1. Introduction
At present the VNPT network is growing, but its security measures have not received adequate research and investment: most devices are still left public or rely on whatever built-in security mechanisms they ship with, and users can consume resources freely without meeting any obstacle. So far we have only applied security mechanisms on the access points, mainly WEP and WPA Personal, together with access lists on the central firewall; there are no security measures covering the whole system. In this section we apply the 802.1x security standard, with the support of EAP and LEAP.

2. Threats to the VNPT network
2.1. Threats to WLAN security
The wireless medium is a radio environment, so physical-layer security is a headache for many administrators. Any wireless network can face the threats below, especially in Vietnam, where wireless security is not yet given much attention and a single simple action can sometimes cause great damage. A deliberate attack can disable the WLAN or gain unauthorized access to it in several ways.
- Passive attack (eavesdropping)
- Active attack (connecting, probing the network configuration)
- Jamming attack
- Man-in-the-middle attack (luring clients)
- Denial of service, DoS
a. Passive attacks
- Eavesdropping is probably the simplest method, but it is still effective against a WLAN. A passive attack is like a wiretap: the presence of the eavesdropper (hacker) on or near the network is not detected, because the hacker does not actually connect to the AP in order to listen to the packets crossing the wireless segment. Network analyzers or other applications are used to collect WLAN information from a distance with a directional antenna. This method lets the hacker keep a comfortable distance, remain undetected, and listen to and gather valuable information.
- Obtaining the WEP key. There are applications capable of capturing passwords from HTTP sites, e-mail, instant messengers, FTP sessions and telnet sessions that are sent as unencrypted text. Other applications can capture passwords on the wireless segment between client and server for the purpose of gaining network access.
b. Active attacks
- With tools, and by eavesdropping on the traffic between client and AP, analyzers can obtain information such as MAC addresses, the WEP key, etc., because this information is often exchanged in clear text. The attacker can then pose as a legitimate member, penetrate the network, change parameters, steal personal and organizational information, etc., or simply send some spam carrying viruses.
c. Jamming attacks
- Whereas a hacker uses passive and active attacks to obtain information by accessing your network, jamming is a technique used simply to "shut down" your network. Wireless networks use radio signals transmitted over the air, so a transmitter on the same frequency with high output power is enough to cause interference or even bring the wireless network down completely. Sometimes this happens entirely by accident, because of poor frequency management.
d. Man-in-the-middle attacks
- This kind of attack, the man-in-the-middle attack, is carried out simply with a wireless device placed transparently between the client and the AP.
- Man-in-the-middle attacks. For clients to associate with the rogue AP, its transmit power must be much higher than that of the other APs in the area, and sometimes it must actively cause users to connect to it. Losing the connection to the legitimate AP can look like a coincidence while joining the network, and some clients will connect to the rogue AP at random. The person carrying out a man-in-the-middle attack must first know the SSID the client uses, and must know the network's WEP key if one is in use. The upstream connection (towards the core network) from the rogue AP is handled through a client device such as a PC card or a workgroup bridge. Often a man-in-the-middle attack is set up with a laptop and two PCMCIA cards: AP software runs on the laptop, one PC card acts as the AP, and the second PC card connects the laptop to the legitimate AP. This configuration turns the laptop into a "man in the middle" operating between the client and the legitimate AP. A hacker performing a man-in-the-middle attack can obtain valuable information by running a network analyzer on the laptop in this situation.
2.2. Threats to LAN security
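The rogue-AP scenario above has a simple detection counterpart: an inventory of the BSSIDs that are allowed to advertise each corporate SSID, checked against periodic scan results. The block below is an added example (not from the original post, and not VNPT's real inventory); the SSID, BSSIDs and scan results are constructed placeholder values, and the severity rules are an assumption that follows the traits the text describes (a rogue AP needs a stronger signal than the legitimate ones, and an open network accepts any client).

```python
from typing import Dict, List, Set

# Constructed inventory: the BSSIDs that are allowed to advertise each corporate SSID
# (placeholder values, not real infrastructure).
AUTHORIZED_APS: Dict[str, Set[str]] = {
    "vnpt-office": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
}

# Constructed scan results, as a wireless sensor or a periodic site survey would report them.
SCAN_RESULTS: List[Dict] = [
    {"ssid": "vnpt-office", "bssid": "00:11:22:aa:bb:01", "channel": 1,  "rssi": -52, "security": "WPA2"},
    {"ssid": "vnpt-office", "bssid": "00:11:22:aa:bb:02", "channel": 6,  "rssi": -60, "security": "WPA2"},
    {"ssid": "vnpt-office", "bssid": "de:ad:be:ef:00:01", "channel": 6,  "rssi": -35, "security": "open"},
    {"ssid": "cafe-guest",  "bssid": "aa:bb:cc:dd:ee:ff", "channel": 11, "rssi": -70, "security": "WPA2"},
]


def find_rogue_aps(scan: List[Dict], authorized: Dict[str, Set[str]]) -> List[Dict]:
    """Flag BSSIDs that advertise a corporate SSID without being in the inventory.

    Severity is raised when the unknown AP shows the traits a man-in-the-middle setup
    relies on: a signal stronger than every legitimate AP on that SSID (so clients
    prefer it), or an open network that lets any client associate without a key.
    """
    # Strongest legitimate signal seen per SSID, used as the comparison baseline.
    strongest_legit: Dict[str, int] = {}
    for ap in scan:
        if ap["bssid"].lower() in authorized.get(ap["ssid"], set()):
            strongest_legit[ap["ssid"]] = max(strongest_legit.get(ap["ssid"], -200), ap["rssi"])

    alerts: List[Dict] = []
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        if ssid not in authorized or bssid in authorized[ssid]:
            continue                                   # unrelated network, or a known AP
        reasons = ["BSSID not in the authorized inventory for this SSID"]
        if ap["rssi"] > strongest_legit.get(ssid, -200):
            reasons.append("stronger signal than every authorized AP on this SSID")
        if ap["security"].lower() == "open":
            reasons.append("advertises the SSID without encryption")
        alerts.append({"ssid": ssid, "bssid": bssid, "channel": ap["channel"],
                       "severity": "high" if len(reasons) > 1 else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(SCAN_RESULTS, AUTHORIZED_APS):
        print(alert)
```

The inventory is the important part: without a list of legitimate BSSIDs, a sensor can only report that a second AP uses the corporate SSID, not which one is the impostor.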
Just as with the WLAN, the LAN faces similar threats.
a. Expansion of the LAN:
b. Unauthorized access to resources:
c. Destruction and theft of resources:
d. DoS attacks and virus infection

3. The 802.1x & EAP security standard
To overcome the weaknesses above, such as static keys, passwords sent in clear text over the medium, no centralized key management, spoofing attacks, etc., the 802.1x standard, with the extensibility of EAP and the optimizations of LEAP, was studied and put into use. Where other standards do not distinguish between access protocols, 802.1x provides the technical specifications for port-based access control. Port-based access control was originally introduced, and is still used, with Ethernet switching. When a user attempts to connect to a port, the port is temporarily held in a blocked state while it waits for the authentication system to confirm the user.
3.1. Properties
- Confidentiality: most information exchanged on the network is encrypted, including the initial password information; the protocol also prevents spoofing through mutual authentication between client and server, etc. (explained further in the AAA section). The encryption methods applied include SSH (Secure Shell), SSL (Secure Sockets Layer) and IPsec.
- Integrity: the protocol uses checks such as checksums or Cyclic Redundancy Checks (CRCs) to verify data integrity, and it also uses the MD5 and RC4 algorithms to ensure this integrity.
- Availability: the standard keeps pace with developments in equipment and with the latest issues that arise, so that it is always ready without obstacles and always compatible with existing devices.
- Authentication mechanism: by combining dynamic authentication with centralized key management, 802.1x overcomes most of the problems that remain in other protocols. 802.1x does this with a centralized, mutual authentication model that uses:
- RADIUS (Remote Access Dial-In User Service).
- Key protection using a one-step handshake mechanism (one-way hashes).
- A policy of frequent re-authentication, generating new keys for each new authentication session.
- Changing the initialization vector (IV) in WEP encryption.
3.2. The 802.1x-EAP authentication process
- A client wants to associate with a network device (switch, AP) in the network.
- 1. The switch or AP blocks all traffic from the client until the client has logged on to the network; the client requests association with the AP.
- 2. The switch or AP answers the association request with an EAP identity request.
- 3. The client sends an EAP identity response to the switch or AP.
- 4. The client's EAP identity response is forwarded to the authentication server.
- 5. The authentication server sends an authorization request to the switch or AP.
- 6. The switch or AP forwards the authorization request to the client.
- 7. The client sends its EAP authorization response to the switch or AP.
- 8. The switch or AP forwards the response to the authentication server.
- 9. The authentication server sends an EAP success message to the switch or AP.
- 10. The switch or AP forwards the success message to the client and puts the client's port into forwarding mode.
Where mutual authentication is supported, the process above is repeated in the reverse direction.
There are a few points to consider in the authentication process above: per-session key generation and centralized key management.
Dynamic key generation: to prevent spoofing, each connection session with a client is given its own key, the session key, by the RADIUS server. When this key is sent to the client, in order to avoid eavesdropping on clear-text information, the switch or AP encrypts the session key, and the client decrypts it with its own key to obtain its session key. All session keys are generated by the RADIUS server through some algorithm. Sometimes there is only one key per association session, but you can also configure the RADIUS server to create authentication cycles as you require. Under this mechanism, RADIUS periodically re-authenticates the client, which prevents accidental network access.
Centralized key management: a centralized encryption-key management server allows keys to be generated per packet, per session, or by other methods, depending on the vendor's implementation. With the improvements of the 802.1x standard, clients are identified by usernames rather than by MAC addresses as in earlier standards. This not only strengthens security but also makes the AAA process (Authentication, Authorization, and Accounting) more efficient.
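The ten steps above, with the port-blocking rule and the per-session key, can be walked through in code. The block below is an added example (not from the original post and not any vendor's implementation): it models the three 802.1x roles (supplicant, authenticator, authentication server) exchanging EAP Identity and MD5-Challenge messages, keeps the port blocked until EAP-Success, and has the server hand out a fresh session key and a per-user VLAN as the authorization attribute. The user database, the VLAN policy and the MD5-Challenge method are assumptions; the session key is handed over directly here, whereas the text says the switch or AP encrypts it before sending it to the client.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store and authorization policy (stands in for the RADIUS
# server's user database; these are not real accounts).
USER_DB = {"alice": "correct horse battery", "bob": "hunter2"}
USER_VLAN = {"alice": 10, "bob": 20}   # assumed per-user authorization: VLAN assignment


@dataclass
class Eap:
    code: str             # "Request", "Response", "Success" or "Failure"
    kind: str             # EAP type: "Identity" or "MD5-Challenge"; "" for Success/Failure
    ident: int            # identifier that pairs a Response with its Request
    data: bytes = b""
    attrs: Dict[str, object] = field(default_factory=dict)  # session key and VLAN on Success


def md5_response(ident: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 (CHAP-style) proof: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


class AuthenticationServer:
    """The RADIUS role: issues the challenge, verifies the proof and generates a new
    session key for every successful authentication (steps 4-5 and 8-9)."""

    def __init__(self) -> None:
        self._pending: Dict[int, tuple] = {}   # identifier -> (username, challenge)

    def handle(self, resp: Eap) -> Eap:
        if resp.kind == "Identity":
            challenge = secrets.token_bytes(16)
            next_id = resp.ident + 1
            self._pending[next_id] = (resp.data.decode(), challenge)
            return Eap("Request", "MD5-Challenge", next_id, challenge)
        user, challenge = self._pending.pop(resp.ident, (None, b""))
        expected = md5_response(resp.ident, USER_DB.get(user, ""), challenge)
        if user in USER_DB and secrets.compare_digest(expected, resp.data):
            session_key = secrets.token_bytes(16)   # fresh key per authenticated session
            return Eap("Success", "", resp.ident,
                       attrs={"session_key": session_key, "vlan": USER_VLAN[user]})
        return Eap("Failure", "", resp.ident)


class Supplicant:
    """The client: answers Identity and MD5-Challenge requests (steps 3 and 7)."""

    def __init__(self, username: str, password: str) -> None:
        self.username, self.password = username, password
        self.session_key: Optional[bytes] = None

    def respond(self, req: Eap) -> Eap:
        if req.kind == "Identity":
            return Eap("Response", "Identity", req.ident, self.username.encode())
        return Eap("Response", "MD5-Challenge", req.ident,
                   md5_response(req.ident, self.password, req.data))


class Authenticator:
    """The switch or AP: keeps the port blocked, relays EAP between supplicant and
    server, and opens the port only after EAP-Success (steps 1, 2, 6 and 10)."""

    def __init__(self, server: AuthenticationServer) -> None:
        self.server = server
        self.port_state = "blocked"        # step 1: everything except EAPOL is dropped
        self.vlan: Optional[int] = None

    def forward_data(self, frame: bytes) -> bool:
        """True only if a data frame would be forwarded on this port."""
        return self.port_state == "forwarding"

    def authenticate(self, client: Supplicant) -> List[Eap]:
        transcript: List[Eap] = []
        req = Eap("Request", "Identity", 1)            # step 2
        while True:
            transcript.append(req)
            resp = client.respond(req)                 # steps 3 and 7
            transcript.append(resp)
            reply = self.server.handle(resp)           # steps 4-5 and 8-9
            if reply.code == "Request":
                req = reply                            # step 6: relay the challenge
                continue
            transcript.append(reply)
            if reply.code == "Success":                # step 10: open the port
                self.port_state = "forwarding"
                self.vlan = reply.attrs["vlan"]
                client.session_key = reply.attrs["session_key"]
            return transcript

    def reauthenticate(self, client: Supplicant) -> List[Eap]:
        """Periodic re-authentication: close the port and run the exchange again."""
        self.port_state, self.vlan = "blocked", None
        return self.authenticate(client)


if __name__ == "__main__":
    switch = Authenticator(AuthenticationServer())
    for msg in switch.authenticate(Supplicant("alice", "correct horse battery")):
        print(msg.code, msg.kind, msg.ident)
    print("port:", switch.port_state, "vlan:", switch.vlan)
```

Two things are worth noticing when running it: no data frame passes before the Success message, and a second run of the exchange produces a different session key, which is what the re-authentication policy in the text relies on.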
In practice authentication takes place in three phases: the initiation phase, the authentication phase and the termination phase. In the authentication phase, the participation of the RADIUS server allows the system to authorize users through the policies configured on the server, based on the user's account. Whereas authentication by physical (MAC) address only authenticates the device, with no per-user authorization, authentication based on username and password lets us assign permissions per user. Authorization depends on the administrator's policy: permissions can be granted by protocol, by port, by data scope, or by user tier (mod, member, etc.). Through this management and authorization, the administrator can fully trace users, monitor the pages and directories they visit, and record the entire access history of each user.
3.3. Other security methods provided by 802.1x
Because 802.1x is based on port-based access control, besides the general security methods it also provides some advanced ones, such as filtering. In addition to SSID and MAC filtering, as in other security standards, 802.1x also supports protocol filtering.

2. QoS in the network
On vnpro.org I found some articles about QoS; I am copying them here for everyone's reference.
OVERVIEW OF QUALITY OF SERVICE (QoS)
The reason for IP's success is its simplicity. All complex functions are implemented at the network edge, while the core network stays simple. Routers in the network use the IP address and the nodes in the network to find the next node that will receive the packet.
- If the queue for the next node is too long, the packet's delay becomes large. If the queue is full and has no free space, the packet is dropped.
- Thus an IP network only provides the "best effort" service model, meaning the network does its utmost within its limits but guarantees neither delay nor loss. So when many traffic flows cross the network and exceed its capacity, service is not refused but its quality degrades: delay increases, throughput drops and data is lost. IP networks are therefore unsuitable for applications that require real time. Moreover, multipoint (multicast) communication serving millions of customers simultaneously is something IP networks currently cannot do.
If broadcast communication could be deployed well, radio and television could be integrated into the IP network.
- The emergence of QoS protocols gives the network features that let it distinguish traffic that requires real time from traffic that tolerates delay, loss or delay variation (jitter). Bandwidth is managed and used efficiently to meet the quality requirements of the traffic flows. The goal of QoS is to provide some degree of predictability and control over traffic.
- In data networks, QoS is evaluated through the following main parameters: service availability; delay; delay variation; throughput; packet loss rate: the proportion of packets that are lost, dropped or corrupted while crossing the network.
- Today there are two basic kinds of quality of service: resource reservation with the "Integrated Services" model, IntServ, where, depending on the service's requirements and the bandwidth management policy, the network provides resources to serve each application; and prioritization with the "Differentiated Services" model (DiffServ), where traffic entering the network is classified and served according to the criteria of the bandwidth management policy.
- Quality of service is applied to individual data flows or to a group of flows. A flow is identified by 5 pieces of information: transport-layer protocol, source IP address, destination IP address, source port number, destination port number.
THE NEED FOR QOS AND QOS MODELS:
1.1. The need for QoS:
Traditionally, as bandwidth demand grows, congestion can occur. We can address it by increasing link bandwidth or replacing hardware. The drawback of this approach is that it gives no way to prioritize one kind of traffic over another. QoS is an overall tool used to protect and prioritize certain important traffic, or traffic that requires fast handling in time. QoS describes how packets are forwarded. Different applications have different requirements for data transmission, for example web, video and audio. As a packet travels from one host to another it can encounter these problems: Delay: caused by routers looking up the routing table, and by the packet's transmission time on the link. Jitter: packets do not arrive at the expected times.
Audio data is strongly affected by this problem. Loss: lost packets.
1.2. QoS models:
BEST-EFFORT DELIVERY: the network simply forwards the packets it receives. Switches and routers just do their best (best-effort) to forward packets without regard to the type of traffic or the service priority.
INTEGRATED SERVICES MODEL: the path from source to destination is arranged in advance for prioritized data. RSVP (RFC 1633) is the protocol used here. RSVP requests bandwidth in advance and reserves it along the whole path from source to destination. Every network device on the path must check whether it can support the request. When the minimum requirement is met, the source application is notified with a confirmation. The application can then use the path.
DIFFERENTIATED SERVICES MODEL: IntServ proves inefficient and unscalable when many sources compete for bandwidth. In the differentiated approach, each router and switch handles packets individually. Each router has its own management policy and decides for itself how to forward a packet. IntServ manages per flow, whereas DiffServ manages per hop. DiffServ decides QoS policy based on the structure of the IP packet. The switching course focuses on DiffServ.
DIFFSERV QOS: each router and switch inspects packets to decide how to forward them. For a packet, it simply attaches parameters to the header. The parameters can be classification and marking. The packet helps routers and switches know how to handle it. Classification can take place at Layer 2 or Layer 3.
Layer 2: normally a Layer 2 frame has no field for classifying the frame. However, when a frame is transmitted between switches it can be classified based on CoS. CoS is used on switch-to-switch trunk links. The two trunking types handle the CoS value very differently: ISL: 4 user-id bits are used to indicate the frame's CoS value. Dot1q: the user field is used to indicate the CoS value. Frames from the native VLAN receive the default CoS value.
2.1. Class of Service: on a trunk link, frames receive a tag. Dot1q: each frame gets a 12-bit VLAN ID and a 3-bit field indicating priority. Frames from the native VLAN are assigned the configured default value.
ISL: there are 4 bits in the user field; the lowest 3 bits are used to assign priority.
2.2. Layer 3 DSCP: uses the ToS field in the IP datagram. The DSCP value occupies the same position in the header as ToS but is interpreted differently.
DSCP: most frames and packets have fields intended for marking. DSCP is one such field in the IP packet. As you may know, the IP header has a field called ToS (type of service). RFC 791 describes the IP header format, including a 1-byte field called ToS. The ToS field was intended as a field for marking a packet so that QoS tools can act on it. The ToS value is divided into subfields, with the 3 high-order bits defined as IP Precedence (IPP). The full list of ToS and IPP values is given in the table below: bits 3 to 6 of ToS hold flags that are switched on or off to indicate a particular level of service. The last bit (bit 7) is not defined in RFC 791. The flags are rarely used, so the main purpose of ToS is to hold the IP packet's precedence value. A series of RFCs called Differentiated Services (DiffServ) came later. DiffServ needs more than 3 bits to mark packets, so DiffServ standardized a redefinition of the ToS byte. The ToS byte was renamed the Differentiated Services (DS) field, and IPP was replaced by a 6-bit field called the Differentiated Services Code Point (DSCP). In other words, DSCP is another way of expressing the same ToS octet of the original IP header. For this reason you often see documents refer to a conversion table between DSCP and IP Precedence values. Later, RFC 3168 defined the two low-order bits of the DS field for the Explicit Congestion Notification (ECN) feature. The figure below shows the format of the ToS value before and after the DiffServ definition. Classification and marking (C&M) tools usually mark the DSCP or IPP field, because these are preserved as the packet travels across the network. There is another marking possibility inside Layer 2, but that marking is ignored once the packet is handled by a Layer 3 process. Thus Layer 2 marking cannot be deployed if the traffic travels more than one hop.
Setting DSCP values and terminology: several DiffServ RFCs propose values to be used in the DSCP field and the implied meanings of those values. For example, RFC 2598 defines the DSCP value 46, named Expedited Forwarding (EF). According to that RFC, packets marked EF are placed in a priority queue so that they suffer minimal delay. But those packets are also policed so that their traffic does not take over the link and prevent other kinds of traffic from being sent when the router's interface reaches its threshold. These values, and the QoS behaviours recommended for each of them, are called Per-Hop Behaviors (PHBs) and use DSCP. In the example just given, the behaviour is called the EF PHB. The table below lists the CS DSCP fields, names and values, and the corresponding names and values on the IPP side. Besides defining eight DSCP values and their names, the CS PHB also proposes a set of QoS actions that should be taken on these CS values. It states that packets with a higher CS DSCP value must be given higher-priority queues than packets with a lower DSCP value. Both terms "CS0" and "Default" refer to the binary value 000000, but most Cisco IOS commands only accept the keyword default for this value.
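The bit layouts described in the Layer 2 (CoS) and Layer 3 (ToS/DSCP) passages above, and the 5-tuple flow definition from the overview, can all be checked with one parser. The block below is an added example (not from the vnpro.org article or the original post): it builds a constructed 802.1Q-tagged Ethernet frame carrying an IPv4/UDP packet, then extracts the CoS bits, the DSCP, IPP and ECN parts of the DS byte, and the flow 5-tuple. The MAC addresses, IP addresses and ports are placeholder values; the DSCP name table holds the CS0-CS7 and EF code points named in the text, with the IPP column derived from the 3 high-order bits as the conversion table does.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Class selector code points (CS0..CS7 = IPP value << 3) and EF (46, RFC 2598).
DSCP_NAMES = {0: "CS0 (default)", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
              40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}


@dataclass
class QosMarks:
    vlan_id: Optional[int]   # 802.1Q VID, 12 bits; None if the frame is untagged
    cos: Optional[int]       # 802.1Q priority (CoS), 3 bits; None if untagged
    dscp: int                # DS field: the 6 high-order bits of the old ToS byte
    ip_precedence: int       # IPP: the 3 high-order bits (also the top 3 bits of DSCP)
    ecn: int                 # the 2 low-order bits, RFC 3168
    flow: Tuple              # (protocol, src IP, dst IP, src port, dst port)


def split_tos_byte(tos: int) -> Tuple[int, int, int]:
    """Return (ip_precedence, dscp, ecn) for one ToS/DS byte."""
    return tos >> 5, tos >> 2, tos & 0b11


def dscp_to_ipp(dscp: int) -> int:
    """The IPP value a DSCP maps to in the usual conversion table: its top 3 bits."""
    return dscp >> 3


def dscp_name(dscp: int) -> str:
    return DSCP_NAMES.get(dscp, "unnamed (%d)" % dscp)


def parse_frame(frame: bytes) -> QosMarks:
    """Extract CoS, DSCP/IPP/ECN and the 5-tuple from an Ethernet frame carrying IPv4."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan_id, cos = 14, None, None
    if ethertype == 0x8100:                        # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        cos, vlan_id = tci >> 13, tci & 0x0FFF     # PCP = 3 high bits, VID = 12 low bits
        offset = 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ver_ihl, tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", frame, offset)
    ipp, dscp, ecn = split_tos_byte(tos)
    sport = dport = None
    if proto in (6, 17):                           # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack_from("!HH", frame, offset + (ver_ihl & 0x0F) * 4)
    flow = (proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport)
    return QosMarks(vlan_id, cos, dscp, ipp, ecn, flow)


def build_frame(pcp: int, vlan_id: int, tos: int, proto: int,
                src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed tagged frame for the example; MAC addresses and checksum are placeholders."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!HHH", 0x8100, (pcp << 13) | vlan_id, 0x0800)
    return eth + ip + l4


if __name__ == "__main__":
    # Voice packet: CoS 5 on VLAN 100, DSCP EF (ToS byte 0xB8 = 46 << 2), RTP over UDP.
    marks = parse_frame(build_frame(5, 100, 0xB8, 17, "10.0.0.1", "10.0.0.2", 16384, 5004))
    print(marks)
    print(dscp_name(marks.dscp), "-> IPP", dscp_to_ipp(marks.dscp))
```

Running it shows why the two markings differ in reach: the CoS value lives in the tag that is stripped when the frame leaves the trunk, while the DS byte travels inside the IP header and survives every hop.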