value unlikely ever to be repeated. The user then enters the challenge into their device (or software), which calculates a response; the user enters the response into the client, which forwards it to the RADIUS server via a second Access-Request. If the response matches the expected response, the RADIUS server replies with an Access-Accept; otherwise an Access-Reject is returned to the client.
[Figure 2-12 diagram: the user, the ASA and the RADIUS server (ACS), with the numbered exchanges 1 to 6 listed below.]

Figure 2-12: A simple RADIUS authentication process.
1) The user tries to access the Cisco ASA.
2) The Cisco ASA asks the user to enter a username and password.
3) The user enters their credentials and sends them to the Cisco ASA.
4) The Cisco ASA sends an Access-Request packet to the RADIUS server.
5) If the credentials entered by the user exist in the database on the RADIUS server, the RADIUS server sends an Access-Accept packet back to the Cisco ASA; if the credentials the user entered do not exist, the RADIUS server sends an Access-Reject packet back to the Cisco ASA.
6) The Cisco ASA responds to the client, telling it whether or not it is allowed to access a particular service.
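Steps 4 to 6 above, with the MD5-based password hiding mentioned in the access process, can be modelled end to end without a network. The following is an added example and is not code from the thesis, from Cisco or from any RADIUS server; it assumes a constructed shared secret, a constructed in-memory user database, and the User-Password hiding method of RFC 2865 section 5.2 (padding to 16-octet blocks, each block XORed with MD5(secret + previous block), the first block keyed by the Request Authenticator).

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad with NULs to a multiple of
    16 octets (at least 16), then XOR each block with MD5(secret + previous
    ciphertext block); the Request Authenticator stands in for the first block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server that shares the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def client_build_request(username, password, secret, identifier):
    """Step 4: the NAS builds an Access-Request with a fresh random Request
    Authenticator and the hidden password. Returns (packet, request_auth)."""
    request_auth = os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet, secret, users):
    """Step 5: recover the password, check it against the user database (constructed
    dict of username -> password) and answer with Access-Accept (2) or Access-Reject (3),
    carrying MD5(Code + ID + Length + RequestAuth + Attributes + Secret) as authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    username = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = username in users and hmac.compare_digest(users[username].encode(), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b"" if ok else avp(REPLY_MESSAGE, b"Access denied")
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    reply_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + reply_auth + reply_attrs


def client_check_reply(reply, expected_identifier, request_auth, secret):
    """Step 6: the NAS matches the Identifier with its pending request and verifies the
    Response Authenticator; returns the reply code, or None if the reply is discarded."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != expected_identifier:
        return None
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code
```

The server side never compares the hidden bytes directly: it recovers the cleartext with the shared secret and compares that, which is why a server configured with a different secret both rejects the user and produces a reply the client refuses.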

3.2. Accounting process:

When a client is configured to use RADIUS accounting, at the start of service delivery it generates an Accounting Start packet describing the type of service being delivered and the user it is being delivered to, and sends it to the RADIUS accounting server, which sends back an acknowledgement that the packet has been received. At the end of service delivery the client generates an Accounting Stop packet describing the type of service that was delivered and, optionally, statistics such as elapsed time, input and output octets, or input and output packets. It sends this to the RADIUS accounting server, which sends back an acknowledgement that the packet has been received. The Accounting-Request (whether Start or Stop) is submitted to the RADIUS accounting server via the network. It is recommended that the client continue attempting to send the Accounting-Request packet until it receives an acknowledgement, using some form of backoff. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is down or unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. The RADIUS accounting server may make requests of other servers in order to satisfy the request, in which case it acts as a client.

If the RADIUS accounting server is unable to record the accounting packet successfully, it must not send an Accounting-Response acknowledgement to the client.

4. RFCs:
4.1. Origins:


RADIUS was originally specified in an RFI issued by Merit Network in 1991 to control dial-in access to NSFNET. Livingston Enterprises answered the RFI with a description of a RADIUS server. Merit Network contracted Livingston Enterprises, which delivered a series of PortMaster Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (the current versions are RFC 2865 and RFC 2866). Today a number of commercial and open-source RADIUS servers exist. Features vary, but most can look users up in text files, LDAP servers, various databases, and so on. Accounting records can be written to text files or databases, forwarded to external servers, and so on. SNMP is often used for remote monitoring and to check whether a RADIUS server is still running. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets (for security reasons, or to translate between vendors). The Diameter protocol is the planned replacement for RADIUS. Diameter uses SCTP or TCP, whereas RADIUS uses UDP as its transport.

4.2. Table of RFCs:

RFC        Title                                                         Date
RFC 2548   Microsoft Vendor-specific RADIUS Attributes                   3/1999
RFC 2865   Remote Authentication Dial In User Service (RADIUS)           6/2000
RFC 2866   RADIUS Accounting                                             6/2000
RFC 2867   RADIUS Accounting Modifications for Tunnel Protocol Support   6/2000
RFC 2868   RADIUS Attributes for Tunnel Protocol Support                 6/2000
RFC 2869   RADIUS Extensions                                             6/2000
RFC 3162   RADIUS and IPv6                                               8/2001
RFC 3579   RADIUS Support for EAP                                        9/2003
RFC 5080   Common RADIUS Implementation Issues and Suggested Fixes       12/2007
RFC 5997   Use of Status-Server Packets in the RADIUS Protocol           8/2010

4.3. Overview of the RADIUS RFCs:
4.3.1. RFC 2865:


RFC 2865, Remote Authentication Dial In User Service: mainly describes the authentication and authorization mechanism used when a user requests access. The RFC introduces the structure of the packets needed to perform authentication and authorization for user access and the attributes used inside those packets. It also describes how the mechanism operates and the cases that arise when a user requests access. Changes compared with the earlier RFC 2138 include:
- Strings should use UTF-8 instead of US-ASCII and should be handled as 8-bit data.
- Integers and dates are now defined as 32-bit unsigned values.
- The list of attributes that may be included in Access-Challenge was updated to agree with the attribute table.
- User-Name now refers to Network Access Identifiers.
- User-Name may now be sent in Access-Accept for use with accounting and Rlogin.
- Values were added for Service-Type, Login-Service, Framed-Protocol, Framed-Compression and NAS-Port-Type.
- NAS-Port can now use all 32 bits.
- The examples now include hexadecimal dumps of the packets.
- The source UDP port must be used together with the request Identifier when identifying duplicates.
- Multiple subattributes may be allowed inside a Vendor-Specific attribute.
- An Access-Request is now required to contain a NAS-IP-Address or a NAS-Identifier (it may contain both).
- Notes were added under "Operations" with more information on proxying, retransmission and keep-alives.
- If several attributes of the same Type are present, the order of attributes of that Type must be preserved by any proxy.
- Proxy-State was clarified.
- It was clarified that attributes must not depend on their position within the packet, as long as attributes of the same Type are kept in order.
- An IANA Considerations section was added.
- The "Proxy" section under "Operations" was updated.
- Framed-MTU can now be sent in an Access-Request as a hint.
- The Security Considerations were updated.
- Text strings are identified as a subset of string, clarifying the use of UTF-8.

4.3.2. RFC 2866:

RFC 2866, RADIUS Accounting: describes the accounting process of a RADIUS server and is the companion document to RFC 2865. Like RFC 2865, RFC 2866 introduces the packets used in the accounting process and the attributes carried in them, and describes how accounting proceeds when it is requested. Changes compared with RFC 2139 include:
- US-ASCII was replaced by UTF-8.
- Notes on proxying were added.
- Framed-IP-Address should contain the actual IP address of the user.
- If Acct-Session-Id was sent in an Access-Request, it must be used in the Accounting-Request for that session.
- New values were added to Acct-Status-Type.
- An IANA Considerations section was added.
- The references were updated.
- Text strings are identified as a subset of string, clarifying the use of UTF-8.

4.3.3. RFC 2867:


RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support: describes the modifications to RADIUS accounting needed to support tunnel protocols, and updates RFC 2866. Many applications of tunneling protocols such as PPTP and L2TP involve dial-up network access. Some, such as providing secure access to a corporate intranet over the Internet, are characterized by voluntary tunneling: the tunnel is created at the request of the user for a specific purpose. Other applications involve compulsory tunneling: the tunnel is created without any action from the user and without giving the user any choice in the matter, as a service of the Internet service provider (ISP). ISPs offering such a service typically want to collect data about it for billing, network planning and so on. One way to collect usage data in a dial-up network is through RADIUS accounting. Using RADIUS accounting lets dial-up usage data be collected at a central location rather than stored on each NAS. To collect usage data about tunneling, new RADIUS attributes are needed; this document defines them. In addition, some new values for the Acct-Status-Type attribute are proposed. Specific recommendations and examples of applying these attributes to L2TP are given in RFC 2809. The new Acct-Status-Type values are:
- Tunnel-Start: value 9, marks the establishment of a tunnel with another node.
- Tunnel-Stop: value 10, marks the destruction of a tunnel to or from another node.
- Tunnel-Reject: value 11, marks the rejection of the establishment of a tunnel with another node.
- Tunnel-Link-Start: value 12, marks the creation of a tunnel link.
- Tunnel-Link-Stop: value 13, marks the destruction of a tunnel link.
- Tunnel-Link-Reject: value 14, marks the rejection of the establishment of a new link in an existing tunnel.
And two new attributes:
- Acct-Tunnel-Connection: may be used to provide a means of uniquely identifying a tunnel session for auditing purposes.
- Acct-Tunnel-Packets-Lost: indicates the number of packets lost on a given link.

4.3.4. RFC 2868:


RFC 2868, RADIUS Attributes for Tunnel Protocol Support: describes the RADIUS attributes that support tunnel protocols, and updates RFC 2865. New RADIUS attributes are needed to carry the tunneling information from the RADIUS server to the tunnel end points.

The new attributes are:
- Tunnel-Type: indicates the tunneling protocol(s) to be used or in use.
- Tunnel-Medium-Type: indicates the transport medium to use when creating a tunnel for a protocol (such as L2TP) that can operate over several transports.
- Tunnel-Client-Endpoint: contains the address of the initiator end of the tunnel.
- Tunnel-Server-Endpoint: contains the address of the server end of the tunnel.
- Tunnel-Password: contains a password used to authenticate to a remote server.
- Tunnel-Private-Group-ID: indicates the group ID for a particular tunneled session.
- Tunnel-Assignment-ID: tells the tunnel initiator which tunnel a session is to be assigned to.
- Tunnel-Preference: when the RADIUS server returns more than one set of tunneling attributes to the tunnel initiator, this attribute is included in each set to indicate the relative preference of each tunnel.
- Tunnel-Client-Auth-ID: specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment.
- Tunnel-Server-Auth-ID: specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment.

4.3.5. RFC 2869:


RFC 2869, RADIUS Extensions: proposes a number of additional attributes that can be added to RADIUS to perform various useful functions. These attributes do not yet have extensive field experience and are therefore considered experimental.

The Extensible Authentication Protocol (EAP) is a PPP extension that provides support for additional authentication methods within PPP. This RFC describes how the EAP-Message and Message-Authenticator attributes are used to provide EAP support within RADIUS. All attributes are variable-length Type-Length-Value 3-tuples, so new attribute values can be added without disturbing existing implementations of the protocol.

III. ASA
1. History.
Among the hardware devices that protect an internal network infrastructure, the PIX Firewall line from Cisco Systems long held one of the leading positions. Following the evolution of the technology and the trend toward integrating several functions on one hardware platform (an appliance), Cisco Systems introduced the multi-function security product line Cisco ASA (Adaptive Security Appliance). Besides inheriting the strengths of the technology used in the Cisco PIX Firewall, the Cisco IPS 4200 and the Cisco VPN 3000 Concentrator, this product line integrates the three main function groups of a protection infrastructure: Firewall, IPS and VPN. Through that integration the Cisco ASA delivers an effective solution for securing network connections, so that an organization or enterprise can proactively respond, on a broad front, to the forms of network attack and the threats it regularly faces. The notable characteristics of the ASA are:
+ Full Firewall, IPS, anti-X and IPsec/SSL VPN capabilities.
+ An extensible architecture for adaptive identification and mitigation services.
+ Lower operating and development costs.


2. Cisco firewall products:


Cisco PIX Firewalls have always played an important role in Cisco's security strateg. Cisco's various firewall models provide security solutions for small and medium-sized businesses. Cisco's earlier firewall products include:
+ Cisco PIX Firewalls.
+ Cisco FWSM (Firewall Services Module).
+ Cisco IOS Firewall.

3. Network access control (NAC)


The Cisco Adaptive Security Appliance (ASA) can help protect one or more networks from intruders and attacks. The connections between these networks can be controlled and monitored using the features the Cisco ASA provides, so that all traffic from trusted networks to untrusted networks (and the reverse) passes through the firewall according to the organization's security policy.

3.1. Packet filtering


The Cisco ASA can protect the inside network, the demilitarized zones (DMZs) and the outside network by inspecting all traffic that passes through it. Policies and rules can be defined for which traffic is permitted or denied through an interface. The security appliance uses access control lists (ACLs) to drop unwanted or unknown traffic when it tries to enter the trusted network. An ACL is a list of security rules and policies grouped together that permit or deny packets after looking at the packet headers and other attributes. Each permit or deny statement in an ACL is called an access control entry (ACE). ACEs can classify packets by inspecting Layer 2, Layer 3 and Layer 4 information of the OSI model:
- Layer 2 protocol information: EtherTypes.
- Layer 3 protocol information: ICMP, TCP or UDP, and the source and destination IP addresses.
- Layer 4 protocol information: the source and destination TCP/UDP ports.
Once an ACL has been configured, it can be applied to an interface to filter traffic. The security appliance can filter packets in both the inbound and the outbound direction of an interface. When an ACL is applied inbound on an interface, the security appliance checks received packets against the ACEs as soon as they arrive. If a packet is permitted in, the security appliance continues processing it through the other configured features. If a packet is denied by the ACL, the security appliance drops it and generates a syslog message recording that the event occurred. In Figure 3-1 the administrator has applied to the outside interface an inbound ACL that permits only HTTP traffic to 20.0.0.1. All other traffic is dropped at the security appliance's interface.

[Figure 3-1 shows an inside network 20.0.0.0/8 with a web server at 20.0.0.1, the ASA firewall, and the outside network 209.165.200.224/27 with the address 209.165.201.1, the Internet and Host A. The policy label reads: permit traffic to 20.0.0.1, drop all other traffic.]

Figure 3-1: The packet-filtering process of the firewall.

If an outbound ACL is applied on an interface, the security appliance first passes the packet through its other processing (NAT, QoS and VPN) and then applies the configured ACEs before transmitting it. The security appliance transmits a packet only if it is permitted out. If the packet is denied by one of the ACEs, the security appliance drops it and generates a syslog message recording that the event occurred. In Figure 3-1 the administrator has applied to the inside interface an outbound ACL that permits only HTTP traffic to 20.0.0.1. All other traffic is dropped at the security appliance's interface.
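The first-match evaluation just described, as an added example written for this page rather than Cisco code: a small Python evaluator that applies the Figure 3-1 policy (permit only TCP port 80 to 20.0.0.1, drop and log everything else) and a check for ACEs that an earlier entry shadows, the usual symptom of an ACL whose deny-all was typed before its permits. The ACE and packet structures, the log wording and the sample addresses are constructed assumptions, not ASA internals.

```python
"""Added example: first-match ACL evaluation with the implicit deny, after Figure 3-1.
Illustrative Python written for this page, not Cisco ASA code; the data shapes, the log
text and the sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ACE:
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


ANY = ipaddress.ip_network("0.0.0.0/0")


def host(address: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(address + "/32")


def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[ACE], pkt: Packet, log: List[str]) -> str:
    """Walk the ACEs in order; the first match decides. A packet that matches nothing hits
    the implicit deny at the end of every ACL. Denials are logged, as the text says the ASA
    raises a syslog message for each dropped packet (the wording here is our own)."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            if ace.action == "deny":
                log.append(f"deny {pkt.protocol} {pkt.src} -> {pkt.dst}:{pkt.dport} by ACE {n}")
            return ace.action
    log.append(f"deny {pkt.protocol} {pkt.src} -> {pkt.dst}:{pkt.dport} by implicit deny")
    return "deny"


def shadowed(acl: List[ACE]) -> List[int]:
    """1-based positions of ACEs that can never match because an earlier ACE already covers
    every packet they would match (same or broader protocol, port and address ranges)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            covers_proto = earlier.protocol == "ip" or earlier.protocol == later.protocol
            covers_port = earlier.dport is None or earlier.dport == later.dport
            if covers_proto and covers_port and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                out.append(j + 1)
                break
    return out


# The Figure 3-1 policy, applied inbound on the outside interface.
OUTSIDE_IN = [ACE("permit", "tcp", ANY, host("20.0.0.1"), 80)]
```

Run `evaluate(OUTSIDE_IN, pkt, log)` over a few packets and only TCP to 20.0.0.1:80 is permitted; SSH to the same host, UDP to port 80 and HTTP to 20.0.0.2 all fall through to the implicit deny and leave a log line. `shadowed()` is the check worth running after any edit: an ACL that starts with `deny ip any any` reports its permit as unreachable.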

Types of access control list: there are five kinds of ACL, giving a flexible and scalable way to filter unauthorized packets:
+ Standard ACL
+ Extended ACL
+ IPv6 ACL
+ EtherType ACL
+ WebVPN ACL
Standard ACL: a standard ACL identifies packets by their destination IP address only. Such ACLs are used to select the traffic for remote-access VPN split tunneling and to identify routes for redistribution in route maps. Standard ACLs can be used only when the security appliance operates in routed mode (that is, when it routes between subnets).
Extended ACL: the extended ACL is the most common kind; it can classify packets on the following characteristics:
- Source and destination IP addresses.
- Layer 3 protocol.
- Source and/or destination TCP and UDP ports.
- ICMP type, for ICMP packets.
An extended ACL can be used for packet filtering, QoS packet classification, identifying packets for NAT, and selecting traffic for VPN encryption.
IPv6 ACL: an IPv6 ACL works like an extended ACL, but it identifies only IPv6 traffic passing through the security appliance in routed mode.
EtherType ACL: an EtherType ACL can filter IP or non-IP traffic by inspecting the EtherType code in the Layer 2 Ethernet header. An EtherType ACL can be configured only when the security appliance is running in transparent mode. Note that the security appliance does not let IPv6 traffic through even when it is permitted by the IPv6 EtherType in such an ACL.

WebVPN ACL: a WebVPN ACL lets the administrator restrict the traffic coming from WebVPN sessions. If a WebVPN ACL is defined but matches no entry for a packet, the packet is dropped by default; if no ACL is defined at all, the security appliance lets the traffic through. An ACL classifies traffic by permitting or dropping packets as they try to pass through the security appliance. A simple ACE permits all IP addresses of one network to reach another network; a more specific one permits traffic from a particular IP address and port to a particular destination address and port. ACEs are created with the access-list configuration commands of the security appliance.

3.2. Content and URL filtering


Traditionally a firewall blocks packets by inspecting Layer 3 or Layer 4 header information. The Cisco ASA extends this by inspecting the content of certain Layer 7 protocols such as HTTP, HTTPS and FTP. Based on the organization's security policy, the security appliance can permit or block packets that carry disallowed content. The Cisco ASA supports two kinds of application-layer filtering:
- Content filtering
- URL filtering

3.2.1. Content Filtering


Enabling Java or ActiveX in a working environment can let a naive user download a malicious executable that destroys or corrupts files in that environment. A network security professional can disable Java and ActiveX processing in the browser, but that is not the best solution. An alternative is to use a network device such as the Cisco ASA to strip the malicious content from the packets. With the local content-filtering feature, the security appliance can inspect HTTP headers and filter out ActiveX controls and Java applets as the packets try to pass through from untrusted hosts.

The Cisco ASA can distinguish trusted from untrusted applets. If a trusted website sends Java or ActiveX applets, the security appliance can forward them to the hosts that requested the connection. If the applets come from untrusted web servers, the security appliance can modify the content and remove the embedded objects from the packets. This way the end user is not the one deciding whether an applet is accepted or rejected; users can download any applet without having to worry.

3.2.2. ActiveX Filtering


ActiveX can cause potentially serious damage to hosts on the network if malicious ActiveX code is downloaded onto a machine. ActiveX code is embedded in web pages with the HTML <OBJECT> and </OBJECT> tags. The security appliance looks for these tags in traffic originating on a preconfigured port. When it detects them, it replaces them with the comment tags <!-- and -->. When the browser receives the HTTP data with <!-- and -->, it ignores the enclosed content, treating it as an author's comment. Note: the security appliance cannot comment out HTML tags that are split across several network packets.
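The comment-out and the limitation noted above, as an added example (Python written for this page, not ASA code). The first filter works on one segment at a time and reproduces the miss when a tag straddles a packet boundary; the second holds an unterminated tag fragment back until the next segment arrives, which closes that gap at the cost of buffering. The HTML and the segment boundary are constructed.

```python
"""Added example: replacing <OBJECT> ... </OBJECT> with <!-- ... --> per TCP segment, and a
buffered variant that survives a tag split across two segments. Illustrative Python written
for this page, not Cisco ASA code; the sample HTML and split point are constructed."""
import re

OPEN_TAG = re.compile(r"<\s*object\b[^>]*>", re.IGNORECASE)
CLOSE_TAG = re.compile(r"<\s*/\s*object\s*>", re.IGNORECASE)


def filter_segment(text: str) -> str:
    """Turn <OBJECT ...> into <!-- and </OBJECT> into --> so the browser treats the object
    reference as an author comment. Only tags wholly inside this text are seen."""
    return OPEN_TAG.sub("<!--", CLOSE_TAG.sub("-->", text))


def filter_per_segment(segments) -> str:
    """What a filter that looks at one packet at a time produces."""
    return "".join(filter_segment(s) for s in segments)


class StreamFilter:
    """Holds back an unterminated '<...' at the end of a segment until the next one arrives,
    so a tag split across two packets is still seen whole."""

    def __init__(self):
        self.pending = ""

    def feed(self, segment: str) -> str:
        data = self.pending + segment
        cut = data.rfind("<")
        if cut != -1 and ">" not in data[cut:]:
            self.pending, data = data[cut:], data[:cut]   # possible partial tag: keep for later
        else:
            self.pending = ""
        return filter_segment(data)

    def flush(self) -> str:
        """At end of stream release whatever was held; a lone '<' was not a tag after all."""
        out, self.pending = self.pending, ""
        return out


def filter_stream(segments) -> str:
    f = StreamFilter()
    return "".join(f.feed(s) for s in segments) + f.flush()
```

With the page split as `'<html><OBJ'` and `'ECT ...>'`, `filter_per_segment` lets the opening tag through untouched while `filter_stream` comments it out. The buffered approach is what a real inspection engine needs: the cost is that a `<` with no matching `>` is held until more data or the end of the stream.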

3.3. Address translation.
3.3.1. Network Address Translation (NAT)


NAT, Network Address Translation, is a technique originally invented to address the shortage of IP addresses, but it has since shown advantages that were not foreseen when it was invented. Among the benefits most widely used today, NAT allows:
- Sharing one Internet connection among many hosts inside the LAN using a single WAN IP address.
- A firewall effect: it hides all of the LAN's addresses from the outside world and so blunts probing by attackers.
- Flexibility and ease of management.

NAT lets home users and small businesses connect to the Internet easily and efficiently, and saves on investment.

3.3.2. Port Address Translation (PAT).


This is the common form of NAT found today in hardware and software routers and in Internet-sharing software such as ISA, ICS or a NAT server, whose configuration we will look at shortly. It is also referred to as dynamic NAT (more precisely, dynamic NAT with port overloading). With this form of NAT all IP addresses in the LAN are hidden behind one NAT IP address; every outbound connection is rewritten at the NAT device before it reaches its Internet destination. NAT rule (example): packets from the 138.201.x.x network to the Internet use the NAT router's address. For every packet sent out, the source IP is replaced with the NAT IP 195.112.x.x and the source port with a port not yet in use by NAT, normally a port above 1024. When a packet arrives for the router's address and its destination port lies in the range used for masquerading, NAT looks the address and port up in its masquerading table; if the entry belongs to a host inside the LAN, NAT rewrites the packet with that host's IP address and port and forwards it to that host.
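The masquerading table just described, as an added example (illustrative Python written for this page, not Cisco ASA code). The NAT address 195.112.0.1 and the inside hosts on 138.201.0.0/16 follow the prefixes the text uses; the remote addresses and packets are constructed for the example. Beyond the text, it shows why PAT acts as a firewall: an inbound packet is translated only if it answers a flow the table already knows, and a reply from the wrong remote host is dropped too.

```python
"""Added example: a Port Address Translation table. Illustrative Python written for this
page, not Cisco ASA code; addresses follow the text's 138.201.x.x / 195.112.x.x example and
the remote hosts and packets are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PAT:
    """Hides every inside address behind one NAT IP. Outbound source ports are rewritten to an
    unused port above 1024 and the mapping is remembered so replies can be translated back."""

    def __init__(self, nat_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.nat_ip = nat_ip
        self.next_port = first_port
        self.last_port = last_port
        self.by_nat_port = {}   # (proto, nat_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.by_flow = {}       # (proto, inside_ip, inside_port, remote_ip, remote_port) -> nat_port

    def _allocate_port(self) -> int:
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source; create a table entry on first sight of the flow."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.by_flow.get(flow)
        if nat_port is None:
            nat_port = self._allocate_port()
            self.by_flow[flow] = nat_port
            self.by_nat_port[(pkt.proto, nat_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.nat_ip, sport=nat_port)

    def inbound(self, pkt: Packet):
        """Outside -> inside: translate only packets that answer a table entry. Anything else
        (a scan of the NAT address, a reply from the wrong remote host, a different protocol
        on the same port) is dropped. Returns the translated packet, or None for a drop."""
        if pkt.dst != self.nat_ip:
            return None
        entry = self.by_nat_port.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst=inside_ip, dport=inside_port)
```

Two inside hosts using the same source port get distinct NAT ports, so their replies are kept apart; a second packet of the same flow reuses its mapping. Real appliances also age entries out by idle time, which this table omits.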

4. The AAA protocols and services supported by the Cisco ASA


AAA stands for Authentication, Authorization, Accounting. AAA provides the means to control and audit access to network devices. The services included in the AAA architecture are:
Authentication: the process of verifying users against their identity and predefined information, such as a password or another mechanism such as a digital certificate.
Authorization: the method by which a network device assembles a set of attributes that define which tasks the user is authorized to perform. These attributes establish the privileges the user is allowed or denied. The result is returned to the network device to determine the user's permissions; the user database may reside on the ASA itself or on a RADIUS or TACACS+ server.
Accounting: the process of collecting user information and sending it to an AAA server, where it is recorded to track logins (when the user logs in and out) and the services the user accessed. This information can be used for billing, auditing and reporting. The Cisco ASA can be configured to keep a local user database or to use an external server for authentication.

Figure 3-2: Basic NAS/RADIUS/TACACS+/AAA architecture.

The AAA authentication protocols and external servers (with the user database stored outside the ASA) are:
- Remote Authentication Dial-In User Service (RADIUS).
- Terminal Access Controller Access-Control System (TACACS+).
- RSA SecurID (SDI).
- Windows NT.
- Kerberos.
- Lightweight Directory Access Protocol (LDAP).

4.1. Remote Authentication Dial-In User Service (RADIUS)


RADIUS is a widely used authentication protocol defined in RFC 2865, "Remote Authentication Dial-In User Service (RADIUS)". RADIUS works in a client/server model. A RADIUS client is usually called a network access server (NAS); the NAS is responsible for passing user information to the RADIUS server. The Cisco ASA acts as a NAS and authenticates users according to the RADIUS server's response. The Cisco ASA supports, among others, the following RADIUS servers:
- CiscoSecure ACS
- Cisco Access Registrar
- Livingston
- Merit
- Funk Steel-Belted RADIUS
- Microsoft Internet Authentication Server
For network authentication a shared secret key is configured on both the AAA/RADIUS server and the AAA client. The shared secret is never sent over the link, which is what lets it protect the integrity of the exchange. When RADIUS authenticates a user, several authentication methods can be used: RADIUS supports authentication over Point-to-Point Protocol Challenge Handshake Authentication Protocol (PPP CHAP) and PPP Password Authentication Protocol (PAP). RADIUS is an extensible protocol that lets vendors add new attribute values without disturbing the existing ones. One big difference between TACACS+ and RADIUS is that RADIUS does not separate authentication from authorization. RADIUS also provides better accounting. RADIUS runs over UDP. RADIUS uses ports 1645 and 1812 for authentication and 1646 and 1813 for accounting. Ports 1812 and 1813 appeared in newer RADIUS implementations: the use of port 1645 by early implementations conflicted with the "datametrics" service, so the officially assigned port is 1812. RADIUS is considered a connectionless service. Server availability, retransmission and timeouts are handled by the RADIUS-enabled devices rather than by the transport protocol. This differs from TACACS+, which relies on the connection-oriented TCP transport.

RADIUS operation
The RADIUS process for handling a login is:
Step 1. A user login generates a query (Access-Request) from the AAA client to the RADIUS server.
Step 2. A response permitting or denying access (Access-Accept or Access-Reject) is returned by the server.
The Access-Request packet contains the username, the hidden (encrypted) password, the IP address of the AAA client and the port. The RADIUS packet format is:

Code (1 octet) | Identifier (1 octet) | Length (2 octets) | Authenticator (16 octets) | Attributes

Figure 3-3: RADIUS packet format.

Each RADIUS packet contains the following fields:
+ Code: 1 octet, identifies the type of packet.
+ Identifier: 1 octet, matches replies with requests and lets the RADIUS server detect duplicate requests.
+ Length: 2 octets, the length of the entire packet.
+ Authenticator: 16 octets, most significant octet transmitted first; it authenticates the reply from the RADIUS server and is used in the password-hiding algorithm. There are two kinds of authenticator:
- Request Authenticator, present in Access-Request and Accounting-Request packets.
- Response Authenticator, present in Access-Accept, Access-Reject, Access-Challenge and Accounting-Response packets.
+ Attributes: additional RADIUS attributes, including vendor-specific ones.
The RADIUS server receives the user's authentication request and then returns the configuration information the client needs to deliver the particular services to the user. The RADIUS server does this by sending Internet Engineering Task Force (IETF) or vendor-specific attributes. (The RADIUS authentication attributes are defined in RFC 2865.) The Cisco ASA acts as the NAS and the RADIUS server is a Cisco Secure Access Control Server (ACS). The user tries to connect to the Cisco ASA (for administration, VPN, or through the cut-through proxy feature). The Cisco ASA prompts the user for a username and password. The user sends the credentials to the Cisco ASA. The Cisco ASA sends an authentication request (Access-Request) to the RADIUS server. The RADIUS server sends an Access-Accept message if the user is authenticated successfully, or an Access-Reject if not. The Cisco ASA answers the user and permits access to the requested service. Note: depending on the implementation and the services in use, the RADIUS server may also send vendor-specific attributes to the Cisco ASA. These may carry information such as the IP address to assign to the client and authorization data. The RADIUS server combines the authentication and authorization phases into a single request/response cycle.
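The exchange of Figure 2-12, the accounting request of section II.3.2 and the fields of Figure 3-3, in one added example (Python written for this page; not Cisco ASA, ACS or RFC reference code). It encodes and decodes the Code/Identifier/Length/Authenticator/Attributes layout, hides the User-Password the way RFC 2865 specifies, builds the Accounting-Request authenticator of RFC 2866, and has the NAS verify the Response Authenticator before trusting an Access-Accept. The shared secret, the user database and the NAS address are constructed assumptions.

```python
"""Added example (not from the page, not Cisco or ACS code): the RADIUS round trip of
Figure 2-12 and the packet layout of Figure 3-3, after RFC 2865 and RFC 2866. The shared
secret, the user database and the NAS address are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
SERVICE_TYPE_ADMINISTRATIVE, ACCT_STATUS_START = 6, 1
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-octet Authenticator follows

def encode_attrs(attrs):
    # Attributes are Type(1) Length(1) Value TLVs; Length counts its own two octets.
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")  # never trust Length blindly
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, identifier, length = HEADER.unpack(raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad Length field")
    return code, identifier, raw[4:20], decode_attrs(raw[20:])

def hide_password(password, secret, request_authenticator):
    # RFC 2865 s.5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_authenticator):
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def reply_authenticator(code, identifier, request_authenticator, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret); with 16 zero octets as
    # RequestAuth this is also the Accounting-Request authenticator of RFC 2866 s.3.
    body = encode_attrs(attrs)
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(body)) + request_authenticator + body + secret).digest()

def build_reply(code, identifier, request_authenticator, attrs, secret):
    return build_packet(code, identifier, reply_authenticator(code, identifier, request_authenticator, attrs, secret), attrs)

def verify_reply(raw, request_authenticator, secret):
    # The NAS must check this before acting on an Access-Accept: a spoofed UDP reply from
    # someone who lacks the secret cannot carry a valid Response Authenticator.
    code, identifier, auth, attrs = parse_packet(raw)
    return hmac.compare_digest(auth, reply_authenticator(code, identifier, request_authenticator, attrs, secret))

def nas_access_request(identifier, username, password, secret, nas_ip=bytes([192, 168, 1, 1])):
    # Step 4 of Figure 2-12: the ASA (NAS) sends an Access-Request with a fresh random authenticator.
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth)), (NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, identifier, req_auth, attrs), req_auth

def server_handle(raw, secret, users):
    # Step 5: the server (ACS) checks the credentials and answers Access-Accept or Access-Reject.
    code, identifier, req_auth, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    a = dict(attrs)  # the attributes used here occur at most once per packet
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(a.get(USER_NAME))
    if expected is not None and hmac.compare_digest(expected, password):
        service = struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)
        return build_reply(ACCESS_ACCEPT, identifier, req_auth, [(SERVICE_TYPE, service)], secret)
    return build_reply(ACCESS_REJECT, identifier, req_auth, [], secret)

def exchange(username, password, secret, users, identifier=1):
    # The whole round trip as seen by the NAS; "forged" means the reply failed verification.
    raw, req_auth = nas_access_request(identifier, username, password, secret)
    reply = server_handle(raw, secret, users)
    if not verify_reply(reply, req_auth, secret):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[parse_packet(reply)[0]]

def accounting_start(identifier, session_id, username, secret):
    # RFC 2866 Accounting-Request (Start); the server checks it with verify_reply(raw, b"\x00" * 16, secret).
    attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)), (ACCT_SESSION_ID, session_id), (USER_NAME, username)]
    return build_reply(ACCOUNTING_REQUEST, identifier, b"\x00" * 16, attrs, secret)
```

The verification step is the one practitioners skip: without it, any host that can spoof the server's UDP source address can hand the NAS an Access-Accept. The Response Authenticator binds the reply to the request's random authenticator and to the shared secret, so a reply computed under a different secret fails. The MD5-based hiding is what the RFC specifies and is not strong cryptography, which is one reason RADIUS over TLS (RFC 6614) wraps the whole exchange.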

4.2. Terminal Access Controller Access-Control System (TACACS+)


TACACS+ is an AAA security protocol that provides centralized authentication of users trying to access a NAS; it supports the three AAA functions separately and therefore more flexibly than RADIUS. TACACS+ uses TCP port 49 (the original TACACS used UDP port 49). The Cisco ASA communicates with a TACACS+ server over TCP.

4.2.1. TACACS+ packet format and header values


The TACACS+ protocol defines a 12-byte header that appears in every TACACS+ packet. This header is always sent in clear text.

major_version (4 bits) | minor_version (4 bits) | type (1 byte) | seq_no (1 byte) | flags (1 byte)
session_id (4 bytes)
length (4 bytes)

Figure 3-4: TACACS+ packet header.

Major_version: the major version number of TACACS+. The value appears in the header as TAC_PLUS_MAJOR_VER = 0xc.
Minor_version: a revision number for the TACACS+ protocol that also provides backward compatibility. A default value and version one are defined for some commands. These values appear in the TACACS+ header as TAC_PLUS_MINOR_VER_DEFAULT = 0x0 and TAC_PLUS_MINOR_VER_ONE = 0x1. If a TACACS+ AAA server receives a packet whose minor version differs from the one it is running, it returns an error status and asks for the closest minor_version it supports.
Type: distinguishes the packet type. Only a few types are legal:
- TAC_PLUS_AUTHEN = 0x01: an authentication packet.
- TAC_PLUS_AUTHOR = 0x02: an authorization packet.
- TAC_PLUS_ACCT = 0x03: an accounting packet.
Seq_no: the sequence number of the current packet within the session. TACACS+ can run one or more sessions for each AAA client; the first packet of a session carries seq_no 1 and each subsequent packet increments it.
Flags: there are two flags:
+ TAC_PLUS_UNENCRYPTED_FLAG: indicates whether the packet body is obfuscated. The value 1 means the body is not obfuscated; the value 0 means it is.
+ TAC_PLUS_SINGLE_CONNECT_FLAG: indicates whether several TACACS+ sessions are multiplexed over a single TCP connection.
Session_id: a random value that identifies the current session between the AAA client and the TACACS+ server. It stays the same for the lifetime of the session.
Length: the total length of the TACACS+ packet body, not counting the 12-byte header.
The TACACS+ authentication model is similar to that of RADIUS. The NAS sends an authentication request to the TACACS+ server. The server eventually sends one of the following messages back to the NAS:
ACCEPT: the user is authenticated successfully and the requested service is permitted. If authorization is required, the authorization process then starts.
REJECT: the user's authentication is denied. The user may be prompted to retry, depending on the TACACS+ server and the NAS.
ERROR: an error occurred during authentication. The cause may be a connectivity problem or a violation of the security mechanism.
CONTINUE: the user is prompted for additional authentication information.
Once authentication is complete and has succeeded, the TACACS+ server proceeds to the authorization phase if authorization is required.
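The header of Figure 3-4 and the effect of TAC_PLUS_UNENCRYPTED_FLAG, as an added example (Python written for this page, not Cisco or ACS code). It builds and parses the 12-byte clear-text header and applies the MD5 pseudo-pad obfuscation to the body as specified in RFC 8907, the current TACACS+ specification; the shared key, session id, port name and user name are constructed for the example. Beyond the header itself, it shows why the key matters: the header stays readable on the wire, but the user name in the START body does not, and a receiver with no key must refuse an obfuscated body rather than guess.

```python
"""Added example: TACACS+ header construction/parsing and body obfuscation (RFC 8907).
Illustrative Python written for this page, not Cisco or ACS code; key, session id and
user data are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xc
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
# version(1) type(1) seq_no(1) flags(1) session_id(4) length(4): the 12-byte clear-text header.
HEADER = struct.Struct("!BBBBII")
# Authentication START body constants (RFC 8907 s.5.1) used by the sample body below.
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id | key | version | seq_no); pad_n = MD5(... | pad_{n-1}); concatenate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def build_packet(ptype, seq_no, session_id, body, key, single_connect=False):
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key is None:                      # no shared key: body in the clear, and the flag says so
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    else:
        payload = xor_body(body, session_id, key, version, seq_no)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(raw, key):
    """Return (header dict, clear body). Rejects an unknown major version, a length field that
    disagrees with the data, and an obfuscated body when this side has no key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported TACACS+ major version")
    if length != len(raw) - HEADER.size:
        raise ValueError("length field does not match packet")
    body = raw[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("obfuscated body but no key configured")
        body = xor_body(body, session_id, key, version, seq_no)
    header = {"major": version >> 4, "minor": version & 0xF, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    return header, body


def authen_start_body(user, port=b"tty0", rem_addr=b"", priv_lvl=1):
    """Authentication START body: action priv_lvl authen_type service, four length bytes, then strings."""
    return (bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr)
```

The pseudo-pad is keyed MD5 in a chain, not an authenticated cipher: a wrong key yields garbage rather than an error, and nothing in the packet detects tampering. That is why TACACS+ deployments depend on the TCP path between NAS and server being trusted, and why the text's note that the header is always clear text matters for anyone capturing the link.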

4.3. RSA SecurID (SDI)


RSA SecurID is a security solution from RSA Security; Cisco refers to the server type as SDI. The RSA ACE/Server is the administrative component of the SecurID solution. It provides time-based one-time passwords. The Cisco ASA supports SDI authentication only for authenticating VPN users. However, if SDI is used together with an authentication server such as CiscoSecure ACS for Windows NT, that server can use SDI for external authentication and proxy the authentication requests for every service the Cisco ASA supports. The Cisco ASA and the SDI server communicate over UDP port 5500. The SDI solution gives the user a new passcode every 60 seconds, in rotation. The passcode is generated when the user enters a PIN and is synchronized with the server that performs the authentication. The SDI server can be configured to require the user to enter a new PIN while authenticating. The authentication mechanism is shown in Figure 3-5:

[Figure 3-5 shows the user, the Cisco ASA and the SDI server with message arrows numbered 1 to 8.]

Figure 3-5: Authentication mechanism.
1. The user opens a connection to the Cisco ASA security appliance.
2. The Cisco ASA starts the authentication process.
3. The user supplies a username and password.
4. The Cisco ASA forwards the authentication request to the SDI server.
5. If the token code is accepted, the SDI server authenticates the user and asks for a new PIN to be used the next time the user authenticates.
6. The Cisco ASA asks the user for a new PIN.
7. The user enters the new PIN.
8. The Cisco ASA sends the new PIN to the SDI server.

4.4. Windows NT
The Cisco ASA supports Windows NT authentication for remote-access VPN connections. It communicates with the Windows NT server over TCP port 139. As with SDI, a RADIUS/TACACS+ server such as CiscoSecure ACS can delegate authentication to Windows NT for all the services the Cisco ASA supports.

4.5. Kerberos
Kerberos is a protocol built to strengthen authentication in a distributed network environment. The Cisco ASA can authenticate VPN users against an external Windows Active Directory, which uses Kerberos for authentication. A Unix or Linux system can also host the Kerberos authentication server. Authentication of VPN clients is supported. The Cisco ASA communicates with Active Directory and/or the Kerberos server over UDP port 88.

4.6. Lightweight Directory Access Protocol (LDAP)


The Cisco ASA supports LDAP for authorizing remote-access VPN connections. The LDAP protocol is specified in RFC 3377 and RFC 3771. LDAP provides authorization services by accessing the user database held in the directory tree. The Cisco ASA communicates with the LDAP server over TCP port 389. LDAP provides authorization services only, so a separate protocol must supply the authentication service. LDAP is a simple, standard directory-access protocol, in other words a language that clients and servers use to talk to each other. LDAP is a lightweight protocol: it is efficient, simple and easy to implement while still offering high-level operations. This contrasts with a heavyweight protocol such as the X.500 Directory Access Protocol (DAP), which uses overly complex encoding methods. LDAP uses a simple set of operations and is an application-layer protocol.

How LDAP operates
The LDAP client/server model: first, consider LDAP as a client/server communication protocol. In a client/server protocol a client program running on one computer sends a request over the network to another computer running a server program; the server receives the request, carries it out and returns the result to the client program. The basic idea of the client/server model is that work is assigned to the computers best equipped to perform it. For example, a typical LDAP server has a lot of RAM for holding directory contents so that operations execute quickly, and it also needs fast disks and processors.

LDAP is a message-oriented protocol. The client and server communicate through messages: the client builds an LDAP message containing its request and sends it to the server. The server receives the message, processes the client's request and returns the result to the client, also as an LDAP message. For example, when an LDAP client wants to search the directory, it builds an LDAP search message and sends it to the server. The server searches its database and returns the results to the client in an LDAP message.

The connection between an LDAP server and client: the client opens a TCP connection to the LDAP server and performs a bind operation. The bind includes the name of a directory entry and the credentials to be used for authentication; the credentials are usually a password but may also be a digital certificate that authenticates the client. Once the directory has verified the identity given in the bind, the result of the bind operation is returned to the client.

[Figure 3-6 shows the LDAP client and LDAP server with the eight numbered messages listed below.]

Figure 3-6: Connection process between client and server.

The client/server connection model:
1. Open a connection and bind to the server.
2. The client receives the result of the bind.
3. The client issues search requests.
4. The server processes them and returns result entry 1 to the client.
5. The server returns result entry 2 to the client.
6. The server sends a message ending the search.
7. The client issues an unbind request, which tells the server that the client wants to end the connection.
8. The server closes the connection.

5. Application inspection


Cisco's application inspection mechanism is used to check the security of the applications and services in the system. The inspection engine tracks state information for every connection traversing the security appliance's interfaces and ensures they are valid. Stateful application inspection examines not only the packet headers but also the packet contents up through the application layer. Some applications require special handling of their packets as they cross a Layer 3 device. These include applications and protocols that embed IP addresses in the data portion of the packet, or that open a second channel to allow

6. Failover and redundancy

6.1. Failover architecture

When two ASAs are set up in failover mode, one of them, called the active unit, is responsible for building the state and address-translation tables, forwarding packets and the other normal operations, while the other, called the standby unit, monitors the health of the active unit. The active and standby units exchange failover information over a dedicated connection known as the failover link. When a failure occurs on the active unit, the standby unit takes over the active role until the failed unit recovers. Over the failover link the two ASAs exchange:

- the unit state (active or standby)
- network link state
- hello (keepalive) messages
- MAC address exchange
- configuration replication (synchronization)

Figure 3-7: The failover link between the two ASAs (diagram not reproduced in this copy).

6.2. Conditions that trigger failover

Failover occurs when:

- the administrator forces a switch from the active unit to the standby unit;
- the standby ASA stops receiving keepalive (hello) messages from the active unit: after two consecutive missed hellos the standby considers the active unit failed and takes the active role until the active unit comes back;
- a link on a monitored interface goes down.

Interface health testing. The units learn each other's status over the link between the active and standby units by exchanging hello messages, every 15 seconds in the configuration described here. A hello message contains the operational state of the monitored interfaces. Before switching from standby to active, the ASA runs the following four tests on an interface, each only if the previous one did not show the interface to be healthy:

1. Link up/down test: if the interface is not up, it is treated as failed and failover proceeds.
2. Network activity test: if no packets are received on the interface for five seconds, the next test runs.
3. ARP test: the unit sends ARP requests and, if no reply arrives within five seconds, moves on to the last test.
4. Broadcast ping test: a broadcast ping is sent; if no reply is received within five seconds the interface is considered failed and failover proceeds.

6.3. Failover state

When a connection is established through the ASA, the ASA updates its connection table. Each entry records the source address, destination address, protocol, connection state, the interfaces involved and the number of bytes transferred. Depending on the failover configuration, the ASA operates in one of two modes:

- Stateless failover: connections are maintained on the active unit but not synchronized to the standby. The active unit sends no connection-table updates to the standby, so when the active unit fails and the standby becomes active, every existing connection is lost and clients must re-establish them.
- Stateful failover: connections are maintained and synchronized to the standby unit. Connection state is replicated from the active to the standby unit, so when the standby becomes active it does not have to rebuild the connection table; existing sessions continue across the switchover.
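The difference between the two modes is easiest to see on an in-flight connection. The model below is an added example written for this page, not Cisco code: two units joined by a failover link, a hello counter that promotes the standby after the two missed hellos the text describes, and a connection table that is either replicated or not. After a switchover, a packet in the middle of an established flow is forwarded only if the new active unit already holds the connection entry. Unit names, flows and the hold count are parameters of the model.

```python
"""Model of stateless vs stateful ASA failover and hello-based failure detection.
Illustration for this page, not Cisco code; unit names, flows and hold count are model parameters."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Flow = Tuple[str, str, str, int, int]          # (protocol, src, dst, sport, dport)


@dataclass
class Unit:
    name: str
    role: str                                   # "active" or "standby"
    conns: Dict[Flow, str] = field(default_factory=dict)   # connection table: flow -> state
    missed_hellos: int = 0


class FailoverPair:
    """Two units joined by a failover link; `stateful` decides whether the connection table is replicated."""
    HOLD = 2    # consecutive missed hellos before the peer is declared failed (the count the text gives)

    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.units = [Unit("asa-1", "active"), Unit("asa-2", "standby")]

    @property
    def active(self) -> Unit:
        return next(u for u in self.units if u.role == "active")

    @property
    def standby(self) -> Unit:
        return next(u for u in self.units if u.role == "standby")

    def open_connection(self, flow: Flow) -> None:
        """The first packet of a permitted flow creates a conn entry on the active unit;
        with stateful failover the entry is copied to the standby over the failover link."""
        self.active.conns[flow] = "ESTABLISHED"
        if self.stateful:
            self.standby.conns[flow] = "ESTABLISHED"

    def hello_received(self) -> None:
        self.standby.missed_hellos = 0

    def hello_missed(self) -> bool:
        """The standby misses one hello interval; returns True if this triggered a switchover."""
        self.standby.missed_hellos += 1
        if self.standby.missed_hellos >= self.HOLD:
            self.switchover()
            return True
        return False

    def switchover(self) -> None:
        old_active, new_active = self.active, self.standby
        old_active.role, new_active.role = "standby", "active"
        new_active.missed_hellos = 0

    def forward_mid_stream(self, flow: Flow) -> str:
        """A packet that is not the first of its flow is forwarded only if the active unit has a conn entry."""
        return "forwarded" if flow in self.active.conns else "dropped: no matching connection"


if __name__ == "__main__":
    flow = ("tcp", "10.1.1.5", "192.168.1.10", 51000, 443)        # constructed sample flow
    for stateful in (False, True):
        pair = FailoverPair(stateful)
        pair.open_connection(flow)
        pair.hello_missed(); pair.hello_missed()                   # active unit goes silent
        print(f"stateful={stateful}: active={pair.active.name}, {pair.forward_mid_stream(flow)}")
```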

7. Quality of Service (QoS)

In a plain IP network all packets are handled the same way, on a best-effort basis. Network devices ignore how important or time-sensitive the data they carry is. To prioritize important packets, or to meet the real-time requirements of voice and video, a QoS policy is applied per class of traffic. Several QoS mechanisms are available on Cisco devices:

- Traffic policing
- Traffic prioritization
- Traffic shaping
- Traffic marking

The ASA release described here supports only two of them, traffic policing and traffic prioritization (later ASA releases added traffic shaping).

7.1. Traffic policing

Traffic policing, also known as rate limiting, controls the maximum rate of traffic allowed through an interface. Traffic that stays within the configured rate is passed; traffic that exceeds the limit is dropped. On the ASA, a flow that is not classified as priority traffic is first run through the rate limiter: if it conforms to the configured QoS limit it is transmitted (the conform action), if it exceeds the limit the exceed action is applied, which by default drops the packet, and conforming packets are placed in the non-priority (best-effort) queue.

Figure 3-8: How a packet is handled by the QoS mechanisms of the security appliance (flow chart; only its labels survive in this copy: priority classification; priority / non-priority; interface rate-limit evaluation; non-priority / non-conforming, dropped).

When it leaves the QoS stage the packet is handed to the interface for transmission. The security appliance applies QoS per packet at different levels so that even traffic not in the priority list is delivered. Packet handling depends on the depth of the low-priority queue and on the state of the transmit ring. The transmit ring is buffer space the security appliance uses to hold packets before handing them to the interface driver. When congestion occurs, packets wait in the low-priority queue until the high-priority queue is empty; whenever the high-priority queue holds traffic, it is served first. Through rate limiting the security appliance drops packets that do not match the configured QoS parameters. The ASA records these events via syslog, either to a syslog server or on the device itself.

7.2. Traffic prioritization

Traffic prioritization, also called class of service or low-latency queuing (LLQ), is used to give important packets priority so that they are transmitted first; it assigns each class of traffic a different priority level, at the cost that lower-priority packets are more exposed to congestion. The ASA supports two levels, priority and nonpriority. Priority means the packet is put ahead of ordinary traffic, while nonpriority means the packet is subject to the rate limiter. When traffic is classified as priority it is forwarded quickly without passing through the rate limit: it is marked and moved into the priority queue on its way out of the security appliance. To guarantee forwarding of priority traffic on an interface, the appliance services the priority queue first: if there is congestion, traffic placed in the high-priority queue is transmitted as soon as the transmit ring is free.
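Sections 7.1 and 7.2 describe one egress path: priority traffic bypasses the policer and is served first; everything else is metered by the rate limiter and either queued or dropped. The block below, an added example written for this page and not ASA code, implements that path with a single-rate token-bucket policer and a two-level queue. The rate, burst and the choice of DSCP 46 (Expedited Forwarding) as the priority class are assumptions of the example; the packets are constructed.

```python
"""Token-bucket policer plus a two-level (priority / best-effort) egress queue.
Illustration for this page, not ASA code; rate, burst and the priority DSCP are example parameters."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    size: int        # bytes
    dscp: int        # DiffServ code point; 46 (EF) is treated as the priority class here (assumption)
    label: str = ""


class TokenBucket:
    """Single-rate policer: tokens accrue at `rate` bytes/s up to `burst`;
    a packet conforms if enough tokens remain, otherwise the exceed action (drop) applies."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def conforms(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class Egress:
    """Classification, policing and scheduling for one interface."""

    def __init__(self, rate: float, burst: int, priority_dscp: int = 46):
        self.policer = TokenBucket(rate, burst)
        self.priority_dscp = priority_dscp
        self.prio: deque = deque()
        self.best: deque = deque()
        self.dropped: List[Packet] = []

    def enqueue(self, pkt: Packet, now: float) -> str:
        """Return what happened to the packet: 'priority', 'transmit' or 'drop'."""
        if pkt.dscp == self.priority_dscp:
            self.prio.append(pkt)                  # priority traffic skips the rate limiter
            return "priority"
        if self.policer.conforms(pkt.size, now):
            self.best.append(pkt)                  # conform action: transmit via the best-effort queue
            return "transmit"
        self.dropped.append(pkt)                   # exceed action: drop (the ASA would log this via syslog)
        return "drop"

    def dequeue(self) -> Optional[Packet]:
        """The transmit ring always takes from the priority queue first."""
        if self.prio:
            return self.prio.popleft()
        if self.best:
            return self.best.popleft()
        return None

    def drain(self) -> List[str]:
        out = []
        while (p := self.dequeue()) is not None:
            out.append(p.label)
        return out


if __name__ == "__main__":
    eg = Egress(rate=1000, burst=1500)             # 1000 bytes/s, 1500-byte burst (example values)
    for pkt, t in [(Packet(1000, 0, "web1"), 0.0), (Packet(1000, 0, "web2"), 0.0),
                   (Packet(200, 46, "rtp1"), 0.0), (Packet(1000, 0, "web3"), 1.0)]:
        print(pkt.label, eg.enqueue(pkt, t))
    print(eg.drain())
```

The second web packet is dropped because the bucket still held only 500 bytes of credit at t=0; one second later the bucket has refilled and web3 conforms, while the RTP packet was never metered and leaves the interface first.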

8. Intrusion detection (IDS)

An intrusion detection system (IDS) is a device that tries to detect an attacker gaining unauthorized access to the network or a host, disrupting the network or stealing information. An IDS also detects DDoS attacks, worms and virus outbreaks. The number and sophistication of security threats have risen sharply in recent years, so effective defence against intrusion is critical to maintaining the required level of protection: being cautious, staying safe, avoiding risk and reducing the cost of damage and downtime. Intrusion detection systems come in two kinds:

- Network-based intrusion detection systems (NIDS)
- Host-based intrusion detection systems (HIDS)

The intrusion detection and prevention features of the Cisco ASA firewall (the built-in ip audit signatures and the optional IPS module) are network-based: they inspect traffic passing through the appliance. Host-based detection is software installed on the protected hosts themselves.

8.1. Network-based intrusion detection systems (NIDS)

Network-based intrusion detection systems are designed to accurately identify, classify and protect against known and unknown threats aimed at a system, including worms, DoS attacks and the exploitation of any other vulnerability. Several detection methods are widely deployed:

- Pattern matching and stateful pattern matching
- Protocol analysis (protocol decoding)
- Heuristic-based analysis
- Anomaly-based analysis

A network-based IDS uses probes (sensors) installed across the network. The probes watch the network for traffic that matches predefined profiles, or signatures. The sensors capture and analyze traffic in real time; when a traffic pattern or signature is recognized, the sensor sends an alert to the management station and can be configured to take action to block further intrusion. A NIDS is thus a set of sensors placed around the network that watch packets and compare them with defined patterns to decide whether an attack is under way. It is placed between the internal network and the outside to monitor all inbound and outbound traffic, and may be a purpose-built hardware appliance or software installed on a computer. It is mainly used to measure the network traffic in use; a bottleneck can occur when the traffic load is high.


8.1.1. Advantages of network-based IDSs

- Can cover an entire network segment (many hosts).
- Transparent to both users and attackers.
- Simple to install and maintain, with no effect on the network.
- A DoS attack against one host does not affect the sensor.
- Can identify errors at the network layer (of the OSI model).
- Independent of the host operating system.

8.1.2. Limitations of network-based IDSs

- False positives can occur: the NIDS reports an intrusion where there is none.
- It cannot analyze encrypted traffic (e.g. SSL, SSH, IPsec).
- The NIDS must be kept up to date with the latest signatures to be truly effective.
- There is a delay between the attack and the alert; by the time the alert fires the system may already be compromised.
- It does not tell whether the attack succeeded.
- Bandwidth is a limit. Network probes must receive all network traffic, reassemble it and analyze it. As network speed increases, so must the probe's capacity. One solution is to design the network so that several probes can be placed; as the network grows, more probes are added to keep communication and security at their best.

One way intruders try to hide their activity from a network-based IDS is to fragment their packets. Every protocol has a maximum packet size; data larger than this is fragmented. Fragmentation is simply the process of splitting data into smaller pieces. The order of reassembly does not matter as long as the fragments do not overlap. If overlapping fragments do occur, the sensor must know how the receiving host will reassemble them. Many attackers try to evade detection by sending numerous overlapping fragments. A sensor will not detect the intrusion if it cannot reassemble the packets exactly as the target host does.
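The overlap problem in concrete form, as an added example written for this page (not code from any IDS product). Two fragments of one datagram overlap; a reassembler that keeps the first-arrived bytes produces a harmless request, one that lets later fragments overwrite produces the attack string, and a signature match on the sensor's copy is only meaningful if the sensor used the same policy as the target host. The fragments and the toy signatures are constructed.

```python
"""IP fragment reassembly with overlap detection, and why the overlap policy decides what a NIDS sees.
Illustration for this page, not code from any IDS product; fragments and signatures are constructed."""
from typing import List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset within the original datagram, payload)


def reassemble(frags: List[Fragment], policy: str = "favor_old") -> Tuple[bytes, bool]:
    """Return (payload, overlapped). Fragments are applied in arrival order.
    'favor_old' keeps the bytes that arrived first where fragments overlap;
    'favor_new' lets a later fragment overwrite them. Raises ValueError on a gap."""
    if policy not in ("favor_old", "favor_new"):
        raise ValueError("unknown overlap policy")
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    filled = bytearray(total)          # 1 where a byte has already been written
    overlapped = False
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if filled[pos]:
                overlapped = True
                if policy == "favor_old":
                    continue
            buf[pos] = b
            filled[pos] = 1
    if not all(filled):
        raise ValueError("gap: datagram incomplete")
    return bytes(buf), overlapped


SIGNATURES = [b"/cgi-bin/phf", b"evil"]   # constructed toy content signatures


def matches(payload: bytes) -> List[bytes]:
    return [s for s in SIGNATURES if s in payload]


def sensor_verdict(frags: List[Fragment], host_policy: str) -> List[str]:
    """What a sensor reports when it reassembles the way the target host does.
    Overlapping fragments are themselves reported: legitimate stacks never produce them."""
    payload, overlapped = reassemble(frags, host_policy)
    alerts = ["overlapping fragments"] if overlapped else []
    alerts += [f"signature {s.decode()}" for s in matches(payload)]
    return alerts


# Constructed evasion: fragment 2 overwrites "safe" with "evil" only on hosts that favor newer data
FRAGS = [(0, b"GET /safe.html HTTP/1.0\r\n"), (5, b"evil.html")]

if __name__ == "__main__":
    for policy in ("favor_old", "favor_new"):
        payload, overlapped = reassemble(FRAGS, policy)
        print(policy, payload, overlapped, sensor_verdict(FRAGS, policy))
```

A sensor that reassembles with favor_old while the target host favors newer data misses the attack entirely, which is why mature sensors either model the target's reassembly policy or simply alert on any overlap.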

8.2. Host-based intrusion detection systems (HIDS)

By installing software on every host, a host-based IDS observes all system activity, including the log files and the network traffic the host receives. A host-based system also monitors the operating system, system calls, audit logs and error messages on the host. While network probes can detect an attack, only a host-based system can determine whether the attack succeeded. In addition, a host-based system can record what the attacker did on the compromised host. Not every attack comes over the network: by gaining physical access to a computer, an intruder can attack the system or its data without generating any network traffic. A host-based system can detect attacks that do not cross a public or monitored network, or that are carried out from the console; however, a knowledgeable intruder who understands the IDS can quickly disable the detection software once physical access is obtained. Another advantage of a host-based IDS is that it can stop attacks that rely on fragmentation or TTL tricks: because the host must receive and reassemble the fragments to process the traffic, a host-based IDS sees the result.

A HIDS is usually installed on one specific machine. Instead of monitoring a network segment, it monitors the activity on that one computer. HIDS are usually placed on the organization's critical hosts, since servers in the DMZ are often the first to be attacked. The main job of a HIDS is to monitor changes to the system, including (among others):

- processes;
- Registry keys;
- CPU usage;
- integrity checking and access on the file system;
- various other parameters.

An alarm is raised when one of these exceeds a predefined threshold or a suspicious change appears on the file system.

8.2.1. Advantages of HIDS

- Can identify the user associated with an event.
- Can detect attacks taking place on a single machine, which a NIDS cannot.
- Can analyze data that was encrypted on the wire.
- Provides information about the host while the attack on it is in progress.

8.2.2. Limitations of HIDS

- Information from a HIDS is no longer trustworthy once the attack on the host has succeeded.
- When the host is compromised, the HIDS running on it is compromised as well.
- A HIDS must be installed on every host to be monitored.
- A HIDS cannot detect network scans (Nmap, Netcat).
- A HIDS consumes resources on the host.
- A HIDS may be ineffective under a DoS attack.
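The file-system integrity check listed above is the oldest HIDS technique: hash every file once, then compare. The block below is an added example written for this page (not code from any HIDS product) that builds a baseline of SHA-256 digests and permission bits for a directory tree and reports files that were added, removed or modified. The demo builds its own temporary tree with constructed contents, so it runs offline.

```python
"""File-integrity baseline and comparison, the core of host-based change detection.
Illustration for this page, not code from any HIDS product; the demo tree and its contents are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int]          # (sha256 hex digest, permission bits)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, Entry]:
    """Map every regular file under root (relative path, '/' separators) to its digest and mode bits.
    Symlinks are skipped so an attacker cannot point a monitored name at an unmonitored file."""
    db: Dict[str, Entry] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = (sha256_file(full), os.stat(full).st_mode & 0o7777)
    return db


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify differences between two baselines; a content change outranks a mode change."""
    report: Dict[str, List[str]] = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": [],
        "mode_changed": [],
    }
    for rel in sorted(set(old) & set(new)):
        if old[rel][0] != new[rel][0]:
            report["modified"].append(rel)
        elif old[rel][1] != new[rel][1]:
            report["mode_changed"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take a baseline, tamper with it, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("etc/passwd", b"root:x:0:0::/root:/bin/bash\n")
        write("etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write("bin/ls", b"\x7fELF constructed placeholder")
        before = baseline(root)

        write("etc/ssh/sshd_config", b"PermitRootLogin yes\n")   # tampered configuration
        write("tmp/.backdoor", b"#!/bin/sh\n")                    # dropped file
        os.remove(os.path.join(root, "bin/ls"))                   # removed binary
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must live where the monitored host cannot rewrite it (the last limitation above applies: once the host is compromised, a baseline stored on it is worthless), so in practice it is signed or kept on the management station.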

IV. Simulation

1. Purpose of the simulation

The simulation shows the features and the working principle of the AAA server and the steps needed to configure it. It implements remote access over a VPN terminated on the ASA, with user authentication through RADIUS.


2. Simulation topology

(Network diagram not reproduced in this copy.)

3. Tools needed for the simulation

- Windows XP and Windows Server 2003 with Active Directory installed
- GNS3 emulator and the Fiddler tool
- Cisco ASDM and the Cisco VPN Client
- Java installed on the PC, required by ASDM
- Cisco Secure ACS 4.2

4. Simulation steps

Configuring Cisco Secure ACS 4.2 (screenshots not reproduced in this copy):

1. Start ACS 4.2. Select Network Configuration in the left pane and click Add Entry under AAA Clients to add the ASA as a AAA client; the RADIUS shared secret entered here must match the key later configured on the ASA. Add the AAA server entry as well.
2. Select Interface Configuration, then Advanced Options, and tick the two options that enable downloadable ACLs at group and user level.
3. Select Shared Profile Components, then Downloadable IP ACLs. Define an ACL that permits VPN clients to reach the internal LAN; this is the ACL that will be pushed to remote users when they authenticate.
4. Create the group vpnclientgroup and allow it to download the ACL just defined.
5. Create the user and allow the user to download the defined ACL. Users can be created locally or taken from the Windows database (Active Directory).
6. Click Finish.
7. In the user settings, under Dial-in, select Allow.


Configuring the ASA so that VPN users authenticate against the AAA (RADIUS) server:

Step 1: Define the address pool assigned to remote users when they connect.

    ip local pool mypool 172.16.1.100-172.16.1.200 mask 255.255.255.0

Step 2: Create the ACL for split tunnelling (the internal network remote users may reach) and exempt traffic between the inside network and the VPN pool from NAT.

    access-list vpnclientgroup standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound

Step 3: Point user authentication at the RADIUS server on the inside network.

    aaa-server vpnclientgroup protocol radius
    aaa-server vpnclientgroup host 192.168.1.2 key 123456

Step 4: Define the policy applied to remote users.

    group-policy vpnclientgroup internal
    group-policy vpnclientgroup attributes
     dns-server value 192.168.1.2
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpnclientgroup
     default-domain value da.com

Step 5: Create the tunnel group that ties together the address pool, the authentication server group, the user policy and the IKE pre-shared key.

    tunnel-group vpnclientgroup type ipsec-ra
    tunnel-group vpnclientgroup general-attributes
     address-pool mypool
     authentication-server-group vpnclientgroup
     default-group-policy vpnclientgroup
    tunnel-group vpnclientgroup ipsec-attributes
     pre-shared-key 123456

Step 6: Define how data is encrypted and authenticated on the tunnel (IPsec transform set, dynamic crypto map) and the IKE phase 1 policy.

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

A note on the values used: the RADIUS key and the IKE pre-shared key are both 123456, and the IKE policy uses 3DES, SHA-1 and Diffie-Hellman group 2. That is acceptable for a lab, but in production both shared secrets should be long random strings, and 3DES and DH group 2 are deprecated in current guidance in favour of AES and larger DH groups.

Client configuration. Next, the remote-access client is configured to connect to the ASA and reach the web and FTP servers on the internal network. Open the Cisco VPN Client and enter the group name and pre-shared key to connect.


A prompt appears asking for the username and password to access the internal network.

Open Wireshark to capture the RADIUS packets: the Access-Request the ASA sends to ACS (UDP port 1645 by default on the ASA; 1812 is the IANA-assigned port) and the Access-Accept or Access-Reject coming back. The User-Password attribute does not appear in clear text; it is hidden with an MD5 keystream derived from the shared secret and the Request Authenticator.
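What the capture shows, reproduced in code: the block below is an added example written for this page, not ACS or ASA code. It builds an Access-Request the way a NAS does (RFC 2865 packet layout, User-Password hiding with the MD5 keystream), parses it and recovers the password as the server does, and computes and verifies the Response Authenticator of an Access-Accept. The shared secret 123456 is the one from the lab configuration; the NAS address 192.168.1.1 and the user name are assumptions.

```python
"""RADIUS Access-Request/Access-Accept exchange per RFC 2865: packet layout, User-Password hiding,
and Response Authenticator verification. Illustration for this page, not ACS or ASA code.
The NAS address and user name are assumptions; the secret 123456 is the one in the lab config."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ...
    This is an MD5-based keystream keyed by the shared secret, not real encryption of the password."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + c, c
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the keystream, XOR it back and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, block)), c
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Attribute = Type(1) | Length(1, header included) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(ident: int, username: str, password: str, nas_ip: str, secret: bytes) -> bytes:
    """NAS side (the ASA). The Request Authenticator must be fresh and unpredictable: reusing it with the
    same secret reuses the keystream, so two hidden passwords would XOR to the XOR of the plaintexts."""
    request_auth = secrets.token_bytes(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def parse(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, List[bytes]]]:
    """Return (code, identifier, authenticator, {type: [values]}); rejects malformed lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > 4096 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, ident, pkt[4:20], attrs


def response(code: int, request_pkt: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    _, ident, request_auth, _ = parse(request_pkt)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(resp_pkt: bytes, request_pkt: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its Identifier matches the outstanding request and the Response
    Authenticator recomputes; this MD5 over the shared secret is the packet's only integrity protection."""
    _, req_ident, request_auth, _ = parse(request_pkt)
    _, ident, resp_auth, _ = parse(resp_pkt)
    if ident != req_ident:
        return False
    expected = hashlib.md5(resp_pkt[:4] + request_auth + resp_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"123456"                       # shared secret from the lab configuration
    req = access_request(7, "long", "S3cret!", "192.168.1.1", secret)    # user and NAS IP assumed
    code, ident, ra, attrs = parse(req)
    print("hidden User-Password:", attrs[USER_PASSWORD][0].hex())
    print("recovered by server:", unhide_password(attrs[USER_PASSWORD][0], secret, ra))
    accept = response(ACCESS_ACCEPT, req, secret)
    print("Access-Accept verifies:", verify_response(accept, req, secret))
```

The hiding depends entirely on the secret: anyone holding it (or who brute-forces a short one like 123456 against a captured Access-Request) recovers every password, which is the weakness the conclusion of this report refers to.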


In ACS, open the Reports and Activity menu and select RADIUS Accounting to view the accounting records for the session.


5. Results

- The simulation gives a clearer understanding of the RADIUS authentication process as described in the theory.
- A firm grasp of the operation and features of the Cisco ASA firewall.
- An ASA firewall emulated on GNS3.
- Users accessing the system over the VPN can be managed and monitored.
- Data behind the firewall is protected through encryption, authentication and access authorization.


V. GENERAL CONCLUSION

RADIUS is an end-user authentication protocol intended to secure information, but it is not a perfect protocol; it has the following weaknesses:

- it allows an attacker to compromise the transaction;
- the algorithm used to hide the user password (an MD5-based keystream keyed by the shared secret and the Request Authenticator, not real encryption) is not secure;
- it is open to attacks that replay or forge RADIUS authentication packets:
  - repeated authentication requests and the User-Password attribute;
  - a single shared secret between client and server.

The Cisco ASA firewall is a device for protecting information and securing systems, but it too has flaws; nothing is absolutely secure. To limit the risk, patches and new releases from Cisco's site should be applied regularly. Given the limited time and manpower, the project is not free of shortcomings, which we hope to address in future work.


VI. FUTURE WORK

- Take on board the comments of the supervisor, the review committee and fellow students to correct errors and weak points and to build on the strengths of the work.
- Study and deploy more secure authentication methods.
- Keep the Cisco ASA firewall patched.
- Move to a real environment and reproduce the simulation on physical equipment.
- Deploy a complete, realistic network model that meets the needs of a company.


