Khóa luận VPN (VPN Thesis)

Deploying a VPN System with IPSec
Supervisor (GVHD): Trần N Vĩ Thức
Students (SVTH): Đặng Thị Cẩm Li, Trần Văn Diệp

Chapter 1: Overview of VPN

1 Overview.

With the strong growth of industry, the need to exchange information and data between organizations, companies, groups and individuals has become pressing, and as a result the Internet has exploded. Everyone uses computers connected to the Internet through an Internet Service Provider (ISP), using one common protocol, TCP/IP. What the technology still has to solve is the communication capacity of the public telecommunication network. With the Internet, services such as online shopping, distance education or online consulting have become easy. However, the Internet is global in scope and no organization or government can manage it, so ensuring the safety and confidentiality of data, or managing services, is a major problem that must be solved. Scientists therefore researched and proposed a new network model that meets these needs while still making use of the existing Internet infrastructure: the Virtual Private Network (VPN). With this model we do not have to invest in much additional equipment or infrastructure, yet we still obtain features such as confidentiality and reliability, and we can manage the operation of this network ourselves. A VPN allows users working from home, on the road or at branch offices to connect securely to their organization's servers over infrastructure provided by public networks. It ensures the security of information between organizations, companies or branches, offices, suppliers or business partners across a wide communication environment. Thus the most important characteristic of a VPN is that it can use a public network such as the Internet while still ensuring confidentiality and saving cost.

1.1 History of VPN development

The virtual dedicated network, also called the virtual private network (VPN), originated from customers' (clients') desire to connect their private branch exchanges (PBX) to one another efficiently over a wide area network (WAN).


Formerly, group telephone systems or local area networks (LANs) used dedicated leased lines to build private networks for communicating with one another.

Milestones in the development of VPN:

- 1975: France Telecom introduced the Colisee service, providing dedicated-line service to large customers. Colisee could offer customers a dedicated dialing method. The service charged according to the volume of service used and offered many other management features.
- 1985: Sprint introduced VPN, and AT&T introduced a VPN service under its own name, the Software Defined Network (SDN).
- 1986: Sprint introduced Vnet; Telefónica of Spain introduced Ibercom.
- 1988: A price war over VPN services broke out in the US, making VPN affordable for small and medium enterprises, which could save nearly 30% in costs; this stimulated the rapid growth of the service in the US.
- 1989: AT&T introduced the international VPN (IVPN) service GSDN.
- 1990: MCI and Sprint introduced international VPN services; Telstra of Australia introduced the first domestic VPN service in the Asia-Pacific region.
- 1992: Dutch Telecom and Telia of Sweden founded the joint venture Unisource, providing VPN services.
- 1993: AT&T, KDD and Singapore Telecom announced the formation of the global alliance Worldpartners, providing a range of international services, including VPN.
- 1994: BT and MCI founded the joint venture Concert, providing VPN and Frame Relay services.
- 1995: ITU-T issued recommendation F-16 on the global VPN service (GVPNS).
- 1996: Sprint, Deutsche Telekom and France Telecom formed the Global One alliance.
- 1997 can be considered a brilliant year for VPN technology: the technology appeared in every science and technology magazine and conference. VPNs built on the public Internet infrastructure brought a new capability and a new view of VPN. VPN technology became the optimal communication solution for companies and organizations with many offices and branches. Today, as technology develops, the IP network (Internet) infrastructure is increasingly complete, making the capabilities of VPN increasingly complete as well.

Today VPN is used not only for voice services but also for data, image and multimedia services.

1.2 Definition of VPN

A VPN is simply understood as the extension of a private network over public networks. Basically, each VPN is a separate private network that uses a shared network (usually the Internet) to connect sites (separate private networks) or many remote users. Instead of a physical dedicated connection such as a leased line, each VPN uses virtual connections routed over the Internet from the company's private network to the sites of remote employees. To send and receive data over the public network while still ensuring safety and confidentiality, VPN provides mechanisms for encrypting data on the transmission path, creating a secure pipe between sender and receiver called a Tunnel; a Tunnel is like a point-to-point connection on a private network. To create this secure pipe, the data must be encrypted by a concealment mechanism, exposing only the packet header, which carries the routing information that lets the packet reach its destination across the public network quickly. The data is carefully encrypted, so if packets are captured on the public path their content cannot be read without the decryption key. The link carrying this encrypted and encapsulated data is called a VPN connection. VPN connections are usually called VPN tunnels.

Figure 1: VPN connection model.

1.3 Components that make up a VPN.

To deploy a VPN system you need the basic components below, but when building the system each person will choose components differently to suit their company or purpose.

1.3.1 VPN client

A VPN client can be a computer or it can be a router. The type of VPN client used on the company network really depends on the individual needs of that company.

On the other hand, if the company has a few employees who travel frequently and need to reach the company network on the road, you may benefit from setting up those employees' laptops as VPN clients.

Technically, any operating system can act as a VPN client as long as it supports PPTP, L2TP or IPSec. Among Microsoft operating systems you can use 2000, XP, and even Windows 7. Although all of these operating systems will technically work as clients, the best is still Windows XP because of its support for L2TP and IPSec and its popularity.

1.3.2 VPN Server

VPN servers act as the connection point for VPN clients. Technically, we can use Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003 or Windows Server 2008 as a VPN server.

The VPN server is quite simple. It is a Windows Server 2008 machine running Routing and Remote Access (RRAS). Once a VPN connection has been authenticated, the VPN server simply acts as a router that gives the VPN client access to a private network.

1.3.3 IAS Server

One of the additional requirements for a VPN server is a RADIUS (Remote Authentication Dial In User Service) server. RADIUS is a server that uses the remote authentication dial-in service. RADIUS is the mechanism Internet service providers commonly use to authenticate subscribers establishing Internet connections.

Microsoft also has its own version of RADIUS, called Internet Authentication Service (IAS). The IAS service is available on Windows Server 2008.

1.3.4 Firewall

Another component a VPN requires is a good firewall. Our VPN server accepts connections from the outside world, but that does not mean the outside world needs full access to the VPN server. We must use a firewall to block every port that is not in use.

The basic requirement for establishing a VPN connection is that traffic to the VPN server's IP address can pass through your firewall to reach the VPN server.

If you are serious about security (and have the budget), an ISA server can be placed between the perimeter firewall and the VPN server. The idea is to configure the firewall to direct all VPN-related traffic to the ISA Server rather than to the VPN server. The ISA Server then acts as a VPN proxy. Both the VPN client and the VPN server communicate only with the ISA server; they never communicate directly with each other. This means the ISA Server shields the VPN server from direct client access, giving the VPN server an additional layer of protection.

1.3.5 Choosing a Tunneling Protocol

When a VPN client accesses a VPN server, it does so through a virtual tunnel. A tunnel is nothing more than a secure passage through an insecure environment (usually the Internet). The tunnel does not exist by itself, however; it requires a tunneling protocol. There are several protocols to choose from for creating tunnels, such as IPSec, L2TP, PPTP and GRE. Choosing the right tunneling protocol for the company, or for one's own needs, is an important decision when planning a VPN design.

The biggest advantage L2TP has over PPTP is that it is based on IPSec. IPSec encrypts data and provides data authentication: the sender's data is encrypted and guaranteed not to have its content altered in transit. Moreover, IPSec is designed to prevent replay attacks.

Although L2TP appears to have the advantage over PPTP, PPTP has its own advantage, compatibility. PPTP works better with Windows operating systems than L2TP does.

1.3.6 Authentication Protocol

When setting up a VPN, we must choose an authentication protocol. Most people choose MS-CHAP v2. MS-CHAP is relatively secure, and it works with VPN clients running Windows. The best choice is MS-CHAP.

1.4 Benefits and Limitations of using VPN.

1.4.1 Benefits.

Using a virtual private network is a need and a trend in communication technology because it has several advantages, such as:

Reduced cost of deploying and maintaining the system:

- With VPN, the deployed system fully meets transport needs and data security, yet the cost is quite low, because VPN minimizes long-distance line rental fees and instead reuses the existing Internet.
- System maintenance fees are also a concern; with VPN, maintenance fees are very low, and furthermore, by renting the existing infrastructure of Internet service companies, maintenance costs are no longer a worry.

Improved connectivity.

- Getting past web access filters: VPN is a good way to get past Internet filters, which is why VPN is used heavily in some countries with strict Internet censorship.
- Changing the IP address: if we want a different IP, a VPN can do this for us; this lets us hide our own address and avoid intrusion or ill intent from hackers (attackers) outside the network.

Secure transactions.

- Information exchange at work is heavy and continuous, yet keeping that information confidential is extremely important; with VPN we need not worry too much about this. VPN uses a concealment mechanism: data is encrypted and wrapped in a packet header (the header records the source and destination addresses of the packet) and transmitted quickly over the Internet.
- VPN handles sharing packets and data well over long periods.

Remote working capability.

- Nowadays everyone wants to save time and reduce costs, so it is wonderful when a person working at home can still handle their work well. With VPN, users can access the network from anywhere, even a coffee shop, as long as there is Internet access (here the VPN system runs over the Internet), so it is very beneficial for remote work.

Good system scalability.

- The cost of building a dedicated network (using network cabling) for a company may be reasonable at first, but as the company grows, expanding the network becomes necessary, and VPN is a reasonable choice because it does not depend heavily on capital investment in the system; simply put, to expand you only need to create another tunnel over the existing Internet infrastructure.

1.4.2 Limitations.

Although popular, virtual private networks (VPN) are not perfect, and limitations always exist in any network system. Some limitations to note when deploying a VPN system:

- VPN requires detailed understanding of network security; configuration and installation must be careful and precise to ensure safety on the public Internet.
- The reliability and performance of an Internet-based VPN are not under the company's direct control, so the remedy is to use a good-quality Internet service provider (ISP).
- VPN products and solutions from different vendors are not always compatible, due to issues with VPN technology standards. Mixing and combining equipment can cause technical problems, or, if used improperly, waste a great deal of deployment cost.
- A limitation or drawback of VPN that is hard to avoid is personal security: with remote access, or employees connecting to the office system from laptops or personal computers, if those computers run many other applications besides the office connection, hackers (attackers) can exploit weaknesses on the personal computer to attack the company's system. Experts therefore always recommend ensuring personal security.

1.5 Functions of VPN.

The main functions of VPN:

- Confidentiality: The sender can encrypt data packets before transmitting them across the network. That way no one can access the information without permission, and anyone who does obtain it cannot read it because it is encrypted.
- Data Integrity: The receiver can check whether the data received after transmission over the Internet has been altered.
- Origin Authentication: On receiving data, the first thing to do is authenticate its origin; VPN allows users to authenticate the information and the origin of the data.

1.6 VPN classification

The goals set for VPN technology are to satisfy three basic requirements:

- At any time, company employees can access the company's internal network remotely or while mobile.
- Connect branches and mobile offices.
- Control the access rights of customers, service providers or other external parties.

Based on these basic requirements, VPNs are divided into three types:

- Remote Access VPN
- Intranet VPN
- Extranet VPN

1.6.1 Remote Access VPN

Remote access VPNs provide remote access. At any time, employees, branches and mobile offices can exchange data with and access the company network. Remote access VPN is the most typical VPN type, because these VPNs can be set up at any time, from anywhere with Internet access.

Remote access VPN extends the company network to users over shared infrastructure while company network policies are maintained. They can be used to provide secure access for mobile devices, mobile users, branches and the company's partners. These VPNs are implemented over public infrastructure using ISDN, dial-up, mobile IP, DSL and cable technologies, and usually require some kind of client software running on the user's computer.

Figure 2: Remote access VPN model

a) Advantages of remote access VPN:

- Remote access VPN does not need support from network staff, because the remote connection is handled by the ISPs.
- Long-distance connection costs are reduced, because long-distance connections are replaced by local connections over the Internet.
- Provides cheap connection service for remote users.
- Because the access connections are local, the modems operate at higher speed than long-distance access.
- VPN provides better access to the company's sites because it supports the lowest level of connection service.

b) Disadvantages of remote access VPN:

- Remote access VPN does not support QoS-guaranteed services.
- High risk of data loss. Moreover, packets may be delivered out of order or lost.
- Because the encryption algorithms are complex, protocol overhead increases significantly.

1.6.2 Intranet VPN

Intranet VPNs are used to secure connections between a company's different locations. The VPN links headquarters, offices and branches over a shared infrastructure using connections that are always encrypted and secured. This allows every location to securely access the data resources it is permitted to use across the entire company network.

These VPNs still provide WAN features such as scalability, reliability and support for many different protocols at low cost while remaining flexible. This type of VPN is usually configured as a Site-to-Site VPN.

Figure 3: Intranet VPN model (diagram labels: remote office, central office, Router or PIX Firewall, Internet, POP, Remote site, Central site)

a) Main advantages of a VPN-based intranet:

- Local or entire networks can be set up (provided the network passes through one or more service providers).
- Fewer technical support staff are needed on the network at remote locations.
- Because the intermediate connections are made over the Internet, a new peer link can easily be added.
- Costs are saved through the benefits of VPN tunnels over the Internet combined with high-speed switching technologies, for example Frame Relay and ATM.

b) Main disadvantages of a VPN-based intranet:

- Because data is tunneled through the public Internet, threats to data security and quality of service (QoS) remain.
- The probability of packets being lost in transit is still quite high.
- Transmitting large volumes of data, such as multimedia, with high-speed and real-time requirements is a big challenge in the Internet environment.

1.6.3 Extranet VPN

Unlike intranet VPN and remote access VPN, extranet VPN is not isolated from the outside world. In fact, extranet VPN provides access control to the network resources needed to extend business to partners, customers and suppliers.

Figure 4: Extranet VPN model (diagram labels: Intranet, Extranet, Business-to-business, DSL, cable, Router or PIX Firewall, Internet, POP, Remote site, Central site, remote office, central office)

Extranet VPNs provide a secure tunnel between customers, suppliers and partners over a public infrastructure. This type of VPN uses connections that are always secured and is configured as a Site-to-Site VPN. The difference between an intranet VPN and an extranet VPN is that network access is granted to one of the two VPN endpoints.

a) Main advantages of extranet VPN:

- The cost of an extranet VPN is much lower than that of a traditional network.
- Easy to set up and maintain, and easy to change on a running network.
- Because the extranet VPN is built on the Internet, there are more opportunities to provide services and to choose solutions suited to each company's needs.
- Because the Internet connections are maintained by the Internet service provider, fewer technical support staff are needed, reducing the operating cost of the whole network.

b) Disadvantages of extranet VPN:

- Risks to information security and data loss while in transit over the public network remain.
- Transmitting large volumes of data, such as multimedia, with high-speed and real-time requirements is a big challenge in the Internet environment.
- It increases the risk to the company's local networks.

2 Protocols used in VPN.

2.1 The IPSec protocol suite.

Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a session; IPSec also includes protocols for establishing mutual authentication between agents at the beginning of a session and for negotiating the cryptographic keys to be used.

IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite (IPS). It is used to protect data flows between a pair of hosts (host-to-host), between two networks (network-to-network), or between a network and a host (network-to-host).

Origin: IPSec was initially developed at the Naval Research Laboratory as part of a DARPA (Defense Advanced Research Projects Agency, the advanced technology research agency of the US Department of Defense) research project. ESP was derived directly from the SP3D protocol rather than from the ISO Network Layer Security Protocol (NLSP); the SP3D specification was published by NIST (National Institute of Standards and Technology), but SP3D was designed by the National Security Agency (NSA) for securing network systems. IPSec AH derives from IETF (Internet Engineering Task Force) standards.

2.1.1 Architecture.

The IPSec suite is an open standard; IPSec uses several protocols that perform different functions. IPSec comprises the following components:

- Authentication Header (AH): provides connection integrity and data origin authentication for IP packets, and offers protection against attacks.
- Encapsulating Security Payload (ESP): provides confidentiality, data origin authentication, connection integrity, and secure control of data flows.
- Security Associations (SA): provide the algorithms and parameters that AH and ESP need in order to operate. They provide a key exchange method (ISAKMP, Internet Security Association and Key Management Protocol) for computing and supplying shared keys (pre-shared keys), such as IKE (Internet Key Exchange), IKEv2, KINK (Kerberized Internet Negotiation of Keys), or IPSECKEY.

Figure 5: Diagram of the IPSec components and the flow between them.

2.2 The PPTP, L2TP and SSTP protocols.

2.2.1 PPTP (Point-to-Point Tunneling Protocol).

PPTP is a virtual private network method developed by Microsoft together with several other companies; it uses a control channel over TCP and a GRE tunnel to encapsulate PPP (Point-to-Point) packets. PPTP is part of the Internet Point-to-Point Protocol (PPP) standards, and it uses the same authentication types as PPP (PAP, SPAP, CHAP, MS-CHAP and EAP).

PPTP establishes the tunnel but does not provide encryption on its own; it encrypts using Microsoft Point-to-Point Encryption (MPPE) to create a secure VPN. PPTP has a relatively low cost, which explains why it is so widely used by Microsoft customers.

a) How PPTP works.

PPP is the common protocol today for accessing the Internet and IP networks. It works at the data link layer of the OSI model; PPP includes methods for encapsulating and de-encapsulating IP packets, which are transmitted point to point from one machine to another.

PPTP encapsulates PPP packets and frames in IP packets for transmission over an IP network. PPTP uses a TCP connection to initiate, maintain and terminate the tunnel, and uses Generic Routing Encapsulation (GRE) to encapsulate the PPP frames. The payload of the PPP frame can be encrypted and compressed.

PPTP uses PPP to establish and terminate the physical connection, identify the user, and create PPP data packets.

PPTP can run over an IP network between the PPTP client and the PPTP server. The PPTP client can connect directly to the server through a network access server (NAS) to establish the IP connection. Once the connection is made, the user is authenticated. This is an optional phase in PPP, but it is always provided by the ISP. Authentication during PPTP connection setup uses the authentication mechanisms of the PPP connection.

Some of the authentication mechanisms used are:

- Extensible Authentication Protocol (EAP).
- Challenge Handshake Authentication Protocol (CHAP).
- Password Authentication Protocol (PAP).

PAP works by sending the password over the connection as plain text, with no protection. CHAP is a stronger authentication protocol: it uses a three-way handshake, and it resists replay attacks by using unique, unpredictable secret values. PPTP's developers also added encryption and compression of the PPP payload. To encrypt the PPP payload, Microsoft Point-to-Point Encryption (MPPE) can be used.

MPPE only provides encryption while data is in transit on the link; it does not provide encryption from one endpoint to the other. If end-to-end encryption is required, IPSec can be used to secure the IP traffic between the endpoints after the PPTP tunnel has been established.
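The PAP/CHAP contrast above, as an added example that is not part of the thesis: PAP puts the password itself on the wire, while CHAP (RFC 1994, MD5 algorithm) answers a single-use random challenge with MD5(Identifier || secret || challenge), so a captured Response cannot be replayed. The "link" is an in-memory exchange, and the shared secret and peer name are constructed sample values.

```python
"""PAP versus CHAP on a PPP link: why CHAP resists replay."""
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"   # known only to peer and authenticator
PEER = b"alice"                          # constructed peer name


# --- PAP: the Authenticate-Request carries the password itself ----------
def pap_request(peer_id, password):
    """Peer -> authenticator. Whoever captures this frame learns the password."""
    return b"PAP-REQ:" + peer_id + b":" + password


def pap_verify(frame, password):
    """Authenticator side: plain comparison of what arrived on the wire."""
    return frame.split(b":", 2)[2] == password


# --- CHAP: three-way handshake (Challenge, Response, Success/Failure) ----
def chap_response(ident, secret, challenge):
    """Peer side: RFC 1994 Response value for the MD5 algorithm."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side. Every challenge is random and used exactly once."""

    def __init__(self, secret):
        self.secret = secret
        self.ident = 0
        self.outstanding = {}   # Identifier -> challenge value awaiting a Response

    def challenge(self, value=None):
        """Step 1: send Challenge. A fixed 'value' is only for reproducible tests."""
        self.ident = (self.ident + 1) & 0xFF
        value = value if value is not None else os.urandom(16)
        self.outstanding[self.ident] = value
        return self.ident, value

    def verify(self, ident, response):
        """Steps 2/3: check the Response. The challenge is consumed whether or not
        the Response matches, so a replayed Response finds nothing to match."""
        value = self.outstanding.pop(ident, None)
        if value is None:
            return False
        expected = chap_response(ident, self.secret, value)
        return hmac.compare_digest(expected, response)


def simulate():
    """Run both protocols over a 'wire' an eavesdropper can read and replay."""
    wire = []                                   # everything seen on the path

    # PAP: the captured frame is immediately reusable and exposes the secret.
    frame = pap_request(PEER, SECRET)
    wire.append(frame)
    pap_ok = pap_verify(frame, SECRET)
    pap_replay_ok = pap_verify(wire[0], SECRET)

    # CHAP: the captured Response is bound to one challenge.
    auth = ChapAuthenticator(SECRET)
    ident, chal = auth.challenge()
    resp = chap_response(ident, SECRET, chal)
    wire.append(resp)
    chap_ok = auth.verify(ident, resp)
    chap_replay_ok = auth.verify(ident, wire[-1])   # same Response again: rejected

    # A later handshake gets a fresh challenge, so the old Response cannot fit it.
    ident2, _ = auth.challenge()
    chap_cross_ok = auth.verify(ident2, resp)

    return {"pap_ok": pap_ok, "pap_replay_ok": pap_replay_ok,
            "password_on_wire": SECRET in wire[0],
            "chap_ok": chap_ok, "chap_replay_ok": chap_replay_ok,
            "chap_cross_ok": chap_cross_ok}
```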

Once PPP has established the connection, PPTP uses PPP's encapsulation rules to encapsulate the packets sent through the tunnel. To take advantage of the connection created by PPP, PPTP defines two packet types, control and data, and assigns them to two separate channels, a control channel and a data channel. PPTP separates the control channel from the data channel into a control stream carried by the Transmission Control Protocol (TCP) and a data stream carried by IP. The TCP connection created between the client and the server is used to carry control messages.

Data packets are the user's ordinary data. Control packets are sent periodically to obtain information about the connection state and to manage signaling between the PPTP client and the PPTP server. Control packets are also used to send device management and configuration information between the two tunnel endpoints.

The control channel is required to establish a tunnel between the PPTP client and server. The PPTP server is a server running the PPTP protocol with one interface connected to the Internet and another connected to the Intranet, while the client software can reside on the remote user's machine or on the ISP's servers.

b) The PPTP tunnel control connection.

The PPTP control connection is a connection between the IP address of the PPTP client and the address of the server. The PPTP control connection carries the control and management packets used to maintain the PPTP tunnel. These messages include periodic PPTP Echo-Request and PPTP Echo-Reply messages that detect connection failures between the PPTP client and server. PPTP control connection packets consist of an IP header, a TCP header, the PPTP control message, and the data link layer header and trailer.

c) PPTP tunnel data encapsulation.

Encapsulation of the PPP frame in GRE. The original PPP payload is encrypted and encapsulated with a PPP header to create the PPP frame. The PPP frame is then encapsulated with the header of a modified version of the GRE protocol. GRE is a generic encapsulation protocol that provides a mechanism for encapsulating routed data over IP networks. For PPTP, the GRE header is modified in a few ways. A 32-bit Acknowledgment field is added. An Acknowledgment bit indicates the presence of the 32-bit Acknowledgment field. The Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID field is set by the PPTP client during tunnel initiation.

IP encapsulation

In transit, the PPP payload and the GRE header are then encapsulated with an IP header containing the appropriate source and destination addresses of the PPTP client and server.

Data link layer encapsulation

To be transmitted over a LAN or WAN, the final IP packet is encapsulated with the header and trailer of the data link layer of the outgoing physical interface. For example, on a LAN, if the IP packet is sent over an Ethernet interface it is sent with an Ethernet header and trailer. If the IP packet is sent over a point-to-point WAN link, it is encapsulated with a PPP header and trailer.

- IP or IPX packets, or NetBEUI frames, are submitted by their respective protocols to the virtual interface representing the VPN connection, using the Network Driver Interface Specification (NDIS).
- NDIS submits the packet to NDISWAN, which encrypts and compresses the data and supplies a PPP header; this PPP header consists only of the PPP Protocol ID field, with no Flags or Frame Check Sequence (FCS) fields. This assumes the Address and Control fields were negotiated away by the Link Control Protocol (LCP) during PPP connection setup.
- NDISWAN submits the data to the PPTP protocol driver, which encapsulates the PPP frame with a GRE header. In the GRE header, the Call ID field is set to the appropriate value identifying the tunnel.
- The PPTP protocol driver then submits the resulting packet to TCP/IP.
- TCP/IP encapsulates the PPTP tunneled data with an IP header and then submits the result, via NDIS, to the interface representing the dial-up connection to the local ISP.
- NDIS submits the packet to NDISWAN, which supplies the PPP header and trailer.
- NDISWAN submits the resulting PPP frame to the appropriate WAN port representing the dial-up hardware.

d) Processing data packets at the PPTP tunnel endpoint.

On receiving PPTP tunneled data, the PPTP client or server performs the following steps:

- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Process and remove the GRE and PPP headers.
- Decrypt and/or decompress the PPP payload.
- Process the payload for receipt or forwarding.
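Sections c) and d) above, as an added example that is not the thesis's own code: build_pptp_gre() lays out the modified GRE header of RFC 2637 exactly as described (Key field replaced by a 16-bit Payload Length and a 16-bit Call ID, optional Sequence Number, 32-bit Acknowledgment field signalled by the A bit), and decapsulate() walks the receive steps of section d) over a constructed Ethernet/IPv4/GRE/PPP frame. MAC and IP addresses, the call ID and the payload are made-up sample values, and the payload is left in the clear where a real tunnel would carry MPPE-encrypted data.

```python
"""PPTP data path: enhanced GRE header (RFC 2637) and endpoint decapsulation."""
import struct

GRE_PROTO_PPP = 0x880B       # Protocol Type used by PPTP's GRE
IP_PROTO_GRE = 47            # IPv4 Protocol number for GRE
ETHERTYPE_IPV4 = 0x0800
PPP_PROTO_IP = 0x0021        # PPP Protocol field for an IPv4 payload
FLAG_K, FLAG_S = 0x20, 0x10  # first header byte: Key present, Sequence present
FLAG_A = 0x80                # second header byte: Ack present; low 3 bits = version (1)


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """flags | proto | payload length | call ID | [seq] | [ack] | payload."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)   # K is always set for PPTP
    b1 = 1 | (FLAG_A if ack is not None else 0)         # version 1 = enhanced GRE
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(data):
    """Return ({'call_id', 'seq', 'ack'}, payload); ValueError if not PPTP GRE."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", data[:8])
    if proto != GRE_PROTO_PPP or (b1 & 0x07) != 1 or not (b0 & FLAG_K):
        raise ValueError("not a PPTP enhanced GRE header")
    off, seq, ack = 8, None, None
    if b0 & FLAG_S:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if b1 & FLAG_A:
        ack = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    payload = data[off:off + plen]
    if len(payload) != plen:
        raise ValueError("Payload Length field disagrees with packet size")
    return {"call_id": call_id, "seq": seq, "ack": ack}, payload


def ipv4_header(src, dst, total_len):
    """Minimal 20-byte IPv4 header carrying GRE (checksum left zero: sample only)."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                       IP_PROTO_GRE, 0, to_bytes(src), to_bytes(dst))


def sample_frame():
    """Constructed frame as it would leave the PPTP client's Ethernet interface."""
    ppp = struct.pack("!H", PPP_PROTO_IP) + b"constructed tunnelled IP datagram"
    gre = build_pptp_gre(call_id=0x1234, payload=ppp, seq=7, ack=6)
    ip = ipv4_header("192.0.2.10", "198.51.100.1", 20 + len(gre)) + gre
    eth = bytes.fromhex("0200000000020200000000010800")  # dst MAC, src MAC, EtherType
    return eth + ip


def decapsulate(frame):
    """Section d): strip the link, IP, GRE and PPP headers in turn."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]                                       # 1. drop the link header
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_GRE:
        raise ValueError("IP payload is not GRE")
    gre_fields, ppp = parse_pptp_gre(ip[ihl:total_len])   # 2./3. drop IP, then GRE
    ppp_proto = struct.unpack("!H", ppp[:2])[0]           # PPP header = Protocol field only
    # 4. a real endpoint would MPPE-decrypt / decompress ppp[2:] at this point
    return gre_fields, ppp_proto, ppp[2:]                 # 5. hand the payload on
```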

e) Features and limitations of PPTP.

Features:

- PPTP creates multiple connections between clients without requiring special ISP services.
- PPTP is suitable for many popular operating systems (Microsoft, Nortel Networks, TeteSystems).
- PPTP supports IP services, encrypts packets with RC4 (56-bit or 128-bit), and uses port 1723 and the GRE protocol.

Some limitations:

The biggest difficulty with PPTP is its weak security: it uses symmetric encryption in which the key is derived from the user's password. This is all the more dangerous because the password is often sent fully exposed during authentication. The next tunneling protocol, L2F, was developed to improve security in this respect.

2.2.2 Layer 2 Tunneling Protocol (L2TP).

The IETF combined the PPTP and L2F protocols and developed L2TP. It combines the best features of PPTP and L2F. Thus L2TP provides the flexibility, scalability and cost efficiency of L2F's remote access solution together with PPTP's fast point-to-point connectivity.

Because L2TP is a blend of the characteristics of both PPTP and L2F, it includes:

- L2TP supports multiple protocols and network technologies, such as IP, ATM, FR and PPP.
- L2TP does not require deploying any additional software, such as drivers or operating system support. Therefore neither users nor the private intranet need to deploy specialized software.
- L2TP allows remote users to access the remote network through the public network with an unregistered (or private) IP address.
- L2TP authentication and authorization are performed by the host network gateway. Therefore the ISP does not need to hold authentication data or access rights of remote users. Furthermore, the private intranet can define its own access policies. This makes the tunnel setup process faster than with the previous tunneling protocol.

The main point of L2TP tunnels is that L2TP establishes the PPP tunnel so that, unlike PPTP, it does not end near the ISP. Instead, the tunnels extend to the gateway of the host (or destination) network, although L2TP tunnel requests can be initiated either by the remote user or by the ISP gateway.

When PPP frames are sent through the L2TP tunnel, they are encapsulated as User Datagram Protocol (UDP) messages. L2TP uses these UDP messages for tunnel data as well as for tunnel maintenance. In addition, the tunnel data and tunnel maintenance packets, unlike in previous tunneling protocols, share the same packet structure.

a) Components of L2TP.

An L2TP transaction involves three basic components: a Network Access Server (NAS), an L2TP Access Concentrator (LAC) and an L2TP Network Server (LNS).

Network Access Server (NAS)

- L2TP NASs are point-to-point access devices that provide on-demand Internet connectivity to remote users who dial in (over PSTN or ISDN) using PPP connections. NASs are responsible for authenticating remote users at the ISP end and for determining whether a virtual connection is required. Like PPTP NASs, L2TP NASs are located at the ISP site and act as the client in the L2TP tunnel setup process. NASs can respond to and support many simultaneous connection requests and a wide range of clients.

L2TP Access Concentrator (LAC)

- The role of LACs in L2TP tunneling is to establish a tunnel over a public network (such as PSTN, ISDN or the Internet) to the LNS at the host network end. LACs serve as the termination point of the physical medium between the client and the LNS of the host network.

L2TP Network Server (LNS)

- LNSs are located at the host network end. They therefore terminate the L2TP connection at the host network end in the same way that LACs terminate the tunnel from the client. When an LNS receives a request for a virtual connection from a LAC, it establishes the tunnel and authenticates the user who initiated the connection request. If the LNS accepts the connection request, it creates a virtual interface.

b) The L2TP process.

When a remote user needs to establish an L2TP tunnel over the Internet or another shared network, the following steps take place in order:

Step 1: The remote user sends a connection request to its nearest ISP NAS and begins initiating a PPP connection with the ISP end.

Step 2: The NAS accepts the connection request after authenticating the end user. The NAS uses PPP authentication methods such as PAP, CHAP, SPAP and EAP for this purpose.

Step 3: The NAS then activates the LAC, which gathers the information needed to reach the LNS of the host network.

Step 4: Next, the LAC establishes a LAC-LNS tunnel across the intermediate network between the two endpoints. The intermediate tunnel can run over ATM, Frame Relay or IP/UDP.

Step 5: Once the tunnel has been established successfully, the LAC assigns a Call ID (CID) to the connection and sends a notification message to the LNS. This notification contains information that can be used to authenticate the user. The message also carries the LCP options negotiated between the user and the LAC.

Step 6: The LNS uses the information received in the notification message to authenticate the end user. If the user is authenticated successfully and the LNS accepts the tunnel request, a virtual PPP interface (the L2TP tunnel) is established with the help of the LCP options received in the notification message.

Step 7: The remote user and the LNS then begin exchanging data through the tunnel.

L2TP, like PPTP and L2F, supports two operating modes:

- Incoming call mode. In this mode the connection request is initiated by the remote user.

- Outgoing call mode. In this mode the connection request is initiated by the LNS. The LNS instructs the LAC to place a call to the remote user. After the LAC sets up the call, the remote user and the LNS can exchange data packets through the tunnel.

c) L2TP tunneled data.

Like PPTP tunneled packets, L2TP data goes through several layers of encapsulation. The stages of L2TP data tunneling are as follows:

- PPP encapsulation of the data. Unlike PPTP's encapsulation, the data is not encrypted before encapsulation. Only a PPP header is added to the original payload.

- L2TP encapsulation of the PPP frame. After the original payload has been encapsulated in a PPP packet, an L2TP header is added to it.

- UDP encapsulation of L2TP frames. Next, the L2TP-encapsulated packet is further encapsulated in a UDP frame. In other words, a UDP header is added to the encapsulated L2TP frame. The source and destination ports in the UDP header are set to 1710 as assigned.

- IPSec encapsulation of UDP datagrams. After the L2TP frame has been UDP-encapsulated, this UDP frame is encrypted and an IPSec ESP header is added to it. An IPSec AH trailer is also inserted into the encrypted, encapsulated packet.

- IP encapsulation of IPSec-encapsulated datagrams. Next, the final IP header is added to the IPSec-encapsulated packet. This IP header carries the IP addresses of the L2TP server (LNS) and of the remote user.

- Data link layer encapsulation. Finally, the data link layer header and trailer are added to the IP packet produced by the final IP encapsulation. The data link header and trailer carry the packet to the destination node. If the destination node is local, the data link header and trailer are based on the LAN technology (for example, Ethernet). If, on the other hand, the packet is bound for a remote location, a PPP header and trailer are added to the L2TP-encapsulated packet.

De-tunneling L2TP tunneled packets is the reverse of the tunneling process. When an L2TP component (the LNS or the end user) receives an L2TP tunneled packet, it first processes the packet by removing the data link layer header and trailer. Next the packet is processed further and the IP header is removed.

The packet is then authenticated using the information carried in the IPSec ESP header and AH trailer. The IPSec ESP header is also used to decrypt the encrypted information. Next, the UDP header is processed and removed. The Tunnel ID and Call ID fields in the L2TP header are used to identify the L2TP tunnel and session.

Finally, the PPP header is processed and removed, and the PPP payload is forwarded to the appropriate protocol driver for processing.
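The encapsulation stages and their reversal above can be made concrete by building the headers layer by layer. The following Python is an added example written for this page, not code from the thesis or from any L2TP implementation; it assumes the L2TP data-message header layout and the IANA-assigned UDP port 1701 from RFC 2661, and it leaves out the IPSec and data-link stages so that only PPP, L2TP, UDP and IP are shown. The inner packet bytes and the tunnel/session identifiers are constructed sample values.

```python
import ipaddress
import struct

L2TP_UDP_PORT = 1701     # UDP port assigned to L2TP in RFC 2661
IPPROTO_UDP = 17
PPP_PROTO_IPV4 = 0x0021  # PPP protocol number for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ppp_encapsulate(protocol: int, payload: bytes) -> bytes:
    # Stage 1: PPP header only (address 0xFF, control 0x03, protocol). No encryption
    # happens here; L2TP leaves confidentiality to IPSec instead of encrypting like PPTP.
    return struct.pack("!BBH", 0xFF, 0x03, protocol) + payload

def l2tp_encapsulate(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    # Stage 2: L2TP data header. Flags/version 0x4002 = T bit clear (data, not control),
    # L bit set (length field present), version 2. Tunnel ID and session (call) ID follow.
    return struct.pack("!HHHH", 0x4002, 8 + len(ppp_frame), tunnel_id, session_id) + ppp_frame

def udp_encapsulate(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Stage 3: UDP header; a checksum of 0 means "not computed" for IPv4 UDP.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def ipv4_encapsulate(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Stage 5: outer IP header carrying the LAC and LNS addresses (IPSec, stage 4, omitted).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def tunnel_packet(inner_ip: bytes, tunnel_id: int, session_id: int,
                  lac_ip: str, lns_ip: str) -> bytes:
    """LAC-side encapsulation of an inner IP packet for the given tunnel and session."""
    ppp = ppp_encapsulate(PPP_PROTO_IPV4, inner_ip)
    l2tp = l2tp_encapsulate(tunnel_id, session_id, ppp)
    udp = udp_encapsulate(L2TP_UDP_PORT, L2TP_UDP_PORT, l2tp)
    return ipv4_encapsulate(lac_ip, lns_ip, IPPROTO_UDP, udp)

def detunnel_packet(packet: bytes) -> dict:
    """LNS-side de-tunneling: strip IP, UDP, L2TP and PPP, validating each layer first."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    udp = packet[ihl:]
    _src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != L2TP_UDP_PORT or udp_len != len(udp):
        raise ValueError("not an L2TP datagram")
    l2tp = udp[8:]
    flags, length, tunnel_id, session_id = struct.unpack("!HHHH", l2tp[:8])
    if flags & 0x8000:
        raise ValueError("control message, not tunneled data")
    if (flags & 0x000F) != 2:
        raise ValueError("unsupported L2TP version")
    if not (flags & 0x4000) or length != len(l2tp):
        raise ValueError("L2TP length mismatch")
    ppp = l2tp[8:]
    address, control, protocol = struct.unpack("!BBH", ppp[:4])
    if (address, control) != (0xFF, 0x03):
        raise ValueError("malformed PPP header")
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ppp_protocol": protocol, "payload": ppp[4:]}
```

The Tunnel ID and session ID recovered by `detunnel_packet` are what the LNS uses to map the frame to the right tunnel and call; everything before that point is only header validation, which is why a receiver should check lengths and version bits before trusting the identifiers.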

d) L2TP tunnel modes.

L2TP supports two modes: compulsory tunnel mode and voluntary tunnel mode. These tunnels play an important role in securing data transactions from one endpoint to the other.

In compulsory tunnel mode, PPP frames from the remote PC are tunneled transparently to the LAN. This means the remote client does not control the tunnel and appears as if it were connected directly to the corporate network through a PPP connection. The L2TP software adds an L2TP header to each PPP frame that is tunneled. This header is used at the other endpoint of the tunnel, where the L2TP packet is demultiplexed.

The steps for establishing a compulsory L2TP tunnel are as follows:

Step 1: The remote user requests a PPP connection from the NAS located at the ISP site.

Step 2: The NAS authenticates the user. This authentication also lets the NAS learn how the user is requesting the connection.

Step 3: If the NAS accepts the connection request, a PPP connection is established between the ISP and the remote user.

Step 4: The LAC initiates an L2TP tunnel to an LNS at the host network end.

Step 5: If the connection is accepted by the LNS, the PPP frames undergo L2TP tunneling. These L2TP-tunneled frames are then forwarded to the LNS through the L2TP tunnel.

Step 6: The LNS accepts these frames and restores the original PPP frames.

Step 7: Finally, the LNS authenticates the user and receives the data packets. If the user is validated, an appropriate IP address is mapped to the frame.

Step 8: The frame is then forwarded to the destination node in the intranet.

In voluntary tunnel mode the remote client itself carries the LAC function and can control the tunnel. Since the L2TP protocol operates exactly as it does with a compulsory tunnel, the LNS sees no difference between the two modes.

The biggest advantage of voluntary L2TP tunnels is that they let a remote user connect to the Internet and establish several VPN sessions at the same time. To use this effectively, however, the remote user must be assigned several IP addresses. One IP address is used for the PPP connection to the ISP and one for each separate L2TP tunnel. This benefit is also a drawback for the remote user, because the host network can thereby be exposed to attacks.

Setting up a voluntary L2TP tunnel is simpler than setting up a compulsory tunnel, because the remote user takes care of re-establishing the PPP connection to the ISP end.

The steps for establishing a voluntary L2TP tunnel are:

Step 1: The LAC (in this case the remote user) issues a request for a voluntary L2TP tunnel to the LNS.

Step 2: If the tunnel request is accepted by the LNS, the LAC tunnels the PPP frames according to the L2TP specification and forwards these frames through the tunnel.

Step 3: The LNS accepts the tunneled frames, strips the tunneling information and processes the frames.

Step 4: Finally, the LNS authenticates the user and, if the user is authenticated successfully, forwards the frames to the destination node in the intranet.

e) Advantages and disadvantages of L2TP.

The main advantages of L2TP are listed below:

- L2TP is a general solution; in other words, it is platform independent. It also supports many different network technologies. Furthermore, it supports transactions over non-IP WAN links without requiring IP.

- L2TP tunneling is transparent to the ISP as well as to the remote user. No configuration is required on the user's side or on the ISP's side.

- L2TP lets an organization control user authentication instead of leaving it to the ISP.

- L2TP provides low-level flow control that can drop packets at will if the tunnel becomes overloaded. This makes L2TP transactions faster than L2F transactions.

- L2TP lets remote users with unregistered (or private) IP addresses access the remote network over a public network.

- L2TP improves security by using IPSec-based payload encryption during tunneling, and by being able to apply IPSec authentication to every packet.

Deploying L2TP also has the following disadvantages:

- L2TP is slower than PPTP or L2F because it uses IPSec to authenticate every packet received.

- Although PPTP ships as a ready-made VPN solution, a Routing and Remote Access Server (RRAS) requires extended configuration.

2.2.3 Secure Socket Tunneling Protocol (VPN-SSTP).

Besides the two mechanisms PPTP and L2TP, Windows Server 2008 and Windows Vista Service Pack 1 now support an additional new connection mechanism: Secure Socket Tunneling Protocol (SSTP).

a) Introduction.

SSTP (Secure Socket Tunneling Protocol) is a form of VPN connection in Windows Vista and Windows Server 2008. SSTP uses SSL-encrypted HTTP connections to establish a VPN connection to the VPN gateway. SSTP is a very secure protocol because the user's sensitive information is not sent until a secure SSL tunnel has been established with the VPN gateway. SSTP is also known as PPP over SSL, which also means you can use PPP and EAP authentication mechanisms to make SSTP connections more secure.

b) Reasons for using PPTP in a VPN.

A virtual private network (VPN) provides a way to connect remotely to a network over the Internet. Windows Server 2003 supports VPN tunnels based on PPTP and L2TP/IPSec. If the remote user is behind a firewall, these tunnels require specific ports to be opened in the firewall, such as TCP port 1723 and IP protocol GRE to allow PPTP connections.

There are situations, such as an employee visiting a customer, a partner site or a hotel, where the network only allows web access (HTTP, HTTPS) and all other ports are blocked. As a result, these remote users run into problems when making VPN connections, which increases help-desk calls and reduces employee productivity. Secure Socket Tunneling Protocol (SSTP) is a new VPN tunnel introduced in Windows Server 2008 to solve this VPN connectivity problem.

SSTP does this by using HTTPS as the transport layer, so that VPN connections can pass through the firewalls, NATs and web proxy servers that are commonly configured. Because HTTPS connections (TCP 443) are routinely used to reach protected Internet sites such as e-commerce sites, HTTPS is usually open in firewalls and can pass through web proxies and NAT routers.

A VPN server running on Windows Server 2008 and based on SSTP listens for SSTP connections from VPN clients. The SSTP server must have a Computer Certificate installed with the Server Authentication property. This Computer Certificate is used to authenticate the SSTP server to the SSTP client while the SSL session is being established. The client validates the SSTP server's certificate. For this to work, the Root CA that issued the certificate to the SSTP server must be installed on the SSTP client.

An SSTP-based VPN tunnel works as a peer of the L2TP- and PPTP-based tunnels. This means PPTP is wrapped inside SSTP so that traffic is sent over the HTTPS connection. Thus all the other VPN features, such as NAT-based health checks, carrying IPv6 traffic over the VPN, authentication methods such as username and smartcard, and the VPN client based on the Connection Manager, remain unchanged across SSTP, PPTP and L2TP. This gives administrators a good long-term path for migrating from L2TP/PPTP to SSTP.

c) How does SSTP work?

SSTP operates over HTTPS, that is, HTTP using SSL for the confidentiality of information and data. SSL also provides a mechanism for authenticating the endpoints when required, using PKI. SSTP uses SSL to authenticate the server to the client, and relies on PPP running on top of it to authenticate the client to the server. In other words, the client authenticates the server with a certificate, and the server authenticates the client through the existing protocols supported by PPP.

When a client connects to the Remote Access Server using SSTP as the tunneling protocol, SSTP establishes an HTTPS session with the remote server on port 443 at a specific URL. The HTTP proxy settings configured through IE are used to establish this connection.

Within the HTTPS session, the client requires the server to present a certificate for authentication. When the SSL handshake is complete, the HTTP session is established on top of it. SSTP is then used to negotiate parameters between the client and the server.

Once the SSTP layer is established, SSTP negotiation begins in order to authenticate the client to the server and to create the tunnel for data.

Chapter 2: Understanding the encryption mechanisms of IPSec.

1. Introduction to IPSec.

1.1. Operating modes.

1.1.1. Transport mode.

This mode supports communication between hosts, or between a server and another host, without the intervention of any gateway acting as a network security device. In Transport mode, only the data portion of the packets is encrypted and/or authenticated. During routing, the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified (for example, port numbers). Transport mode is used in host-to-host communication situations. This means the encapsulation of IPSec information for NAT traversal is defined by the RFC for NAT-T.

Figure 6: IPSec packet structure in Transport Mode

1.1.2. Tunnel mode:

This mode supports remote access and secure links between sites. Transport mode applies AH and ESP to the transport-layer portion of an IP packet. The actual payload of this IP packet is the only part of the whole packet that is protected. The header of the IP packet, with the addresses of the sender and the receiver, is not protected. When both AH and ESP are applied, AH is applied afterwards so that integrity is computed over the whole data. Tunnel mode, on the other hand, allows the entire IP packet to be encrypted and received. Security gateways use this mode to provide security services on behalf of other entities on the network. The end communication points are protected inside the incoming IP packets, while the encryption endpoints are carried in the outgoing IP packets. A security gateway analyzes the incoming IP packet for the final recipient after IPSec has finished its processing. In tunnel mode, the destination IP address is protected.

Figure 7: IPSec packet structure in Tunnel Mode

In tunnel mode an additional IP header is added, whereas in transport mode it is not. IPSec defines tunnel mode for both AH and ESP.

When host 1 wants to communicate with host 2, it can use tunnel mode to let the security gateways provide the services that secure communication between the two network nodes over the public network.

IPSec allows security to be applied in multiple layers and along multiple paths. Here the header of the inner packet is completely enclosed by the header of the packet that is sent. There is, however, one condition: the paths must not overlap.

For outbound traffic processing, the IP layer consults the SPD (Security Policy Database) to decide which security services to apply. Selectors extracted from the headers are used to point to an action for the SPD. If the SPD action is to apply security, a pointer to the SA in the SADB (Security Association Database) is returned. If the SA is not in the SADB, IKE is triggered. The AH and ESP headers are then added in the way the SA specifies and the packet is sent.

For inbound traffic processing, after a packet is received, the layer responsible for security checks the list of security policies to determine one of the following actions: discard, bypass or apply. If the action is apply but no SA exists, the packet is dropped. If the SA is in the SADB, however, the packet is passed to the next layer for processing. If the packet carries IPSec service headers, the IPSec stack takes the packet and processes it. During processing, IPSec extracts the SPI and the packet's source and destination addresses. The SADB is indexed by these parameters to select the unique SA to use: SPI, destination address or protocol.
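The outbound and inbound decision paths just described (SPD lookup by selectors, the discard/bypass/protect outcome, the SADB indexed by SPI, destination and protocol, and IKE triggered when no SA exists) can be modelled directly. The Python below is an added example written for this page, not code from the thesis or from any IPSec stack; the policy entries, addresses and the stand-in `fake_ike` negotiator (which simply hands back a constructed SA instead of running a real IKE exchange) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"
IPPROTO_ESP, IPPROTO_AH = 50, 51

@dataclass
class Selector:
    """Traffic selector taken from packet headers: address ranges, protocol, port."""
    src: str                      # CIDR, e.g. "10.0.0.0/8"
    dst: str
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

@dataclass
class SPDEntry:
    selector: Selector
    action: str                          # DISCARD, BYPASS or PROTECT
    ipsec_proto: Optional[str] = None    # "ESP" or "AH" when action is PROTECT

@dataclass
class SA:
    spi: int
    dst: str
    ipsec_proto: str
    cipher: str
    auth: str

class SADB:
    """Security Association Database, indexed by (SPI, destination address, protocol)."""
    def __init__(self) -> None:
        self._sas: dict = {}

    def add(self, sa: SA) -> None:
        self._sas[(sa.spi, sa.dst, sa.ipsec_proto)] = sa

    def lookup_inbound(self, spi: int, dst: str, ipsec_proto: str) -> Optional[SA]:
        return self._sas.get((spi, dst, ipsec_proto))

    def find_outbound(self, dst: str, ipsec_proto: str) -> Optional[SA]:
        for sa in self._sas.values():
            if sa.dst == dst and sa.ipsec_proto == ipsec_proto:
                return sa
        return None

class IPsecPolicyEngine:
    def __init__(self, spd: list, sadb: SADB, ike: Callable[[str, str], SA]) -> None:
        self.spd, self.sadb, self.ike = spd, sadb, ike   # ike negotiates an SA for (peer, proto)

    def outbound(self, pkt: dict):
        for entry in self.spd:                # ordered list: first matching selector wins
            if entry.selector.matches(pkt):
                if entry.action != PROTECT:
                    return entry.action, None
                sa = self.sadb.find_outbound(pkt["dst"], entry.ipsec_proto)
                if sa is None:                # no SA yet: trigger IKE, then store the result
                    sa = self.ike(pkt["dst"], entry.ipsec_proto)
                    self.sadb.add(sa)
                return PROTECT, sa
        return DISCARD, None                  # no policy matched: default deny

    def inbound(self, pkt: dict):
        if pkt["proto"] in (IPPROTO_ESP, IPPROTO_AH):
            proto = "ESP" if pkt["proto"] == IPPROTO_ESP else "AH"
            sa = self.sadb.lookup_inbound(pkt["spi"], pkt["dst"], proto)
            return (PROTECT, sa) if sa else (DISCARD, None)   # apply without SA: drop
        for entry in self.spd:
            if entry.selector.matches(pkt):
                # cleartext that policy says must be protected is dropped, never passed up
                return (BYPASS, None) if entry.action == BYPASS else (DISCARD, None)
        return DISCARD, None

def build_engine() -> IPsecPolicyEngine:
    """Constructed sample policy: let IKE (UDP/500) through, protect intranet traffic, drop the rest."""
    spd = [
        SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0", proto=17, dport=500), BYPASS),
        SPDEntry(Selector("10.0.0.0/8", "10.0.0.0/8"), PROTECT, "ESP"),
        SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD),
    ]
    next_spi = iter(range(0x1000, 0x2000))

    def fake_ike(peer: str, proto: str) -> SA:   # stand-in, not a real IKE negotiation
        return SA(next(next_spi), peer, proto, "aes-cbc", "hmac-sha1")

    return IPsecPolicyEngine(spd, SADB(), fake_ike)
```

Note the two asymmetries the page describes: outbound traffic is matched by selectors and may trigger IKE, whereas inbound IPSec traffic is matched only by the (SPI, destination, protocol) triple, and inbound cleartext that falls under a "protect" rule is discarded rather than accepted.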

Figure 8

IPSec makes it possible to establish separate communication channels and ensure confidentiality over the Internet without needing to know the applications running on the host or the higher-layer protocols, such as the transport layer.

Figure 9

IPSec is a protocol suite that can authenticate data on both the sender's and the receiver's side, ensuring confidentiality and data integrity through encryption and authentication. IPSec can accommodate every application that runs over an IP network.

IPSec operates more efficiently and faster than security applications that work at the application layer.

Figure 10

IPSec can be seen as a layer beneath the TCP/IP protocol suite; this layer controls user access based on a security policy on each computer and on an organization that negotiates security between sender and receiver.

Encapsulating Security Payload (ESP): this is protocol number 50, assigned by IANA. ESP is a security protocol that can be used to provide confidentiality and authentication of data packets against eavesdropping by unauthorized users. ESP encrypts the payload of the packet; ESP also provides authentication for the inner IP packet and the ESP header. This authentication provides data origin authentication and integrity of the data packet.

ESP supports symmetric ciphers such as Blowfish and DES. The default data encryption algorithm used in IPSec is 56-bit DES. Cisco's VPN products and network devices use stronger data encryption with the 128-bit 3DES (Triple Data Encryption Security) algorithm.

The ESP protocol can be used on its own or combined with the Authentication Header (AH) protocol, depending on the environment. Both ESP and AH provide integrity and authentication of data packets.

ESP can also protect the uniqueness of packets by requiring the receiver to set the replay bit in the header, indicating that the packet has already been sent.

Authentication Header protocol (AH).

The IPSec system has a special header: the Authentication Header (AH), designed to provide most authentication services for IP data.

With IPv4

Figure 11

With IPv6

Figure 12

Internet Key Exchange protocol (IKE).

AH and ESP are the protocols IPSec requires, but they rely on shared secrets for key distribution, so keys can be stolen while being exchanged. A secure key exchange mechanism for IPSec must therefore meet the following requirements:

- Independence from any particular algorithm.

- Independence from any particular key exchange protocol.

- Authentication of the entities that manage keys.

- Establishment of SAs over insecure links.

- Efficient use of resources.

The IKE protocol is based on the framework of the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley key distribution protocol.

The IKE protocol has the following characteristics:

+ Key generation and identification procedures.

+ Automatic key refresh.

+ Handling of lost keys.

+ Each security protocol (AH, ESP) has its own security parameter index space.

+ Built-in protection.

+ Resistance to resource-clogging attacks such as Denial-of-Service (DoS) attacks.

+ A two-phase approach:

  Establishing SAs for key exchange.

  Establishing SAs for data transfer.

+ Use of digital signatures.

+ Shared keys.

The IKE protocol is designed to provide five capabilities:

- Providing the means for the two parties to agree on the protocols, algorithms and keys to use.

- Ensuring the key exchange reaches the right user.

- Managing keys after they have been accepted.

- Ensuring that key management and exchange are secure.

- Allowing dynamic authentication between peers.

1.2. The protocols.

1.2.1. The AH protocol (Authentication Header).

AH is used in connections that do not require data confidentiality. It is also an option for defending against replay attacks, using the sliding window technique and discarding older packets. AH protects data transmitted over IP. In IPv4, the IP header includes TOS, Flags, Fragment Offset, TTL and Header Checksum. AH is applied directly in the first part of the IP packet. Below is the layout of the AH header.

Figure 13: Structure of the AH packet

Meaning of each field:

- Next header (8 bits): identifies the protocol used for the transported data, i.e. the type of data that follows the AH header.

- Payload length (8 bits): the size of the AH packet in 32-bit units, minus 2 (for example, if the total length of the AH header is 6 units, the Payload length is 4).

- RESERVED (16 bits): reserved for future use (currently set to all zeros).

- Security parameters index (SPI, 32 bits): identifies the security parameters; combined with the IP address, it identifies the security association associated with the packets. Values 1-255 are reserved, value 0 is used for special purposes, and the other values are assigned as SPIs.

- Sequence number (32 bits): a unique, always increasing value that provides the anti-replay service for an SA. This information is not necessarily used by the receiver, but it must be included by the sender. The counter is initialized to 0 when the SA is established. If the anti-replay service is used, this number is never allowed to repeat. Because the sender does not know whether the receiver uses the anti-replay service, the SA is torn down and a new SA is re-established after 2^32 packets have been transmitted.

- Authentication data (variable length): this field contains the Integrity Check Value (ICV) for the packet. The field must be an integer multiple of 32 bits and may contain padding to fill the 32-bit boundary. The ICV is computed with Message Authentication Code (MAC) algorithms. MACs are based on symmetric ciphers such as DES and 3DES, or on one-way hash functions such as MD5 or SHA-1. Using a MAC when computing the ICV makes this value hard to forge. Each end of a VPN connection computes the ICV independently. If the values do not match, the packet is dropped. This ensures packets are not modified in transit.

AH provides authentication, integrity and anti-replay protection for the whole packet, including the IP header and the data carried in the packet.

AH does not provide privacy and does not encrypt data, so the data can be read but is protected against modification. AH uses a keyed algorithm to sign the data packet in order to guarantee its integrity.

Figure 14: Authentication components in AH.

Figure 15: The AH packet creation process.

The AH packet creation process.

When an AH SA is first created, the authentication algorithm and keys are stored and the sequence number counter is set to 0. When IPsec determines that an outbound packet must have AH applied, it looks up the appropriate SA and performs the following steps:

Step 1: An AH header template is inserted between the IP header and the upper-layer header.

Step 2: The sequence number is incremented and stored in the AH header. At this point AH checks to make sure the sequence number does not wrap; if it would wrap, AH creates a new SA and restarts the sequence at 0. If the sequence number does not wrap, it is incremented and stored in the AH header.

Step 3: The remaining AH fields, except the ICV, are filled in with the specified length.

Step 4: If needed, optional padding is added to the AH header to ensure it is a multiple of 32 bits (64 bits for IPv6).

Step 5: The mutable fields in the IP header and the ICV field in the AH header are set to 0, and the ICV is computed over the whole IP datagram. If there is source routing through other hops (via intermediate devices) in the IP header, the destination address must be set to the final address before the ICV is computed.

Step 6: The mutable fields are filled back in and the ICV is stored in the AH header. If there is an intermediate source routing option, the destination address field of the IP header is set to the intermediate destination.

Step 7: The IP datagram is placed on the output queue for transmission to its destination.
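The seven steps above, together with the AH field layout from the previous section, can be carried through in code. The Python below is an added example written for this page, not code from the thesis or from any IPSec implementation; it assumes transport-mode AH over IPv4 without IP options, HMAC-SHA1-96 (a 96-bit truncation of HMAC-SHA-1, as RFC 2404 specifies) as the ICV algorithm, and the usual IPv4 mutable fields (TOS, flags/fragment offset, TTL, header checksum). The key, SPI and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

IPPROTO_AH = 51
ICV_LEN = 12         # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_FIXED_LEN = 12    # next header, payload length, reserved, SPI, sequence number

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Step 5: TOS, flags/fragment offset, TTL and header checksum change in transit, so they
    are zeroed before the ICV is computed; every other byte of the 20-byte header is covered."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])

def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    # Payload length is the AH length in 32-bit words minus 2: 24 bytes = 6 words, so 4.
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def compute_icv(key: bytes, ip_hdr: bytes, ah_zeroed: bytes, upper: bytes) -> bytes:
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + upper
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

class AhTransportSA:
    """Outbound AH SA in transport mode: key, SPI and the sequence counter (starts at 0)."""
    def __init__(self, key: bytes, spi: int) -> None:
        self.key, self.spi, self.seq = key, spi, 0

    def protect(self, src: str, dst: str, inner_proto: int, upper: bytes) -> bytes:
        if self.seq == 0xFFFFFFFF:                  # step 2: never let the counter wrap
            raise RuntimeError("sequence number would wrap; establish a new SA")
        self.seq += 1
        ip = ipv4_header(src, dst, IPPROTO_AH, AH_FIXED_LEN + ICV_LEN + len(upper))
        template = ah_header(inner_proto, self.spi, self.seq)      # steps 1-4: ICV still zero
        icv = compute_icv(self.key, ip, template, upper)            # step 5
        return ip + ah_header(inner_proto, self.spi, self.seq, icv) + upper   # steps 6-7

def verify_ah(key: bytes, packet: bytes) -> Optional[dict]:
    """Receiver side: recompute the ICV with mutable fields zeroed; None on any mismatch."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != IPPROTO_AH:
        return None
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_total = (payload_len + 2) * 4
    icv = packet[32:20 + ah_total]
    upper = packet[20 + ah_total:]
    expected = compute_icv(key, ip_hdr, packet[20:32] + b"\x00" * len(icv), upper)
    if not hmac.compare_digest(icv, expected):
        return None
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": upper}

def decrement_ttl(packet: bytes) -> bytes:
    """What a router does in transit: TTL minus one and a fresh header checksum."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]
```

Running `decrement_ttl` on a protected packet and verifying it again shows why the mutable fields must be excluded: the hop changes two header bytes and the ICV still matches, while a single flipped payload byte makes `verify_ah` return None.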

1.2.2. The ESP protocol (Encapsulating Security Payload).

The ESP protocol provides authentication, integrity and confidentiality for packets. ESP can also be configured for situations that need only encryption or only authentication.

Figure 16: Structure of the ESP packet.

Meaning of the components:

- Security parameters index (SPI, 32 bits): identifies the parameters; combined with the IP address, it identifies the SA.

- Sequence number (32 bits): automatically increasing; used against replay.

- Payload data (variable length): this is the IP packet or part of the original packet, depending on the IPSec mode in use. In Tunnel Mode this field contains the whole original IP packet. In Transport Mode it contains only the upper-layer protocol portion of the original packet. The payload length is always a whole number of bytes.

- Padding (variable length) and Pad Length (8 bits): the inserted padding data and its length.

- Next Header (8 bits): identifies the protocol used in the transported data. In Transport Mode the value is 6 for TCP or 17 for UDP; in Tunnel Mode it is 4 (IP-in-IP).

- Authentication (multiple of 32 bits): contains the authentication data for the packet, computed over the whole ESP packet except the Authentication data itself. Encryption algorithms include DES, 3DES and AES. Authentication algorithms include MD5 or SHA-1. ESP also provides an anti-replay feature that protects packets against modification. ESP in transport mode does not apply its algorithm to the whole packet, only to the body that follows the IP header. ESP can be used independently or combined with AH; below is a model of how ESP processes user data between two IPSec peers.

Figure 17: ESP operation.

ESP uses a symmetric cipher to provide data encryption for IPsec packets. Therefore, for both endpoints to be protected by ESP, both sides must use the same key to encrypt and decrypt packets. When an endpoint encrypts data, it splits the data into small blocks and then performs the encryption operation repeatedly using each data block and the key. Encryption algorithms that work in this way are called block cipher algorithms. When the other endpoint receives the encrypted data, it decrypts it using the same key and a similar procedure, but with the operations reversed. ESP has IP protocol number 50.

The ESP sending process.

When an IP datagram is ready to be placed on the output queue, it is checked to see whether it should be processed by IPSec. If ESP encapsulation is required, it must be known whether the SA operates in Transport Mode or Tunnel Mode. The processing performs the following steps:

Step 1: The SPD looks up an SA that matches the exact information, such as destination address, port and protocol; if no SA exists yet, a pair of SAs is negotiated between the sender and the receiver.

Step 2: The sequence number from the SA is incremented and placed in the ESP header. If the peer has not disabled the anti-replay function, the sequence number is checked to make sure it is not 0.

Step 3: If necessary, padding is added for byte alignment, and the pad length and next header fields are filled in. If the encryption algorithm requires it, an IV is added to the payload data (the Initialization Vector is a random block that is XORed with the first data block before encryption, to avoid identical ciphertext for identical data). The IV, payload data and ESP trailer are then encrypted using the key and encryption algorithm specified in the SA.

Step 4: The ICV is computed over the ESP header, IV, payload data and ESP trailer fields and placed in the Authentication data field, using the key and algorithm in the SA.

Step 5: If the resulting packet requires fragmentation, it is done at this point. In Transport Mode, ESP is applied only to a whole IP datagram. In Tunnel Mode, ESP may be applied to a fragment of an IP datagram.

Note that the order of encryption and authentication matters: because authentication is performed last, the ICV is computed over the already encrypted data, which means the receiver can verify authentication relatively quickly before carrying out the much slower decryption. This can partly prevent a DoS attack in which a flood of random encrypted data is sent to the receiver.

The ESP receiving process.

Because incoming data may have been fragmented during routing, it must be reassembled. After reassembly, ESP processing goes through the following steps:

Step 1: The SA is found by matching the destination address, the protocol (ESP) and the SPI of the incoming packet. If no SA exists, the packet is discarded.

Step 2: If anti-replay is enabled, the sequence number is checked.

Step 3: The packet is authenticated by computing the ICV over the ESP header, payload and ESP trailer fields, using the algorithm and key in the SA; if authentication fails, the packet is discarded. If the packet is authenticated, it is accepted and the receiver updates the sequence number.

Step 4: The payload and ESP trailer fields are decrypted using the algorithm and key in the SA. If padding was added, it is checked to make sure it contains the values appropriate for the decryption algorithm. The original IP packet is reassembled by removing the ESP fields; this reassembly depends on whether Transport Mode or Tunnel Mode is in use.
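The ESP send and receive steps above, including the encrypt-then-authenticate order, the padding/pad-length/next-header trailer, the ICV check before decryption and the sequence-number anti-replay check (the same sliding-window idea the AH section mentions), can be exercised end to end. The Python below is an added example written for this page, not code from the thesis or from any IPSec implementation. Because the standard library has no AES or DES, it assumes a counter-mode keystream derived from HMAC-SHA-256 as a stand-in for the SA's block cipher, HMAC-SHA-256 truncated to 128 bits for the ICV (as RFC 4868 defines), a 16-byte block alignment, and a 64-packet replay window. Keys, SPI and payloads are constructed sample values; the `EspSA` class name is the example's own.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

BLOCK = 16       # block size the padding is aligned to (AES-sized)
ICV_LEN = 16     # HMAC-SHA-256-128 truncated ICV

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream HMAC-SHA-256(key, iv || counter). Stand-in for the SA's
    block cipher (DES/3DES/AES on the page), since the standard library ships none."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ReplayWindow:
    """64-packet sliding window: bit 0 is the highest sequence seen, bit k is top minus k."""
    def __init__(self, size: int = 64) -> None:
        self.size, self.top, self.bits = size, 0, 0

    def check(self, seq: int) -> bool:
        if seq == 0:                       # 0 is never valid once anti-replay is on
            return False
        if seq > self.top:                 # ahead of the window: a new packet
            return True
        if self.top - seq >= self.size:    # older than the window: stale
            return False
        return not (self.bits >> (self.top - seq)) & 1   # inside window: seen before?

    def update(self, seq: int) -> None:    # called only after the ICV has been verified
        if seq > self.top:
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bits |= 1 << (self.top - seq)

class EspSA:
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes) -> None:
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out = 0
        self.window = ReplayWindow()

    def encapsulate(self, payload: bytes, next_header: int, iv: Optional[bytes] = None) -> bytes:
        if self.seq_out == 0xFFFFFFFF:
            raise RuntimeError("sequence number exhausted; rekey the SA")
        self.seq_out += 1                                          # send step 2
        iv = iv if iv is not None else os.urandom(BLOCK)
        pad_len = (BLOCK - (len(payload) + 2) % BLOCK) % BLOCK      # send step 3: pad so that
        padding = bytes(range(1, pad_len + 1))                     # payload + trailer fills blocks
        plaintext = payload + padding + bytes([pad_len, next_header])
        ciphertext = xor(plaintext, keystream(self.enc_key, iv, len(plaintext)))
        header = struct.pack("!II", self.spi, self.seq_out)
        icv = hmac.new(self.auth_key, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        return header + iv + ciphertext + icv                      # send step 4: ICV over ciphertext

    def decapsulate(self, packet: bytes) -> Tuple[int, bytes]:
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("no SA for this SPI")                  # receive step 1
        if not self.window.check(seq):
            raise ValueError("replayed or stale sequence number")   # receive step 2
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")                        # receive step 3, before decrypting
        self.window.update(seq)
        iv, ciphertext = body[8:8 + BLOCK], body[8 + BLOCK:]
        plaintext = xor(ciphertext, keystream(self.enc_key, iv, len(ciphertext)))
        pad_len, next_header = plaintext[-2], plaintext[-1]        # receive step 4
        cut = len(plaintext) - 2 - pad_len
        payload, padding = plaintext[:cut], plaintext[cut:-2]
        if padding != bytes(range(1, pad_len + 1)):
            raise ValueError("bad padding")
        return next_header, payload
```

Two details are worth noticing when running it: a replayed packet is rejected by the window before any cryptography is done, and a packet whose ciphertext has been altered fails the ICV check without the receiver ever decrypting it, which is the cheap-reject property the note after step 5 describes.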

Figure 18: Comparison table between AH and ESP.

2 Using IPSec.

2.1 Purpose.

IPSec is used to secure data as it travels across the network. The administrator sets up a series of policies called IPSec Policies. These policies contain filters that specify which types of traffic require encryption, digital signing or both. Each packet the computer sends is then evaluated to see whether it matches the conditions of the policy. This process is transparent to the user and to the applications that initiate data transfer. Because IPSec is embedded in standard IP packets, it can travel across the network without requiring special configuration on the devices between the two hosts. IPSec cannot encrypt some types of traffic, such as broadcast, multicast and Kerberos protocol packets.

    2.2 u v nhc im khi s dng IPSec.

    2.2.1 u im

    Li ch chnh ca IPSec l n m ha trong sut hon ton i vi tt c giao

    thc lp 3 ca m hnh OSI v cao hn.

    IPSec cung cp:

    - Xc thc ln nhau trc v trong qu trnh trao i.

    - S cn mt trong sut qu trnh m ha ca lu lng IP v xc thc s ca

    gi. IPSec c 2 ch : ESP (Encapsulating Security Payload) m ha

    da trn mt hoc mt vi thut ton no v AH (Authentication

    Header) xc thc lu lng nhng khng m ha n.

    - Ton vn lu lng IP bng cch loi b lu lng c thay i. C

    ESP v AH u dng xc nhn tnh ton vn ca tt c lu lng IP.

    Nu gi c thay i th ch k s s khng nh km v gi s b hy.


    - Attack prevention: both ESP and AH use sequence numbers, so any packet that is captured and replayed later arrives with an out-of-sequence number. Ordered sequence numbers ensure that an attacker cannot reuse or resend captured data to set up a session or gather information illegitimately. They also protect against an attacker intercepting a message and later using the identical message to gain unauthorized access to resources, possibly months afterwards.

    2.2.2 Disadvantages

    Every packet processed by IPSec grows in size because of the various headers that are added, which reduces the effective throughput of the network. This can be mitigated by compressing data before encryption, but such techniques are still being researched and have not been standardized.

    IPSec is designed to secure IP traffic only; it does not support other kinds of traffic.

    Computing the many complex algorithms in IPSec remains a burden for workstations and PCs with limited processing power.

    Distribution of cryptographic hardware and software is still restricted by the governments of some countries.

    3 Deploying IPSec.

    3.1 How IPSec secures traffic.


    IPSec is configured through a policy on the local machine or through group policy in the Active Directory directory service:

    IPSec policies are delivered to all computers: the policy tells the IPSec driver how to operate and defines the Security Associations that may be established. A security association governs which encryption protocol is used for which kind of traffic and which authentication method is set up.

    The Security Association is established: the Internet Key Exchange (IKE) component establishes the Security Association. IKE combines two protocols: Internet Security Association and Key Management Protocol (ISAKMP) and Oakley Key Determination. If one client requires certificates for authentication while the other requires the Kerberos protocol, IKE cannot establish a security association between the two machines. If you watch the packets in Network Monitor, you will see ISAKMP packets but no AH or ESP packets following them.

    IP packets are encrypted: once the security association is established, the IPSec driver monitors all IP traffic and compares it against the defined filters.


    3.2 What is an IPSec Security Policy?

    Definition

    An IPSec security policy consists of one or more rules that determine how IPSec behaves.

    IPSec Security policy rules

    You deploy IPSec by setting up policies. A policy may contain several rules, but only one policy can be assigned on a machine at any given time, so all the required rules must be combined into a single policy. Each rule consists of:

    Filter: the filter tells the policy which kind of traffic the filter action applies to. For example, a filter might match only HTTP traffic, or only FTP traffic.

    Filter action: the filter action decides what the policy does when traffic matches the filter. For example, you can tell IPSec to block all FTP traffic but require encryption for all HTTP traffic. The filter action can also specify the encryption and hash algorithms the policy should use.

    Authentication method: three authentication methods are available: certificates, the Kerberos protocol and preshared keys. Each rule may specify several authentication methods.

    Default policies

    Windows 2000 and later ship with three preconfigured default policies:

    Client (Respond Only): if another computer asks this client to use IPSec, it responds with IPSec. The Client (Respond Only) policy never initiates IPSec on its own. It has a single rule, the Default Response rule, which lets the host respond to requests for ESP from hosts in trusted Active Directory domains. ESP is the IPSec mode that provides confidentiality together with authentication, integrity and anti-replay protection.


    Server (Request Security): this policy can be used on both servers and clients. It always tries to use IPSec but can fall back to unsecured communication if the peer is not configured with an IPSec policy. The Request Security policy has three rules. The first is the Default Response rule described above. The second permits ICMP traffic. ICMP is the maintenance protocol of TCP/IP: it reports errors and allows simple connectivity tests. The ping command uses ICMP for TCP/IP troubleshooting. Although ICMP is a useful diagnostic tool, you may want to disable it in a high-security network, because some attacks are based on ICMP. The third rule requests ESP for all IP traffic.

    Secure Server (Require Security): this policy can be used on both servers and clients. When it is assigned, the computer communicates only over IPSec and never falls back to unsecured communication. This policy also has three rules. The first two, Default Response and Permit ICMP, are as described above. The difference in Secure Server (Require Security) is that all traffic must be encrypted with ESP; otherwise the server will not communicate with the peer. The ICMP rule overrides the rule that requires security for all other IP traffic.

    3.3 How do the policies work together?


    Negotiating the security association

    Policies should never be evaluated in isolation. For two computers to negotiate a security association, their policies must be complementary. The table above shows what happens when the default policies interact. If two hosts can negotiate a compatible security association, they communicate using IPSec. If their policies are incompatible, they either fall back to unsecured communication or cannot communicate at all.

    Example of how the policies work together

    The table above applies only to the default policies with their default rules. If you assign a policy whose rule has machine A request ESP for HTTP while machine B requires AH for HTTP, the two machines will not be able to negotiate a security association.

    Kerberos authentication is the default setting for all the default policies. The Kerberos protocol works between computers in Active Directory, but if one machine is not a member, the other computers cannot negotiate authentication with it. If machine B is changed to use only certificates for authenticating IP traffic, no security association can be established. Machine B can be reconfigured to accept either the Kerberos protocol or certificates; once the authentication methods agree, authentication can succeed.

    If you assign the Secure Server (Require Security) policy, the computer will be unable to communicate with any machine that does not have IPSec. For example, if the computer needs to reach a server running Microsoft SQL Server that has no IPSec, the connection fails.

    If you assign the Server (Request Security) policy, the computer falls back to unsecured communication with any computer that has no policy. The IPSec policy should be set up so that traffic which needs protection is secured while basic communication is still allowed.
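The negotiation rules described in this section, as an added example that is not from the thesis: a Python model of how two hosts' policies combine (no policy, Client Respond Only, Server Request Security, Secure Server Require Security), including the ESP/AH rule mismatch and the Kerberos-versus-certificate cases. The table the text refers to is not reproduced on this page, so default_policy_table() builds the equivalent matrix under this simplified model; the class and function names are assumptions, not Windows' actual IKE logic.

```python
from dataclasses import dataclass

# Constructed model of policy negotiation between two hosts, following the
# behaviour the text describes for the default policies. Names are illustrative;
# this is not Windows' IKE negotiation code.

@dataclass
class HostPolicy:
    name: str
    mode: str                                   # "none", "respond", "request" or "require"
    protocol: str = "ESP"                       # ESP or AH demanded by the rule for this traffic
    auth: frozenset = frozenset({"kerberos"})   # Kerberos is the default authentication method
    in_domain: bool = True                      # Kerberos only works for Active Directory members

def no_policy(name, **kw):             return HostPolicy(name, "none", **kw)
def client_respond_only(name, **kw):   return HostPolicy(name, "respond", **kw)
def server_request(name, **kw):        return HostPolicy(name, "request", **kw)
def secure_server_require(name, **kw): return HostPolicy(name, "require", **kw)

def usable_auth(a, b):
    """Authentication methods both hosts offer and can actually complete."""
    common = set(a.auth & b.auth)
    if not (a.in_domain and b.in_domain):
        common.discard("kerberos")              # a non-member cannot negotiate Kerberos
    return common

def negotiate(a, b):
    """Outcome for IP traffic between a and b: 'ipsec', 'clear' or 'fail'."""
    initiators = {"request", "require"}
    someone_initiates = a.mode in initiators or b.mode in initiators
    both_have_policy = a.mode != "none" and b.mode != "none"
    if (someone_initiates and both_have_policy
            and a.protocol == b.protocol and usable_auth(a, b)):
        return "ipsec"                          # compatible SA negotiated
    if "require" in (a.mode, b.mode):
        return "fail"                           # Require Security never falls back
    return "clear"                              # Request / Respond Only fall back to plaintext

def default_policy_table():
    """Outcome for every pair of default policies: the matrix the text refers to."""
    kinds = {"None": no_policy, "Respond": client_respond_only,
             "Request": server_request, "Require": secure_server_require}
    return {(x, y): negotiate(fx("A"), fy("B"))
            for x, fx in kinds.items() for y, fy in kinds.items()}
```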

    4 Deploying IPSec with Certificates.

    4.1 Introduction to Certificates.

    Definition

    An X.509 digital certificate is an electronic credential commonly used for authentication and for securing the exchange of information over open networks such as the Internet, extranets and intranets.

    A certificate binds a public key to the entity that holds the corresponding private key. For example, you can encrypt data for a recipient with their public key and be sure that only the recipient, who holds the private key, can decrypt it.

    The issuer of a certificate is called a Certification Authority (CA). Certificates are issued to users, computers or services such as IPSec.

    Benefits of certificates


    One of the main benefits of certificates is that a host no longer needs to maintain a set of passwords for every individual subject that must be authenticated as a condition of access. Instead, the host simply establishes trust in the CA that issued the certificates.

    4.2 Why use Certificates with IPSec to secure traffic.

    The following table describes some situations in which you might use certificates.


    Purpose

    Using certificates from a trusted CA as the authentication method between two IPSec hosts lets businesses communicate with one another. You can also use certificates to let the Windows Routing and Remote Access service communicate securely over the Internet with a layer 3 router that supports IPSec. However, because certificates are more complex than preshared keys or the Kerberos protocol, they demand more setup work from the administrator. Certificates are only one component of a PKI solution. Although a PKI requires resources for management and planning, so

    The Kerberos protocol and preshared keys

    The two other methods for authenticating between two IPSec hosts are:

    Kerberos protocol: for traffic between computers in the same domain, the default Kerberos protocol is the simplest authentication method for IPSec because it requires no configuration at all. The Kerberos protocol is a component of Active Directory and therefore part of the enterprise domain structure. However, for clients that do not support the Kerberos protocol, or that are not part of the Active Directory infrastructure, use a preshared key or an X.509 certificate.

    Preshared keys: a preshared key is a long random string of characters used as a password between two IPSec hosts. Preshared keys are less secure than the Kerberos protocol or certificates because the key is stored in clear text in the IPSec policy; anyone who gains administrative access to the policy can read the preshared key. Preshared keys are also poorly suited to configuring many machines.

    Chapter 3: Deploying a VPN System with IPSec.

    1. Deployment model:

    The VPN Server and the DC are connected through the CROSS network card.

    The VPN Server and the VPN Client are connected through the LAN network card.

    The VPN Server is joined to the domain loidiep.itc.edu.

    2. Steps:

    - Install and configure the VPN Server.

    - Install Certificate Services on the VPN Server.

    - The VPN Server and VPN Client request certificates.

    - The CA issues certificates to the VPN Server and Client.

    - The VPN Server and VPN Client install their certificates.

    - The VPN Client creates the connection.

    - Test: access the DC and join the domain.

    Step 1: Install and configure the VPN Server

    - On the VPN Server open Routing & Remote Access -> right-click Server2 -> Configure and Enable Routing and Remote Access.

    - Select Custom Configuration.

    - Check VPN Access -> Next.

    - Click Finish.

    - Configure the IP addresses handed to VPN Clients on successful connection: right-click Server2 -> Properties.

    - Go to the IP tab -> select Static Address Pool -> click Add.

    - Assign addresses from 10.10.10.100 to 10.10.10.149 (50 connections) -> OK.

    - Select Ports and observe that by default the VPN Server accepts both PPTP and L2TP connections. Configure the VPN Server to refuse PPTP and accept only L2TP: right-click Ports -> Properties.

    - Select WAN Miniport (PPTP) -> click Configure.

    - Uncheck Remote access connections and Demand-dial routing connections -> OK.

    - Observe that the VPN Server now accepts only L2TP connections.


    Step 2: Install Certificate Services on the VPN Server.

    - First install ASP.NET.

    - Then install Certificate Services.

    - Select Stand-alone root CA.

    - Enter the CA name (e.g. DC).

    - On the Certificate Database screen -> Next.

    - On the warning dialog choose YES to allow IIS to be stopped temporarily so the installation can complete.

    - On the Security warning dialog choose YES.


    Step 3: The VPN Server and VPN Client request certificates.

    - The VPN Server requests a certificate.

    Open a web browser and enter <CA address>/certsrv (here the VPN Server is itself the CA, so localhost/certsrv can be used). Then choose Request a certificate.

    - Choose Advanced certificate request.

    - Choose Create and submit a request to this CA.

    - In the Name field enter the VPN Server's machine name (here server2.loidiep.itc); expand Type of Certificate and choose IPSec Certificate.

    - Check Store certificate in the local computer certificate store and click Submit.

    - On the warning dialog choose YES.

    - The VPN Client requests a certificate.

    On the VPN Client open a web browser and enter <CA address>/certsrv (192.168.1.3/certsrv), then choose Request a certificate.

    - Choose Advanced request -> Create and submit a request to this CA.

    - Enter the VPN Client's machine name -> under Type of Certificate choose IPSec Certificate.

    - Check Store certificate in the local computer certificate store, then click Submit.

    - Choose YES on the warning dialog and observe that the request has been submitted.

    Step 4: The CA issues certificates to the VPN Server and VPN Client.

    - On the certificate server (which is also the VPN Server) open Certificate Authority (Start -> Programs -> Administrative Tools -> Certificate Authority).

    - Select Pending Requests and, for each of the VPN Server and VPN Client requests from the previous step, right-click it and choose All Tasks -> Issue.

    - Select Issued Certificates and check the certificates for the VPN Server and VPN Client.


    Step 5: The VPN Server and VPN Client install their certificates.

    - On the VPN Server open a web browser and enter localhost/certsrv -> choose View the status of a pending certificate request.

    - Select IPSec Certificate.

    - Choose Install this certificate.

    - On the warning dialog choose YES.

    - Observe that the certificate was installed successfully.

    - Check whether the certificate is valid: choose Start -> Run -> MMC.

    - In the MMC window click the File menu -> Add/Remove Snap-in.

    - Click Add.

    - Select Certificates -> click Add.

    - Select Computer account.

    - Select Local computer -> Finish.

    - Then expand Certificates -> Personal -> Certificates and double-click the certificate Server2.loidiep.itc.edu; observe that it is valid.

    - On the VPN Client do the same as on the VPN Server.

    - Checking shows that the Client's certificate is not valid (yet).

    - This is because DC, the CA that issued the VPN Client's certificate, is not in the list of trusted CAs.


    - Download the Server's CA certificate.

    - Open a web browser and enter <CA address>/certsrv. Then choose Download a CA certificate, certificate chain, or CRL.

    - Choose Download CA certificate.

    - In the download dialog -> click Save.

    - Save it to the Desktop -> click Save (any location that is easy to find again will do).

    - When the download completes click Close.

    - Return to the MMC window (Console1.msc) and import the CA certificate just downloaded: expand Trusted Root Certification Authorities, right-click Certificates -> All Tasks -> Import.

    - On the Welcome screen -> Next. On the File to Import screen -> click Browse.

    - Browse to the Desktop (where the CA certificate was saved in the previous step) -> select the CA certificate -> Open.

    - Click Next.

    - On the Certificate Store screen -> click Next -> Finish.

    - The import completes successfully.

    - Observe that DC now appears in the list of trusted CAs.

    - Re-check the certificate: it is now valid.

    - On the DC create a domain user.

    - Grant this user the Allow Access permission.


    Step 6: The VPN Client creates the connection.

    - On the VPN Client: right-click My Network Places -> Properties. Click Create a new connection.

    - On the Welcome screen -> Next; on the Network Connection Type screen -> choose Connect to the network at my workplace.

    - On the Network Connection screen -> choose Virtual Private Network connection.

    - On the Connection Name screen -> enter the company name.

    - On the VPN Server Selection screen enter the VPN Server's address -> Next.

    - Click Finish.

    - Enter the user name and password; check Save this user name and password for the following users -> click Properties.

    - On the Networking tab, under Type of VPN choose L2TP IPSec VPN -> click OK.

    - Click Connect and observe that the connection succeeds.


    Step 7: Testing

    - The VPN Client accesses the DC successfully.

    - On the VPN Client open the IP settings of the LAN card and set the Preferred DNS server to the DC (172.16.3.2) -> OK.

    - Join the domain loidiep.itc.edu -> OK.

    - Restart the VPN Client -> in the logon window choose Log on to: LOIDIEP -> check Log on using dial-up connection (so that the VPN connection is established before logon) -> OK.

    - Select the connection itc.edu created in the previous step -> Connect.

    - Enter the user name and password -> Connect.

    - Once the connection is established, the VPN Client logs on to the domain successfully. Then install Adminpak.msi.

    - Wait for setup to finish.

    - Click Finish.

    - After the installation completes, open Active Directory Users and Computers.

    - Try creating a user; observe that it is created successfully.

    LIST OF ABBREVIATIONS AND REFERENCES

    1. LIST OF ABBREVIATIONS.

    VPN - Virtual Private Network.

    AH - Authentication Header.

    ESP - Encapsulating Security Payload.

    ISP - Internet Service Provider.

    PBX - Private Branch Exchange.

    WAN - Wide Area Network.

    LAN - Local Area Network.

    RRAS - Routing and Remote Access.

    RADIUS - Remote Authentication Dial In User Service.

    L2TP - Layer 2 Tunneling Protocol.

    SSTP - Secure Socket Tunneling Protocol.

    PPTP - Point-to-Point Tunneling Protocol.

    DARPA - Defense Advanced Research Projects Agency.

    NIST - National Institute of Standards and Technology.

    IETF - Internet Engineering Task Force.

    ISAKMP - Internet Security Association and Key Management Protocol.

    IKE - Internet Key Exchange.

    MPPE - Microsoft Point-to-Point Encryption.

    TCP - Transmission Control Protocol.

    CHAP - Challenge-Handshake Authentication Protocol.

    PAP - Password Authentication Protocol.

    EAP - Extensible Authentication Protocol.

    GRE - Generic Routing Encapsulation.

    IP, IPX - Internet Protocol, Internetwork Packet Exchange.

    ATM - Asynchronous Transfer Mode.

    FR - Frame Relay.

    PPP - Point-to-Point Protocol.

    NAS - Network Access Server.

    LAC, LNS - L2TP Access Concentrator, L2TP Network Server.

    UDP - User Datagram Protocol.

    HTTP, HTTPS - Hypertext Transfer Protocol, Hypertext Transfer Protocol Secure.

    SSL - Secure Sockets Layer.

    SADB - Security Association Database.

    3DES - Triple Data Encryption Security.

    DoS - Denial of Service.

    ICV - Integrity Check Value.
