
28-12-2011, 07:15 AM
Excerpt from the Dân Cisco Newsletter, issue 2, published 18/12/2011

I. Comparison of SSL VPN and IPSec VPN

Choosing SSL VPN or IPSec VPN?

First, it must be made clear that SSL VPN and IPSec VPN are not mutually exclusive technologies. The two are commonly deployed side by side in the same company. Weighing the cost/benefit aspects of the choice, together with the technical problems that the SSL and IPSec solutions each address, makes it easier to decide which VPN to deploy.

In terms of security level?

Which is more secure, the IPSec VPN protocol or the SSL VPN protocol? In fact, both security protocols protect the system well. Both provide a secure key exchange method and strong encryption. Although the two technologies differ and are set up and deployed on systems in different ways, they share a number of basic characteristics: strong encryption mechanisms, the use of session keys, and the ability to authenticate using methods and technologies such as Triple DES, 128-bit RC4, MD5, SHA1, RADIUS, Active Directory, LDAP, and X.509.

In terms of applications?

IPSec VPN supports all IP-based applications. Once the IPSec channel is established, all application services are allowed to pass through it, from traditional applications such as web, e-mail, and file transfer to other applications such as ICMP, VoIP, SQL, and so on, as well as multi-service formats such as IPTV, MyTV, and Video Server. This is an advantage of IPSec VPN, especially because IPSec VPN can provide secure connections for non-Web-based applications. For this reason, clients that use IPSec to make the VPN connection are called Fat-Clients, because of their ability to deliver many services and applications.

SSL VPN, by contrast, provides Web-based applications and e-mail applications (POP3/IMAP/SMTP). Clients only need a browser with SSL support to make the VPN connection, without installing client software, so they are called Clientless or Thin-Client. SSL VPN also supports TCP-based applications through a port forwarding applet, such as Terminal Services (RDP protocol), the CIFS (Common Internet File Service) file-sharing application, and Citrix ICA (the Succendo SSL VPN product lines from O2SECURITY, which support these applications very well and with high security, are one example).

II. Which methods of transitioning from IPv4 to IPv6 are most widely applied in practice today?

Moving from an IPv4 network to an IPv6 network is not an easy task and cannot be done all at once. This section introduces three transition technologies that are in common use today:

- Dual Stack
- Tunneling
- NAT-PT

Dual Stack: allows IPv4 and IPv6 to operate together in the same network device.

http://img707.imageshack.us/img707/3100/image001kc.jpg (http://img707.imageshack.us/i/image001kc.jpg/)

Tunnelling: tunnel technology that uses the IPv4 network infrastructure to carry IPv6 packets, in order to provide IPv6 connectivity.

Representative Manual Tunnel technologies:

- Manually configured tunnels (MCT)
- Generic Routing Encapsulation (GRE) tunnels

http://img43.imageshack.us/img43/1451/image002tk.jpg (http://img43.imageshack.us/i/image002tk.jpg/)

Representative Dynamic Tunnel technologies:

- Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
- Automatic 6to4 Tunnel

http://img202.imageshack.us/img202/8243/image003ww.jpg (http://img202.imageshack.us/i/image003ww.jpg/)

NAT-PT: allows a device that supports only IPv6 to communicate with a device that supports only IPv4.

http://img812.imageshack.us/img812/9374/image004n.jpg (http://img812.imageshack.us/i/image004n.jpg/)

III. Comparison of IKEv1 and IKEv2

IKE - Internet Key Exchange, is a mechanism by which a third party (usually a digital certificate provider) issues and authenticates the identities of the parties taking part in an information exchange. This mechanism also allows each user in the system to be assigned a public/private key pair. These processes are usually carried out by software located at a central site together with cooperating software at the users' locations. The job of IKE is to establish the security that allows two parties to send data safely. IKEv1 was introduced in 1998 and was later replaced by IKEv2 around 2005. The basic differences between the two versions are as follows:

- IKEv2 does not use as much bandwidth as IKEv1.
- IKEv2 supports EAP, whereas IKEv1 does not.
- IKEv2 supports Mobike, whereas IKEv1 does not.
- IKEv2 has NAT Traversal built in, whereas IKEv1 does not.
- IKEv2 can detect whether the tunnel is still alive, whereas IKEv1 cannot.
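Telling the two versions apart on the wire, as an added example that is not part of the original newsletter: IKEv1 and IKEv2 share the same 28-byte message header, so the version byte and exchange type of a UDP 500 or 4500 payload show which version a peer is negotiating. The sample datagrams are constructed, and the function and constant names are assumptions of this example.

```python
import struct

# Header layout shared by IKEv1 (ISAKMP, RFC 2408) and IKEv2 (RFC 7296):
# initiator SPI, responder SPI (8 bytes each), next payload, version,
# exchange type, flags (1 byte each), message ID, total length (4 bytes each).
HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00" * 4  # precedes IKE messages on UDP 4500 (RFC 3948)
EXCHANGES = {
    1: {2: "Identity Protection (Main Mode)", 4: "Aggressive",
        5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH",
        36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}

def parse_ike_header(payload: bytes, udp_port: int = 500) -> dict:
    """Identify IKE version and exchange type from one UDP payload."""
    if udp_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            raise ValueError("no non-ESP marker: ESP-in-UDP or keepalive, not IKE")
        payload = payload[4:]
    if len(payload) < HEADER.size:
        raise ValueError("shorter than the 28-byte IKE header")
    _ispi, rspi, _next, version, exchange, _flags, msg_id, length = \
        HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major not in EXCHANGES:
        raise ValueError(f"unexpected IKE major version {major}")
    if length < HEADER.size:
        raise ValueError("declared length smaller than the header")
    return {
        "version": f"IKEv{major}",
        "minor": minor,
        "exchange": EXCHANGES[major].get(exchange, f"type {exchange}"),
        "first_message": rspi == b"\x00" * 8,  # responder SPI not chosen yet
        "message_id": msg_id,
        "truncated": length > len(payload),    # capture cut short
    }

# Constructed samples (header only, no payloads), not captured traffic.
SAMPLE_V1 = HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, 0x10, 4, 0, 0, 28)
SAMPLE_V2_NATT = NON_ESP_MARKER + HEADER.pack(
    b"\x22" * 8, b"\x33" * 8, 0, 0x20, 35, 0x08, 1, 28)

if __name__ == "__main__":
    print(parse_ike_header(SAMPLE_V1))
    print(parse_ike_header(SAMPLE_V2_NATT, udp_port=4500))
```

Run over the first datagram of each negotiation in a capture, this gives an inventory of which peers still speak IKEv1 and in which mode.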
