
1. Security issues in WLAN & LAN network systems


1. Problem statement
VNPT's network is currently growing, but the security measures for it have not received adequate research and investment: most devices are still left open (public) or rely on their built-in security mechanisms, and users can freely use network resources without meeting any obstacle.
So far we have only applied security mechanisms on the access points, mainly WEP and WPA Personal, plus access lists on the central firewall, with no security measures covering the whole system. In this section we will use a security solution based on the 802.1x standard with the support of EAP and LEAP.
2. Threats to VNPT's network
2.1. Security threats on the WLAN
The wireless medium is a radio medium, so physical-layer security is a headache for many administrators. Any wireless network may face the threats below, especially in Vietnam, where wireless security still receives little attention and a single simple action can often cause great damage. An attack may disable the WLAN, or may attempt unauthorized access to it, in several ways:
- Passive attacks (eavesdropping)
- Active attacks (connecting, probing the network configuration)
- Jamming attacks
- Man-in-the-middle attacks (luring clients)
- Denial of service (DoS)
a. Passive attacks
- Eavesdropping is perhaps the simplest method, yet it is still effective against a WLAN. A passive attack is like a wiretap: the presence of the eavesdropper (hacker) on or near the network goes undetected, since the hacker does not actually connect to the AP but only listens to the packets crossing the wireless segment. Network analysers or other applications are used to gather WLAN information from a distance with a directional antenna. This lets the hacker keep a convenient distance, stay undetected, and listen and collect valuable information.
- Recovering the WEP key. Some applications can capture passwords from HTTP sites, e-mail, instant messengers, FTP sessions and telnet sessions when they are sent as unencrypted text. Other applications can capture passwords on the wireless segment between client and server for the purpose of gaining network access.
b. Active attacks
- Using tools, and by sniffing the traffic exchanged between client and AP, an analyser can obtain information such as MAC addresses, the WEP key, etc., because this information is usually exchanged in clear text. The attacker can then pose as a legitimate member, penetrate the network, change settings, steal personal and organisational information, etc., or simply send a few virus-laden spam messages.
c. Jamming attacks
- Whereas a hacker uses passive and active attacks to extract information by gaining access to your network, jamming is a simple technique used to "shut down" your network. Wireless networks use radio signals propagated through the air, so a transmitter on the same frequency with high output power is enough to cause interference, or even to bring down your wireless network completely. Sometimes this happens entirely by accident because of poor frequency management.
d. Man-in-the-middle attacks (luring)
- This kind of attack, the man-in-the-middle attack, is carried out simply with a wireless device placed transparently between the client and the AP.
- Man-in-the-middle attacks. For clients to associate with a rogue AP, its transmit power must be much higher than that of the other APs in the area, and sometimes it must actively induce users to connect to it. Losing the connection to the legitimate AP may look like a coincidence during network access, and some clients will connect to the rogue AP at random. The person carrying out the man-in-the-middle attack must first know the SSID the clients use, and must know the network's WEP key if one is in use. The upstream connection (towards the core network) from the rogue AP is handled through a client device such as a PC card or a workgroup bridge. A man-in-the-middle attack is often set up with a laptop carrying two PCMCIA cards: AP software runs on the laptop, one PC card acts as an AP and the second card connects the laptop to the legitimate AP. This configuration turns the laptop into a "man in the middle" operating between the client and the legitimate AP. In this position, a man-in-the-middle hacker can obtain valuable information by running a network analyser on the laptop.
2.2. Security threats on the LAN
As with the WLAN, the LAN faces similar threats.
a. Expansion of the LAN:
b. Unauthorized access to resources:
c. Destruction and theft of resources:
d. DoS attacks and virus infection
3. The 802.1x & EAP security standard
To overcome the weaknesses above (static keys, passwords sent in clear text over the medium, no centralised key management, spoofing attacks, etc.), the 802.1x standard, with the extensibility of EAP and the optimisation of LEAP, was studied and put into use.
Whereas other standards make no distinction between access protocols, 802.1x provides a specification for port-based access control. Port-based access control originated with, and is still used on, Ethernet switches. When a user attempts to connect to the desired port, the port is temporarily held in a blocked state while it waits for the authentication system to confirm the user.
3.1. Properties
- Confidentiality: most of the information exchanged on the network is encrypted, including the initial password information; the protocol also prevents spoofing through mutual authentication between client and server, etc. (this is clarified further in the AAA section). The encryption methods applied include SSH (Secure Shell), SSL (Secure Sockets Layer) or IPSec.
- Integrity: the protocol uses checks such as checksums or Cyclic Redundancy Checks (CRCs) to verify data integrity; it also uses the MD5 and RC4 algorithms to ensure this integrity.
- Availability: the standard is continually updated to keep pace with device development and with the latest emerging issues, so that it remains available without obstacles and compatible with existing equipment.
- Authentication mechanism: by combining dynamic authentication with centralised key management, 802.1x overcomes most of the outstanding problems of other protocols. 802.1x does so with a centralised, mutual authentication model that uses:
- RADIUS (Remote Access Dial-In User Service).
- Protection of keys by means of one-way hashes.
- A policy of frequent re-authentication, generating new keys for each new authentication session.
- Changing the initialization vector (IV) used in WEP encryption.
3.2. The 802.1x-EAP authentication process
- A client wants to associate with a network device (switch or AP) on the network.
- 1. The switch or AP blocks all traffic from the client until the client has logged on to the network; the client requests association with the AP.
- 2. The switch or AP answers the association request with an EAP identity request.
- 3. The client sends an EAP identity response to the switch or AP.
- 4. The client's EAP identity response is forwarded to the authentication server.
- 5. The authentication server sends an authorization request to the switch or AP.
- 6. The switch or AP forwards the authorization request to the client.
- 7. The client sends its EAP authorization response to the switch or AP.
- 8. The switch or AP forwards the response to the authentication server.
- 9. The authentication server sends an EAP success message to the switch or AP.
- 10. The switch or AP forwards the success message to the client and places the client's port in forwarding mode.
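The ten-step exchange above, as an added simulation that is not part of the original document. The three parties (supplicant, authenticator, authentication server), the message names and the port states "blocked"/"forwarding" follow the steps listed; the challenge-response scheme (HMAC-SHA256 over a server challenge with a shared user secret) is an assumption standing in for a real EAP method, and the user directory and secrets are constructed. The secret_leaked check shows the property section 3 asks for: the password itself never crosses the wire.

```python
"""Added example, not from the original document: a simplified 802.1x/EAP
exchange. HMAC-SHA256 challenge-response stands in for a real EAP method;
users and secrets are constructed."""
import hashlib
import hmac
import os


class AuthServer:
    """Stands in for the RADIUS server: holds user secrets, issues challenges
    (step 5) and verifies responses (step 9)."""

    def __init__(self, users, rng=os.urandom):
        self.users = users          # username -> shared secret (bytes), constructed
        self.pending = {}           # username -> outstanding challenge
        self.rng = rng              # injectable so tests can be deterministic

    def on_identity(self, username):
        if username not in self.users:
            return ("EAP-Failure", b"")
        challenge = self.rng(16)
        self.pending[username] = challenge
        return ("EAP-Request/Challenge", challenge)

    def on_response(self, username, response):
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return "EAP-Failure"
        expected = hmac.new(self.users[username], challenge, hashlib.sha256).digest()
        return "EAP-Success" if hmac.compare_digest(expected, response) else "EAP-Failure"


class Supplicant:
    """The client. It proves knowledge of the secret without ever sending it."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def on_identity_request(self):
        return self.username

    def on_challenge(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """The switch or AP: relays EAP between supplicant and server and opens the
    port only after EAP-Success (step 10)."""

    def __init__(self, server):
        self.server = server
        self.port_state = "blocked"

    def authenticate(self, supplicant):
        transcript = []
        self.port_state = "blocked"                                           # step 1
        transcript.append(("AP->client", "EAP-Request/Identity"))             # step 2
        username = supplicant.on_identity_request()                           # step 3
        transcript.append(("client->AP", "EAP-Response/Identity", username))
        transcript.append(("AP->server", "EAP-Response/Identity", username))  # step 4
        kind, challenge = self.server.on_identity(username)                   # step 5
        transcript.append(("server->AP", kind))
        if kind != "EAP-Request/Challenge":
            transcript.append(("AP->client", kind))
            return self.port_state, transcript
        transcript.append(("AP->client", kind, challenge))                    # step 6
        response = supplicant.on_challenge(challenge)                         # step 7
        transcript.append(("client->AP", "EAP-Response/Challenge", response))
        transcript.append(("AP->server", "EAP-Response/Challenge", response))  # step 8
        result = self.server.on_response(username, response)                  # step 9
        transcript.append(("server->AP", result))
        transcript.append(("AP->client", result))                             # step 10
        if result == "EAP-Success":
            self.port_state = "forwarding"
        return self.port_state, transcript


def secret_leaked(transcript, secret):
    """True if the shared secret appears in any relayed message; it must not."""
    return any(secret in m for entry in transcript
               for m in entry[1:] if isinstance(m, bytes))


if __name__ == "__main__":
    server = AuthServer({"alice": b"correct horse"})
    state, log = Authenticator(server).authenticate(Supplicant("alice", b"correct horse"))
    print(state, "leaked:", secret_leaked(log, b"correct horse"))
    for entry in log:
        print(*entry)
```

A wrong secret or an unknown username leaves the port in the "blocked" state, and the transcript contains only the identity, the random challenge and an HMAC digest, which is what an eavesdropper on the wireless segment would see.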
When mutual authentication is supported, the process above is repeated in the reverse direction. Two points in this authentication process deserve attention: per-session key generation and centralised key management.
Dynamic key generation: to prevent spoofing, each session with a client is issued its own key, the session key, by the RADIUS server. When this key is delivered to the client, to avoid eavesdropping on clear-text information, the switch or AP encrypts the session key, and the client decrypts it with its own key to obtain its session key. All session keys are generated by the RADIUS server by some algorithm. Often each association has only one key, but you can also configure the RADIUS server to create re-authentication cycles as you require. Under this mechanism, RADIUS periodically re-authenticates the client, preventing accidental network access.
Centralised key management. A centralised encryption-key management server allows keys to be generated per packet, per session, or by other methods, depending on the vendor's implementation. With the improvements of 802.1x, clients are identified by usernames instead of MAC addresses as in earlier standards. This not only strengthens security but also makes the AAA process (Authentication, Authorization, and Accounting) more efficient.
In practice the authentication process has three phases: initiation, authentication and termination. In the authentication phase, the participation of the RADIUS server lets the system authorize users through policies configured on the server based on the user's account. Whereas authentication by physical (MAC) address only authenticates the device, with no per-user authorization, authentication by username and password lets us authorize users. Authorization depends on the administrator's policy: access can be granted by protocol, by port, by data scope, or by user hierarchy (mod, member, etc.). Through this management and authorization, the administrator can fully audit the user's trail, tracking pages and directories and logging the user's entire access history.
3.3. Other security methods provided by 802.1x
Because 802.1x is based on port-based access control, in addition to the common security methods it provides some advanced ones, such as filtering.
Beyond SSID and MAC filtering as in other security standards, 802.1x also supports protocol filtering.
2. QoS in the network
On vnpro.org I saw a few articles about QoS; I am copying them here for everyone to refer to.
OVERVIEW OF QUALITY OF SERVICE (QoS)
The reason for IP's success is its simplicity. All complex functionality is implemented at the network endpoints while the core network stays simple. Routers in the network use the IP address and the network's nodes to find the next node that should receive the packet.
- If the queue for the next node is too long, the packet's delay becomes large. If the queue is full, with no free space, the packet is dropped.
- Thus the IP network only provides a "best effort" service model, meaning the network uses all of its capacity within permitted limits but guarantees neither delay nor loss. Therefore, when many traffic flows cross the network and exceed its capacity, service is not refused but service quality degrades: delay increases, throughput falls and data is lost. IP networks are therefore unsuitable for applications with real-time requirements. Moreover, multicast communication serving millions of customers simultaneously is currently beyond the IP network. If broadcast communication could be deployed well, radio and television broadcasting could be integrated into the IP network.
- The advent of QoS protocols gives the network features that let it distinguish traffic with real-time requirements from traffic that tolerates delay, loss or delay variation (jitter). Bandwidth is managed and used efficiently to meet the quality requirements of the traffic flows. The goal of QoS is to provide a degree of predictability and control over traffic.
- In data networks, QoS is assessed through the following main parameters:
  - Service availability
  - Delay
  - Delay variation (jitter)
  - Throughput
  - Packet loss rate: the proportion of packets lost, dropped or corrupted while crossing the network.
- Currently there are two basic kinds of quality of service:
  - Resource Reservation with the "Integrated Services" model, IntServ (Integrated Service). Depending on the service requirements and the bandwidth management policy, the network provides resources to serve each application.
  - Prioritization with the "Differentiated Services" model (DiffServ - Differentiated Service). Traffic entering the network is classified and served according to the criteria of the bandwidth management policy.
- Quality of service is applied to each individual data flow or to a group of flows. A flow is identified by five pieces of information: transport-layer protocol, source IP address, destination IP address, source port number, destination port number.
THE NEED FOR QOS AND QOS MODELS:
1.1. The need for QoS:
Traditionally, when bandwidth demand grows, network congestion can occur. We can solve this by increasing link bandwidth or replacing the hardware. The drawback of this approach is that it offers no way to prioritise one kind of traffic over another. QoS is an overall tool used to protect and prioritise some important traffic, or traffic that needs fast, time-sensitive handling. QoS describes how packets are forwarded. Different applications have different needs for data transmission, for example web, video, audio... When a packet travels from one host to another, it may encounter the following problems:
Delay: caused by routers looking up the routing table and by the packet's transmission time on the link.
Jitter: packets do not arrive at the expected times. Audio data is strongly affected by this problem.
Loss: packets are lost.
1.2. QoS models:
BEST-EFFORT DELIVERY:
A network simply forwards the packets it receives. Switches and routers just do their best (best effort) to forward packets, without regard to the type of traffic or the priority of the service.
INTEGRATED SERVICES MODEL:
The path from source to destination is arranged in advance for prioritised data. RSVP (RFC 1633) is a protocol used here. RSVP requests bandwidth in advance and reserves it along the whole path from source to destination. Every network device on the path must check whether it can support the request. When the minimum requirement is met, the source application is sent a confirmation. The application can then use the path.
DIFFERENTIATED SERVICES MODEL:
The IntServ solution proves inefficient and does not scale when many sources compete for bandwidth. In the differentiated solution, each router and switch manages packets individually. Each router has its own management policy and decides for itself how to forward packets. IntServ manages traffic per flow, whereas DiffServ manages it per hop. DiffServ decides QoS policy based on the structure of the IP packet. The Switching course focuses on DiffServ.
DIFFSERV QOS:
Each router and switch examines packets to decide how to forward them. For packets, it simply attaches parameters to the header. The parameters can be classifications or markings. A packet assumes that routers and switches know how to handle it. Classification can take place at Layer 2 or Layer 3. Layer 2: normally a Layer 2 frame has no field for classifying the frame. However, when a frame is carried between switches, it can be classified using CoS. CoS is used on switch-to-switch trunk links. The two trunking types handle this CoS value very differently:
ISL: 4 bits of the user field indicate the frame's CoS value.
Dot1q: the user field indicates the CoS value. Frames from the native VLAN receive the default CoS value.
2.1. Class of service:
On trunk links, a tag is added to the frame.
Dot1q: each frame receives a 12-bit VLAN id and a 3-bit field indicating priority. Frames arriving from the native VLAN are configured with the default value.
ISL: there are 4 bits in the user field; the lowest 3 bits are used to assign priority.
2.2. Layer 3 DSCP:
Uses the ToS field in the IP datagram.
The DSCP value occupies the same position in the header as ToS but is interpreted differently.
DSCP
Most frames or packets have fields intended for marking. DSCP is one such field in the IP packet.
As you may know, the IP header contains a field called ToS (type of service). RFC 791 describes the format of the IP header, including a 1-byte field called ToS. This ToS field was intended as a field for marking a packet so that QoS tools can act on it. The ToS value is divided into sub-fields, with the 3 high-order bits defined as IP Precedence (IPP). The full list of ToS and IPP values is listed in the table below:
Bits 3 to 6 of the ToS field contain flags that are switched on or off to indicate a particular level of service. The last bit (bit 7) is not defined in RFC 791. The flags are rarely used, so the main purpose of ToS is to hold the precedence value of the IP packet.
A series of RFCs called Differentiated Services (DiffServ) came later. DiffServ needs more than 3 bits to mark packets, so DiffServ standardised a redefinition of the ToS byte. The ToS byte was renamed the Differentiated Services (DS) field and IPP was replaced by a 6-bit field called the Differentiated Services Code Point (DSCP). In other words, DSCP is another way of interpreting the same ToS octet of the original IP header. For this reason you often see documents refer to a conversion table between DSCP and IP Precedence values.
Later, RFC 3168 defined the two low-order bits of the DS field for Explicit Congestion Notification (ECN). The figure below shows the format of the ToS value before and after the DiffServ definition.
Classification and Marking (C&M) tools usually mark the DSCP or IPP field, because that marking is preserved as the packet travels across the network. There is another marking option at Layer 2, but that marking is ignored once the packet is handled by a Layer 3 process. Thus Layer 2 marking cannot be used if the traffic travels more than one hop.
Setting DSCP values and terminology
Several DiffServ RFCs propose values for the DSCP field and implied meanings for those values. For example, RFC 2598 defines DSCP value 46, named Expedited Forwarding (EF). According to that RFC, packets marked EF are placed in a priority queue so that they suffer minimal delay. But the packets are subject to policing so that their traffic does not monopolise the link and prevent other kinds of traffic from being transmitted when the router's port reaches a threshold. These values and the recommended QoS behaviours for each of them are called Per-Hop Behaviors (PHBs), using DSCP. In the example just given, the behaviour is called the EF PHB.
The table below lists the CS DSCP fields, their names and values, and the corresponding IPP names and values.
Besides defining eight DSCP values and their names, the CS PHB per-hop mechanism also proposes a set of QoS actions that should be carried out on these CS values. It specifies that packets with a higher CS DSCP value must be given better queues than packets with a lower DSCP value. Both terms "CS0" and "Default" refer to the binary value 000000, but most Cisco IOS commands only accept the keyword default to represent this value.
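The marking fields described in this section (the RFC 791 ToS layout, the DiffServ DSCP and RFC 3168 ECN views of the same octet, the CS and EF code points, and the 802.1Q tag's 3-bit CoS and 12-bit VLAN id from section 2.1), together with the 5-tuple flow key from the overview, as an added worked example that is not part of the original articles. The queue names used by select_queue, the handling of the 802.1Q DEI bit (which the text does not mention) and the sample packet are constructed for illustration; the bit positions and the values EF = 46 and CSn = n << 3 are the ones the text describes.

```python
"""Added example, not from the article: bit-level handling of the IPv4 ToS/DS
octet (RFC 791 view, DiffServ DSCP view, RFC 3168 ECN bits), the 802.1Q tag's
CoS bits, and the 5-tuple flow key. Queue names, DEI handling and the sample
packet are constructed for illustration."""
from dataclasses import dataclass

EF_DSCP = 46  # Expedited Forwarding code point, RFC 2598 (binary 101110)


@dataclass(frozen=True)
class DSByte:
    raw: int        # the octet as carried in the IP header
    ipp: int        # RFC 791 view: IP Precedence, bits 0-2
    tos_flags: int  # RFC 791 view: service-type flags, bits 3-6
    bit7: int       # RFC 791 view: bit 7, left undefined
    dscp: int       # DiffServ view: 6-bit code point, bits 0-5
    ecn: int        # RFC 3168: Explicit Congestion Notification, bits 6-7


def decode_tos(byte: int) -> DSByte:
    """Read one ToS/DS octet under both the RFC 791 and the DiffServ layouts."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("the ToS/DS field is a single octet")
    return DSByte(raw=byte, ipp=byte >> 5, tos_flags=(byte >> 1) & 0xF,
                  bit7=byte & 1, dscp=byte >> 2, ecn=byte & 0b11)


def build_ds_byte(dscp: int, ecn: int = 0) -> int:
    """Encode a 6-bit DSCP and a 2-bit ECN value into the DS octet."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def dscp_to_ipp(dscp: int) -> int:
    """What an IPP-only device sees: the top three bits of the DSCP."""
    return dscp >> 3


def cs_dscp(ipp: int) -> int:
    """Class Selector code point CSn: precedence n followed by three zero bits."""
    return ipp << 3


def phb_name(dscp: int) -> str:
    """Name the per-hop behaviour for the code points the article covers."""
    if dscp == EF_DSCP:
        return "EF"
    if dscp & 0b111 == 0:
        return "CS%d" % (dscp >> 3)   # CS0 is the value IOS calls "default"
    return "DSCP%d" % dscp            # other PHBs (AF, ...) are outside the article


def select_queue(ds_byte: int) -> str:
    """Constructed queueing policy in the spirit of the CS PHB: EF goes to the
    low-latency priority queue, CSn to class queue n."""
    dscp = ds_byte >> 2
    if dscp == EF_DSCP:
        return "priority"
    return "class%d" % dscp_to_ipp(dscp)


def build_dot1q_tci(pcp: int, vid: int, dei: int = 0) -> int:
    """802.1Q Tag Control Information: 3-bit priority (CoS), 1-bit DEI/CFI
    (not discussed in the article; assumed 0), 12-bit VLAN id."""
    if not (0 <= pcp <= 7 and 0 <= dei <= 1 and 0 <= vid <= 4095):
        raise ValueError("PCP is 3 bits, DEI 1 bit, VID 12 bits")
    return (pcp << 13) | (dei << 12) | vid


def decode_dot1q_tci(tci: int) -> tuple:
    """Return (pcp, dei, vid) from a 16-bit TCI."""
    return (tci >> 13, (tci >> 12) & 1, tci & 0xFFF)


def flow_key(pkt: dict) -> tuple:
    """The five fields that identify a flow for IntServ-style treatment."""
    return (pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])


if __name__ == "__main__":
    # Constructed sample: a voice packet marked EF, carried in VLAN 100 with CoS 5.
    voice = {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.1.9",
             "sport": 16384, "dport": 16384, "ds": build_ds_byte(EF_DSCP)}
    d = decode_tos(voice["ds"])
    print(hex(d.raw), phb_name(d.dscp), "IPP", d.ipp, "queue", select_queue(voice["ds"]))
    print(flow_key(voice), hex(build_dot1q_tci(5, 100)))
```

Decoding the EF octet 0xB8 shows why the DSCP-to-IPP conversion tables exist: an older router that only understands precedence reads the same byte as IPP 5, which is exactly CS5 with the three low bits cleared.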
