Table of contents
A. Overview of the project .... 4
B. Structure of the project .... 5
I. Network security overview .... 6
1. Network security objectives .... 6
2. Attack methods .... 6
2.1 Virus .... 6
2.2 Worm .... 7
2.3 Trojan horse .... 7
2.4 Denial of service .... 8
2.5 Distributed Denial-of-Service .... 8
2.6 Spyware .... 9
2.7 Phishing .... 9
2.8 Attacks based on the human factor .... 10
3. Network security policies .... 10
3.1 Written security policies .... 10
3.2 Access management policy .... 13
3.3 Filtering policy .... 13
3.4 Routing policy .... 14
3.5 Remote-access/VPN policy .... 14
3.6 Monitoring/logging policy .... 15
3.7 DMZ policy .... 15
3.8 Commonly applicable policies .... 16
II. RADIUS .... 17
1. RADIUS overview .... 17
1.1 AAA .... 17
1.1.1 Authentication .... 17
1.1.2 Authorization .... 17
1.1.3 Accounting .... 18
1.2 Key points of the AAA architecture .... 18
2. RADIUS architecture .... 21
2.1 UDP or TCP .... 21
2.2 RADIUS packet format .... 23
2.2.1 Code .... 23
2.2.2 Identifier .... 24
2.2.3 Length .... 24
2.2.4 Authenticator .... 25
2.3 Packet types .... 25
2.3.1 Access-Request .... 25
2.3.2 Access-Accept .... 26
2.3.3 Access-Reject .... 27
2.3.4 Access-Challenge .... 28
2.3.5 Accounting-Request .... 29
2.3.6 Accounting-Response .... 30
2.4 Shared secret .... 31
2.5 Attributes and values .... 32
2.5.1 Attributes .... 32
2.5.2 Values .... 35
3. Operation .... 36
3.1 The access process .... 36
3.2 The accounting process .... 39
4. RFCs .... 40
4.1 Origins .... 40
4.2 Table of RFCs .... 40
4.3.2 RFC 2866 .... 42
4.3.3 RFC 2867 .... 43
4.3.4 RFC 2868 .... 44
4.3.5 RFC 2869 .... 45
III. ASA .... 46
1. History .... 46
2. Cisco firewall products .... 47
3. Network access control (NAC) .... 47
3.1 Packet filtering .... 47
3.2 Content and URL filtering .... 50
3.2.1 Content filtering .... 50
3.2.2 ActiveX filtering .... 51
3.3 Address translation .... 51
3.3.1 Network Address Translation (NAT) .... 51
3.3.2 Port Address Translation (PAT) .... 52
4. AAA protocols and services supported by Cisco ASA .... 52
4.1 Remote Authentication Dial-In User Service (RADIUS) .... 53
4.2 TACACS format and header values .... 56
4.3 RSA SecurID (SID) .... 58
4.4 Win NT .... 59
4.5 Kerberos .... 59
4.6 Lightweight Directory Access Protocol (LDAP) .... 60
5. Application inspection .... 62
6. Failover and redundancy .... 62
6.1 Failover architecture .... 62
6.2 Failover trigger conditions .... 63
6.3 Failover states .... 64
7. Quality of service (QoS) .... 64
7.1 Traffic policing .... 65
7.2 Traffic prioritization .... 66
8. Intrusion detection (IDS) .... 66
8.1 Network-based intrusion detection systems (NIDS) .... 67
8.1.1 Advantages of network-based IDSs .... 68
8.1.2 Limitations of network-based IDSs .... 68
8.2 Host-based intrusion detection systems (HIDS) .... 69
8.2.1 Advantages of HIDS .... 70
8.2.2 Limitations of HIDS .... 70
IV. Simulation .... 70
1. Simulation objectives .... 70
2. Simulation model .... 71
3. Tools required for the simulation .... 71
4. Simulation steps .... 71
5. Results achieved .... 80
Supervisor (GVHD): MSc Nguyn c Quang. Students (SVTH): Nguyn c Nguyn Long, student ID 106102078; L Hong Long, student ID 106102079.
List of figures
A. Overview of the project
Objectives of studying the ASA firewall
+ The study improves our ability to learn, investigate and research independently.
+ To study the ASA firewall system.
+ Deploying a system that detects and blocks traffic entering and leaving the network is a necessity for businesses that need their systems to be safe from unauthorized intrusion. With the growth of the Internet and people's ever deeper understanding of it, unauthorized access to and sabotage of the networks of businesses and companies has grown considerably as well.
+ This study addresses the field of system security.
+ The ASA (Adaptive Security Appliance) is a powerful all-in-one firewall and currently Cisco's most popular. The objective of this project is therefore to study and understand how it works, how it is configured, and how it is applied to securing a network. The result of studying this device is to understand how it operates and to be able to deploy it in any network.
+ To study the AAA server.
+ To study how to monitor end-user activity, such as a user's start and end times (accounting). Security is a very important issue. With this level of control it is easy to set up security and network administration. Roles can be defined that give users the commands they need to complete their tasks, and changes in the network can be tracked. With the ability to log events, adjustments can be made to suit each requirement. All of these components are needed to maintain the safety and security of the network. With the information gathered, the updates needed over time can be anticipated. Requirements for data security, increased bandwidth and monitoring of network problems are met through the AAA server.
B. Structure of the project
The project is divided into six parts.
I. Network security overview: this chapter describes network security threats and the security policies intended to make data protection effective, reducing risk or detecting attacks.
II. RADIUS: this chapter describes the techniques used for authentication, authorization and accounting in order to achieve effective, complete network security and prevent data loss.
III. ASA: this chapter introduces the Cisco ASA firewall and the techniques applied to the firewall.
IV. Simulation: this chapter describes the process of implementing the Cisco ASA in a concrete network model, showing its practicality and verifying the theory of this project, with the experimental procedure described in detail.
V. General conclusions: this chapter presents what the project achieved and the limitations and difficulties that were not overcome.
VI. Future development of the project.
2.1 Virus
A computer virus is designed to attack a computer and often spreads to other computers and network devices. A virus often arrives as an e-mail attachment, and opening the attachment can cause executable code to run and replicate the virus. A virus must be executed, or run in memory, in order to run and look for other programs or hosts to infect and spread to. As its name implies, a virus needs a host, such as a spreadsheet or e-mail attachment, to infect and spread. Viruses have several common effects. Some viruses are benign and merely notify their victims that they are infected. Malicious viruses cause destruction by deleting files or otherwise corrupting infected computers that hold digital assets such as pictures, documents, passwords, and financial reports.
2.2 Worm
A worm is a destructive program that scans for weaknesses or security holes on other computers in order to exploit those weaknesses and spread. Worms can replicate independently and very quickly. Worms differ from viruses in two main ways: a virus needs a host to attach to and execute, whereas a worm does not require a host; and viruses and worms usually cause different kinds of destruction. Viruses, once resident in memory, typically delete or modify important files on the infected computer. Worms, however, tend to be network-centric rather than computer-centric. Worms can replicate quickly by initiating network connections to spread and by sending large amounts of data. Worms may also carry a passenger, or data payload, that can reduce the target computer to the status of a zombie. A zombie is a computer that has been compromised and is now controlled by network attackers. Zombies are commonly used to launch other network attacks. A large collection of zombies under the control of an attacker is called a "botnet". Botnets can grow quite large; botnets of more than 100,000 zombie computers have been identified.
... and usually harmless, such as a screen saver, Trojans can start damaging activities such as deleting files or reformatting a hard disk. Trojans usually do not copy themselves. Network attackers try to use popular applications, such as Apple's iTunes, to deploy a Trojan. For example, a network attacker would send an e-mail with a link purporting to download a free iTunes song. The Trojan then opens a connection to an external web server and begins an attack once the user tries to download the apparently free song.
A DDoS attack is similar in intent to a DoS attack, except that a DDoS attack originates from many attack sources. Besides the increased network traffic from many distributed attackers, a DDoS attack also poses the challenge of requiring the network defence to identify and block each distributed attacker.
2.6. Spyware
Spyware is a class of software applications that can take part in a network attack. Spyware is an application that installs itself and remains hidden on the target computer or laptop. Once secretly installed, the spyware captures information about what the user is doing with the computer. The captured information includes websites visited, e-mails sent, and passwords used. Attackers can use the captured passwords and information to get into the network and launch a network attack. Besides being used directly in a network attack, spyware can also be used to gather information that can be sold covertly. Once purchased, that information can be used by another attacker for "data mining" when planning another network attack.
2.7. Phishing
Phishing is a type of network attack that usually begins by sending e-mail to unsuspecting users. The phishing e-mail tries to look like a legitimate message from a known, trusted organization such as a bank or e-commerce website. The fake e-mail tries to convince the user that something has happened, such as suspicious activity on their account, and that the user must follow the link in the e-mail and log in to the website to view their account information. The link in the e-mail usually leads to a fake copy of the real bank or e-commerce website with the same look and feel as the real site. Phishing attacks are designed
The goal of a security policy is to define what needs to be protected, who is responsible for protecting it, and in some cases how the protection will take place. This last function is often split out into a separate procedural document such as source filtering, destination filtering, or access management. In short, a simple and precise security policy should lay out the specific requirements, rules, and objectives that must be met, providing a way to measure the organization's documented security posture. To help ensure that the security policy achieves this, think of the firewall in terms of security layers, each with a specific area of operation. Figure 1-1 illustrates the layers of the firewall. As the figure shows, the firewall is divided into four distinct components.
[Figure 1-1 (diagram): the four firewall security layers, from the centre outward: physical integrity of the firewall; static firewall configuration; dynamic firewall configuration; network traffic through the firewall. Concerns shown at each layer: physical access; administrative access; software upgrades; configuration file; routing protocols; access to the network the firewall protects.]
Figure 1-1: Firewall security layers.
At the centre is the physical integrity layer of the firewall, which is mainly concerned with physical access to the firewall, that is, securing physical access to the device, for example through a port connection such as the console port. The next layer is the static firewall configuration, which is mainly concerned with access to the statically configured firewall software that is running (for example, the PIX operating system and the startup configuration). At this layer the security policy should focus on defining the restrictions that will be required to limit administrative access, including performing software updates and configuring the firewall. The third layer is the dynamic firewall configuration, which supplements the static configuration by covering the dynamic configuration of the firewall through technologies such as routing protocols, ARP commands, interface and device status, auditing, logging, and scheduled commands. The goal of the security policy at this point is to define the requirements around which kinds of dynamic configuration will be permitted. Finally there is the network traffic through the firewall, which is what the firewall really exists to protect resources from. This layer is concerned with functions such as ACLs and proxy service information. The security policy at this layer is responsible for defining the requirements as they relate to the traffic passing through the firewall.
Security policy format: to achieve the objectives defined earlier, most security policies follow a specific format or layout and share common elements. In general, most security policies share seven sections:
Overview: the overview section gives a brief explanation of what the policy addresses.
Purpose: the purpose section explains why the policy is needed.
Scope: the scope section defines what the policy applies to and who is responsible for the policy.
Policy: the policy section is the actual policy itself.
Enforcement: the enforcement section defines how the policy is to be enforced and the consequences of not following it.
Definitions: the definitions section contains definitions of the terms or concepts used in the policy.
Revision history: the revision history section is where changes to the policy are recorded and tracked.
Every organization has its own distinct security requirements and therefore its own unique security policies. Nevertheless most, though not all, environments require some common security policies, including:
Access management policy
Filtering policy
Routing policy
Remote-access/VPN policy
Monitoring/logging policy
Demilitarized zone (DMZ) policy
Commonly applicable policies
... use (that is, built-in clients such as the Microsoft VPN client, Cisco Secure VPN Client, etc.). Finally, the remote-access/VPN policy should define what kinds of access and which resources will be provided to remote connections, and what kinds of remote connections will be allowed.
II. Radius
1. RADIUS overview
1.1. AAA
1.1.1. Authentication
Authentication is the process of verifying the identity of a person (or of a computer). The most common form of authentication uses some combination of a login ID and a password, where knowledge of the password is the token by which the user is authenticated. Distributing passwords, however, undermines this method of authentication, which has prompted the creators of e-commerce sites and other Internet transaction businesses to demand a stronger, more reliable authenticator. Digital certificates are one such solution, and in the next five to ten years it is likely that the use of digital certificates as part of a public key infrastructure (PKI) will become the preferred authenticator on the Internet. The important aspect of authentication is that it lets two unique entities form a trust relationship, each assuming the other is a legitimate user. Trust between systems enables important functions such as proxy servers, where one system accepts a request on behalf of another system, and lets AAA operate where heterogeneous networks support different kinds of clients and services. Trust relationships can become quite complex.
... request is valid. For example, a dial-up client connects and requests multiple links. A generic AAA server would simply reject the whole request, but some smarter implementations would examine the request, determine that the client is allowed only one dial-up connection, and grant one channel while rejecting the rest.
... never act as clients, and vice versa. The client/server environment allows a well load-balanced design in which high availability and response time are critical. Servers can be distributed and hierarchical across networks. Contrast this with the alternative network model, the peer-to-peer (P2P) network. In P2P networks all systems show the characteristics of both client and server, which can introduce bottlenecks and unavailability. A proxy capability is a small variation on this. An AAA server can be configured to authorize a request itself or to pass it along to another AAA server, which then makes the appropriate decision or passes it along again. In essence a proxy chain is created, in which AAA servers take requests from both clients and other AAA servers. When one server proxies to another, the originator takes on the characteristics of a client. Thus a trust relationship is created for each client/server hop until the request reaches the device that provisions the required resources. Proxying is a very useful feature of the AAA model and benefits enterprises and distributed network deployments, where some AAA devices can be configured to always delegate requests to machines at other locations. The best example of delegation is an ISP reseller agreement. Typically a large network company invests heavily in network infrastructure and points of presence at many locations. Having built the distributed network, the company then resells it to smaller ISPs that want to extend their coverage and take advantage of a better network. The reseller provides some form of access control over the tangible resources at each location, but the smaller ISPs do not want to share personal information about their users with the reseller. In this case an AAA proxy is placed at each of the reseller's points of presence, and those machines then communicate with the appropriate NAS devices at the smaller ISPs. Clients requesting services and resources from an AAA server (and in this case the client may include the AAA proxy) can communicate with one another using either a hop-to-hop transaction or an end-to-end transaction.
The distinction is where the trust relationships lie in the transaction chain. Consider the following cases to get a clearer picture. In a hop-to-hop transaction, a client sends an initial request to an AAA device. At this point there is a trust relationship between the client and the front-line AAA server. That machine determines that the request must be forwarded to another server at a different location, so it acts as a proxy and contacts another AAA server. Now the trust relationship is between the two AAA servers, with the front-line machine acting as the client and the second AAA machine acting as the server. It is important to note that trust relationships are not transitive, meaning the original client and the second AAA machine do not have a trust relationship. Figure 2-1 shows that the trust is sequential and independent.
[Figure 2-1 (diagram): client/server trust relationships in the hop-to-hop model. Labels recovered: Request, Proxies, Request, Proxies, Approving AAA server, Final AAA server, TRUST, Client. Here there is no trust relationship between the client and the intermediate AAA server or the final AAA server.]
Different from the hop-to-hop model is the end-to-end transaction method. The key difference is, again, where the trust relationship lies: in this model it is between the requesting client and the AAA server that ultimately authorizes the request. In an end-to-end model the proxy chain still functions much as before; what "end-to-end" refers to is the trust relationship. Because passing sensitive information along in proxied requests is a non-trivial design problem, some other means of authenticating a request and confirming data integrity is needed as the original request traverses the hops of the proxy chain. Most commonly, digital certificates and other PKI validation are used in these situations. RFCs 2903 and 2905 describe the requirements for implementing end-to-end security, shown in Figure 2-2.
[Figure 2-2 (diagram): labels recovered: Request, Proxies, Request, Proxies, Approving AAA server, Final AAA server, TRUST.]
Figure 2-2: Client/server trust relationship in the end-to-end model.
2. RADIUS architecture
The traditional use of 1645 and 1646 continues for backward compatibility to this day. For this reason many RADIUS server implementations listen on both sets of UDP ports for RADIUS requests. Microsoft RADIUS servers default to 1812 and 1813, but the default on Cisco devices is the traditional 1645 and 1646. Juniper Networks RADIUS servers listen on both the official and the unofficial ports, 1645, 1812, 1646 and 1813, by default, but can be configured with any ports. As for operational requirements, UDP was chosen mainly because RADIUS has a few inherent properties that are characteristic of UDP: RADIUS requires that a query that fails to reach the primary authentication server be redirected to a secondary server, and to do this a copy of the original request must exist above the transport layer of the OSI model. This, in effect, mandates the use of retransmission timers. The protocol places its bets on the patience of a user waiting for a response. It assumes a loss rate somewhere between lightning-fast and very slow. The RADIUS RFC describes it best: "At one extreme, RADIUS does not require a 'responsive' detection of lost data. The user is willing to wait several seconds for the authentication to complete. The generally aggressive TCP retransmission (based on average round trip time) is not required, nor is the acknowledgment overhead of TCP. At the other extreme, the user is not willing to wait several minutes for authentication. Therefore the reliable delivery of TCP data two minutes later is not useful. The faster use of an alternate server allows the user to gain access before giving up." Since RADIUS is stateless, UDP seems natural, as UDP is also stateless. With TCP, clients and servers would need special code or administrative workarounds to minimise the effects of power loss, reboots, heavy network traffic, and system outages. UDP avoids this problem because it lets a session open and remain open for the entire transaction. To cope with heavily used systems and back-end traffic, which can sometimes delay queries and lookups by 30 seconds or more, RADIUS was specified to be multi-threaded. UDP lets RADIUS spawn processes to serve many requests at a time, and with each full session the ability to communicate between network devices and clients is unrestricted. UDP is therefore appropriate. The only drawback of using UDP is that developers must create and manage retransmission themselves, a capability that is built into TCP. The RADIUS group felt, however, that this drawback was less significant than the convenience and simplicity of using UDP. And so UDP was used.
[Figure 2-3 (diagram): field layout recovered: Identifier (1), Length (2), Authenticator (16), Attributes and values (variable); the one-octet Code field precedes these.]
Figure 2-3: A depiction of the RADIUS data packet structure.
The data structure is divided into five distinct areas:
Code
Identifier
Length
Authenticator
Attributes and values
2.2.1. Code
The Code field is one octet long and distinguishes the type of RADIUS message carried in the packet. Packets with an invalid Code field are silently discarded. The valid codes are:
1 - Access-Request
2 - Access-Accept
3 - Access-Reject
4 - Accounting-Request
5 - Accounting-Response
11 - Access-Challenge
12 - Status-Server
13 - Status-Client
255 - Reserved
2.2.2. Identifier
The Identifier is a one-octet field used to thread, or automatically associate, the initial request with its subsequent reply. RADIUS servers can generally detect duplicate messages by checking factors such as the source IP address, the source UDP port, the time between suspected duplicate messages, and the Identifier field.
2.2.3. Length
The Length field is two octets and specifies the length of the RADIUS packet. Its value is computed by taking the Code, Identifier, Length, Authenticator, and Attribute fields and summing their lengths. The Length field is checked when a RADIUS server receives a packet, to ensure data integrity. Valid Length values range from 20 to 4096. The RFC specification requires certain behaviour from RADIUS servers with respect to incorrect data lengths. If a RADIUS server receives a message longer than the Length field indicates, it ignores all data beyond the end point specified by the Length field. Conversely, if the server receives a message shorter than the Length field reports, it discards the message.
2.2.4. Authenticator
The Authenticator field, normally 16 octets long, is the field in which the integrity of the message payload is checked and verified. In this field the most significant octet is transmitted before any other octet; the value is used to authenticate the reply from the RADIUS server. This value is also used in the password-hiding mechanism. There are two possible kinds of authenticator value: request and response. Request authenticators are used in Access-Request and Accounting-Request packets. In request values the field is 16 octets long and is generated on a completely random basis to prevent attacks. While RADIUS makes no provision for protecting communication against eavesdropping and packet capture, the random value combined with a strong secret makes attacks and snooping difficult. The Response Authenticator is used in Access-Accept, Access-Reject, and Access-Challenge packets. Its value is computed as a one-way MD5 hash over the Code, Identifier, Length, and Request Authenticator fields of the packet header, followed by the attribute payload and the shared secret.
2.3.1. Access-Request:
The Access-Request packet is used by a service consumer when requesting a particular service from the network. The client sends a request packet to the RADIUS server with a list of the requested services. The key element of this transmission is the Code field in the packet header: it must be set to 1, the only value for request packets. The RFC states that a reply must be sent for every valid request packet, whether that reply is an accept or a reject. The payload of an Access-Request packet should include a User-Name attribute to identify who is trying to access the network resources. The payload is required to contain the IP address or canonical name of the network device from which the service is being requested. It also contains a user password, a CHAP-based password, or a state identifier, but not both kinds of password. The user password must be obscured using MD5. Essentially, a new packet must be generated whenever an attribute is changed, since the identifying information has changed. Attributes protected with the shared secret must be reversed by the proxy server (to obtain the original payload information) and then encrypted again with the secret the proxy server shares with the remote server. The structure of the Access-Request packet is shown in Figure 2-4.
Figure 2-4: Access-Request packet structure. Code (1) | Identifier (unique) | Length (header and payload) | Attributes (variable): User-Name, NAS-IP-Address or NAS-Identifier, MD5-hidden User-Password or CHAP-Password
2.3.2. Access-Accept:
Access-Accept packets are sent by the RADIUS server to the client to confirm that the client's request has been accepted. If all the requests in the Access-Request payload are acceptable, the RADIUS server must set the Code field of the reply packet to 2. On receiving an accept packet the client matches it to its outstanding request using the Identifier field; packets that do not match are discarded. Naturally, to ensure that request and accept packets are matched as intended, so that an accept is delivered in reply to the corresponding request, the Identifier field in the Access-Accept header must carry exactly the same value as the Identifier field of the Access-Request (and the Response Authenticator must verify against the request's Request Authenticator and the shared secret, as described above). An Access-Accept may contain as much or as little attribute information as it needs to. Most likely the attributes in this packet will describe the type of service that was authenticated and authorized, so that the client can set itself up to deliver that service. If no attribute information is included, however, the client assumes that the services it requested are the ones that were accepted. The structure of an Access-Accept packet is shown in Figure 2-5.

Figure 2-5: Access-Accept packet structure. Code (2) | Identifier (unique per transmission) | Length (header and payload) | Attributes (optional)
2.3.3. Access-Reject:
The RADIUS server is required to send an Access-Reject packet back to the client if it must deny any of the services requested in the Access-Request. The denial may be based on system policy, insufficient privilege, or any other criterion; this is largely a matter of the individual implementation. An Access-Reject may be sent at any time during a session, which makes it suitable for enforcing connection time limits, although not all equipment supports receiving an Access-Reject on an already established connection. The payload of this packet type is restricted to two standard attributes: Reply-Message and Proxy-State. While either of these may appear more than once in the payload, no other attributes, apart from vendor-specific ones, are permitted in the packet according to the RFC specification. The structure of an Access-Reject packet is shown in Figure 2-6.

Figure 2-6: Access-Reject packet structure. Code (3) | Identifier (unique per transmission) | Length (header and payload) | Attributes (optional), restricted to Reply-Message and Proxy-State (each may appear more than once)
2.3.4. Access-Challenge:
If a server receives conflicting information from the user, needs more information, or simply wants to reduce the risk of fraudulent authentication, it may issue an Access-Challenge packet to the client. On receiving an Access-Challenge, the client must issue a new Access-Request that includes the appropriate information. Note that some clients do not support this challenge/response process; in that case the client treats the Access-Challenge as an Access-Reject. Clients that do support challenges can display a message to the user at the client asking for additional authentication information, so that in that situation another full request/reply round is not needed. As with Access-Reject, only two standard attributes may be included in an Access-Challenge: State and Reply-Message. Any vendor-specific attributes that are needed may be included as well. Reply-Message may appear several times in the packet, but State is limited to a single instance. The State attribute is copied unchanged into the Access-Request that is returned to the challenging server.

Figure: Access-Challenge packet structure. Code (11) | Identifier (unique per transmission) | Length (header and payload) | Attributes (optional): Reply-Message (may repeat), State (at most once)
2.3.5. Accounting-Request:
Accounting-Request packets are sent from a client (typically a Network Access Server (NAS) or its proxy) to a RADIUS accounting server and convey usage information that supports accounting for a service provided to a user. The client transmits a RADIUS packet with the Code field set to 4 (Accounting-Request). On receiving an Accounting-Request, the server must reply with an Accounting-Response if it records the accounting packet successfully, and must not reply at all if it fails to record it. Any attribute valid in a RADIUS Access-Request or Access-Accept is valid in a RADIUS Accounting-Request, except that the following attributes must not be present: User-Password, CHAP-Password, Reply-Message, State. Either NAS-IP-Address or NAS-Identifier must be present in an Accounting-Request. It should contain a NAS-Port or NAS-Port-Type attribute, or both, unless the service does not involve a port or the NAS does not distinguish between its ports. If the Accounting-Request includes a Framed-IP-Address, that attribute must contain the IP address of the user. If the Access-Accept used the special values of Framed-IP-Address that tell the NAS to assign or negotiate an IP address for the user, the Framed-IP-Address (if any) in the Accounting-Request must contain the actual IP address assigned or negotiated.

Figure 2-8: A typical Accounting-Request packet. Code (4) | Identifier (unique) | Length (header and payload) | Attributes

Code: 4, Accounting-Request. Identifier: the Identifier field must be changed whenever the content of the Attributes field changes, and whenever a valid reply has been received for a previous request. For retransmissions where the contents are identical, the Identifier must remain unchanged. Note that if Acct-Delay-Time is included in the attributes of an Accounting-Request, its value will be updated when the packet is retransmitted, changing the content of the Attributes field and requiring a new Identifier and Request Authenticator. Request Authenticator: the Request Authenticator of an Accounting-Request contains a 16-octet MD5 hash computed over the Code, Identifier, Length, sixteen zero octets in place of the Authenticator field, the request attributes, and the shared secret (this differs from the Access-Request, whose Request Authenticator is random). Attributes: the Attributes field is variable in length and contains a list of attributes.
2.3.6. Accounting-Response:
Accounting-Response packets are sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request was received and recorded successfully. If the Accounting-Request was recorded successfully, the RADIUS accounting server must transmit a packet with the Code field set to 5 (Accounting-Response). When the client receives an Accounting-Response, the Identifier field is matched against a pending Accounting-Request. The Response Authenticator field must contain the correct response for the pending Accounting-Request; invalid packets are silently discarded.

Figure 2-9: A typical Accounting-Response packet. Code (5) | Identifier (unique) | Length (header and payload) | Attributes: zero or more attributes (optional)

Code: 5, Accounting-Response. Identifier: the Identifier field is a copy of the Identifier field of the Accounting-Request that caused this Accounting-Response. Response Authenticator: the Response Authenticator of an Accounting-Response contains a 16-octet MD5 hash computed by the method described under "Response Authenticator" above. Attributes: the Attributes field is variable in length and contains a list of zero or more attributes.
2.4. Shared secret:
To strengthen security and transaction integrity, the RADIUS protocol uses the concept of a shared secret. Shared secrets are randomly generated values known to both the client and the server (hence "shared"). They are used in every operation that requires data hiding and value obfuscation. The only technical constraint is that a shared secret must be longer than 0 octets, but the RFC recommends that secrets be at least 16 octets. A secret of that length is practically infeasible to break by exhaustive search, provided it is genuinely random rather than a dictionary word. A shared secret (usually just "the secret") is unique to a particular RADIUS client/server pair. For example, if a user subscribes to several dial-up Internet service providers, that user indirectly generates requests to several RADIUS servers; the shared secrets between the client NAS devices at ISPs A, B and C and their respective RADIUS servers are independent of one another and do not match. While some larger RADIUS deployments may believe that protecting transaction security by automatically rotating the shared secret is a prudent step, there is a substantial potential difficulty: there is no guarantee that the clients and servers can synchronize on the new shared secret at the most appropriate moment. And even if simultaneous synchronization could be assured, if outstanding requests between the RADIUS servers and clients are still being processed (and therefore miss the moment at which the new secret takes effect), those outstanding requests will be rejected by the server.
Figure 2-10: Format of a standard attribute-value pair (AVP). Attribute number (1 to 255) | Length (3 or more) | Value (length depends on the attribute number); the AVP payload is carried inside the RADIUS packet.

Attribute number: this number denotes the type of attribute presented in the packet. The attribute's name is not passed in the packet, only the number. In general, attribute numbers range from 1 to 255, with one number serving as a "doorway" through which vendors supply their own vendor-specific attributes. Attribute length: this field describes the length of the whole attribute field, which must be 3 or greater; it works in the same way as the Length field of the RADIUS packet header. Value: this holds the characteristic or property of the attribute itself. It is required for every attribute presented, even if the value itself is zero, and its length varies with the nature of the attribute.
The AVP structure shown in Figure 2-10 consists of a contiguous run of at least three octets: the first octet is the type, the second the length, and the remaining octets are the value of the attribute itself. Because the RADIUS server knows the attribute fully, its official name need not be carried in the packet; the code number (attribute number) implies the kind of information carried in the particular value. Attribute types: six types are set out in the RFC:
Integer (INT): values containing an integer. An attribute such as Idle-Timeout may be set to the integer value 15.
Enumerated (ENUM): data of the enumerated type consists of an integer, but the value is interpreted against a configured set of value ranges and meanings. Enumerated values may be encountered under the semantic name "integer", whereas a non-semantic integer value is simply the integer type.
IP address (IPADDR): this data type is a 32-bit number designed to carry an exact IP address. While RADIUS by default considers an IP address at face value, some implementations can be configured to treat it with a predefined value, such as a separate subnet mask. In addition, a more recent extension of the RADIUS protocol (RFC 3162) allows IPv6 addresses to be used in this type.
String (STRING): strings are generally defined as printable UTF-8 strings that can be read at face value. The data is passed as a sequence of characters, which may or may not be hidden, whichever is appropriate.
Date (DATE): a 32-bit unsigned number representing seconds elapsed since 1 January 1970.
Binary (BINARY): usually specific to an implementation, binary values ("0" or "1") are read at face value.
Vendor-specific attributes: as with most of the RADIUS protocol, there is a lot of flexibility with regard to the vendor-specific attribute types found in the various implementations. Most of these attributes are created to support directly the special, non-standard or value-added features and capabilities that a particular RADIUS client device is able to provide. Of course, perhaps precisely because it is a standard in practice, some vendors, notably U.S. Robotics/3Com, do not follow the RFC specification. The RADIUS protocol defines a particular AVP as the "doorway" AVP in which vendor-specific attributes, or VSAs, may be encapsulated. VSAs are carried in the Value field of standard AVP 26, called Vendor-Specific. Figure 2-11 shows the standard AVP and how the information is carried inside the VSA.
Figure 2-11: Transmission of a VSA inside a standard AVP. Outer AVP: Number 26 | Length X | Value; inner value: Vendor-ID | Vendor-Type (47 in the figure) | Vendor-Length X | Value. The whole sits in the RADIUS packet payload.

Vendor-ID: this part of the VSA consists of four octets representing the developer/designer/owner of the VSA. The standard codes are listed in RFC 1700, "Assigned Numbers" (now maintained by IANA as the online enterprise-numbers registry); more specifically, each vendor is assigned a unique number called the SMI Network Management Private Enterprise Code. The layout of the Vendor-ID field follows a strict standard: the high-order octet of the four is set to 0, and the remaining three octets hold the enterprise code.
Vendor-Type: the Vendor-Type field, one octet long, behaves in the same way as the attribute number in a standard AVP. Vendor types range from 1 to 255, and the significance and meaning of each value is known inside the RADIUS server.
Vendor-Length: this field is a one-octet number giving the length of the vendor sub-attribute; the minimum length of the entire VSA (outer AVP included) is 7. Once again, the behaviour of this field is similar to the Length field of a standard RFC-defined AVP.
Value: the Value field is required to be at least one octet long and contains data specific to the VSA itself. Most of these values are read, understood and parsed by RADIUS clients and servers that both recognise the special features and non-standard capabilities their particular implementations support.
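As an added example (not code from the thesis), the following Python encodes and parses the AVP and Vendor-Specific layouts of Figures 2-10 and 2-11, including the length checks a receiver needs in order to reject malformed attributes instead of reading past the buffer. Vendor-Id 9 with a Cisco-style AV-pair string, and the other attribute values, are constructed for the example only.

```python
# Added example: RADIUS AVP / VSA encoding and parsing with constructed data.
import struct

VENDOR_SPECIFIC = 26


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Standard AVP: Type (1 octet), Length (1 octet, header included, so
    at least 3), Value (1..253 octets)."""
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute type must be 1..255")
    if not 1 <= len(value) <= 253:
        raise ValueError("value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Wrap one vendor sub-attribute in a type-26 AVP. Vendor-Id is four
    octets: high octet 0, low three octets = the enterprise code."""
    if vendor_id >= 1 << 24:
        raise ValueError("Vendor-Id must fit in 24 bits")
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_vsa(value: bytes):
    """Value of a type-26 AVP -> (vendor_id, [(vendor_type, value), ...])."""
    if len(value) < 5:  # whole VSA must be >= 7 octets, i.e. value >= 5
        raise ValueError("VSA shorter than the minimum length")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    subs, pos, data = [], 0, value[4:]
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = data[pos], data[pos + 1]
        if vlen < 3 or pos + vlen > len(data):
            raise ValueError(f"bad vendor-length {vlen}")
        subs.append((vtype, data[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def parse_avps(payload: bytes) -> list:
    """Walk the attribute area; a length octet below 3 or one that runs
    past the buffer makes the packet malformed (RFC 2865: discard it)."""
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 3 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = payload[pos + 2:pos + alen]
        out.append((atype, parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
        pos += alen
    return out


def demo() -> list:
    """Constructed attribute set: User-Name, NAS-IP-Address, one Cisco VSA."""
    attrs = (encode_avp(1, b"long")
             + encode_avp(4, bytes([192, 168, 1, 2]))
             + encode_vsa(9, 1, b"shell:priv-lvl=15"))  # Vendor-Id 9 assumed
    return parse_avps(attrs)
```

The parser raises on the first bad length rather than skipping the attribute, which matches the RFC's rule that a packet with an invalid attribute is discarded as a whole.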
2.5.2. Values:
All attributes must have a value, even if the attribute's value is empty. The value represents the information that each individual attribute is designed to convey; it carries the "meat" of the information. Values must conform to the rules of the attribute type. Table 2-8 shows an example of each attribute type and the value payload expected for that type.

Table 2-8: Example of each attribute type and its expected value payload

Attribute type      | Length (octets) | Size / range    | Example payload
Integer (INT)       | 4               | 32-bit unsigned | 256, 2432, 65536
Enumerated (ENUM)   | 4               | 32-bit unsigned | 3 = Callback-Login, 4 = Callback-Framed, 13 = Framed...
String (STRING)     | 1-253           | variable        | "Long", "206.229.254.2", "google.com"
IP address (IPADDR) | 4               | 32-bit          | 0xC0A80102, 0x1954FF8E
Date (DATE)         | 4               | 32-bit unsigned | 0xFFFFFE, 0x00000A
Binary (BINARY)     | 1               | 1 bit           | 0, 1
Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret must be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements that must be met to allow the user access. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access. The RADIUS server may make requests of other servers in order to satisfy the request, in which case it acts as a client. If any Proxy-State attributes were present in the Access-Request, they must be copied unmodified and in order into the reply packet. Other attributes can be placed before, after, or even between the Proxy-State attributes. If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid. If desired, the server may include a text message in the Access-Reject which may be displayed by the client to the user. No other attributes (except Proxy-State) are permitted in an Access-Reject. If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, it sends an "Access-Challenge" response. It may include a text message to be displayed by the client to the user, prompting for a response to the challenge, and may include a State attribute. If the client receives an Access-Challenge and supports challenge/response, it may display the text message, if any, to the user and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password attribute replaced by the (hidden) response, and including the State attribute from the Access-Challenge, if any. Only 0 or 1 instance of the State attribute may be present in a request. The server can respond to this new Access-Request with an Access-Accept, an Access-Reject, or another Access-Challenge. If all conditions are met, the list of configuration values for the user is placed into an "Access-Accept" response. These values include the type of service (for example SLIP, PPP, Login User) and all values necessary to deliver the desired service. For SLIP and PPP this may include values such as IP address, subnet mask, MTU, desired compression, and desired packet filter identifiers. For character-mode users this may include values such as the desired protocol and host. In challenge/response authentication, the user is given an unpredictable number and challenged to encrypt it and return the result. Authorized users are equipped with special devices such as smart cards, or with software, that make computing the correct response easy. Unauthorized users, lacking the appropriate device or software and lacking knowledge of the secret key needed to emulate such a device or software, can only guess at the response. The Access-Challenge packet typically contains a Reply-Message carrying a challenge to be displayed to the user, such as a numeric value that is never repeated. The user then enters the challenge into their device (or software), which computes a response; the user enters the response into the client, which forwards it to the RADIUS server in a second Access-Request. If the response matches the expected response, the RADIUS server replies with an Access-Accept; otherwise an Access-Reject is returned to the client.
Figure 2-12: A simple RADIUS authentication process (User, ASA, RADIUS server (ACS); steps 1 to 6).
1) The user attempts to access the Cisco ASA.
2) The Cisco ASA asks the user for a username and password.
3) The user enters their credentials and sends them to the Cisco ASA.
4) The Cisco ASA sends an Access-Request packet to the RADIUS server.
5) If the credentials the user entered exist in the RADIUS server's database, the server sends an Access-Accept back to the Cisco ASA; if they do not, the RADIUS server sends an Access-Reject back to the Cisco ASA.
6) The Cisco ASA replies to the client, telling it whether access to the particular service is permitted or denied.
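The following Python, added here and not part of the thesis, runs both sides of the exchange in Figure 2-12 offline: the NAS builds an Access-Request with a random Request Authenticator and an MD5-hidden User-Password (RFC 2865 section 5.2), the server recovers the password, decides, echoes the Identifier and signs its reply with the Response Authenticator, and the NAS accepts the reply only after matching the Identifier and recomputing that authenticator. The shared secret, username, password, NAS address and user database are constructed values.

```python
# Added example: RADIUS Access-Request / Access-Accept exchange, constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def avp(attr_type, value):
    """Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(attrs):
    """Minimal TLV walk; a bad length invalidates the whole packet."""
    out, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 3 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        length = attrs[pos + 1]
        out[attrs[pos]] = attrs[pos + 2:pos + length]
        pos += length
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-octet blocks; XOR block i with
    b_i = MD5(secret + c_(i-1)), where c_0 is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: anyone holding the secret can do this."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, auth, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > 4096 or len(pkt) < length:
        raise ValueError("bad Length field")  # RFC: silently discard
    return code, ident, pkt[4:20], pkt[20:length]


def nas_access_request(ident, user, password, nas_ip, secret):
    """Step 4: a fresh, unpredictable Request Authenticator per request."""
    req_auth = os.urandom(16)
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
             + avp(NAS_IP_ADDRESS, bytes(nas_ip)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_reply(pkt, secret, users):
    """Step 5: recover the password, decide, echo the Identifier, sign."""
    code, ident, req_auth, attrs = parse(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = parse_attrs(attrs)
    pw = reveal_password(a[USER_PASSWORD], secret, req_auth)
    expected = users.get(a[USER_NAME])
    ok = expected is not None and hmac.compare_digest(expected, pw)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    rattrs = b"" if ok else avp(REPLY_MESSAGE, b"Access denied")
    auth = response_authenticator(rcode, ident, req_auth, rattrs, secret)
    return packet(rcode, ident, auth, rattrs)


def nas_verify(reply, request, secret):
    """Step 6: match by Identifier and recompute the Response Authenticator;
    a reply failing either check is dropped (returns None)."""
    rcode, rident, rauth, rattrs = parse(reply)
    _, qident, req_auth, _ = parse(request)
    if rident != qident:
        return None
    expected = response_authenticator(rcode, rident, req_auth, rattrs, secret)
    return rcode if hmac.compare_digest(expected, rauth) else None


def demo(password=b"correct-horse", tamper=False):
    """Constructed secret, user database and NAS address."""
    secret, users = b"s3cret-shared", {b"long": b"correct-horse"}
    req = nas_access_request(7, b"long", password, (192, 168, 1, 2), secret)
    reply = server_reply(req, secret, users)
    if tamper:  # flip the reply Code (Reject <-> Accept): the signature breaks
        reply = bytes([reply[0] ^ 1]) + reply[1:]
    return nas_verify(reply, req, secret)
```

The tamper case is the check that matters on the NAS side: an attacker on the path who turns an Access-Reject into an Access-Accept cannot also produce a valid Response Authenticator without the shared secret, so the NAS drops the forged reply instead of opening the session.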
If the RADIUS accounting server cannot record the accounting packet successfully, it must not send an Accounting-Response acknowledgement to the client.
RFC      | Title                                                         | Date
RFC 2548 | Microsoft Vendor-specific RADIUS Attributes                   | 3/1999
RFC 2865 | Remote Authentication Dial In User Service (RADIUS)           | 6/2000
RFC 2866 | RADIUS Accounting                                             | 6/2000
RFC 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support   | 6/2000
RFC 2868 | RADIUS Attributes for Tunnel Protocol Support                 | 6/2000
RFC 2869 | RADIUS Extensions                                             | 6/2000
RFC 3162 | RADIUS and IPv6                                               | 8/2001
RFC 3579 | RADIUS Support for EAP                                        | 9/2003
RFC 5080 | Common RADIUS Implementation Issues and Suggested Fixes       | 12/2007
RFC 5997 | Use of Status-Server Packets in the RADIUS Protocol           | 8/2010
Changes introduced by RFC 2865 relative to the earlier RADIUS specification (RFC 2138), as listed in the RFC's own change summary:
- Updated the list of attributes that may be included in an Access-Challenge, consistent with the attribute table.
- User-Name refers to the network access identifier.
- User-Name may now be sent in an Access-Accept, for use with accounting and remote login.
- Added values for Service-Type, Login-Service, Framed-Protocol, Framed-Compression and NAS-Port-Type.
- NAS-Port may use all 32 bits.
- Examples now include hexadecimal displays of the packets.
- The source UDP port must be used in conjunction with the request Identifier when identifying duplicates.
- Multiple sub-attributes may be allowed in a Vendor-Specific attribute.
- An Access-Request is now required to contain either NAS-IP-Address or NAS-Identifier (or may contain both).
- Added notes under "Operations" with more information on proxy, retransmission and keep-alives.
- If multiple attributes of the same type are present, the order of attributes of the same type must be preserved by any proxy.
- Clarified Proxy-State.
- Clarified that attributes must not depend on their position within the packet, as long as attributes of the same type are kept in order.
- Added an IANA considerations section.
- Updated the "Proxy" section of "Operations".
- Framed-MTU may be sent in an Access-Request as a hint.
- Updated the security considerations.
- Text strings are defined as a subset of string, clarifying the use of UTF-8.
RFC 2866 - RADIUS Accounting: describes the accounting process for a RADIUS server. It is the companion document to RFC 2865 and the update of RFC 2139. Like RFC 2865, RFC 2866 introduces the packets used in the accounting process and the attributes in those packets, and describes how accounting is carried out when accounting is requested. Changes relative to RFC 2139:
- Replaced US-ASCII with UTF-8.
- Added notes on proxy.
- Framed-IP-Address should contain the actual IP address of the user.
- If Acct-Session-Id was sent in an Access-Request, it must be used in the Accounting-Request for that session.
- New values added to Acct-Status-Type.
- Added an IANA considerations section.
- Updated references.
- Text strings are defined as a subset of string, clarifying the use of UTF-8.
RADIUS Accounting for tunnels (RFC 2867). The use of RADIUS accounting allows dial-up usage data to be collected at a central location rather than stored on each NAS. To collect usage data for tunnels, new RADIUS attributes are needed, and this document defines them. In addition, some new values for the Acct-Status-Type attribute are proposed. Specific recommendations and examples of applying these attributes to the L2TP protocol are described in RFC 2809. New Acct-Status-Type values: Tunnel-Start (9) marks the establishment of a new tunnel with another node. Tunnel-Stop (10) marks the destruction of a tunnel to or from another node. Tunnel-Reject (11) marks the rejection of an attempt to establish a tunnel with another node. Tunnel-Link-Start (12) marks the creation of a tunnel link. Tunnel-Link-Stop (13) marks the destruction of a tunnel link. Tunnel-Link-Reject (14) marks the rejection of an attempt to establish a new link in an existing tunnel. Two new attributes: Acct-Tunnel-Connection may be used to provide a means of uniquely identifying a tunnel session for auditing purposes; Acct-Tunnel-Packets-Lost indicates the number of packets lost on a given link.
New attributes (RFC 2868): Tunnel-Type: indicates the tunnelling protocol(s) to be used or in use. Tunnel-Medium-Type: indicates the transport medium to use when creating a tunnel for protocols (such as L2TP) that can operate over several transports. Tunnel-Client-Endpoint: contains the address of the initiator end of the tunnel. Tunnel-Server-Endpoint: contains the address of the server end of the tunnel. Tunnel-Password: contains a password used to authenticate to a remote server. Tunnel-Private-Group-ID: indicates the group ID for a particular tunnelled session. Tunnel-Assignment-ID: used to tell the tunnel initiator the particular tunnel to which a session is to be assigned. Tunnel-Preference: when the RADIUS server returns more than one set of tunnel attributes to the tunnel initiator, this attribute is included in each set to indicate the relative preference of each tunnel. Tunnel-Client-Auth-ID: specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. Tunnel-Server-Auth-ID: specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment.
The Extensible Authentication Protocol (EAP) is a PPP extension that provides support for additional authentication methods within PPP. This RFC (RFC 3579) describes how the EAP-Message and Message-Authenticator attributes are used to provide EAP support within RADIUS. All attributes are variable-length Type-Length-Value 3-tuples, so new attribute values can be added without disturbing existing implementations of the protocol.
III. ASA
1. History.
Among hardware appliances that protect the internal network infrastructure, the PIX Firewall from Cisco Systems formerly held one of the leading positions in this field. However, following the development of the technology and the trend of integrating multiple functions on current hardware architectures (so-called appliances), Cisco Systems quickly released its multi-function security product line, the Cisco ASA (Adaptive Security Appliance). Besides inheriting the features and strengths of the technologies used in the Cisco PIX Firewall, Cisco IPS 4200 and Cisco VPN 3000 Concentrator, this product line integrates at once the three main groups of functions of a protective infrastructure: Firewall, IPS and VPN. Through this integration, Cisco ASA delivers an effective solution for securing network connections, so that the organisation or enterprise can respond proactively and on a broad front to the forms of network attack and the threats it commonly faces. The outstanding features of the ASA are:
+ Full firewall, IPS, anti-X and IPsec/SSL VPN capabilities.
+ An extensible, adaptive identification and Mitigation Services architecture.
+ Reduced operating and development costs.
Inspection of layer 4 protocol information: source and destination TCP/UDP ports. Once an ACL is configured correctly, it can be applied to an interface to filter traffic. The security appliance can filter packets in the inbound and outbound directions of an interface. When an ACL is applied inbound on an interface, the security appliance checks packets against the ACEs after receiving them and before forwarding them. If a packet is permitted in, the security appliance continues processing it through the other configured features. If a packet is denied by the ACL, the security appliance drops the packet and generates a syslog message indicating that such an event occurred. In Figure 3-1, the administrator has applied an inbound ACL to the outside interface of the security appliance that permits only HTTP traffic to 20.0.0.1. All other traffic is dropped at the appliance's interface.
Figure 3-1: Packet filtering by the firewall. Host A (209.165.201.1) on the Internet, the outside interface on 209.165.200.224/27, and the inside network 20.0.0.0/8.

If an outbound ACL is applied on an interface, the security appliance processes packets by passing them through the other processes (NAT, QoS and VPN) and then applies the configured ACEs before transmitting them. The appliance transmits the packets only if they are permitted to go out. If a packet is denied by one of the ACEs, the appliance drops it and generates a syslog message indicating that such an event occurred. In Figure 3-1, the administrator has applied an outbound ACL to the inside interface that permits only HTTP traffic to 20.0.0.1. All other traffic is dropped at the appliance's interface.
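The first-match and implicit-deny behaviour described for Figure 3-1, as an added Python example (neither ASA configuration nor code from the thesis): the ACE and packet records, the addresses and the log strings are constructed for illustration. The second ACL goes beyond the figure to show the ordering pitfall a reviewer looks for: a broad permit placed ahead of a deny makes the deny unreachable.

```python
# Added example: first-match ACL evaluation with implicit deny (constructed data).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" for any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and pkt.src in ace.src and pkt.dst in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[ACE], pkt: Packet, log: List[str]) -> bool:
    """ACEs are tested in order and the first match decides; a packet that
    matches nothing hits the implicit deny at the end. Denies are logged
    the way the appliance raises a syslog message."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            if ace.action == "deny":
                log.append(f"denied by ACE {n}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return ace.action == "permit"
    log.append(f"denied by implicit deny: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return False


def figure_3_1_acl() -> List[ACE]:
    """Inbound on outside: only HTTP to 20.0.0.1 is permitted."""
    return [ACE("permit", "tcp", ANY, ipaddress.ip_network("20.0.0.1/32"), 80)]


def shadowed_acl() -> List[ACE]:
    """Ordering pitfall: a broad permit first makes the later deny dead."""
    return [ACE("permit", "ip", ANY, ANY),
            ACE("deny", "tcp", ANY, ipaddress.ip_network("20.0.0.1/32"), 23)]


def demo():
    a = ipaddress.ip_address
    host_a = a("209.165.201.1")  # Host A from Figure 3-1
    log: List[str] = []
    acl = figure_3_1_acl()
    results = [evaluate(acl, Packet("tcp", host_a, a("20.0.0.1"), 80), log),
               evaluate(acl, Packet("tcp", host_a, a("20.0.0.1"), 22), log),
               evaluate(acl, Packet("udp", host_a, a("20.0.0.1"), 80), log),
               evaluate(acl, Packet("tcp", host_a, a("20.0.0.2"), 80), log)]
    shadowed = evaluate(shadowed_acl(), Packet("tcp", host_a, a("20.0.0.1"), 23), [])
    return results, shadowed, log
```

Only the HTTP packet to 20.0.0.1 passes; SSH to the same host, UDP/80, and HTTP to a neighbouring address all fall through to the implicit deny and produce a log line each, while the telnet packet against the shadowed ACL is permitted even though a deny for it exists further down.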
Access Control List types: there are five different kinds of ACL, providing a flexible and scalable way to filter unauthorized packets:
+ Standard ACL
+ Extended ACL
+ IPv6 ACL
+ EtherType ACL
+ WebVPN ACL
Standard ACL: a standard ACL is used to identify packets based on their destination IP address. These ACLs can be used to split traffic in remote-access VPNs and to redistribute that traffic via routing. A standard ACL can be used to filter packets only when the security appliance is operating in routed mode, preventing access from one subnet to another.
Extended ACL: the extended ACL is the most common kind; it can classify packets on the following characteristics: source and destination address; layer 3 protocol; source and/or destination TCP and UDP port; ICMP type for ICMP packets. An extended ACL can be used for packet filtering, QoS packet classification, identifying packets for NAT, and VPN encryption.
IPv6 ACL: an IPv6 ACL works like an extended 
ACL, but only recognises IPv6 traffic passing through the security appliance in routed mode.
EtherType ACL: an EtherType ACL can be used to filter IP or non-IP packets by inspecting the EtherType code in the layer 2 Ethernet header. An EtherType ACL can only be configured when the security appliance is running in transparent mode. Note that in this mode the security appliance does not allow IPv6 traffic through, even if it is permitted by an IPv6 EtherType ACL.
WebVPN ACL: a WebVPN ACL lets the system administrator restrict traffic coming from WebVPN flows. If a WebVPN ACL is defined but matches no packet, the packet is dropped by default. On the other hand, if no ACL is defined, the security appliance allows the traffic through. An ACL identifies traffic by permitting or denying packets as they attempt to pass through the security appliance. A simple ACE permits all IP addresses in one network to reach another; a more complex one permits traffic from a specific IP address on one particular port to another port at the destination address. An ACE is built with the access control commands configured on the security appliance.
Cisco ASA can distinguish between trusted and untrusted applets. If a trusted web site sends a Java or ActiveX applet, the security appliance can forward it to the host that requested the connection. If the applet is sent from an untrusted web server, the security appliance can modify the content and strip the applet from the packets. In this way the end user does not have to decide whether applets are accepted or rejected; they can download any applet without worrying.
NAT helps home users and small businesses connect to the Internet easily and efficiently, and saves on investment costs.
users, whose user database can reside on the ASA or be stored on a RADIUS or TACACS+ server. Accounting: the process of collecting and sending user information to an AAA server, where it is recorded to track logins (when the user logs in and out) and the services the user accesses. This information can be used for billing, auditing and reporting purposes. The Cisco ASA can be configured to maintain an internal user database or to use an external server for authentication.
Figure 3-2: Basic NAS/RADIUS/TACACS+/AAA architecture. The AAA authentication protocols and the servers whose databases are stored externally are: Remote Authentication Dial-In User Service (RADIUS); Terminal Access Controller Access-Control System Plus (TACACS+); RSA SecurID (SDI); Windows NT; Kerberos; Lightweight Directory Access Protocol (LDAP).
RADIUS is a widely used authentication protocol defined in RFC 2865, "Remote Authentication Dial-In User Service (RADIUS)". RADIUS operates in a client/server model. A RADIUS client is usually called a network access server (NAS); the NAS is responsible for passing user information to the RADIUS server. The Cisco ASA acts as a NAS and authenticates users based on the RADIUS server's response. The Cisco ASA supports the following RADIUS servers, among others: CiscoSecure ACS; Cisco Access Registrar; Livingston; Merit; Funk Steel-Belted; Microsoft Internet Authentication Server. For authentication, a secret key is shared between the AAA/RADIUS server and the AAA client. The shared secret key is never sent over the link between the devices, which is what preserves integrity. When RADIUS authenticates a user, many authentication methods can be used; RADIUS supports authentication via the Point-to-Point Protocol Challenge Handshake Authentication Protocol (PPP CHAP) and the PPP Password Authentication Protocol (PAP). RADIUS is an extensible protocol that lets vendors add new attribute values without creating problems for the existing ones. A major difference between TACACS+ and RADIUS is that RADIUS does not separate authentication from authorization. RADIUS also provides better accounting. RADIUS runs over UDP. RADIUS uses ports 1645 and 1812 for authentication and 1646 and 1813 for accounting. Ports 1812 and 1813 were introduced in newer RADIUS deployments: using port 1645 in early deployments conflicted with the "datametrics" service, so the official port is 1812. The RADIUS protocol is a connectionless service: issues of server availability, retransmission and timeouts are handled by the device rather than by the transport protocol. This differs from TACACS+, which relies on the connection-oriented TCP protocol.

RADIUS operation. The following is how RADIUS handles a login:
Step 1. A user's login information generates a query (Access-Request) from the AAA client to the RADIUS server.
Step 2. An accept or reject response (Access-Accept or Access-Reject) is returned from the server.
The Access-Request packet contains the username, the hidden password, the IP address of the AAA client, and the port. RADIUS packet format:

Figure 3-3: RADIUS packet format. Code | Identifier | Length | Request Authenticator | Attributes

Each RADIUS packet consists of the following:
+ Code: 1 octet, defines the packet type.
+ Identifier: 1 octet, used to match requests with replies and to detect duplicate requests.
+ Length: 2 octets, the length of the whole packet.
+ Request Authenticator: 16 octets, most significant octet transmitted first; used to authenticate the reply from the RADIUS server. The two kinds of authenticator are:
- Request Authenticator, present in Access-Request and Accounting-Request packets.
- Response Authenticator, present in Access-Accept, Access-Reject, Access-Challenge and Accounting-Response packets.
+ Attributes: additional attributes; RADIUS also supports vendor-specific attributes.
The RADIUS server receives the user's authentication request and then returns the configuration information the client needs to deliver the particular service to the user. The RADIUS server does this by sending Internet Engineering Task Force (IETF) or vendor-specific attributes. (The RADIUS authentication attributes are defined in RFC 2865.) Here the Cisco ASA acts as the NAS and the RADIUS server is a Cisco Secure Access Control Server (ACS). The user attempts to connect to the Cisco ASA (for administration, VPN, or the cut-through proxy feature). The Cisco ASA prompts the user for a username and password. The user sends their credentials to the Cisco ASA. The Cisco ASA sends an authentication request (Access-Request) to the RADIUS server. The RADIUS server sends an Access-Accept message if the user is authenticated successfully, or an Access-Reject if not. The Cisco ASA responds to the user and allows access to the particular service. Note: the RADIUS server may also send vendor-specific attributes to the Cisco ASA depending on the implementation and the services in use. These attributes can carry information such as the IP address to assign to the client and authorization information. The RADIUS server combines the authentication and authorization phases into a single request and response cycle.
Figure 3-4: TACACS+ packet header format. major_version (4 bits) | minor_version (4 bits) | type (8 bits) | seq_no (8 bits) | flags (8 bits) | session_id (32 bits) | length (32 bits)

major_version: the major version number of TACACS+. The value appears in the header as TAC_PLUS_MAJOR_VER = 0xc.
minor_version: the revision number of the TACACS+ protocol; it also provides backward compatibility. A default value, as well as version one, is defined for some commands. These values appear in the TACACS+ header as TAC_PLUS_MINOR_VER_DEFAULT = 0x0 and TAC_PLUS_MINOR_VER_ONE = 0x1. If an AAA server running TACACS+ receives a TACACS+ packet specifying a minor version other than the current one, it sends back an error status and requests the minor_version with the closest supported version.
type: distinguishes the packet type. Only a few types are legal:
- TAC_PLUS_AUTHEN = 0x01: an authentication packet.
- TAC_PLUS_AUTHOR = 0x02: an authorization packet.
- TAC_PLUS_ACCT = 0x03: an accounting packet.
seq_no: the sequence number for the current session. TACACS+ may start one or more TACACS+ sessions for each AAA client.
flags: two flags are defined:
+ TAC_PLUS_UNENCRYPTED_FLAG: indicates whether the body of the TACACS+ packet is obfuscated. A value of 1 means the body is unencrypted (sent in the clear); 0 means the body is encrypted.
+ TAC_PLUS_SINGLE_CONNECT_FLAG: indicates whether multiple TACACS+ sessions are multiplexed over a single TCP connection.
Session_id: a random value that identifies the current session between the client and the AAA server running TACACS+. The value stays the same for the whole duration of the session.
Length: the total length of the TACACS+ packet body, not including the 12-byte header.
The TACACS+ authentication concept is similar to RADIUS. The NAS sends an authentication request to the TACACS+ server. The server eventually sends one of the following messages back to the NAS:
ACCEPT - The user is authenticated successfully and the requested service is allowed. If authorization is required, the authorization process is then carried out.
REJECT - The user's authentication is rejected. The user may be prompted to retry authentication, depending on the TACACS+ server and the NAS.
ERROR - An error occurred during authentication. The cause can be a connection problem or a violation of the security mechanism.
CONTINUE - The user is prompted to provide more authentication information.
After authentication completes, if authorization is required the TACACS+ server proceeds to the next phase, provided authentication was successful.
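To make the header layout above concrete, the following added example (not code from this report or from any TACACS+ implementation) packs and validates the 12-byte header, decodes the two flag bits and the packet type, and applies the body obfuscation that TAC_PLUS_UNENCRYPTED_FLAG turns off. The obfuscation algorithm (an MD5 pseudo-pad XORed over the body) is taken from RFC 8907, section 4.5, which the report does not cite; the session id, key and body bytes are constructed sample values.

```python
"""Parse/build the TACACS+ header and apply the body obfuscation selected by
TAC_PLUS_UNENCRYPTED_FLAG (pseudo-pad per RFC 8907 s.4.5). Added example;
all sample values are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_MINOR_VER_ONE = 0x1
PACKET_TYPES = {0x01: "TAC_PLUS_AUTHEN", 0x02: "TAC_PLUS_AUTHOR", 0x03: "TAC_PLUS_ACCT"}
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
SUPPORTED_MINOR = {TAC_PLUS_MINOR_VER_DEFAULT, TAC_PLUS_MINOR_VER_ONE}
# version(1) type(1) seq_no(1) flags(1) session_id(4) length(4), network byte order
HEADER = struct.Struct("!BBBBII")


def build_header(pkt_type, seq_no, session_id, body_len, flags=0,
                 minor=TAC_PLUS_MINOR_VER_DEFAULT):
    """Major version in the high nibble, minor version in the low nibble."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, body_len)


def parse_header(data):
    """Return the header fields as a dict; raise ValueError for anything a
    server would reject (wrong major, unsupported minor, illegal type)."""
    if len(data) < HEADER.size:
        raise ValueError("short header: need 12 bytes")
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ packet: major version 0x%x" % major)
    if minor not in SUPPORTED_MINOR:
        # the report: reply with an error status and the closest supported minor
        raise ValueError("unsupported minor_version %d, closest supported is %d"
                         % (minor, max(SUPPORTED_MINOR)))
    if pkt_type not in PACKET_TYPES:
        raise ValueError("illegal packet type 0x%02x" % pkt_type)
    return {
        "major_version": major, "minor_version": minor,
        "type": PACKET_TYPES[pkt_type], "seq_no": seq_no,
        "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "session_id": session_id, "length": length,
    }


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate_body(header, body, key):
    """XOR the body with the pad; calling it again reverses it. This is keyed
    obfuscation only: there is no integrity check on the body."""
    version, _t, seq_no, flags, session_id, _l = HEADER.unpack_from(header)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # flag = 1: body is sent in the clear
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))
```

Because the pad derives only from header fields and the shared key, the same key on every device means one recovered key exposes every session; the example's `parse_header` errors are the checks a server performs before it ever touches the body.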
SDI can be configured to require the user to enter a new PIN while authenticating. The authentication mechanism is shown in Figure 3-5:
Figure 3-5: Authentication mechanism
1. The user initiates a connection to the Cisco ASA security appliance.
2. The Cisco ASA starts the authentication mechanism.
3. The user supplies a username and password.
4. The Cisco ASA forwards the authentication request to the SDI server.
5. If the new-PIN mode is accepted, the SDI server authenticates the user and requests a new PIN to be used at the user's next authentication session.
6. The Cisco ASA asks the user to supply a new PIN.
7. The user enters the new PIN.
8. The Cisco ASA sends the new PIN to the SDI server.
4.4. Windows NT
The Cisco ASA supports Windows NT for authenticating remote-access VPN connections. It communicates with the Windows NT server over TCP port 139. As with SDI, a RADIUS/TACACS+ server can be used, and, as with CiscoSecure ACS, authentication can be delegated to Windows NT for the services supported by the Cisco ASA.
4.5. Kerberos
Kerberos is a protocol built to improve the security of authentication in distributed network environments. The Cisco ASA can authenticate VPN users through external Windows directories that use Kerberos for authentication. A Unix or Linux operating system can be used to run the Kerberos authentication server. It is supported for authenticating VPN clients. The Cisco ASA communicates with Active Directory and/or the Kerberos server over UDP port 88.
... client, also as an LDAP message. For example, when an LDAP client wants to search the directory, the client builds an LDAP search and sends the message to the server. The server searches its database and returns the result to the client in an LDAP message.
Connection process between LDAP server and client: the LDAP client and server go through the following steps. The client opens a TCP connection to the LDAP server and performs a bind operation. The bind operation includes the name of a directory entry and the credential to be used during authentication; the credential is usually a password but can also be a digital certificate used to authenticate the client. Once the directory has verified the bind operation, the result of the bind is returned to the client.
Figure 3-6: Connection process between client and server (bind, search, end of session, unbind, close connection)
1. The client opens a TCP connection and performs the bind operation.
2. The server verifies the bind and returns the bind result to the client.
3. The client issues search requests.
4. The server processes them and returns result 1 to the client.
5. The server returns result 2 to the client.
6. The server sends a message ending the search.
7. The client issues an unbind request, which tells the server that the client wants to drop the connection.
8. The server closes the connection.
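The bind and unbind steps above are ordinary BER-encoded LDAP messages (RFC 4511). The following added example, which is not code from the report or from any LDAP library, encodes the BindRequest of step 1 and the UnbindRequest of step 7 and decodes the BindResponse of step 2; the search steps (3 to 6) are not encoded. The sample response bytes, DN and password are constructed.

```python
"""Encode LDAP BindRequest/UnbindRequest and decode a BindResponse (RFC 4511,
BER). Added example; the sample message bytes are constructed."""

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
# protocolOp tags: [APPLICATION 0] BindRequest, [APPLICATION 1] BindResponse,
# [APPLICATION 2] UnbindRequest (a primitive NULL)
TAG_BIND_REQUEST, TAG_BIND_RESPONSE, TAG_UNBIND_REQUEST = 0x60, 0x61, 0x42
TAG_SIMPLE_AUTH = 0x80  # AuthenticationChoice: simple [0] OCTET STRING
LDAP_VERSION = 3


def ber_length(n):
    """Short form below 128, otherwise 0x80|byte-count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value, tag=TAG_INTEGER):
    """Non-negative INTEGER/ENUMERATED; the extra bit keeps the sign bit clear."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bind_request(msg_id, dn, password):
    """Step 1: simple bind. The password is carried in cleartext inside the
    message, so a simple bind must only be sent over TLS (LDAPS or StartTLS)."""
    op = tlv(TAG_BIND_REQUEST,
             ber_int(LDAP_VERSION)
             + tlv(TAG_OCTET_STRING, dn.encode())
             + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + op)


def unbind_request(msg_id):
    """Step 7: UnbindRequest has no body; the server then closes the TCP connection."""
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + bytes([TAG_UNBIND_REQUEST, 0x00]))


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def parse_bind_response(data):
    """Step 2: return (msg_id, resultCode, diagnosticMessage). resultCode 0 is
    success; 49 (invalidCredentials) is what a wrong password produces."""
    tag, msg, _ = read_tlv(data)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    t, v, pos = read_tlv(msg)
    if t != TAG_INTEGER:
        raise ValueError("missing messageID")
    msg_id = int.from_bytes(v, "big")
    t, op, _ = read_tlv(msg, pos)
    if t != TAG_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % t)
    t, rc, pos = read_tlv(op)
    if t != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return msg_id, int.from_bytes(rc, "big"), diag.decode()


# Constructed sample: the server rejects message 1 with resultCode 49.
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c0201016107" "0a0131" "0400" "0400")
```

Matching the messageID of a response against the request, as `parse_bind_response` returns it, is how a client ties results to the right outstanding operation when several are in flight on one connection.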
6. Fault tolerance and redundancy (failover and redundancy)
6.1. Failover architecture
When two ASAs are set up in failover mode, one of the Cisco ASAs, called the active unit, is responsible for building state and address translations, forwarding packets and monitoring other activity; the other ASA, called the standby unit, is responsible for monitoring the state of the active unit. The active and standby units exchange failover information with each other over a dedicated connection known as the failover link. When a fault occurs on the active unit, the standby unit takes over the role of the active unit until the active unit recovers. The failover link between the two ASAs exchanges the following information:
- Active or standby state
Failover link
The unit tests the health of the system as follows:
- If no packets at all are received for five seconds, the failover process begins.
- It sends an ARP request; if no reply is received within five seconds, the interface is considered failed and the failover process is run.
- It sends a broadcast ping test; if no reply is received within five seconds, the interface is considered failed and the failover process is run.
- Traffic prioritization
- Traffic shaping
- Traffic marking
However, the Cisco ASA supports only two of these: traffic policing and traffic prioritization.
Priority queuing
Figure 3-8: Illustrates how a packet is processed inside the security appliance when it passes through the QoS tools. On leaving the QoS mechanism the packet is handed to the interface for transmission. The security appliance applies QoS to each packet at a different level, so that traffic it determines is not on the priority list is still delivered. Packet handling depends on the depth of the low-priority queue and the state of the transmit ring. The transmit ring is buffer space that the security appliance uses to hold packets before passing them down to the driver level. If congestion occurs, packets are held in the low-priority queue until the high-priority queue is empty; whenever the high-priority queue has traffic, it is served first. Through traffic limiting (policing), the security appliance drops packets that do not conform to the configured QoS settings. The Cisco ASA logs this event to a syslog server or locally on the device.
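The two tools the report says the ASA supports, policing and priority queuing, are easy to see in a small model. The added example below (constructed, not the ASA's own implementation) combines a token-bucket policer that drops and logs non-conforming packets with a strict-priority scheduler that always drains the high-priority queue before the low-priority one and drops when the low-priority queue is full. Packet sizes, timestamps and the rate are constructed sample values.

```python
"""Toy model of traffic policing plus strict priority queuing, with the drop
events an appliance would log. Added example with constructed packets."""
from collections import deque


class TokenBucketPolicer:
    """Admit up to `rate_bps` bytes/second with a burst of `burst_bytes`; excess is dropped."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate, self.burst = rate_bps, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def conforms(self, size, now):
        # refill proportionally to elapsed time, never above the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class PriorityScheduler:
    def __init__(self, policer, low_queue_depth):
        self.policer = policer
        self.high, self.low = deque(), deque()
        self.low_depth = low_queue_depth
        self.log = []  # the events the ASA would send to syslog

    def enqueue(self, pkt, now):
        """pkt: {'id': str, 'size': int, 'priority': bool}. Returns False when dropped."""
        if not self.policer.conforms(pkt["size"], now):
            self.log.append("drop %s: exceeds policing rate" % pkt["id"])
            return False
        if pkt["priority"]:
            self.high.append(pkt)  # the priority queue is not depth-limited here
        elif len(self.low) < self.low_depth:
            self.low.append(pkt)
        else:
            self.log.append("drop %s: low-priority queue full" % pkt["id"])
            return False
        return True

    def dequeue(self):
        """Strict priority: the low queue is served only when the high queue is empty."""
        if self.high:
            return self.high.popleft()
        if self.low:
            return self.low.popleft()
        return None


def simulate(packets, rate_bps=1000, burst=1500, low_depth=2):
    """Feed packets (each with arrival time 't') in order; return (transmit order, drop log)."""
    sched = PriorityScheduler(TokenBucketPolicer(rate_bps, burst), low_depth)
    for pkt in packets:
        sched.enqueue(pkt, pkt["t"])
    order = []
    while True:
        pkt = sched.dequeue()
        if pkt is None:
            break
        order.append(pkt["id"])
    return order, sched.log
```

In this model the policer runs before queuing, so a burst of bulk traffic is dropped rather than starving the priority queue; the drop log is the signal worth forwarding to a collector, since a sustained rate of policing drops from one source is a cheap indicator of flooding.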
... must maintain the level of protection. To be cautious and safe, avoid risk and reduce the cost of damage and disruption to the system, the Cisco ASA firewall supports two different types of intrusion detection system:
- Network-based intrusion detection systems (NIDS).
- Host-based intrusion detection systems (HIDS).
... does not detect intrusion activity if the sensor cannot reassemble the packets correctly.
- CPU utilization.
- Integrity and access checks on the file system.
- Several other parameters.
When one of these parameters exceeds a predefined threshold, or suspicious changes appear on the file system, an alarm is raised.
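The two checks named above, file-system integrity and a CPU-usage threshold, are shown in the following added example (not the code of any HIDS product). It records a baseline of file hashes and permission bits, compares a later snapshot against it, and raises alarms for added, removed and modified files; the CPU check alarms only on a sustained run of samples above the threshold. The monitored directory, its files and the tampering are all constructed inside a temporary directory.

```python
"""Minimal host-based checks: file-integrity baseline/compare and a CPU-usage
threshold. Added example; the monitored files are created in a temp directory."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to (sha256, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            baseline[os.path.relpath(path, root)] = (digest, mode)
    return baseline


def compare(baseline, current):
    """Alerts for added, removed and modified files (content or permissions)."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            alerts.append("added: %s" % rel)
        elif rel not in current:
            alerts.append("removed: %s" % rel)
        else:
            old_hash, old_mode = baseline[rel]
            new_hash, new_mode = current[rel]
            if old_hash != new_hash:
                alerts.append("modified: %s" % rel)
            if old_mode != new_mode:
                alerts.append("permissions changed: %s %o -> %o" % (rel, old_mode, new_mode))
    return alerts


def cpu_alert(samples, threshold=90.0, consecutive=3):
    """Alarm when utilization stays above threshold for `consecutive` samples,
    so that a single spike does not page anyone."""
    run = 0
    for value in samples:
        run = run + 1 if value > threshold else 0
        if run >= consecutive:
            return True
    return False


def demo(root=None):
    """Take a baseline, apply a constructed tampering event, return the alerts."""
    root = root or tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    conf = os.path.join(root, "etc", "sshd_config")
    with open(conf, "w") as fh:
        fh.write("PermitRootLogin no\n")
    os.chmod(conf, 0o644)
    baseline = snapshot(root)
    # constructed tampering: setting weakened, file made world-writable, new file dropped
    with open(conf, "w") as fh:
        fh.write("PermitRootLogin yes\n")
    os.chmod(conf, 0o666)
    with open(os.path.join(root, "etc", "unexpected.sh"), "w") as fh:
        fh.write("#!/bin/sh\n")
    return compare(baseline, snapshot(root))
```

The baseline is only as trustworthy as the place it is stored: keeping it on the monitored host itself is exactly the weakness listed under the limitations below, since an attacker who controls the host can rewrite the baseline along with the files.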
8.2.1. Advantages of HIDS
- Can identify the user associated with an event.
- HIDS can detect attacks that take place on a single host; NIDS cannot.
- Can analyse encrypted data.
- Provides information about the host while an attack on that host is in progress.
8.2.2. Limitations of HIDS
- Information from the HIDS is no longer trustworthy once an attack on the ASA has succeeded.
- When the ASA firewall is brought down by an attack, the HIDS goes down with it.
- HIDS must be installed on every host that needs monitoring.
- HIDS cannot detect network scans (Nmap, Netcat).
- HIDS consumes resources on the host in order to run.
- HIDS may be ineffective under a DoS attack.
IV. Simulation
1. Objective of the simulation
The simulation demonstrates the features and makes clear the operating principle as well as the steps to configure the AAA server. It implements remote access through a VPN on the ASA, authenticated with the RADIUS protocol.
2. Simulation topology
4. Simulation steps
1. Run the ACS 4.2 software. Select Network Configuration on the left, then click Add Entry in the AAA Clients section.
Tick the two items.
Configuration on the ASA allowing the VPN to authenticate against the AAA (RADIUS) server.
Step 1: Define the IP address range assigned to remote users who connect to the system
  ip local pool mypool 172.16.1.100-172.16.1.200 mask 255.255.255.0
  !
Step 2: Create an ACL allowing the remote users' address range to connect to the system
  access-list vpnclientgroup standard permit 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
  nat (inside) 0 access-list inside_nat0_outbound
Step 3: Set up authentication of the user group against the internal server
  aaa-server vpnclientgroup protocol radius
  aaa-server vpnclientgroup host 192.168.1.2 key 123456
Step 4: Set up the policy for remote users
  group-policy vpnclientgroup internal
  group-policy vpnclientgroup attributes
   dns-server value 192.168.1.2
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value vpnclientgroup
   default-domain value da.com
Step 5: Create a tunnel group tying the connection to the user policy, the authentication method and the shared key
  tunnel-group vpnclientgroup type ipsec-ra
  tunnel-group vpnclientgroup general-attributes
   address-pool mypool
   authentication-server-group vpnclientgroup
   default-group-policy vpnclientgroup
  tunnel-group vpnclientgroup ipsec-attributes
   pre-shared-key 123456
Step 6: Define the encryption and authentication methods (transform set) used to encrypt and authenticate the data sent over the tunnel
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
Client configuration: next, configure the remote-access client to connect to the ASA and reach the internal web and FTP servers. Open the Cisco VPN Client software and enter the group name and pre-shared key to connect.
Open Wireshark to capture the RADIUS packets.
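The Access-Request / Access-Accept exchange described in the RADIUS section, and the packets a Wireshark capture of the lab above shows, follow the RFC 2865 layout. The following added example (not code from the report, Cisco or any RADIUS library) builds the Access-Request the ASA sends, hides the User-Password the way RFC 2865 section 5.2 prescribes, decodes a raw packet into its attributes as a capture viewer would, and verifies the Response Authenticator of the server's reply. The shared secret 123456 is the lab value from the configuration above; the username, NAS address and authenticator bytes are constructed.

```python
"""RFC 2865 Access-Request builder, packet decoder and Response Authenticator
check. Added example; 123456 is the report's lab secret, other values constructed."""
import hashlib
import os
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 8: "Framed-IP-Address"}


def hide_password(password, secret, authenticator):
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + previous ciphertext block),
    the first with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side reversal of hide_password; trailing padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return out.rstrip(b"\x00")


def attr(t, value):
    """Attribute = Type(1) Length(1, counts itself and Type) Value."""
    return bytes([t, 2 + len(value)]) + value


def access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """Code 1, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, username.encode())
             + attr(2, hide_password(password.encode(), secret, authenticator))
             + attr(4, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def decode(packet):
    """Decode header and attribute list; reject length fields that disagree with the bytes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field %d does not match %d bytes" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((ATTR_NAMES.get(t, "Attr-%d" % t), packet[pos + 2:pos + l]))
        pos += l
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": packet[4:20], "attrs": attrs}


def response(code, request, secret, attrs=b""):
    """Server reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(resp, request, secret):
    """What the NAS must check before acting on an Access-Accept: identifier match
    and a Response Authenticator computed with the right Request Authenticator and secret."""
    if resp[1] != request[1]:
        return False
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return expected == resp[4:20]
```

Two things the code makes visible: the password hiding is keyed on MD5 of the shared secret, so the secret's strength (and keeping RADIUS on an isolated management network) is what protects captured User-Password attributes, and an Access-Accept is only as good as the Response Authenticator check in `verify_response`; a NAS that skips it will accept a forged reply.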
5. Results achieved
- Through the simulation, the RADIUS authentication process is understood more clearly and matches the description in the theory.
- A clear grasp of the operation and the features of the Cisco ASA firewall.
- The ASA firewall was emulated on GNS3.
- Users accessing the system through the VPN mechanism can be managed and monitored.
- Information security is met for data behind the firewall's protection, with its encryption, authentication and access-authorization mechanisms.
References:
- RFC 2865: Remote Authentication Dial In User Service (RADIUS). Link: http://www.ietf.org/rfc/rfc2865.txt
- RFC 2866: RADIUS Accounting. Link: http://www.ietf.org/rfc/rfc2866.txt
- Firewall Fundamentals, by Wes Noonan, Ido Dubrawsky. Publisher: Cisco Press, 2/6/2006
- RADIUS, by Jonathan Hassell. Publisher: O'Reilly, 10/2002
- Cisco ASA and PIX Firewall Handbook, by Dave Hucaby. Publisher: Cisco Press, 7/1/2005
- Cisco ASA: All-in-one Firewall, IPS and VPN Adaptive Security Appliance, by Jazib Frahim, Omar Santos. Publisher: Cisco Press, 21/10/2005
- Cisco ASA: All-in-one Firewall, IPS, Anti-X and VPN Adaptive Security Appliance (Second Edition), by Jazib Frahim, Omar Santos. Publisher: Cisco Press, 21/10/2005
- Cisco Access Control Security: AAA Administrative Services, by Brandon Carroll. Publisher: Cisco Press, 27/5/2004