Configuring IPSec/VPN on Cisco Devices

I. VPN Overview:

In today's era the Internet has grown strongly as a platform for business and meets the needs of its users. The Internet was designed to connect different networks and to let information reach users freely and quickly, regardless of the machine and network they are using. To achieve this, a special computer called a router is used to connect LANs and WANs together. Computers connect to the Internet through an Internet Service Provider (ISP) and need a common protocol, TCP/IP. What the technology still has to address is the communication capacity of public telecommunication networks. With the Internet, services such as distance education, online shopping, medical consultation and many others have become reality. However, because the Internet is global in scope and no particular organization or government manages it, securing data and managing services are very difficult. From this a new network model was proposed to satisfy those requirements while still reusing the Internet's existing infrastructure: the Virtual Private Network (VPN) model. With this new model, no large additional investment in infrastructure is needed, features such as security and reliability are still guaranteed, and the operation of the network can be managed privately. A VPN lets users working at home, on the road, or in branch offices connect securely to their organization's servers using the infrastructure provided by a public network. [5] It can secure information between agents, suppliers and business partners in a wide communication environment. In many cases a VPN is like a WAN (Wide Area Network); the defining characteristic of a VPN, however, is that it can use a public network such as the Internet while guaranteeing privacy and costing far less.
A VPN is understood simply as the extension of a private network across public networks. Fundamentally, each VPN is a separate private network that uses a shared network (usually the Internet) to connect its sites (separate private networks) or many remote users. Instead of a real, dedicated connection such as a leased line, each VPN uses virtual connections routed over the Internet from the company's private network to its sites or remote employees. To send and receive data over a public network while still guaranteeing safety and confidentiality, a VPN provides mechanisms for encrypting data on the link, creating a secure pipe between sender and receiver (a tunnel), like a point-to-point connection on a private network. To create that secure pipe, the data must be encrypted or hidden, with only the packet header (the routing information) left readable so that the packet can reach its destination through the public network quickly. The data is carefully encrypted, so even if packets are captured on the public link their content cannot be read, because there is no key to decrypt them. The combination of encrypted and encapsulated data is called a VPN connection. VPN links are usually called VPN tunnels.

(Figure: VPN topology showing a business partner with a Cisco router, a remote office with a Cisco router, a firewall, a mobile worker, a regional office with a PIX Firewall, a Cisco VPN Concentrator and an ISDN/DSL router.)

A VPN offers more features than traditional networks and leased-line networks. The first benefits include:
- Lower cost than private networks: a VPN can reduce transmission costs by 20-40% compared with leased-line networks and reduce remote access costs by 60-80%.
- Flexibility for business on the Internet: a VPN is inherently flexible and can scale network architectures better than classic networks, so a business can expand its connectivity quickly and cost-effectively. In this way a VPN can easily connect or disconnect remote and foreign locations, telecommuters, mobile phone users and external business operators as business requirements demand.
- Simplified burdens: tunneled network topologies reduce the management burden, and a single Internet backbone protocol eliminates the static PVCs associated with connection-oriented protocols such as Frame Relay and ATM.
- Increased security: important data is hidden from people without access rights and access is permitted to users who have those rights.
- Support for the most common network protocols in use today, such as TCP/IP.
- IP address confidentiality: because information sent over the VPN is encrypted, the addresses inside the private network are hidden and only external Internet addresses are used.

3. Components needed to create a VPN connection:
- User Authentication: provides a user authentication mechanism, so that only valid users can connect and access the system.
- Address Management: provides a valid IP address to the user after joining the VPN, so that resources on the internal network can be accessed.
- Data Encryption: provides encryption of data during transmission to guarantee privacy and data integrity.
- Key Management: provides management of the keys used for encrypting and decrypting data.

4. Main components of a Cisco VPN:
a. Cisco VPN Router: runs Cisco IOS software; IPSec supports security in the VPN. VPN-optimized routers leverage the existing Cisco investment. Most effective in mixed WAN networks.
b.
Cisco Secure PIX Firewall: offers another choice of VPN gateway when the "private" group in the VPN must be secured.
c. Cisco VPN Concentrator series: offers strong features for remote access control and is compatible with site-to-site VPNs. It has an easy-to-use management interface and a VPN client.
d. Cisco Secure VPN Client: a Windows VPN client that secures remote access to Cisco routers and PIX Firewalls; it is a program that runs on the operating system.
e. Cisco Secure Intrusion Detection System (CSIDS) and Cisco Secure Scanner are often used to monitor and test security issues in the VPN.
f. Cisco Secure Policy Manager and CiscoWorks 2000 provide management of large VPN systems.

5. VPN protocols:
The protocols that create the secure tunnel mechanism for a VPN are L2TP, Cisco GRE and IPSec.
a. L2TP:
- Before the L2TP standard appeared (August 1999), Cisco used Layer 2 Forwarding (L2F) as the standard protocol for creating VPN connections. L2TP came later, with features integrated from L2F.
- L2TP is a combination of Cisco L2F and Microsoft Point-to-Point Tunneling Protocol (PPTP). Microsoft supports the PPTP and L2TP standards in Windows NT and 2000.
- L2TP is used to create independent, multi-protocol connections for Virtual Private Dial-up Networks (VPDN). L2TP lets users connect through the company's security policies to create a VPN or VPDN as an extension of the company's internal network.
- L2TP does not provide encryption.

(Figure: L2TP encapsulation: new IP header | L2TP message header | PPP header | original IP header | message payload; a host with an L2TP client reaches the corporate network through an L2TP server.)

- L2TP is the combination of PPP (Point-to-Point Protocol) with Cisco's L2F (Layer 2 Forwarding) protocol, so it is very effective for dial, ADSL and other remote access networks. This extended protocol uses PPP to allow VPN access by remote users.
b.
GRE:
- This is a multi-protocol carrier that encapsulates IP, CLNP and all other packets inside an IP tunnel.
- With a GRE tunnel, the Cisco router encapsulates each site's specified protocol in an IP header, creating a virtual point-to-point link to the destination Cisco router. When the packet reaches its destination, the IP header is removed.
- By connecting many subnets running different protocols in an environment with one main protocol, GRE tunneling lets the other protocols benefit from IP routing.

c. IPSec:

(Figure: IPSec client to IPSec server tunnel; the client, with private address 10.0.0.1 and a public IP, reaches the server's tunnel endpoint across the Internet.)

- IPSec is the choice for security on a VPN. IPSec is a framework comprising data confidentiality, data integrity and data authentication.
- IPSec provides security services using IKE to negotiate protocols and algorithms based on local policy (group policy) and to generate the encryption and authentication keys used by IPSec.

d. Point to Point Tunneling Protocol (PPTP):
- Used on client machines running Microsoft Windows NT 4.0 and Windows 95 and later. This protocol is used to encrypt data traveling over the LAN, carrying protocols such as NetBEUI and IPX in a packet sent onto the Internet. PPTP is based on RSA RC4 and supports 40-bit or 128-bit encryption.

(Figure: Remote users reach corporate intranets (IP, IPX, ...) through an Internet service provider access server and front-ends.)

- It was not developed for LAN-to-LAN connections and is limited to 255 connections per server, with only one VPN tunnel per connection. It does not provide encryption for large workloads, but it is easy to install and deploy, and it is a remote access solution that only works on Microsoft networks. This protocol is well supported in Windows 2000. Layer 2 Tunneling Protocol belongs with IPSec.
6. Establishing a VPN connection:
a. The machine that needs the connection (VPN client) creates a VPN connection to the server providing the VPN service (VPN server) over an Internet connection.
b. The VPN server answers the incoming connection.

(Figure: client-to-server VPN through a router to a server with VPN.)

c. The VPN server authenticates the connection and authorizes it.
d. Data exchange begins between the VPN client and the company network.

7. Types of VPN connections:
a. Remote Access VPNs:
Remote Access VPNs allow the remote, mobile and communication devices of branch employees to connect to the organization's network resources at any time. A Remote Access VPN describes remote users using VPN software to access the company's intranet through a gateway or VPN concentrator (essentially a server). For this reason the solution is often called client/server. In this solution, users usually use traditional WAN technologies to create tunnels back to their head-office network. A fairly new direction in remote access VPN is the wireless VPN, in which an employee can reach their network through a wireless connection. In this design, the wireless connections must connect to a wireless terminal and then to the company network. In both cases, the client software on the PC initiates the secure connections, also called tunnels. An important part of this design is the design of the initial authentication process, to ensure that the request originates from a trusted source. Usually this initial stage is based on the same company security policy. This policy includes procedures, techniques and servers (such as Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access Control System Plus [TACACS+], ...).
Some of the main components:
- Remote Access Server (RAS): located at the central site, responsible for verifying and authenticating incoming requests.
- Dial-up connections to the central site; this reduces the cost for requests that originate far from the center.
- Support for the staff who configure, maintain and manage the RAS, and support for remote access by users.

Figure 1-2: The non-VPN remote access setup.

- By deploying Remote Access VPNs, remote users or branch offices only need to set up a local connection to the ISP or the ISP's POP and connect to resources over the Internet. The Remote Access setup is shown in the following figure:

Figure 1-3: The Remote Access VPN setup.

As you can infer from figure 1-3, the main advantages of Remote Access VPNs are:
- The need for a RAS and its associated modems is eliminated.
- The need to support individual users is eliminated, because remote connectivity is facilitated by the ISP.
- Long-distance dialing is eliminated; instead, long-distance connections are replaced by local connections.
- Lower cost for long-distance connections.
- Because this is a local connection, the connection speed is higher than for a direct long-distance connection.
- VPNs provide better access to the central site, because they support a minimum level of access service even when the number of simultaneous connections to the network grows quickly.

Besides the advantages above, VPNs also have some disadvantages:
- Remote Access VPNs cannot guarantee quality of service.
- The chance of data loss is very high; in addition, fragments of a packet may go astray and be lost.
- Because of the complexity of the encryption algorithms, protocol overhead increases considerably, which makes the authentication process harder. In addition, compression of IP and PPP-based data is extremely slow and poor.
- Because data must be transmitted over the Internet, exchanging large data such as multimedia packets, video and audio is very slow.

b. Site-to-Site (LAN-to-LAN):
- Site-to-site VPN (LAN-to-LAN VPN): used to connect the network at one location to the network at another location through a VPN. In this situation the initial authentication between the network devices is handed over to the user, where a VPN connection is established between them. The devices then act as gateways and ensure that traffic intended for the other sites is handled. VPN-capable routers and firewalls, and dedicated VPN concentrators, all provide this function.

(Figure: Site-to-Site VPN: branch offices 1, 2 ... n, each with a branch office VPN router, joined by VPN tunnels.)

- A LAN-to-LAN VPN can be viewed as an intranet VPN or an extranet VPN (considered from the management policy point of view). If we consider it from the authentication point of view it can be seen as an intranet VPN; otherwise it is seen as an extranet VPN. The strictness of access between sites can be controlled by both (intranet and extranet VPN) according to their respective sites. The site-to-site VPN solution is not a remote access VPN, but it is included here for completeness.
- The distinction between remote access VPN and LAN-to-LAN VPN is purely symbolic and is provided mainly for discussion purposes, for example for the newer hardware-based VPN devices (such as the Cisco 3002). To classify these we have to apply both approaches, because a hardware-based client may appear when a device is accessing the network, although
a network may have many VPN devices in operation. Another example is the extended mode of the EzVPN solution using 806 and 17xx routers.
- A LAN-to-LAN VPN is the connection of two separate networks through a secure tunnel. This secure tunnel can use the PPTP, L2TP or IPSec protocols. The purpose of a LAN-to-LAN VPN is to connect two networks that have no direct link, without compromising integration, authentication or data confidentiality. You can set up a LAN-to-LAN VPN through a combination of VPN concentrators, routers and firewalls.
- A LAN-to-LAN connection is designed to create a direct, efficient network connection regardless of the physical distance between the networks. This connection may travel over the Internet or another untrusted network. You must ensure security by encrypting all packets traveling between those networks.

1. Intranet VPNs:

Figure 1-4: The intranet setup using WAN backbone.

- Intranet VPNs are used to connect the organization's branch offices to the corporate intranet (backbone router) using a campus router, as shown in figure 1-4.
- The model above is very expensive because two routers are needed to set up the network; in addition, deploying, maintaining and managing the intranet backbone is very costly and depends on the amount of traffic carried on it and the geographic extent of the whole intranet.
- To solve this problem, the costly WAN backbone is replaced by low-cost Internet connections, which can save a considerable part of the cost of deploying the intranet, as shown in the figure below:

Figure 1-5: The intranet setup based on VPN.
The main advantages of the VPN-based intranet setup in figure 1-5:
- More cost-effective, since fewer routers are used than in the WAN backbone model.
- Significantly reduces the amount of support required for individual users worldwide and for stations at the various remote sites.
- Because the Internet acts as the intermediate connection, it easily provides new peer connections.
- Faster and better connections, since essentially the connection is to the service provider, which removes the long-distance problem and further helps the organization reduce the cost of implementing the intranet.

The main disadvantages associated with this solution:
- Because data is still tunneled while being shared over the public network (the Internet), attack risks such as denial-of-service attacks remain an information security threat.
- The chance of losing data in transit is also still very high.
- In some cases, especially when the data is high-end, such as multimedia files, data exchange will be very slow because it is transmitted over the Internet.
- Because the connection is Internet-based, performance is not consistent and QoS is not guaranteed.

2. Extranet VPNs:
- Unlike intranet and remote-access-based VPNs, an extranet is not completely isolated from the outside world; an extranet allows access to necessary network resources by business partners such as customers, suppliers and partners who play important roles.

Figure 1-6: The traditional extranet setup.

- As the figure shows, an extranet is very costly because many separate network segments of the intranet are combined to create the extranet. This makes it hard to deploy and manage because there are many networks, and it is also difficult for the individuals doing maintenance and administration. Furthermore, an extranet is hard to expand, because doing so disrupts the whole intranet and can affect connections outside the network.
There will be problems you run into unexpectedly when connecting an intranet to an extranet. Deploying and designing an extranet can be a nightmare for network designers and administrators.

Figure 1-7: The Extranet VPN setup.

Some advantages of the extranet VPN:
- Because it operates over the Internet, you can choose the vendor and the solution according to the organization's needs.
- Because part of the Internet connectivity is maintained by the provider (ISP), the cost of hiring maintenance staff is also reduced.
- Easy to deploy, manage and modify.

Some disadvantages of the extranet VPN:
- Security threats such as denial-of-service attacks still exist.
- Increased risk of intrusion into the organization over the extranet.
- Because it is Internet-based, the exchange of high-end data is slow.
- Because it is Internet-based, QoS (Quality of Service) is also not consistently guaranteed.

II. Understanding the IPSec Protocol:
- The term IPSec is an abbreviation of Internet Protocol Security. It relates to a number of protocol suites (AH, ESP, FIPS 140-1 and some other standards) developed by the Internet Engineering Task Force (IET
F). The main purpose of developing IPSec is to provide a security framework at layer 3 (the Network layer) of the OSI model, as in figure 6-1.

Figure 6-1: The position of IPSec in the OSI model (Application, Presentation, Session, Transport, Network, Data Link and Physical layers).

- All communication in an IP-based network relies on the IP protocols. Therefore, when a strong security mechanism is integrated with the IP protocol, the whole network is secured, because all communication passes through layer 3. (That is why IPSec was developed at layer 3 rather than layer 2.)
- IPSec VPNs use the services defined in IPSec to ensure data integrity, consistency, confidentiality and authentication of data transmission over a public network infrastructure.
- Moreover, with IPSec, all applications running at the application layer of the OSI model are independent of layer 3 when data is routed from source to destination. Because IPSec is tightly integrated with IP, applications can use services that inherit the security features without any major changes. Like IP, IPSec is transparent to the end user, who does not need to be concerned with the extended security mechanism operating continuously behind a chain of operations.
- IPSec works on a peer-to-peer model rather than a client/server model. A Security Association (SA) is an agreement between two parties that drives the exchanges between the two communicating parties. Each communicating party (a device or software) must negotiate policies or rules by probing for these policies with its potential partner. There are two kinds of SA: ISAKMP SA (also known as IKE SA) and IPSec SA.
- Security Associations (SAs) are a basic concept of the IPSec protocol suite. An SA is a logical, unidirectional connection between two entities using IPSec services. An SA includes:
* The authentication protocols, keys and algorithms.
* The method and keys for the authentication algorithms used by the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols of the IPSec suite.
* The encryption and decryption algorithm and keys.
* Key-related information, such as the change interval or refresh interval of the keys.
* Information about the SA itself, including the SA source address and refresh interval.
* The use and size of any cryptographic synchronization used, if any.

Figure 6-2: A generic representation of the three fields of an IPSec SA (Destination IP address | Security Parameter Index (SPI) | Security protocol).

As in figure 6-2, an IPSec SA consists of 3 fields:
- SPI (Security Parameter Index).
This is a 32-bit field used to identify the security protocol, defined by the Security protocol field, in the IPSec suite being used. The SPI is carried as part of the security protocol header and is usually chosen by the destination system during SA negotiation.
- Destination IP address. This is the IP address of the destination node. Although it can be a broadcast, unicast or multicast address, the current SA management mechanism is only defined for unicast systems.
- Security protocol. This describes the IPSec security protocol, which can be AH or ESP.
- Notes:
* Broadcast means all systems on the same network or subnet. Multicast is sent to many (but not all) nodes of a given network. Unicast means a single destination node. Because of the unidirectional nature of an SA, two SAs must be defined for two communicating parties, one for each direction. Moreover, an SA can provide security services for a VPN session protected by either AH or ESP. Therefore, if a session needs double protection by both AH and ESP, two SAs must be defined for each direction. This set of SAs is called an SA bundle.
* An IPSec SA uses two databases. The Security Association Database (SAD) holds the information related to each SA. This information includes the key algorithm, the SA lifetime and the sequence number. The second IPSec SA database, the Security Policy Database (SPD), holds information about the security services along with an ordered list of policy entries for inbound and outbound traffic. Like firewall rules and packet filters, these entries define which traffic is processed and which traffic is rejected according to each IPSec criterion.

The IPSec suite provides 3 main capabilities:
- Authentication and data integrity. IPSec provides a strong mechanism for verifying the authenticity of the sender and for the receiver to detect any previously unprotected modification of the packet contents.
The IPSec protocols offer strong protection against spoofing, replay and denial-of-service attacks.
- Confidentiality. The IPSec protocols encrypt data using advanced encryption techniques, preventing unauthenticated people from accessing the data in transit. IPSec also uses a tunneling mechanism to hide the IP addresses of the source node (sender) and destination node (receiver) from eavesdroppers.
- Key management. IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate the security protocols and encryption algorithms before and during a session. Another important part is that IPSec distributes and checks the encryption keys and updates those keys when required.
- The first two capabilities of the IPSec suite, authentication and data integrity, and confidentiality, are provided by the two main protocols of the IPSec suite. These protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP).
- The third capability, key management, lies in another protocol suite adopted by IPSec because it is a fairly strong management service. This protocol is IKE.
- SAs in IPSec are currently deployed in two modes, Transport mode and Tunnel mode, described in figure 6-7. Both AH and ESP can work in either of these modes.

Figure 6-7: The two IPSec modes.

Transport Mode:
- Transport mode protects the upper-layer protocols and applications. In Transport mode, the IPSec header is inserted between the IP header and the upper-layer protocol header, as shown in the figure below. AH and ESP are placed after the original IP header. Thus only the IP payload is encrypted and the original IP header is kept intact. Transport mode can be used when both hosts support IPSec.
This transport mode has the advantage of adding only a few bytes to each packet, and it also lets devices on the network see the final destination address of the packet. This capability allows special processing on intermediate networks based on the information in the IP header. However, the Layer 4 information is encrypted, which limits inspection of the packet.

Figure 6-8: IPSec Transport mode—a generic representation (IP Header | AH or ESP Header | Payload | ESP Trailer | ESP Authentication).
Figure 6-9: AH Transport mode (Original IP Header | AH | TCP | Data).
Figure 6-10: ESP Transport mode (Original IP Header | ESP Header | TCP | Data).

- Transport mode lacks the header processing, so it is faster. However, it is not effective in the case of ESP, which neither authenticates nor encrypts the IP header.

Tunnel Mode:
Unlike Transport mode, Tunnel mode protects the entire packet. The whole IP packet is encapsulated in another IP packet, and an IPSec header is inserted between the original IP header and the new one. The whole original IP packet is encapsulated by AH or ESP and a new IP header is wrapped around the packet. The whole IP packet is encrypted and becomes the data of the new IP packet. This mode lets network devices such as routers act as IPSec proxies, performing encryption on behalf of hosts. The source router encrypts the packets and forwards them along the tunnel. The destination router decrypts the original IP packet and forwards it to the end system. Thus the new header's source address is the gateway.
- With a tunnel operating between two security gateways, the source and destination addresses can be encrypted. Tunnel mode is used when one end of the IPSec connection is a security gateway and the real destination address behind the gateway does not support IPSec.

Figure 6-11: IPSec Tunnel mode—a generic representation (New IP Header | AH or ESP Header | Original IP Header | Payload | ESP Trailer | ESP Authentication).

- In AH Tunnel mode, the new header (AH) is inserted between the new IP header and the original header, as shown below.

Figure 6-12: AH Tunnel mode (New IP Header | AH | Original IP Header | TCP | Data).
Figure 6-13: ESP Tunnel mode (New IP Header | ESP Header | Original IP Header | TCP | Data | ESP Trailer | optional ESP Authentication).

- An IKE SA is a bidirectional process and provides a secure communication channel between the two parties. The term 'bidirectional' means that once established, either party can initiate Quick mode, Informational and New Group mode. The IKE SA is identified by the initiator's cookies followed by the responder's cookies. The order of the cookies established by phase 1 continues to identify the IKE SA regardless of its direction. The main function of IKE is to establish and maintain SAs. The following attributes are the minimum that must be agreed between the two parties as part of the ISAKMP (Internet Security Association and Key Management Protocol) SA:
+ The encryption algorithm
+ The hash algorithm used
+ The authentication method to be used
+ Information about the DH group and algorithm
- IKE performs negotiation, authentication, key management and key exchange. IKE negotiates an agreement between the two IPSec endpoints, and the SA then tracks all components of an IPSec session. After successful negotiation, the valid SA parameters are stored in the SA database.
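As an added example (not from the original document), the following Python model ties together the three SA fields of figure 6-2, the SAD/SPD lookup described with them, and the transport and tunnel encapsulations of figures 6-8 to 6-13: the sender picks an SA through the SPD, and the receiver finds it in the SAD by (SPI, destination, protocol) and verifies the integrity check value before decapsulating. Header layouts are simplified (one 12-byte security header carrying SPI, sequence number and next header; HMAC-SHA256 as the assumed integrity algorithm; ESP encryption omitted), and all addresses, SPIs and keys are constructed.

```python
import hashlib, hmac, struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ESP, AH, TCP, IPIP = 50, 51, 6, 4         # IP protocol numbers
IPHDR = struct.Struct("!BBHHHBBH4s4s")    # 20-byte IPv4 header, no options
SECHDR = struct.Struct("!IIBxxx")         # simplified AH/ESP header: SPI, sequence, next header
ICV_LEN = 12                              # truncated HMAC-SHA256 (assumed integrity algorithm)
AH_ICV_OFF = 20 + SECHDR.size             # offset of the AH ICV in the datagram

def ip_header(src, dst, proto, total_len):
    return IPHDR.pack(0x45, 0, total_len, 0, 0, 64, proto, 0,
                      IPv4Address(str(src)).packed, IPv4Address(str(dst)).packed)

def parse_ip(buf):
    f = IPHDR.unpack_from(buf)
    return {"len": f[2], "proto": f[6], "src": IPv4Address(f[8]), "dst": IPv4Address(f[9])}

@dataclass(frozen=True)
class SA:
    spi: int; dst: IPv4Address; proto: int  # the three identifying fields of figure 6-2
    mode: str; key: bytes                   # "transport" or "tunnel"; integrity key
    tunnel_src: IPv4Address = None          # outer source address (tunnel mode only)

class SAD:  # Security Association Database: one entry per unidirectional SA
    def __init__(self): self.db = {}
    def add(self, sa): self.db[(sa.spi, sa.dst, sa.proto)] = sa
    def lookup(self, spi, dst, proto): return self.db.get((spi, dst, proto))

@dataclass
class Rule:
    src_net: IPv4Network; dst_net: IPv4Network; action: str; sa: SA = None

class SPD:  # Security Policy Database: ordered entries, first match wins
    def __init__(self, rules): self.rules = rules
    def match(self, src, dst):
        for r in self.rules:
            if src in r.src_net and dst in r.dst_net:
                return r
        return Rule(IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0"), "discard")

def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_covered(outer, sec, inner):
    # AH also authenticates the outer IP header, with mutable fields (here TTL) zeroed
    return outer[:8] + b"\x00" + outer[9:20] + sec + inner

def outbound(pkt, spd, seq):
    # Sender: consult the SPD, then encapsulate with the SA the matching entry names.
    hdr = parse_ip(pkt)
    rule = spd.match(hdr["src"], hdr["dst"])
    if rule.action != "protect":
        return rule.action, pkt                 # "bypass" forwards as is, "discard" drops
    sa = rule.sa
    if sa.mode == "transport":                  # original IP header kept, payload protected
        inner, nxt, osrc, odst = pkt[20:], hdr["proto"], hdr["src"], hdr["dst"]
    else:                                       # tunnel: the whole datagram is the payload
        inner, nxt, osrc, odst = pkt, IPIP, sa.tunnel_src, sa.dst
    sec = SECHDR.pack(sa.spi, seq, nxt)
    if sa.proto == ESP:                         # ESP: ICV trails the payload
        body = sec + inner
        body += icv(sa.key, body)               # payload encryption is omitted in this model
        outer = ip_header(osrc, odst, ESP, 20 + len(body))
    else:                                       # AH: ICV in the header, outer IP covered too
        outer = ip_header(osrc, odst, AH, AH_ICV_OFF + ICV_LEN + len(inner))
        body = sec + icv(sa.key, ah_covered(outer, sec, inner)) + inner
    return "protect", outer + body

def inbound(pkt, sad):
    # Receiver: SAD lookup by (SPI, destination, protocol), ICV check, decapsulation.
    hdr = parse_ip(pkt)
    spi, _seq, nxt = SECHDR.unpack_from(pkt, 20)
    sa = sad.lookup(spi, hdr["dst"], hdr["proto"])
    if sa is None:
        return "discard", None                  # no SA for this triple: drop
    if sa.proto == ESP:
        body, tag = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
        ok, inner = hmac.compare_digest(tag, icv(sa.key, body)), body[SECHDR.size:]
    else:
        sec, tag = pkt[20:AH_ICV_OFF], pkt[AH_ICV_OFF:AH_ICV_OFF + ICV_LEN]
        inner = pkt[AH_ICV_OFF + ICV_LEN:]
        ok = hmac.compare_digest(tag, icv(sa.key, ah_covered(pkt, sec, inner)))
    if not ok:
        return "discard", None                  # integrity failure: drop
    if sa.mode == "tunnel":
        return "deliver", inner                 # inner is the complete original datagram
    return "deliver", ip_header(hdr["src"], hdr["dst"], nxt, 20 + len(inner)) + inner

# Constructed sample: 10.0.0.5 -> 10.0.1.9, protected either host-to-host with AH in
# transport mode or gateway-to-gateway (203.0.113.1 -> 203.0.113.2) with ESP in tunnel mode.
KEY = b"constructed-demo-integrity-key"
TUNNEL_SA = SA(0x1001, IPv4Address("203.0.113.2"), ESP, "tunnel", KEY, IPv4Address("203.0.113.1"))
TRANSPORT_SA = SA(0x2002, IPv4Address("10.0.1.9"), AH, "transport", KEY)
SAD_DB = SAD(); SAD_DB.add(TUNNEL_SA); SAD_DB.add(TRANSPORT_SA)
PAYLOAD = b"GET / HTTP/1.0\r\n"
ORIGINAL = ip_header("10.0.0.5", "10.0.1.9", TCP, 20 + len(PAYLOAD)) + PAYLOAD

def roundtrip(sa):
    # Returns (outer dst, outer proto, decapsulated == original, verdict on a tampered copy).
    spd = SPD([Rule(IPv4Network("10.0.0.0/24"), IPv4Network("10.0.1.0/24"), "protect", sa)])
    _, wire = outbound(ORIGINAL, spd, seq=1)
    outer = parse_ip(wire)
    verdict, plain = inbound(wire, SAD_DB)
    flipped = wire[:-1] + bytes([wire[-1] ^ 0x01])  # one byte changed in flight
    return (str(outer["dst"]), outer["proto"],
            verdict == "deliver" and plain == ORIGINAL, inbound(flipped, SAD_DB)[0])
```

In tunnel mode only the gateway addresses are visible on the wire, while in transport mode the original endpoints stay visible and only the payload is protected; a packet whose (SPI, destination, protocol) triple has no SAD entry, or whose ICV fails, is dropped.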
- The main advantages of IKE include:
+ IKE is not a standalone technology, so it can be used with any security mechanism.
+ The IKE mechanism, although not fast, is highly efficient, because a large number of security associations are negotiated with relatively few messages.

IKE Phases
- Phase I and Phase II are the two phases that make up an IKE-based session; figure 6-14 shows some common characteristics of the two phases. In an IKE session, it is assumed that a secure channel is already established. This secure channel must be established before any negotiation takes place.

Figure 6-14: The two IKE phases—Phase I and Phase II.

IKE Phase I
- IKE Phase I first authenticates the communicating endpoints and then establishes a secure channel for SA establishment. Next, the communicating parties negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions and authentication methods that protect the keys.
- After the encryption mechanism and hash function have been agreed as above, a shared secret key is generated. The following information is used to generate the secret key:
* The Diffie-Hellman value
* The SPI of the ISAKMP SA in the form of cookies
* Random numbers known as nonces (used for signing purposes)
- If the two parties agree to use public-key-based authentication, they also need to exchange IDs. After exchanging the necessary information, both parties generate their own keys and use them to derive the shared secret. In this way the encryption keys are generated without actually exchanging any key over the network.

IKE Phase II
- While Phase I negotiates the establishment of the SA for ISAKMP, Phase II handles the establishment of SAs for IPSec. In this phase, SAs are negotiated for various services. The authentication mechanism, hash function and encryption algorithm that protect the subsequent IPSec packets (using AH and ESP) are part of the phase SA.
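The Phase I key generation just described, as an added example that is not part of the original document: both peers compute the same Diffie-Hellman secret from their own private exponent and the other side's public value, then mix it with the two cookies and the nonces the way RFC 2409 derives SKEYID_d, SKEYID_a and SKEYID_e for pre-shared-key authentication, and the responder checks the initiator's HASH_I from message 5. The DH group (a 127-bit Mersenne prime with generator 3), HMAC-SHA256 as the prf, and the pre-shared keys and identity are constructed for illustration.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, constructed for this example: a Mersenne prime modulus
# with generator 3. Real IKE uses the negotiated MODP group (for example DH group 2).
P, G = 2**127 - 1, 3

def prf(key, data):
    # The ISAKMP prf is an HMAC keyed with the negotiated hash; HMAC-SHA256 is assumed here.
    return hmac.new(key, data, hashlib.sha256).digest()

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent, never leaves the peer
    return x, pow(G, x, P)                     # public value g^x mod p, sent to the peer

def derive(skeyid, gxy, cky_i, cky_r):
    # RFC 2409 section 5: SKEYID_d, SKEYID_a, SKEYID_e from SKEYID, g^xy and both cookies
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e

def phase1(psk_initiator, psk_responder, sa_i=b"constructed-SAi-payload", id_i=b"initiator.example"):
    # Simulates both peers of a pre-shared-key Main mode exchange. Only the cookies,
    # nonces and DH public values are observable on the wire; x, y and the PSK are not.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP SA "SPI" cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # nonces
    x, gx = dh_keypair()                                            # initiator, message 3
    y, gy = dh_keypair()                                            # responder, message 4
    gxy_i = to_bytes(pow(gy, x, P))        # each side combines its own private exponent
    gxy_r = to_bytes(pow(gx, y, P))        # with the peer's public value: same g^xy
    skeyid_i = prf(psk_initiator, ni + nr)  # SKEYID for pre-shared keys = prf(psk, Ni | Nr)
    skeyid_r = prf(psk_responder, ni + nr)
    # Message 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    hash_i = prf(skeyid_i, to_bytes(gx) + to_bytes(gy) + cky_i + cky_r + sa_i + id_i)
    expected = prf(skeyid_r, to_bytes(gx) + to_bytes(gy) + cky_i + cky_r + sa_i + id_i)
    return {
        "shared_secret_agrees": gxy_i == gxy_r,
        "initiator_authenticated": hmac.compare_digest(hash_i, expected),
        "keys_agree": derive(skeyid_i, gxy_i, cky_i, cky_r) == derive(skeyid_r, gxy_r, cky_i, cky_r),
    }
```

With a mismatched pre-shared key the DH secret still agrees, but HASH_I fails verification and the derived keys differ, which is how a wrong PSK surfaces in Phase I.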
- Phase II negotiation occurs more often than Phase I; the source notes it may be repeated as often as every 4-5 minutes. Changing keys frequently prevents an attacker from breaking a key and then reading the packet contents. (Cisco IOS defaults are longer: an IPSec SA lifetime of 3600 seconds and an ISAKMP SA lifetime of 86400 seconds, both adjustable.)
- In general, one Phase II session corresponds to one Phase I session. However, several Phase II exchanges can be carried by a single Phase I instance, which makes the otherwise slow IKE transaction comparatively fast.
- Oakley is one of the protocols on which IKE is based. Oakley in turn defines the four common IKE modes.

IKE Modes

The four commonly deployed IKE modes are:
• Main mode
• Aggressive mode
• Quick mode
• New Group mode

Main Mode

- Main mode authenticates and protects the identities of the parties involved in the exchange. In this mode, six messages are exchanged between the peers:
• The first two messages negotiate the security policy for the exchange.
• The next two messages exchange the Diffie-Hellman public values and nonces. These later play an important role in the key generation mechanism.
• The last two messages authenticate the parties with the help of signatures, hash functions and, optionally, certificates.
Figure 6-15 illustrates the message exchange in IKE Main mode.

[Figure 6-15: Message exchange in IKE Main mode.]

Aggressive Mode

- Aggressive mode is essentially the same as Main mode. The only difference is that instead of the six messages of Main mode, only three messages are exchanged, so Aggressive mode is faster than Main mode. The messages are:
+ The first message proposes the security policy, passes the data for the master key, and exchanges nonces for later signing and verification.
+ The next message replies to the first.
It authenticates the recipient and completes the security policy with the keys.
+ The last message authenticates the sender (the initiator of the session).

[Figure 6-16: Message exchange in IKE Aggressive mode.]

Both Main mode and Aggressive mode belong to Phase I. The price of Aggressive mode's speed is that the identities are sent before an encrypted channel exists and, with pre-shared-key authentication, the authentication hash crosses the network in the clear, where a passive attacker can capture it for an offline dictionary attack. Prefer Main mode; Aggressive mode is normally only justified when a peer has a dynamic address and must identify itself before the responder can look up its key.

Quick Mode

- The third IKE mode, Quick mode, belongs to Phase II. It is used to negotiate the SAs for the IPSec security services. In addition, Quick mode can also generate new keying material. If Perfect Forward Secrecy (PFS) was negotiated in Phase I, a complete new Diffie-Hellman exchange is initiated; otherwise the new keys are derived from hash values of the existing keying material. Without PFS, compromise of the Phase I shared secret therefore exposes every Phase II key derived from it.

[Figure 6-17: Message exchange in IKE Quick mode, which belongs to Phase II.]

New Group Mode

- New Group mode is used to negotiate a new private group, giving more flexibility for the Diffie-Hellman key exchange. Figure 6-18 illustrates New Group mode. Although this mode runs after Phase I, it does not belong to Phase II.

[Figure 6-18: Message exchange in IKE New Group mode.]

- Besides the four common IKE modes above, there is also an Informational mode. This mode works in conjunction with the Phase II exchanges and SAs.
It provides the parties concerned with additional information arising from failures during negotiation. For example, if decryption fails at the receiver or a signature cannot be verified, Informational mode is used to notify the other parties.

III. Overview of the Cisco IOS Operating System:

1. System architecture:

- Like a computer, a router has a CPU capable of executing instructions on the router platform. Two examples of processors used by Cisco are the Motorola 68030 and the Orion/R4600. The Cisco IOS software running on the router requires the CPU, or microprocessor, to handle routing and bridging, manage the routing table and perform several other system functions. The CPU must access data in memory to make decisions or execute instructions.
- There are four common types of memory on a Cisco router:
- ROM: general-purpose memory on one or more chips. It can also sit on the router's processor board. It is read-only, meaning data cannot be written to it. The first software that runs on a Cisco router is called the bootstrap software and is usually stored in ROM. The bootstrap software is invoked when the router boots.
- Flash: flash memory sits on SIMM modules but can be extended with (removable) PCMCIA cards. Flash memory is mostly used to store one or more copies of the Cisco IOS software. Configuration files or system information can also be copied to flash. On some recent systems, flash memory is also used to hold the bootstrap software.
- Flash memory holds the Cisco IOS software image. On some models, flash memory can hold configuration files or boot images. Depending on the model, flash memory may be EPROM, single in-line memory modules (SIMM) or flash memory cards:
  - Internal flash memory:
    o Internal flash memory usually holds the system image.
    o Some router models have two or more flash memory single in-line memory modules (SIMM).
If a SIMM has two banks, it is called dual-bank flash memory. These banks can be divided into several smaller logical partitions.
  - Bootflash:
    o Bootflash usually holds the boot image.
    o Bootflash sometimes holds the ROM Monitor.
  - Flash memory PC card or PCMCIA card: a flash memory card that plugs into a Personal Computer Memory Card International Association (PCMCIA) slot. This card holds the system image, boot image and configuration files.
  - The following routers have PCMCIA slots:
    o Cisco 1600 series router: 1 PCMCIA slot.
    o Cisco 3600 series router: 2 PCMCIA slots.
    o Cisco 7200 series Network Processing Engine (NPE): 2 PCMCIA slots.
    o Cisco 7000 RSP700 card and 7500 series Route Switch Processor (RSP) card: 2 PCMCIA slots.
- RAM: very fast memory that loses its contents when the system restarts. In a PC it holds the running applications and data. On a router, RAM holds the IOS operating system's tables and serves as buffer memory. RAM is the basic memory used for the operating system's storage needs.
- The ROM monitor provides a user interface when the router cannot find a suitable image file.
- The boot image lets the router boot when no valid IOS image is found in flash memory.
- NVRAM: on a router, NVRAM stores the startup configuration. This is the configuration file that IOS reads when the router boots. It is very fast memory and its contents persist across restarts. Because the startup configuration holds credentials such as the enable secret and IPSec pre-shared keys, anyone who can read NVRAM, or a backup copy of it, holds those secrets.
- Although the CPU and memory are the components required to run the IOS operating system, the router also needs various interfaces so that it can forward packets. The interfaces are the inbound and outbound connections to the router that carry the data the router or switch needs. The most common interface types are Ethernet and Serial. Just as a computer has software drivers for its parallel and USB ports, IOS has device drivers to support the different interface types.
- Every Cisco router has a console port providing an asynchronous EIA/TIA-232 serial connection.
The console port can be connected to a computer over a serial link to obtain terminal access to the router. Most routers also have an auxiliary port, similar to the console port but specifically intended for a modem connection so that the router can be managed remotely. Both ports bypass the network: anyone with physical access to the console can interrupt the boot sequence and use the ROM monitor to reset the passwords, and an unused auxiliary port should be disabled rather than left waiting for a dial-in modem.

- Example: the console output of a 3640 router as it boots. Note the processor, interface and memory information that is listed.

Cisco 3640 Router Console Output at Startup

System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by Cisco Systems, Inc.
C3600 processor with 98304 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled

program load complete, entry point: 0x80008000, size: 0xa8d168
Self decompressing the image : ######################################## [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by Cisco Systems, Inc.
Compiled Mon 06-May-02 23:23 by pwade
Image text-base: 0x60008930, data-base: 0x610D2000

cisco 3640 (R4700) processor (revision 0x00) with 94208K/4096K bytes of memory.
Processor board ID 17746964
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:

- When a new router boots for the first time, IOS runs an automatic setup process and the user is prompted to answer a few questions. IOS then configures the system based on the answers. After setup is complete, the configuration is most commonly modified through the command-line interface (CLI). Other ways to configure the router include HTTP and network management applications.

2. Cisco IOS CLI:

- Cisco IOS has three command modes, each giving access to a different set of commands:
- User mode: this is the first mode the user enters after logging in to the router. User mode is recognized by the > symbol right after the router name. This mode lets the user execute only some basic commands, such as viewing the system status. The system cannot be configured or restarted in this mode.
- Privileged mode: this mode lets the user view the system configuration, restart the system and enter configuration mode. It also allows every user-mode command. Privileged mode is recognized by the # symbol right after the router name. The user types the enable command to tell IOS to move from user mode to privileged mode. If an enable password or enable secret password has been set, the user must type the correct password before being granted privileged mode. The enable secret password is stored as a one-way hash rather than in clear text in the configuration, so it is safer. Privileged mode lets the user do anything on the router, so it should be used with care. To leave privileged mode, the user runs the disable command.
- Configuration mode: this mode lets the user modify the running configuration.
To enter configuration mode, type configure terminal from privileged mode. Configuration mode has several sub-modes, starting with global configuration mode, which is recognized by the (config)# prompt after the router name. The sub-mode depends on what you are configuring, and the text inside the parentheses changes accordingly; for example, when you enter interface mode the prompt becomes (config-if)# after the router name. To leave configuration mode, type end or press Ctrl-Z.
- Note that in every mode, depending on the context, the ? command lists the commands available at that level. The ? symbol can also be used in the middle of a command to see the options of that command. Example 4-2 shows how to use ? in each mode.

- Example: Using Context-Sensitive Help

Router>?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions

- The following steps show how to change mode, view the system configuration and configure passwords. The CLI of a 3640 router running Cisco IOS is shown.
- Step 1: Enter enable mode by typing enable and pressing Enter.

Router> enable
Router#

- Step 2: To see which version of IOS is running, type show version.

Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by Cisco Systems, Inc.
Compiled Mon 06-May-02 23:23 by pwade
Image text-base: 0x60008930, data-base: 0x610D2000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 47 minutes
System returned to ROM by reload
System image file is "slot0:c3640-is-mz.122-10.bin"

cisco 3640 (R4700) processor (revision 0x00) with 94208K/4096K bytes of memory.
Processor board ID 17746964
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)

Configuration register is 0x2002

- The output shows that this router is running Cisco IOS version 12.2(10) and that the image is stored on the PCMCIA flash card in slot 0.
- Step 3: Next, set the router name to IOS. Enter configuration mode with configure terminal.

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname IOS
IOS(config)#

- Note that the prompt changes to IOS as soon as you enter the hostname command. All configuration changes in Cisco IOS take effect immediately.
- Step 4: Next, set the enable password and the enable secret password. The enable secret password is stored as a one-way hash (type 5, MD5) rather than in clear text, and it takes precedence over the enable password if both are configured.

IOS(config)# enable password cisco
IOS(config)# enable secret san-fran
IOS(config)# exit
IOS#

- To enter enable mode you now have to type the password san-fran. The exit command takes you back one level in the configuration, or out of the current sub-mode.
- Caveat: the plain enable password remains in clear text in the configuration (see enable password cisco in the output below). service password-encryption only hides such passwords with the reversible type 7 scheme, and the MD5-based type 5 secret is itself weak against offline cracking, so on newer IOS releases prefer the stronger secret types available through enable algorithm-type and do not configure enable password at all.
- Step 5: After setting the router name and passwords, you can view the running configuration.

IOS# show running-config
Building configuration...

Current configuration : 743 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname IOS
!
enable secret 5 $1$IP7a$HCINetI.hpRdox84d.FYU.
enable password cisco
!
ip subnet-zero
!
call rsvp-sync
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet2/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/3
 no ip address
 shutdown
 half-duplex
!
ip classless
ip http server
ip pim bidir-enable
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end

- Note that ip http server is enabled in this configuration, so the HTTP management interface becomes reachable on every interface that is brought up; if the router is not going to be managed over HTTP, disable it with no ip http server.
- Step 6: The configuration shown by show running-config is the one currently active in the system, but it is lost if the system restarts. To save the configuration to NVRAM, you must type:

IOS# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

- Step 7: To view the configuration saved in NVRAM, use show startup-config.
- Interface parameters such as encapsulation and addressing must be set before an interface can be used correctly. In addition, IP routing and bridging must be configured. Refer to the Cisco IOS installation and configuration guide for your software version for the available configuration options and detailed instructions.
- A few commonly used commands for managing a Cisco IOS system:

Command: Description
show interface: displays the current status and configuration details of every interface in the system
show processes cpu: displays CPU utilization and the processes running in the system
show buffers: shows how many buffers are currently allocated and their activity in forwarding packets
show memory: shows how much memory is allocated to the different system functions and how memory is being used
show diag: displays details of the cards in the system
show ip route: displays the IP routing table in use
show arp: displays the MAC addresses mapped from the IP addresses in use in the ARP table

IV. The Four-Step Procedure for Configuring IPSec/VPN on Cisco IOS:

- IPSec for a VPN can be configured in the following four steps:
1. Prepare for IKE and IPSec
2. Configure IKE
3. Configure IPSec
   ✓ Configure the encryption applied to packets: crypto ipsec transform-set
   ✓ Configure the SA lifetime and other security options: crypto ipsec security-association lifetime
   ✓ Create crypto ACLs using extended access lists
   ✓ Configure the IPSec crypto maps: crypto map
   ✓ Apply the crypto maps to the interfaces: crypto map map-name
4. Verify the IPSec implementation

A. Configuring data encryption:

- Next you configure Cisco IOS IPSec by using the IPSec security policy to define IPSec transform sets.
- An IPSec transform set is a combination of individual IPSec transforms, defined and designed to implement the security policy for traffic on the network. During the ISAKMP IPSec SA negotiation that takes place in IKE Phase 2 quick mode, the two peers agree on a particular transform set to protect a particular data flow. A transform set combines the following factors:
• The mechanism for authentication: the AH policy
• The mechanism for encryption: the ESP policy
• The IPSec mode (transport mode or tunnel mode)

Step 1: Configure Transform Sets (slide: RouterA at site 1 and RouterB at site 2, connected across the Internet)

router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
router(cfg-crypto-trans)#

+ A transform set is a combination of IPSec transforms that enact a security policy for traffic. Sets are limited to up to one AH and up to two ESP transforms.
- A transform set is the combination of AH transforms, ESP transforms and the IPSec mode (tunnel mode or transport mode). A transform set is limited to at most one AH transform and at most two ESP transforms.
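The four steps above carried through for one side of a site-to-site tunnel, as an added example that is not part of the original page and is not executed by any test harness. RouterA protects 10.1.1.0/24 behind its Serial0/0 address 192.0.2.1 and peers with RouterB at 198.51.100.1, which protects 10.2.2.0/24; the router names, addresses, pre-shared key, transform-set and crypto-map names, and the mirror-image configuration on RouterB are all assumptions.

```cisco
! ===== Step 1: Prepare for IKE and IPSec (planning, no commands) =====
! Peers: RouterA 192.0.2.1 <-> RouterB 198.51.100.1 (both assumed).
! Protected flows: 10.1.1.0/24 <-> 10.2.2.0/24. Policy: AES-256, SHA-256,
! DH group 14, pre-shared key, ESP tunnel mode, PFS on, 1-hour IPSec SAs.
! Confirm the peers can reach each other and that UDP/500 (IKE) and IP
! protocol 50 (ESP) are not filtered anywhere on the path.

! ===== Step 2: Configure IKE (Phase I) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Sup3rS3cretPSK-change-me address 198.51.100.1

! ===== Step 3: Configure IPSec (Phase II) =====
! 3a. Transform set: one ESP encryption transform plus one ESP
!     authentication transform (the limit is one AH and two ESP transforms).
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! 3b. IPSec SA lifetime in seconds (3600 is also the IOS default).
crypto ipsec security-association lifetime seconds 3600
! 3c. Crypto ACL: "permit" means "protect with IPSec". Traffic this list
!     does not permit leaves the interface in clear text, so a mistake here
!     silently removes protection instead of blocking the traffic.
!     RouterB needs the mirror image (source and destination swapped).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! 3d. The crypto map ties peer, transform set, crypto ACL and PFS together.
!     "set pfs" forces a fresh Diffie-Hellman exchange in Quick mode so a
!     compromised Phase I secret does not expose the Phase II keys.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
! 3e. Apply the crypto map to the WAN interface (one crypto map per interface).
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-MAP

! ===== Step 4: Verify =====
! Check the static policy first, then send traffic that matches the crypto
! ACL (sourced from the protected LAN address) to bring the SAs up.
RouterA# show crypto ipsec transform-set
RouterA# show crypto map
RouterA# ping 10.2.2.1 source 10.1.1.1
RouterA# show crypto isakmp sa
RouterA# show crypto ipsec sa
! Healthy "show crypto ipsec sa" output has matching, non-zero encaps and
! decaps counters for the peer (abbreviated, illustrative):
!   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
!   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
!   #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
!   #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
```

Encaps counters rising while decaps stay at zero means RouterA is sending protected traffic but nothing comes back, which almost always points at a non-mirrored crypto ACL or a routing problem on the far side; zero counters on both sides means no packet matched the crypto ACL at all, so the ACL, not the crypto settings, is the first thing to check.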
